Cisco IDS-4230-FE - Intrusion Detection Sys Fast Ethernet Sensor Installation And Configuration Manual
Cisco Intrusion Detection System
Appliance and Module Installation
and Configuration Guide
Version 4.1
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: DOC-7815597=
Text Part Number: 78-15597-02
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT
NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT
ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR
THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR T HE A CCOMPANYING PRODUCT ARE SET FOR TH IN T HE INFORMATION
PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO
LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class
A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when
the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed
and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a
residential area is likely to cause h armful interference, in which case users will be required to correct the interference at their own expense.
The following information is for FCC comp liance of Cl ass B devices: The equipm ent descr ibed in thi s manual gener ates and may radi ate
radio-frequency energy. If it is not installed in accordance with Cisco’s installation instructions, it may cause interference with radio and television
reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in
part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation.
However, there is no guarantee that interference wi ll not occur in a particular installation.
Modifying the equipm ent wit hout C isco’s written autho rizatio n may re sul t in the equipm ent no lon ger comply ing with FC C re quirem ents for Class
A or Class B digital devices. In that event, your right to use the equ ipment m ay be limit ed by FCC regulati ons, and yo u may be r equi red t o correct
any interference to radio or television communi cations at you r own expense.
You can det ermine wh ether your equipmen t is causing interf erence by turning it off. If the interference stop s, it was probabl y caused by the Cisco
equipment or one of its peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by
using one or more of the following measures :
• Turn the television or radio antenna until the interfe rence stops .
• Move the equipment to one side or the other of the te levision or radio .
• Move the equipment farther away from the television or radio.
• Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is , make certain the equi pment and the television
or radio are on circuits controlled by different circuit br eakers or fuses.)
Modifications to this product no t authori zed by Cisco Syst ems, Inc. could void the FCC app roval and negate your authori ty to oper ate the product.
The Cisco implementation of TCP header com pression i s an adap tati on o f a pr ogr am d eveloped by the University of California, Berkeley (UCB) as
part of UCB’s public domain version of the UNIX opera ti ng s ys tem. All rights reserved. Copyrig ht © 1981, Regents of the University of California.
NOTWITHSTANDIN G ANY OTHER WA RRANTY HEREIN, AL L DOCUMENT FILE S AND SOFTWARE OF THESE SUPPLIERS ARE
PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED
OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICU LAR PURPOSE AND
NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL
DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR
INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
CCSP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We W ork, Live,
Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE,
CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco
Systems logo, Cisco Unity, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare,
GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys,
MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX,
ScriptShare, SlideCast, SMARTnet, StrataView Plus, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO
are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (0411R)
Cisco Intrusion Detection System A pplianc e and Modul e Install ati on and Configuration Guid e
Copyright © 2004 Cisco Sy stems, In c. All rights reser ved.
Preface xvii
Audience xvii
Conventions xviii
Related Documentation xix
Obtaining Documentation xix
Cisco.com xix
