Cisco Systems IPS4510K9 User Manual

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Text Part Number: OL-29168-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2 © 2013 Cisco Systems, Inc. All rights reserved.
CONTENTS

Preface
  Audience
  Organization
  Conventions
  Related Documentation
  Obtaining Documentation and Submitting a Service Request

CHAPTER  Logging In to the Sensor
  Logging In Notes and Caveats
  Supported User Roles
  Logging In to the Appliance
  Connecting an Appliance to a Terminal Server
  Logging In to the ASA 5500-X IPS SSP
  Logging In to the ASA 5585-X IPS SSP
  Logging In to the Sensor

CHAPTER 1  Introducing the CLI Configuration Guide
  Supported IPS Platforms
  IPS CLI Configuration Guide
  Sensor Configuration Sequence
  User Roles
  CLI Behavior
  Command Line Editing
  IPS Command Modes
  Regular Expression Syntax
  Generic CLI Commands
  CLI Keywords

CHAPTER 2  Initializing the Sensor
  Initializing Notes and Caveats
  Understanding Initialization
  Simplified Setup Mode
  System Configuration Dialog
  Basic Sensor Setup
  Advanced Setup
    Advanced Setup for the Appliance
    Advanced Setup for the ASA 5500-X IPS SSP
    Advanced Setup for the ASA 5585-X IPS SSP
  Verifying Initialization

CHAPTER 3  Setting Up the Sensor
  Setup Notes and Caveats
  Understanding Sensor Setup
  Changing Network Settings
    Changing the Hostname
    Changing the IP Address, Netmask, and Gateway
    Enabling and Disabling Telnet
    Changing the Access List
    Changing the FTP Timeout
    Adding a Login Banner
    Configuring the DNS and Proxy Servers for Global Correlation and Automatic Update
    Enabling SSHv1 Fallback
  Changing the CLI Session Timeout
  Changing Web Server Settings
  Configuring Authentication and User Parameters
    Adding and Removing Users
    Configuring Authentication
    Configuring Packet Command Restriction
    Creating the Service Account
    The Service Account and RADIUS Authentication
    RADIUS Authentication Functionality and Limitations
    Configuring Passwords
    Changing User Privilege Levels
    Showing User Status
    Configuring the Password Policy
    Locking User Accounts
    Unlocking User Accounts
  Configuring Time
    Time Sources and the Sensor
    Synchronizing IPS Module System Clocks with the Parent Device System Clock
    Correcting Time on the Sensor
    Configuring Time on the Sensor
      Displaying the System Clock
      Manually Setting the System Clock
      Configuring Recurring Summertime Settings
      Configuring Nonrecurring Summertime Settings
      Configuring Time Zones Settings
    Configuring NTP
      Configuring a Cisco Router to be an NTP Server
      Configuring the Sensor to Use an NTP Time Source
  Configuring SSH
    Understanding SSH
    Adding Hosts to the SSH Known Hosts List
    Adding Authorized RSA1 and RSA2 Keys
    Generating the RSA Server Host Key
  Configuring TLS
    Understanding TLS
    Adding TLS Trusted Hosts
    Displaying and Generating the Server Certificate
  Installing the License Key
    Understanding the License Key
    Service Programs for IPS Products
    Obtaining and Installing the License Key
    Licensing the ASA 5500-X IPS SSP
    Uninstalling the License Key

CHAPTER 4  Configuring Interfaces
  Interface Notes and Caveats
  Understanding Interfaces
    IPS Interfaces
    Command and Control Interface
    Sensing Interfaces
    TCP Reset Interfaces
    Understanding Alternate TCP Reset Interfaces
    Designating the Alternate TCP Reset Interface
    Interface Support
    Interface Configuration Restrictions
    Interface Configuration Sequence
  Configuring Physical Interfaces
  Configuring Promiscuous Mode
    Understanding Promiscuous Mode
    Configuring Promiscuous Mode
    IPv6, Switches, and Lack of VACL Capture
  Configuring Inline Interface Mode
    Understanding Inline Interface Mode
    Configuring Inline Interface Pairs
  Configuring Inline VLAN Pair Mode
    Understanding Inline VLAN Pair Mode
    Configuring Inline VLAN Pairs
  Configuring VLAN Group Mode
    Understanding VLAN Group Mode
    Deploying VLAN Groups
    Configuring VLAN Groups
  Configuring Inline Bypass Mode
    Understanding Inline Bypass Mode
    Configuring Inline Bypass Mode
  Configuring Interface Notifications
  Configuring CDP Mode
  Displaying Interface Statistics
  Displaying Interface Traffic History