Ordering Documentation xx
Documentation Feedback xx
Obtaining Technical Assistance xxi
CONTENTS
CHAPTER
Cisco Technical Support Website xxi
Submitting a Service Request xxii
Definitions of Service Request Severity xxii
Obtaining Additional Publications and Information xxiii
1 Introducing the Sensor 1-1
Appliances 1-1
Introducing the Appliance 1-2
How the Appliance Functions 1-3
Your Network Topology 1-4
Placing an Appliance on Your Network 1-6
Deployment Considerations 1-8
Appliance Restrictions 1-9
Setting Up a Terminal Server 1-9
Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
78-15597-02
v
Contents
Modules 1-12
Introducin g the Cisco Intrusi on Detection System Network Module 1-12
Introducin g the Cisco Catalyst 6500 Series Intrusion Detecti on System
Services Module
Supported Sensors 1-16
Setting the Time on Sensors 1-18
Installation Preparation 1-20
Working in an ESD Environment 1-21
1-14
CHAPTER
CHAPTER
2 Installing the IDS-4210 2-1
Front Panel Features and Indicators 2-1
Upgrading the Memory 2-3
Installing the IDS-4210 2-5
Installing the Accessories 2-8
Accessories Package Contents 2-8
Installing and Removing the Bezel 2-9
Installing Center Mount Brackets 2-9
Installing Front Mount Brackets 2-11
3 Installing the IDS-4215 3-1
Front and Back Panel Features 3-2
Specifications 3-4
Accessories 3-5
Surface Mounting 3-6
Rack Mounting 3-7
Installing the IDS-4215 3-9
Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
vi
78-15597-02
Removing and Replacing the Chassis Cover 3-12
Removing the Chassis Cover 3-13
Replacing the Chassis Cover 3-15
Removing an d R ep lacing the IDE H ar d- D is k D riv e 3-17
Removing the Hard-Disk Drive 3-18
Replacing the Hard-Disk Drive 3-20
Removin g an d R ep l a ci ng the Compact Flash Devi c e 3-21
Removin g th e Co m p ac t Flash Device 3-21
Replacing the Compact Flash Devic e 3-23
Removing and Installing the 4FE Car d 3-25
Removing the 4FE Card 3-25
Installing the 4FE Card 3-27
Contents
CHAPTER
CHAPTER
4 Installing the IDS-4220 and IDS-4230 4-1
Front and Back Panel Features 4-2
Recommended Keyboards and Monitors 4-4
Upgrading the IDS-4220-E and IDS-4230-FE to 4.x Software 4-5
Installing the IDS-4220 and ID S-4230 4-6
5 Installing the IDS-4235 and IDS-4250 5-1
Front-Panel Features and Indicators 5-2
Back-Panel Features and Indicators 5-4
Specifications 5-5
Installing Sp ar e H ar d-Disk Drives 5-6
Upgrading the BIOS 5-7
Using the TCP Reset Interface 5-8
Installing the IDS-4235 and ID S-4250 5-9
Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
78-15597-02
vii
Contents
Installing the Accessories 5-11
Accessories Package Contents 5-12
Installing and Removing the Bezel 5-12
Installing the Power Supply 5-13
Installing Optional PCI Cards 5-16
Disconnecting the XL Card Fiber Ports 5-19
Removing and Replacing the SCSI Hard-Disk Drive 5-20
Removing the SCSI Hard-Disk Drive 5-21
Replacing the SCSI Hard-Disk Drive 5-22
Four-Post Rack Installation 5-23
Recommended Tools and Supplies 5-23
Rack Kit Contents 5-23
Installing the Slide Assemblies 5-24
CHAPTER
Installing the Appliance in the Rack 5-26
Installing the Cable-Management Arm 5-28
Routing the Cables 5-32
Two-Post Rack Installation 5-34
Recommended Tools and Supplies 5-35
Rack Kit Contents 5-35
Marking the R ac k 5-35
Installing the Slide Assemblies in the Rack 5-36
6 Installing the IPS-4240 and IPS-4255 6-1
Front and Back Panel Features 6-2
Specifications 6-5
Accessories 6-6
Rack Mounting 6-7
Installing the IPS-4240 and IPS-4255 6-9
Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
viii
78-15597-02
Contents
CHAPTER
7 Installing th e NM-CIDS 7-1
Specifications 7-1
Software and Hardware Requirements 7-2
Hardware Architecture 7-4
Front Panel Features 7-5
Interfaces 7-5
Installation and Removal Instructions 7-6
Required Tools 7-7
Installing the NM-CIDS 7-7
Installing the NM-CIDS Offline 7-7
Installing an NM-CIDS Using OIR Support 7-10
Removing the NM-CIDS 7-11
Removing th e N M-C ID S Of fli ne 7-12
Removing the NM-CIDS Using OIR Support 7-13
Blank Network Module Panels 7-14
CHAPTER
78-15597-02
8 Installing the IDSM-2 8-1
Specifications 8-1
Software and Hardware Requirements 8-2
Supported IDSM-2 Configurations 8-3
Using the TCP Reset Interface 8-4
Front Panel Description 8-4
Installation and Removal Instructions 8-5
Required Tools 8-6