CHAPTER 5  Configuring Virtual Sensors
  Virtual Sensor Notes and Caveats
  Understanding the Analysis Engine
  Understanding Virtual Sensors
  Advantages and Restrictions of Virtualization
  Inline TCP Session Tracking Mode
  Normalization and Inline TCP Evasion Protection Mode
  HTTP Advanced Decoding
  Adding, Editing, and Deleting Virtual Sensors
    Adding Virtual Sensors
    Editing and Deleting Virtual Sensors
  Configuring Global Variables

CHAPTER 7  Defining Signatures
  Signature Definition Notes and Caveats
  Understanding Policies
  Working With Signature Definition Policies
  Understanding Signatures
  Configuring Signature Variables
    Understanding Signature Variables
    Creating Signature Variables
  Configuring Signatures
    Signature Definition Options
    Configuring Alert Frequency
    Configuring Alert Severity
    Configuring the Event Counter
    Configuring Signature Fidelity Rating
    Configuring the Status of Signatures
    Configuring the Vulnerable OSes for a Signature
    Assigning Actions to Signatures
    Configuring AIC Signatures
      Understanding the AIC Engine
      AIC Engine and Sensor Performance
      Configuring the Application Policy
      AIC Request Method Signatures
      AIC MIME Define Content Type Signatures
      AIC Transfer Encoding Signatures
      AIC FTP Commands Signatures
      Creating an AIC Signature
    Configuring IP Fragment Reassembly
      Understanding IP Fragment Reassembly
      IP Fragment Reassembly Signatures and Configurable Parameters
      Configuring IP Fragment Reassembly Parameters
      Configuring the Method for IP Fragment Reassembly
    Configuring TCP Stream Reassembly
      Understanding TCP Stream Reassembly
      TCP Stream Reassembly Signatures and Configurable Parameters
      Configuring TCP Stream Reassembly Signatures
      Configuring the Mode for TCP Stream Reassembly
    Configuring IP Logging
  Creating Custom Signatures
    Sequence for Creating a Custom Signature
    Example String TCP Engine Signature
    Example Service HTTP Engine Signature
    Example Meta Engine Signature
    Example IPv6 Engine Signature
    Example String XL TCP Engine Match Offset Signature
    Example String XL TCP Engine Minimum Match Length Signature

CHAPTER 8  Configuring Event Action Rules
  Event Action Rules Notes and Caveats
  Understanding Security Policies
  Understanding Event Action Rules
  Signature Event Action Processor
  Event Actions
  Event Action Rules Configuration Sequence
  Working With Event Action Rules Policies
  Event Action Variables
    Understanding Event Action Variables
    Adding, Editing, and Deleting Event Action Variables
  Configuring Target Value Ratings
    Calculating the Risk Rating
    Understanding Threat Rating
    Adding, Editing, and Deleting Target Value Ratings
  Configuring Event Action Overrides
    Understanding Event Action Overrides
    Adding, Editing, Enabling, and Disabling Event Action Overrides
  Configuring Event Action Filters
    Understanding Event Action Filters
    Configuring Event Action Filters
  Configuring OS Identifications
    Understanding Passive OS Fingerprinting
    Passive OS Fingerprinting Configuration Considerations
    Adding, Editing, Deleting, and Moving Configured OS Maps
    Displaying and Clearing OS Identifications
  Configuring General Settings
    Understanding Event Action Summarization
    Understanding Event Action Aggregation
    Configuring the General Settings
  Configuring the Denied Attackers List
    Adding a Deny Attacker Entry to the Denied Attackers List
    Monitoring and Clearing the Denied Attackers List
  Monitoring Events
    Displaying Events
    Clearing Events from Event Store

CHAPTER 9  Configuring Anomaly Detection
  Anomaly Detection Notes and Caveats
  Understanding Security Policies
  Understanding Anomaly Detection
  Understanding Worms
  Anomaly Detection Modes
  Anomaly Detection Zones
  Anomaly Detection Configuration Sequence
  Anomaly Detection Signatures
  Enabling Anomaly Detection
  Working With Anomaly Detection Policies
  Configuring Anomaly Detection Operational Settings
  Configuring the Internal Zone
    Understanding the Internal Zone
    Configuring the Internal Zone
    Configuring TCP Protocol for the Internal Zone
    Configuring UDP Protocol for the Internal Zone
    Configuring Other Protocols for the Internal Zone
  Configuring the Illegal Zone
    Understanding the Illegal Zone
    Configuring the Illegal Zone
    Configuring TCP Protocol for the Illegal Zone
    Configuring UDP Protocol for the Illegal Zone
    Configuring Other Protocols for the Illegal Zone
  Configuring the External Zone
    Understanding the External Zone
    Configuring the External Zone
    Configuring TCP Protocol for the External Zone
    Configuring UDP Protocol for the External Zone
    Configuring Other Protocols for the External Zone
  Configuring Learning Accept Mode
    The KB and Histograms
    Configuring Learning Accept Mode
  Working With KB Files
    Displaying KB Files
    Saving and Loading KBs Manually
    Copying, Renaming, and Erasing KBs
    Displaying the Differences Between Two KBs
    Displaying the Thresholds for a KB
  Displaying Anomaly Detection Statistics
  Disabling Anomaly Detection

CHAPTER 10  Configuring Global Correlation
  Global Correlation Notes and Caveats
  Understanding Global Correlation
  Participating in the SensorBase Network
    Understanding Reputation
    Understanding Network Participation
    Understanding Efficacy
    Understanding Reputation and Risk Rating
    Global Correlation Features and Goals
  Global Correlation Requirements
  Understanding Global Correlation Sensor Health Metrics
  Configuring Global Correlation Inspection and Reputation Filtering
    Understanding Global Correlation Inspection and Reputation Filtering
    Configuring Global Correlation Inspection and Reputation Filtering
  Configuring Network Participation
  Troubleshooting Global Correlation
  Disabling Global Correlation
  Displaying Global Correlation Statistics

CHAPTER 11  Configuring External Product Interfaces
  External Product Interface Notes and Caveats
  Understanding External Product Interfaces
  Understanding the CSA MC
  External Product Interface Issues
  Configuring the CSA MC to Support the IPS Interface
  Adding External Product Interfaces and Posture ACLs
  Troubleshooting External Product Interfaces

CHAPTER 12  Configuring IP Logging
  IP Logging Notes and Caveats
  Understanding IP Logging
  Configuring Automatic IP Logging
  Configuring Manual IP Logging for a Specific IP Address
  Displaying the Contents of IP Logs
  Stopping Active IP Logs
  Copying IP Log Files to Be Viewed

CHAPTER 13  Displaying and Capturing Live Traffic on an Interface
  Packet Display and Capture Notes and Caveats
  Understanding Packet Display and Capture
  Displaying Live Traffic on an Interface
  Capturing Live Traffic on an Interface
  Copying the Packet File
  Erasing the Packet File

CHAPTER 14  Configuring Attack Response Controller for Blocking and Rate Limiting
  Blocking Notes and Caveats
  Understanding Blocking
  Understanding Rate Limiting
  Understanding Service Policies for Rate Limiting
  Before Configuring ARC
  Supported Devices
  Configuring Blocking Properties
    Allowing the Sensor to Block Itself
    Disabling Blocking
    Specifying Maximum Block Entries
    Specifying the Block Time
    Enabling ACL Logging
    Enabling Writing to NVRAM
    Logging All Blocking Events and Errors
    Configuring the Maximum Number of Blocking Interfaces
    Configuring Addresses Never to Block
  Configuring User Profiles
  Configuring Blocking and Rate Limiting Devices
    How the Sensor Manages Devices
    Configuring the Sensor to Manage Cisco Routers
      Routers and ACLs
      Configuring the Sensor to Manage Cisco Routers
    Configuring the Sensor to Manage Catalyst 6500 Series Switches and Cisco 7600 Series Routers
      Switches and VACLs
      Configuring the Sensor to Manage Catalyst 6500 Series Switches and Cisco 7600 Series Routers
    Configuring the Sensor to Manage Cisco Firewalls
  Configuring the Sensor to be a Master Blocking Sensor
  Configuring Host Blocking
  Configuring Network Blocking
  Configuring Connection Blocking
  Obtaining a List of Blocked Hosts and Connections

CHAPTER 15  Configuring SNMP
  SNMP Notes and Caveats
  Understanding SNMP
  Configuring SNMP
  Configuring SNMP Traps
  Supported MIBS

CHAPTER 16  Working With Configuration Files
  Displaying the Current Configuration
  Displaying the Current Submode Configuration
  Filtering the Current Configuration Output
  Filtering the Current Submode Configuration Output
  Displaying the Contents of a Logical File
  Backing Up and Restoring the Configuration File Using a Remote Server
  Creating and Using a Backup Configuration File
  Erasing the Configuration File