Slot Assignments 8-6
Installing the IDSM-2 8-7
Verifying the IDSM-2 Installation 8-11
Removing the IDSM-2 8-13
Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
ix
Contents
CHAPTER
CHAPTER
9 Obtaining Software 9-1
Obtaining Cisco IDS Software 9-1
IDS Software Versioning 9-3
IDS Software Image Naming Conventions 9-3
4.x Software Release Examples 9-6
Upgrading Cis co IDS Software from Version 4.0 to 4.1 9-8
Using the Recovery/Upgrade CD with the Appliance 9-9
Applying for a Cisco.com Account with Cryptographic Access 9-11
IDS Bulletin 9-12
10 Configuring the Sensor Using the CLI 10-1
Sensor Initial Configuration Tasks 10-2
Initializing the Sensor 10-2
Assigning and Enabling the Sensing Interface 10-9
Sensing Interfaces 10-11
Creating the Service Account 10-12
Logging in to the Sensor 10-14
Changing a Password 10-15
Adding a User 10-16
Removing a User 10-17
Adding Trusted Hosts 10-18
Adding Known Hosts to the SSH Known Hosts List 10-19
Configuring the Sensor to Use an NTP Server as its Time Source 10-21
Configuring a Cisco Router to be a n NTP Server 10-22
Sensor Adminis trative Tasks 10-24
Displaying the Current Version and Configuration Information 10-24
Creating and Usi ng a Backup Configuration File 10-28
Displaying and Clearing Events 10-28
Rebooting or Powering Down the Appliance 10-30
Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
x
78-15597-02
Displaying T ech Support Information 10-31
Displaying a nd Clearing Statistics 10-33
Sensor Configuration Tasks 10-35
Configuring Signatures 10-35
Configurin g Alarm Channel System Variables 10-35
Configuring Alarm Channel Even t Filters 10-37
Viewing Signature Engine Parameters 10-39
Configuring Virtual Sensor System Variables 10-42
Tuning Signature Engines 10-45
IP Logging 10-50
Manual IP Loggi ng for a Specific IP Address 10-51
Automatic IP Logging for a Specific Signature 10-53
Disabling IP Logging 10-55
Contents
Copying IP Log Files to Be Viewed 10-56
Configuring Blocking 10-57
Understanding Blocking 10-57
Before Configuring Blocking 10-59
Supported Blocking Devices 10-59
Configuring Blocking Properties 10-60
Configuring Addresses Never to Block 10-65
Configuring Logical Devices 10-66
Configuring Blocking Devic es 10-67
Configuring the Sensor to be a Maste r Blocking Sensor 10-73
Obtaining a List of Blocked Hosts and Connections 10-75
How to Set up Manual Blocking and How to Unblock 10-76
NM-CIDS Configuration Tasks 10-77
Configuring Cisco IDS Interfaces on the Router 10-78
Establishing Cisco IDS Console Sessions 10-80
Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
78-15597-02
Using the Session Command 10-80
Suspending a Ses sion and Returning t o the Router 10-81
xi
Contents
Closing an Open Se ssion 10-81
Using Telnet 10-82
Rebooting the NM-CIDS 10-83
Setting Up Packe t Capture 10-84
Checking the Status of the Cisco IDS Software 10-85
Supported Cisco IOS Commands 10-86
IDSM-2 Configuration Tasks 10-87
Configurin g the Catalyst 6500 Series Switch for Command and Control
Access to the ID S M-2
Catalyst Software 10-89
Cisco IOS Software 10-89
Copying IDS Traffic 10-90
Using SPAN for Capturing IDS Traffic 10-90
10-88
Configurin g VACLS to Capture IDS Traffic 10-92
Using the mls ip i ds Command for Capturing IDS Traffic 10-96
Miscellaneous Tasks 10-98
Enabling a Full Memory Test 10-99
Resetting the IDSM-2 10-101
Catalyst Software Commands 10-103
Cisco IOS Software Co mmands 10-106
Reimaging Appliances and Modules 10-110
Reimaging the App liance 10-110
Recovering the Application Partition Image 10-111
Upgrading the Recovery Partition Image 10-112
Installing the IDS-4215 Syst em Image 10-113
Installing the IPS-4240 and IPS-4255 System Image 10-116
Reimaging the NM-C IDS Application Partition 10-119
Reimaging the IDSM-2 10-124
Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
xii
Reimaging the IDSM-2 10-125
Reimaging the Maintenance Partit ion 10-127
78-15597-02
Contents
APPENDIX
A Intrusion Detection System Arc hitecture A-1
System Overview A-1
Software Architecture Overview A-2
Show Version Command Output A-4
User Interac tio n A-5
New Features in Version 4.x A-6
System Components A-7
MainApp A-8
SensorApp A-11
AuthenticationApp A-12
Authenticating Users A-12
Configuring Authenticati on on the Sensor A-13
Managing TLS and SSH Trust Relationshi ps A-14
LogApp A-15
NAC A-16
About NAC A-17
NAC-Controlled Devices A-19
NAC Features A-19
ACLs and VACLs A-22
Maintaining State Across Restarts A-23
Connection-Based and Unconditional Blocking A-24
Blocking w it h the PIX Firew al l A-25
Blocking w ith the Catal ys t 6000 A-27
TransactionSource A-28
WebServer A-29
CLI A-29
User Account Roles A-30
Service Account A-31
CLI Behavior A-32
Regular Expression Syntax A-34
Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
78-15597-02
xiii
Contents
EventStore A-36
About the EventStore A-36
Major Data Structures A-38
IDS Events A-39
System Architectural Details A-44
Communications A-45
IDAPI A-46
RDEP A-47
Sensor Directory Structure A-48
Summary of Applic ations A-49
APPENDIX
B Troubleshooting B-1
Preventive Maintenance B-1
Disaster Recovery B-2
Troubleshooting the 4200 Series Appliance B-4
Communication B-4
Cannot Access the Sensor Through th e IDM or Telnet and/or SSH B-5
IDM Cannot Access the Sensor B-7
Access List Misconfiguration B-10
Duplicate IP Address Shuts Interface Down B-10
SensorApp and Ale rting B-11
Sensing Proce ss Not Running B-11
Physical Connectivity, SPAN, or VACL Port Issue B-12
Unable to See Alerts B-14
Sensor Not Seeing Packets B-15
Cleaning Up a Corrupted SensorApp Configuration B-16
Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
xiv
Running SensorApp in Single CPU Mode B-17
Bad Memory on the IDS-4250-XL B-18
78-15597-02
Blocking B-18
Verifying NAC is Running B-19
Verifying NAC is Connecting B-20
Device Access Is sues B-22
Verifying the Interfaces/Directions on the Network Device B-23
Enabling SSH Connections to the Net w ork Device B-24
Blocking Not Occurring for a Signature B-25
Verifying the Master Blocking Sensor Configurat ion B-26
Logging B-28
Enabling Debug Logging B-28
Zone Names B-31
Directing cidLog Messages to SysLog B-31
NTP B-33
Contents
Verifying that the Sensor is Synchronized with the NTP Server B-34
NTP Server Connec tivity Problem B-35
NTP Reconfiguration Defect B-35
TCP Reset B-37
Reset Not Occurr ing for a Signature B-37
Using the TCP Reset Interface B-39
Software Upgrade B-39
IDS-4235 and IDS -4250 Hang During A Software Upgrade B-40
Which Updates to Apply and in Which Order B-40
Issues With Automatic Update B-41
Verifying the Version of the IDSM-2 and NM-CIDS 4.1(4) Images B-42
Updating a Sensor with the Update Stored on the Sensor B-43
Troubleshooting the IDSM-2 B-44
Diagnosing IDSM-2 Problems B-44
Switch Commands for Troubleshooting B-46
Status LED Off B-46
Status LED On But IDSM-2 Does Not Come Online B-48
Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
78-15597-02
xv
Contents
Cannot Communica te With IDSM-2 Command and Control Port B-49
Using the TCP Reset Interface B-51
Connecting a Serial Cable to the IDSM-2 B-51
Gathering Inf o rm a tion B-52
show tech-support Command B-52
show tech-support Command B-53
Displaying Te ch Support Information B-53
show tech-suppo rt Command Output B-55
show version Command B-56
show version Command B-57
Displaying the Current Version B-57
show configuration/more current-config Command B-60
show statistics Command B-61
G
LOSSARY
show statistics Command B-61
Displaying St atistics B-62
show statistics Command Output B-63
show interfaces Command B-64
show interfaces Command B-64
show interfaces Command Output B-65
show events Command B-66
Sensor Events B-67
show events Command B-67
Displaying and Clearing Events B-68
show events Command Output B-69
cidDump Script B-70
Uploading and Accessing Files on the Cisco FTP Site B-71
I
NDEX
Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
xvi
78-15597-02
Preface
This guide de scri bes h ow to i nstal l ap plianc es and m odule s an d p rovides ba sic
configuration proced ures using t he CLI.
This preface contains the following topics:
• Audience, page xvii
• Conventions, page xviii
Audience
• Related Docume ntat ion , page xix
• Obtaining Do cu ment ation , pa ge xix
• Documentation Feedba ck, page xx
• Obtaining Technical Assistance, page xxi
• Obtaining Additional Publications and Information, page xxiii
This guide i s inte nded fo r audi ence s who nee d to do the fo llowing :
• Install appliances and modules.
• Secure their network with sensors.
• Detect intrusion on their networks and monitor subsequent alarms.
Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
78-15597-02
xvii
Conventions
Conventions
This guide uses the fol lowing conventions:
Item Convention
Commands and keywords boldface font
Variables for wh ich you supply values italic font
Preface
Displayed session and system inform ation
Information you enter
screen font
boldface screen font
Variables you enter italic screen font
Menu items a nd button na mes boldface font
Selecting a menu item Option > Networ k Preferences
Note Means reader take note. Notes contain helpful suggestions or references to
material not covered in the gui de.
Caution Means reader be careful. In this situation, you might do som ethin g that cou ld
result in equipment dam age or loss of dat a.
Warning
This warning symbol means danger. You are in a situation that could cause
bodily injury. To see translations of the warnings that in this publication, refer
to the Regulatory Compliance and Safety Information document that
accompanied this device.
Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
xviii
78-15597-02
Preface
Related Documentation
Note We sometimes update the printed and electronic documentation after original
publication. Ther ef or e, yo u sh ould a ls o review the doc ume nta tio n on Ci sco .com
for any updates.
The following product docum entati on is available:
• Cisco Intrusion D etect ion Syst em ( IDS) Hardware and Software Version 4.1
Documentation Guide
• Quick Start Guide for the Cisco Intrusio n Detection Sy stem Ve rsion 4.1
• Regulatory Compliance and Safet y Informat ion for the Ci sco Intrusio n
Detection System 42 00 Series Appl iance Senso r
Related Do cu m entation
• Installing and Using the Ci sco Intrusion Detect ion System Devic e Manager
and Event Viewer Version 4.1
• Cisco Intrusion De tectio n Sy stem C om mand Ref erence Version 4.1
• Release Notes for Cisco Intru sion Dete ction Syst em Version 4. 1
Refer to the Cisco In trusi on D etec tion Syst em (ID S) H ardware and Software
Version 4.1 Docu mentatio n Guid e for information on how to access this
documentation .
Obtaining Documentation
Cisco documentati on and a dditi onal l itera tur e are available on Cisco.com . Cisc o
also provides several ways to obtain technical assistance and other technical
resources. These section s explain h o w to obtain technica l information from Cisco
Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/univercd/home/home.htm
Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
78-15597-02
xix
Documentation Feedback
You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Ordering Documentation
You can find i ns truc tio ns for or de ring do cu ment atio n a t th is U RL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco doc umen tation in these ways:
• Register ed Cisco.co m users (Cis co direct cus tomers) can order Cisco product
documentation fr om t he O r deri ng t ool:
Preface
http://www.cisco.com/en/US/partner/ordering/index.shtml
• Nonregistered Cisco.com users can orde r documen tation thro ugh a loca l
account representa tive by calling Cisco Systems Corpor ate Head quarte rs
(California, US A) at 40 8 526-7208 o r, elsewhere in N orth A meri ca, by
calling 1 800 553-NETS (6387) .
Documentation Feedback
You can send comme nts ab out technic al docum entati on to bug-doc@c isco.com.
You can submit comments by using the response card (if present) behind the front
cover of your document or by writing to the followin g address:
Cisco Systems
Attn: Customer Docu ment Orde ring
170 West Tasman Drive
San Jose, CA 951 34- 988 3
We ap prec iate yo ur comm ents .
Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
xx
78-15597-02
Preface
Obtaining Technical Ass istance
For all customers, partners, resellers, and distributors who hold valid Cisco
service contracts, Cisco Technical Support provides 24-hour-a-day,
award-winning technica l assistan ce. The Ci sco Technical Support We bsite on
Cisco.com features extensive online support resou rces. In addi tion, Cisco
Technical Assistance Cente r (TAC) engi neers provide tel ephone sup port. If you
do not hold a valid Ci sco se rv ice c ontr act , cont act y our r esel ler.
Cisco Technical Support Website
The Cisco Technical Support Website provides online do cume nts a nd tools fo r
troubleshooting and re solvin g t ec hnic al issues w ith C isco pr oduc ts and
technologies. Th e web site is available 2 4 h ours a d ay, 365 days a year, at this
URL:
Obtaining Technical Assistance
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support Website require s a Cisco.com
user ID and pa ssword. If you have a valid servi ce contract but do not have a user
ID or password, you can register at thi s URL:
http://tools.cisco.com/RPF/register/register.do
Note Use the Cisco Product Id entification (CPI ) tool to locate your prod uct seri al
number before submitting a web or phone request for service. You can access the
CPI tool from the Cisco Technical Support We bsite by clicking the Tools &
Resources link under Documentation & Tools. Choose Cisco Product
Identification Tool from the Alphabetical Index drop-down list, or click the
Cisco Product Identification Tool link under Alerts & RMAs. Th e CPI tool
offers three search optio ns: by product ID or model na me; by tree view; or for
certain product s, by copying and pasting show co mm and o ut put. Se ar ch r esu lt s
show an illustration of your product with the serial number label location
highlighted. Loca te the se rial numbe r label on you r produc t and record the
information before placing a service call.
Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
78-15597-02
xxi
Obtaining Technical Assistance
Submitting a Service Request
Using the online TAC Ser vice Re quest Tool is the fastest way to open S3 and S4
service request s. (S3 a nd S4 ser vic e reque sts ar e t hose i n w hic h y our n etwor k is
minimally impaire d or for wh ich you requ ire prod uct inform ation .) After you
describe your situa tio n, t he TAC Servi ce Requ est Tool provides recommen ded
solutions. If your i ssue is not res olved using th e recomm ende d resour ces, your
service request is assigned to a Cisco TAC engineer. The TAC Service Request
Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests or if you do not have Internet acc ess, cont act the
Cisco TAC by telephone. (S1 or S2 se rvic e r eque sts a re t hos e i n wh ich you r
production network is down or severely degraded.) Cisco TAC engineers are
assigned immedi atel y t o S1 and S2 servi ce re quest s to hel p keep y our busine ss
operations running smoothly.
Preface
To ope n a servic e request by telephone, use one of the fo llowing numb ers:
Asia-Pacific: +61 2 8446 7411 (Austral ia: 1 800 805 227 )
EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has
established severity definitions.
Severity 1 (S1)—Your network is “down,” or there i s a crit ical impa ct to your
business operations. Yo u and Cisco w ill comm it all nece ssary resour ces ar ound
the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or
significant aspects o f y our business opera ti on ar e negatively affected by
inadequate perfor ma nce of Cisco pro duct s. You and Cisco will commit full-time
resources during normal business hours to resolve the situati on.
Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
xxii
78-15597-02
Preface
Obtaining Additional Publications and Inform ation
Severity 3 (S3) —Operational performance of your network is impaired, but most
business operations remain functional. You and Cisco will commit resources
during normal business hours to restor e service t o satisfact ory levels.
Severity 4 (S4)—You require infor mation or as sistance with Cisco produc t
capabilities, installation, or configuration. There is little or no effect on your
business operations.
Obtaining Additional Publication s and In formation
Information abo ut C isco pr odu cts, tech nol ogies, a nd ne twork solu tio ns is
available from various online and printed sources.
• Cisco Marketplace provides a variety of Cisco book s, refere nce guid es, and
logo merch and ise. Visit Cisco Ma rketp l ace, t h e co mpa ny st or e, a t thi s UR L:
http://www.cisco.com/go/marketplace/
• The Cisco Product Catalog describes the networking products offered by
Cisco Systems, as well as ordering and customer support services. Access the
Cisco Product Catalog at thi s URL:
http://cisco.com/univercd/cc/td/doc/pcat/
• Cisco Press publishes a wide range o f gen er al network ing, tra ining a nd
certification titles. Both new and experienced users will benefit from these
publications. For curren t Cisco Press titles and other information , go to Cisco
Press at this URL:
http://www.ciscopress.com
• Pa cket magaz ine is the Cisc o System s technic al user magaz ine for
maximizing Intern et an d networking investments. Each quarte r, Packet
delivers coverage of the latest industry trends, technology breakthroughs, and
Cisco products and solution s, as well as ne twork deployment and
troubleshooting ti ps, c onfigura tion exa mp les, cust om er c as e st udie s,
certification and training information, and links to scores of in-depth online
resources. You can access Packet magazine at this URL:
http://www.cisco.com/packet
• iQ Magazine is the quarterly publ icat ion from Ci sco Sy stem s d esign ed t o
help growing comp an ies learn how th ey ca n u se techn ol ogy to i ncr ea se
revenue, streamline their business, and expand services. The publication
Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
78-15597-02
xxiii
Obtaining Additional Publications and Information
identifies the chal leng es facin g these compan ies and the tec hnologi es to help
solve them, using real-world case studies and business strategies to help
readers make sound techn ology investment decisions. You can access iQ
Magazine at thi s URL:
http://www.cisco.com/go/iqmagazine
• Internet Protocol Journal is a qua rte rly jour nal pub lished by Ci sco Syste ms
for engineerin g p rofe ssiona ls involved in designing , developing, and
operating public and private internets and intranets. You can access the
Internet Protocol Jour nal at this URL:
http://www.cisco.com/ipj
• Worl d-cla ss networking training is available from Cisco. You can view
current offerings at thi s URL:
http://www.cisco.com/en/US/learning/index.html
Preface
Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
xxiv
78-15597-02
CHAPTER
1
Introducing the Sensor
This chapter i ntr odu ces t h e sen sor a nd provi des i nf orma tion y ou shou l d k now
before you instal l the sensor. In this guide, the te rm “sensor” refers to all models
unless specifically noted otherwise. See Supported Sensors, page 1-16, for a
complete list of suppor ted sensors and their model numbers.