CHAPTER 17  Administrative Tasks for the Sensor
  Administrative Notes and Caveats
  Recovering the Password
    Understanding Password Recovery
    Recovering the Password for the Appliance
      Using the GRUB Menu
      Using ROMMON
    Recovering the Password for the ASA 5500-X IPS SSP
    Recovering the Password for the ASA 5585-X IPS SSP
    Disabling Password Recovery
    Verifying the State of Password Recovery
    Troubleshooting Password Recovery
  Clearing the Sensor Databases
  Displaying the Inspection Load of the Sensor
  Configuring Health Status Information
  Showing Sensor Overall Health Status
  Creating a Banner Login
  Terminating CLI Sessions
  Modifying Terminal Properties
  Configuring Events
    Displaying Events
    Clearing Events from the Event Store
  Configuring the System Clock
    Displaying the System Clock
    Manually Setting the System Clock
  Clearing the Denied Attackers List
  Displaying Policy Lists
  Displaying Statistics
  Displaying Tech Support Information
  Displaying Version Information
  Diagnosing Network Connectivity
  Resetting the Appliance
  Displaying Command History
  Displaying Hardware Inventory
  Tracing the Route of an IP Packet
  Displaying Submode Settings

CHAPTER 18  Configuring the ASA 5500-X IPS SSP
  Notes and Caveats for ASA 5500-X IPS SSP
  Configuration Sequence for the ASA 5500-X IPS SSP
  Verifying Initialization for the ASA 5500-X IPS SSP
  Creating Virtual Sensors for the ASA 5500-X IPS SSP
    The ASA 5500-X IPS SSP and Virtualization
    Virtual Sensor Configuration Sequence for ASA 5500-X IPS SSP
    Creating Virtual Sensors
    Assigning Virtual Sensors to Adaptive Security Appliance Contexts
  The ASA 5500-X IPS SSP and Bypass Mode
  The ASA 5500-X IPS SSP and the Normalizer Engine
  The ASA 5500-X IPS SSP and Jumbo Packets
  The ASA 5500-X IPS SSP and Memory Usage
  Reloading, Shutting Down, Resetting, and Recovering the ASA 5500-X IPS SSP
  Health and Status Information
  ASA 5500-X IPS SSP Failover Scenarios
  New and Modified Commands

CHAPTER 19  Configuring the ASA 5585-X IPS SSP
  ASA 5585-X IPS SSP Notes and Caveats
  Configuration Sequence for the ASA 5585-X IPS SSP
  Verifying Initialization for the ASA 5585-X IPS SSP
  Creating Virtual Sensors for the ASA 5585-X IPS SSP
    The ASA 5585-X IPS SSP and Virtualization
    The ASA 5585-X IPS SSP Virtual Sensor Configuration Sequence
    Creating Virtual Sensors
    Assigning Virtual Sensors to Adaptive Security Appliance Contexts
  The ASA 5585-X IPS SSP and the Normalizer Engine
  The ASA 5585-X IPS SSP and Bypass Mode
  ASA 5585-X IPS SSP and Jumbo Packets
  Reloading, Shutting Down, Resetting, and Recovering the ASA 5585-X IPS SSP
  Health and Status Information
  Traffic Flow Stopped on IPS Switchports
  Failover Scenarios

CHAPTER 20  Obtaining Software
  IPS 7.2 File List
  Obtaining Cisco IPS Software
  IPS Software Versioning
  IPS Software Release Examples
  Accessing IPS Documentation
  Cisco Security Intelligence Operations

CHAPTER 21  Upgrading, Downgrading, and Installing System Images
  Upgrade Notes and Caveats
  Upgrades, Downgrades, and System Images
  Supported FTP and HTTP/HTTPS Servers
  Upgrading the Sensor
    IPS 7.2(1)E4 Files
    Upgrade Notes and Caveats
    Manually Upgrading the Sensor
    Working With Upgrade Files
    Upgrading the Recovery Partition
  Configuring Automatic Upgrades
    Configuring Automatic Updates
    Applying an Immediate Update
  Downgrading the Sensor
  Recovering the Application Partition
  Installing System Images
    ROMMON
    TFTP Servers
    Connecting an Appliance to a Terminal Server
    Installing the System Image for the IPS 4345 and IPS 4360
    Installing the System Image for the IPS 4510 and IPS 4520
    Installing the System Image for the ASA 5500-X IPS SSP
    Installing the System Image for the ASA 5585-X IPS SSP
      Installing the ASA 5585-X IPS SSP System Image Using the hw-module Command
      Installing the ASA 5585-X IPS SSP System Image Using ROMMON

APPENDIX A  System Architecture
  Understanding the IPS System Architecture
  IPS System Design
  System Applications
  Security Features
  MainApp
    Understanding the MainApp
    MainApp Responsibilities
    Event Store
      Understanding the Event Store
      Event Data Structures
      IPS Events
    NotificationApp
    CtlTransSource
    Attack Response Controller
      Understanding the ARC
      ARC Features
      Supported Blocking Devices
      ACLs and VACLs
      Maintaining State Across Restarts
      Connection-Based and Unconditional Blocking
      Blocking with Cisco Firewalls
      Blocking with Catalyst Switches
    Logger
    AuthenticationApp
      Understanding the AuthenticationApp
      Authenticating Users
      Configuring Authentication on the Sensor
      Managing TLS and SSH Trust Relationships
    Web Server
  SensorApp
    Understanding the SensorApp
    Inline, Normalization, and Event Risk Rating Features
    SensorApp New Features
    Packet Flow
    Signature Event Action Processor
  CollaborationApp
    Understanding the CollaborationApp
    Update Components
    Error Events
  SwitchApp
  CLI
    User Roles
    Service Account
  Communications
    IDAPI
    IDIOM
    IDCONF
    SDEE
    CIDEE
  Cisco IPS File Structure
  Summary of Cisco IPS Applications

APPENDIX B  Signature Engines
  Understanding Signature Engines
  Master Engine
    General Parameters
    Alert Frequency
    Event Actions
  Regular Expression Syntax
  AIC Engine
    Understanding the AIC Engine
    AIC Engine and Sensor Performance
    AIC Engine Parameters
  Atomic Engine
    Atomic ARP Engine
    Atomic IP Advanced Engine
    Atomic IP Engine
    Atomic IPv6 Engine
  Fixed Engine
  Flood Engine
  Meta Engine
  Multi String Engine
  Normalizer Engine
  Service Engines
    Understanding the Service Engines
    Service DNS Engine
    Service FTP Engine
    Service Generic Engine
    Service H225 Engine
    Service HTTP Engine
    Service IDENT Engine
    Service MSRPC Engine
    Service MSSQL Engine
    Service NTP Engine
    Service P2P Engine
    Service RPC Engine
    Service SMB Advanced Engine
    Service SNMP Engine
    Service SSH Engine
    Service TNS Engine
  State Engine
  String Engines
  String XL Engines
  Sweep Engines
    Sweep Engine
    Sweep Other TCP Engine
  Traffic Anomaly Engine
  Traffic ICMP Engine
  Trojan Engines