This chapter contains the following topics:
• Appliances, pa ge 1-1
• Modules, page 1-12
• Supported Sensors, page 1-16
Appliances
Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
78-15597-02
• Setting the Time on Sensors, page 1-18
• Installation Preparation, page 1-20
• Worki n g in an ES D E nvironment, p age 1-21
This section describes the appliance and contains the following topics:
• Introducing the Ap plian ce, page 1-2
• How the Appliance Fun ction s, page 1-3
• Your Network Topology, page 1-4
• Placing an App l iance on Your Network, pa ge 1-6
• Deployment Conside rations, pa ge 1-8
1-1
Appliances
• Appliance Restr ictions , page 1-9
• Setting Up a Terminal Server, page 1-9
Introducing the Appliance
The appliance is a high-pe rfor manc e, plug-a nd-pla y device. The a pplia nce is a
component of th e In tr usion D etec tio n Sy stem ( IDS ), a n etwork-b as ed, re al-t ime
intrusion detection system. See Supported Sensors, page 1-16, for a list of
supported applian ces.
You can use th e C omm a nd Li ne I nt erfac e (C LI ), IDS Device M an ager, or
Management Center for IDS Sens ors to configure th e applian ce. Refer t o your
IDS manager d ocume nta tio n. To access IDS docum enta tion on Cisc o.co m, re fer
to Cisco Intrusion Dete ction Syst em (IDS) H ardware and Software Version 4.1
Documentation Guide that shipped with your appliance.
Chapter 1 Introducing the Sensor
You can configure the appliance to respond to recognized signatures as it captures
and analyze s ne twor k tr affic. These r espon ses inc lu de l og ging th e event,
forwarding the event to the I DS man ager, perform ing a TCP rese t, ge nera ting a n
IP log, capturing the alert trigger packet, and/or reconfiguring a router.
After being installed at key points in the network, the appliance monitors and
performs real-time analysis of ne twork traffic by looking for anoma lies and
misuse based on an extensive, embedded signature lib rary. When the system
detects unauthorized activity, appliances can terminate the specific connection,
permanently block the att acking host, log the inciden t, and send an alert to the I DS
manager . Other le gitimate connections continue to operate indep endently without
interruption.
Appliances ca n al so moni tor and an aly ze sy sl og me ssa ges fr om Cisco rou ter s t o
detect and re port n etwork sec urity po l icy viol ati ons .
Appliances are opt imiz ed for spe cific data ra tes an d are pa ckag ed in Et hernet ,
Fast Ethernet, a nd G igabit Et herne t c on figurati ons. I n sw itc hed e nvironments,
appliances must be c onnected to the switch ’s Swi tched Port Ana lyzer (SPAN) port
or VLAN Access Control lis t (VACL) capture port.
Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
1-2
78-15597-02
Chapter 1 Introducing the Sensor
How the Appliance Functions
This section explains how the appliance captures network traffic.
Each appliance comes with at least two interfaces. In a typical installation, one
interface monitors (sniffs) the desired network segment, and the other interface
(command and cont rol) com municat es with the IDS manager a nd other netwo rk
devices. The monitoring inte rface is in pro miscuous mode, mean ing it has n o IP
address and is not vi sibl e on the m on itore d segm en t.
Note With the addition of the 4-port Fast Ethernet NIC card, the IDS-4235, IDS-4250,
and the IDS-4215 have six interfaces. With the addition of the 2-port XL card, the
IDS-4250 has four interfaces. With the addition of the SX card, the IDS-4250 has
three interfaces.
Appliances
The comman d a nd cont r ol i nte rfa ce i s always Ethe rn et. Thi s inte r face has a n
assigned IP address, which allows it to communicate with the IDS manager
workstation or network devices (typically a Cisco router). Because this interface
is visible on the network, you should use encryption to maintain data privacy.