APPENDIX C  Troubleshooting
  Bug Toolkit
  Preventive Maintenance
    Understanding Preventive Maintenance
    Creating and Using a Backup Configuration File
    Backing Up and Restoring the Configuration File Using a Remote Server
    Creating the Service Account
  Disaster Recovery
  Password Recovery
    Understanding Password Recovery
    Recovering the Password for the Appliance
      Using the GRUB Menu
      Using ROMMON
    Recovering the Password for the ASA 5500-X IPS SSP
    Recovering the Password for the ASA 5585-X IPS SSP
    Disabling Password Recovery
    Verifying the State of Password Recovery
    Troubleshooting Password Recovery
  Time Sources and the Sensor
    Time Sources and the Sensor
    Synchronizing IPS Clocks with Parent Device Clocks
    Verifying the Sensor is Synchronized with the NTP Server
    Correcting Time on the Sensor
  Advantages and Restrictions of Virtualization
  Supported MIBs
  Troubleshooting Global Correlation
  When to Disable Anomaly Detection
  Analysis Engine Not Responding
  Troubleshooting External Product Interfaces
    External Product Interfaces Issues
    External Product Interfaces Troubleshooting Tips
  Troubleshooting the Appliance
    Troubleshooting Loose Connections
    The Analysis Engine is Busy
    Communication Problems
      Cannot Access the Sensor CLI Through Telnet or SSH
      Correcting a Misconfigured Access List
      Duplicate IP Address Shuts Interface Down
    The SensorApp and Alerting
      The SensorApp is Not Running
      Physical Connectivity, SPAN, or VACL Port Issue
      Unable to See Alerts
      Sensor Not Seeing Packets
      Cleaning Up a Corrupted SensorApp Configuration
    Blocking
      Troubleshooting Blocking
      Verifying the ARC is Running
      Verifying ARC Connections are Active
      Device Access Issues
      Verifying the Interfaces and Directions on the Network Device
      Enabling SSH Connections to the Network Device
      Blocking Not Occurring for a Signature
      Verifying the Master Blocking Sensor Configuration
    Logging
      Enabling Debug Logging
      Zone Names
      Directing cidLog Messages to SysLog
    TCP Reset Not Occurring for a Signature
    Software Upgrades
      Upgrading Error
      Which Updates to Apply and Their Prerequisites
      Issues With Automatic Update
      Updating a Sensor with the Update Stored on the Sensor
  Troubleshooting the IDM
    Cannot Launch the IDM - Loading Java Applet Failed
    Cannot Launch the IDM - The Analysis Engine Busy
    The IDM, Remote Manager, or Sensing Interfaces Cannot Access Sensor
    Signatures Not Producing Alerts
  Troubleshooting the IME
    Time Synchronization on IME and the Sensor
    Not Supported Error Message
  Troubleshooting the ASA 5500-X IPS SSP
    Health and Status Information
    Failover Scenarios
    The ASA 5500-X IPS SSP and the Normalizer Engine
    The ASA 5500-X IPS SSP and Memory Usage
    The ASA 5500-X IPS SSP and Jumbo Packets
  Troubleshooting the ASA 5585-X IPS SSP
    Health and Status Information
    Failover Scenarios
    Traffic Flow Stopped on IPS Switchports
    The ASA 5585-X IPS SSP and the Normalizer Engine
    The ASA 5585-X IPS SSP and Jumbo Packets
  Gathering Information
    Health and Network Security Information
    Tech Support Information
      Understanding the show tech-support Command
      Displaying Tech Support Information
      Tech Support Command Output
    Version Information
      Understanding the show version Command
      Displaying Version Information
    Statistics Information
      Understanding the show statistics Command
      Displaying Statistics
    Interfaces Information
      Understanding the show interfaces Command
      Interfaces Command Output
      Displaying Interface Traffic History
    Events Information
      Sensor Events
      Understanding the show events Command
      Displaying Events
      Clearing Events
    cidDump Script
    Uploading and Accessing Files on the Cisco FTP Site

APPENDIX D  CLI Error Messages
  CLI Error Messages
  CLI Validation Error Messages

GLOSSARY

INDEX


Preface

Published: April 29, 2013, OL-29168-01
This document describes how to configure the sensor using the Cisco IPS 7.2 CLI. It contains the following sections:

Audience

This guide is intended for administrators who need to do the following:

Organization

This guide includes the following sections:
Section Title Description
1 “Introducing the CLI Configuration
2 “Logging In to the Sensor” Describes how to log in to the various sensors.
Audience, page xxiii
Organization, page xxiii
Related Documentation, page xxv
Obtaining Documentation and Submitting a Service Request, page xxvi

Audience
Configure the sensor for intrusion prevention using the CLI.
Secure their network with IPS sensors.
Prevent intrusion on their networks and monitor subsequent alerts.

Organization
Chapter Section Title Description
“Introducing the CLI Configuration Guide” Describes the purpose of the CLI Configuration Guide.
3 “Initializing the Sensor” Describes how to use the setup command to initialize sensors.
4 “Setting Up the Sensor” Describes how to use the CLI to configure initial settings on the sensor.
5 “Configuring Interfaces” Describes how to configure promiscuous, inline, inline VLAN pair, and VLAN group interfaces.
6 “Configuring Virtual Sensors” Describes how to configure virtual sensors.
7 “Configuring Event Action Rules” Describes how to configure event action rules policies on the sensor.
8 “Defining Signatures” Describes how to add, clone, and edit signatures.
9 “Configuring Anomaly Detection” Describes how to configure anomaly detection policies on the sensor.
10 “Configuring Global Correlation” Describes how to configure global correlation features on the sensor.
11 “Configuring External Product Interfaces” Describes how to configure external product interfaces for CSA MC.
12 “Configuring IP Logging” Describes how to configure IP logging on the sensor.
13 “Displaying and Capturing Live Traffic on an Interface” Describes how to display and capture live traffic on sensor interfaces.
14 “Configuring Attack Response Controller for Blocking and Rate Limiting” Describes how to configure blocking and rate limiting on Cisco routers, and switches, and how to configure a master blocking sensor.
15 “Configuring SNMP” Describes how to configure SNMP on the sensor.
16 “Working With Configuration Files” Describes how to use configuration files on the sensor.
17 “Administrative Tasks for the Sensor” Describes various administrative procedures to help you keep your sensor working and up to date.
18 “Configuring the ASA 5500-X IPS SSP” Describes how to configure the ASA 5500-X IPS SSP.
19 “Configuring the ASA 5585-X IPS SSP” Describes how to configure the ASA 5585-X IPS SSP.
20 “Obtaining Software” Describes where to go to get the latest IPS software and describes the naming conventions.
21 “Upgrading, Downgrading, and Installing System Images” Describes how to upgrade sensors and reimage the various sensors.
A “System Architecture” Describes the IPS system architecture.
B “Signature Engines” Describes the IPS signature engines and their parameters.
C “Troubleshooting” Contains troubleshooting tips for IPS hardware and software.
D “CLI Error Messages” Lists the CLI error messages.
E “Open Source License Files Used In Cisco IPS 7.2” Lists the open source license files used by the IPS.
“Glossary” Contains IPS acronyms and terms.

Conventions

This document uses the following conventions:
Convention Indication
bold font Commands and keywords and user-entered text appear in bold font.
italic font Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.
[ ] Elements in square brackets are optional.
{x | y | z } Required alternative keywords are grouped in braces and separated by vertical bars.
[ x | y | z ] Optional alternative keywords are grouped in brackets and separated by vertical bars.
string A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
courier font Terminal sessions and information the system displays appear in courier font.
< > Nonprinting characters such as passwords are in angle brackets.
[ ] Default responses to system prompts are in square brackets.
!, # An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.
Note Means reader take note.
Tip Means the following information will help you solve a problem.
Caution Means reader be careful. In this situation, you might perform an action that could result in equipment damage or loss of data.
Timesaver Means the described action saves time. You can save time by performing the action described in the paragraph.
Warning Means reader be warned. In this situation, you might perform an action that could result in bodily injury.

Related Documentation

For a complete list of the Cisco IPS 7.2 documentation and where to find it, refer to the following URL:
http://www.cisco.com/en/US/docs/security/ips/7.2/roadmap/roadmap7_2.html
For a complete list of the Cisco ASA 5500 series documentation and where to find it, refer to the following URL:
http://www.cisco.com/en/US/docs/security/asa/roadmap/asaroadmap.html

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.

CHAPTER ii

Logging In to the Sensor

This chapter explains how to log in to the sensor. It contains the following sections:
Logging In Notes and Caveats, page ii-1
Supported User Roles, page ii-1
Logging In to the Appliance, page ii-2
Connecting an Appliance to a Terminal Server, page ii-3
Logging In to the ASA 5500-X IPS SSP, page ii-4
Logging In to the ASA 5585-X IPS SSP, page ii-5
Logging In to the Sensor, page ii-6

Logging In Notes and Caveats

The following notes and caveats apply to logging in to the sensor:
All IPS platforms allow ten concurrent login sessions.
The service role is a special role that allows you to bypass the CLI if needed. Only a user with administrator privileges can edit the service account.
You must initialize the appliance (run the setup command) from the console. After networking is configured, SSH and Telnet are available. You can log in to the appliance from a console port.
You log in to the ASA 5500-X IPS SSP and ASA 5585-X IPS SSP from the adaptive security appliance.