Secure Shell (SSH) is used to protect the Command Line Interface (CLI) and the
Transaction Layer Security/Secure Sockets Layer (TLS/SSL) is used to protect
the IDS manager workstation. Both SSH and T LS/SSL are enabled by default o n
the IDS manager workstations .
When responding to attacks, the appliance can do the following:
• Insert TCP resets via th e monitoring interface.
Note The TCP reset action is only appropriate as an action selection on
those signatures that are associated with a TCP-based service. If
selected as an action on non-TCP-based services, no action is taken.
Additionally, TCP resets are not guaranteed to tear down an offending
session because of limita tions in the TCP pr otocol. O n the
IDS-4250-XL, TCP re sets are se nt throug h the TCP Rese t interface.
• Make access control lis t (ACL) changes on routers th at the appli ance
manages.
Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
78-15597-02
1-3
Appliances
Note ACLs may block only future traffic, not current traffic.
• Generate IP session logs
IP session logs are used to gather information about unauthorized use. IP log
files are written wh en a cert ain e vent or ev ents occu r that you hav e conf igured
the appliance to look for.
Because the appliance is not in the d ata path, it ha s a negligi ble impact on ne twork
performance. However, there are limitations on the data spee ds it can moni tor.
Your Network Topology
Before you dep loy an d c on figure y our a pp lianc es , y ou shoul d under stand t he
following about your ne twork :
Chapter 1 Introducing the Sensor
• The size and c om plexity of yo ur ne twork .
• Connections betw een your ne twork and othe r networks (and the Inte rnet).
• The amount and type of network tra ffic on your network.
This knowledge will he lp you determ ine how many appliances ar e requ ired, t he
hardware configurati on for each applianc e (for exam ple, th e size and type of
network interfac e c ards) , and h ow many IDS mana ge rs ar e ne eded .
The appliance monitors all traffic across a given network segment. With that in
mind, you should consider all the connections to the network you want to protect.
These connections fall into four categories, or locations, as illustrated in
Figure 1-1 on page 1-5.
Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
1-4
78-15597-02
Chapter 1 Introducing the Sensor
Figure 1-1 Major Types of Network Connections
Appliances
Internet
Business
partner
1
Appliance
E-commerce
network
Appliance Appliance
3
Appliance
Dial-up
server
Research and
Development
network
83874
42
In location one, the appliance is placed to monitor traffic between the
E-commerce (protected ) network and the Internet. Th is is referred to as perim eter
protection an d i s the mo st c ommon d ep loymen t fo r an a pplian ce. T his loc at ion
can be shared with firewall protection and is discussed in Placing an Applia nce on
Your Network, page 1-6.
Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
78-15597-02
In location two, the appliance is monitoring an extranet connection with a
business partner. Although most companies h ave defined policie s on the u se an d
security of this type of co nnec tion, the re is no guarant ee tha t the network of a
partner is ade qua te ly pr ote cte d. Co nse quent ly, an outsider may e nte r your
network through t his t ype o f co nnect ion . Th ese extra ne t c on necti ons may have
firewalls as well.
In location three, the a pplia nce is monitoring the netwo rk si de o f a r emo te a cc ess
server. Although t his c on necti on m ay be o nly for emp loyee use, it could be
vulnerable to external attack.
In location four, the appliance is monitoring an intr anet connectio n. F or e xa mple,
the protected net work of one depa rtm ent m a y cont ai n an e -com me rce s ite whe re
all the acc ess type s de scr ibe d so far a re r e quire d. T he n etwor k of anot her
department may co ntain c ompany-spec ific researc h and development or oth er
engineering info rmat ion and shou ld be given additional pro tectio n.
1-5
Appliances
Determine which segments of the network you want to monitor to determine the
location for the applianc e. Remember, each appliance maintains a securit y policy
configured for the se gme nt it is monitoring . The security policies can be standard
across the organization or unique for each appliance. You may consider changing
your network topology to force traffic across a given monitored network segment.
There are always operational trade-offs when going through this process. The end
result should be a rough idea of the number of appliances required to protect the
desired network.
Placing an Appliance on Your Network
You can place an appliance in front of or behind a firewall. Each position has
benefits and drawbacks.
Placing an appliance in front of a firewall allows the appliance to monitor all
incoming and outgoing network traffic. However, when deployed in this manner,
the appliance does not detect traffic that is internal to the network. An internal
attacker taking advantage of vulnerabilities in network services would remain
undetected by th e extern al ap plian ce (s ee Figure 1-2 on p age 1-7).
Chapter 1 Introducing the Sensor
Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
1-6
78-15597-02
Loading...