Supported User Roles

You can log in with the following user privileges:
Administrator
Operator
Viewer
Service
The service role does not have direct access to the CLI. Service account users are logged directly into a bash shell. Use this account for support and troubleshooting purposes only. Unauthorized modifications are not supported and will require the sensor to be reimaged to guarantee proper operation. You can create only one user with the service role.
When you log in to the service account, you receive the following warning:
******************************** WARNING ***************************************** UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. This account is intended to be used for support and troubleshooting purposes only. Unauthorized modifications are not supported and will require this device to be re-imaged to guarantee proper operation. **********************************************************************************
Note
The service role is a special role that allows you to bypass the CLI if needed. Only a user with administrator privileges can edit the service account.
For More Information
For the procedure for creating the service account, see Creating the Service Account, page 3-28.
For the procedures for adding and deleting users, see Configuring Authentication and User Parameters, page 3-18.
Logging In to the Appliance
You can log in to the appliance from a console port. The currently supported Cisco IPS appliances are the IPS 4345, IPS 4360, IPS 4510, and IPS 4520.
To log in to the appliance, follow these steps:
Step 1 Connect a console port to the sensor to log in to the appliance.
Step 2 Enter your username and password at the login prompt.
Note
The default username and password are both cisco. You are prompted to change them the first time you log in to the appliance. You must first enter the UNIX password, which is cisco. Then you must enter the new password twice.
login: cisco
Password:
***NOTICE***
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to export@cisco.com.
***LICENSE NOTICE***
There is no license key installed on the system. Please go to http://www.cisco.com/go/license to obtain a new license or install a license.
sensor#
For More Information
For the procedure for connecting an appliance to a terminal server, see Connecting an Appliance to a Terminal Server, page ii-3.
For the procedure for using the setup command to initialize the appliance, see Basic Sensor Setup, page 2-4.
Connecting an Appliance to a Terminal Server
A terminal server is a router with multiple, low speed, asynchronous ports that are connected to other serial devices. You can use terminal servers to remotely manage network equipment, including appliances. To set up a Cisco terminal server with RJ-45 or hydra cable assembly connections, follow these steps:
Step 1 Connect to a terminal server using one of the following methods:
For terminal servers with RJ-45 connections, connect a rollover cable from the console port on the appliance to a port on the terminal server.
For hydra cable assemblies, connect a straight-through patch cable from the console port on the appliance to a port on the terminal server.
Step 2 Configure the line and port on the terminal server. In enable mode, enter the following configuration, where # is the line number of the port to be configured.
config t
line #
login
transport input all
stopbits 1
flowcontrol hardware
speed 9600
exit
exit
wr mem
Step 3 Be sure to properly close a terminal session to avoid unauthorized access to the appliance. If a terminal session is not stopped properly, that is, if it does not receive an exit(0) signal from the application that initiated the session, the terminal session can remain open. When terminal sessions are not stopped properly, authentication is not performed on the next session that is opened on the serial port.
Caution
Always exit your session and return to a login prompt before terminating the application used to establish the connection.
Caution
If a connection is dropped or terminated by accident, you should reestablish the connection and exit normally to prevent unauthorized access to the appliance.
Logging In to the ASA 5500-X IPS SSP
You log in to the ASA 5500-X IPS SSP from the adaptive security appliance.
To session in to the ASA 5500-X IPS SSP from the adaptive security appliance, follow these steps:
Step 1 Log in to the adaptive security appliance.
Note
If the adaptive security appliance is operating in multi-mode, use the change system command to get to the system level prompt before continuing.
Step 2 Session to the IPS. You have 60 seconds to log in before the session times out.
asa# session ips
Opening command session with slot 1.
Connected to slot 1.
Escape character sequence is 'CTRL-^X'.
Step 3 Enter your username and password at the login prompt.
Note
The default username and password are both cisco. You are prompted to change them the first time you log in to the module. You must first enter the UNIX password, which is cisco. Then you must enter the new password twice.
login: cisco
Password:
***NOTICE***
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to export@cisco.com.
***LICENSE NOTICE***
There is no license key installed on this IPS platform. The system will continue to operate with the currently installed signature set. A valid license must be obtained in order to apply signature updates. Please go to http://www.cisco.com/go/license to obtain a new license or install a license.
asa-ips#

Step 4 To escape from a session and return to the adaptive security appliance prompt, do one of the following:
Enter exit.
Press CTRL-Shift-6-x (represented as CTRL^X).
For More Information
For the procedure for using the setup command to initialize the ASA 5500-X IPS SSP, see Advanced Setup for the ASA 5500-X IPS SSP, page 2-13.
Logging In to the ASA 5585-X IPS SSP
You log in to the ASA 5585-X IPS SSP from the adaptive security appliance.
To session in to the ASA 5585-X IPS SSP from the adaptive security appliance, follow these steps:
Step 1 Log in to the adaptive security appliance.
Note
If the adaptive security appliance is operating in multi-mode, use the change system command to get to the system level prompt before continuing.
Step 2 Session to the ASA 5585-X IPS SSP. You have 60 seconds to log in before the session times out.
asa# session 1
Opening command session with slot 1.
Connected to slot 1.
Escape character sequence is 'CTRL-^X'.
Step 3 Enter your username and password at the login prompt.
Note
The default username and password are both cisco. You are prompted to change them the first time you log in to the module. You must first enter the UNIX password, which is cisco. Then you must enter the new password twice.
login: cisco
Password:
***NOTICE***
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to export@cisco.com.
***LICENSE NOTICE***
There is no license key installed on the system. Please go to http://www.cisco.com/go/license to obtain a new license or install a license.
ips-ssp#
Step 4 To escape from a session and return to the adaptive security appliance prompt, do one of the following:
Enter exit.
Press CTRL-Shift-6-x (represented as CTRL^X).
For More Information
For the procedure for using the setup command to initialize the ASA 5585-X IPS SSP, see Advanced Setup for the ASA 5585-X IPS SSP, page 2-17.
Logging In to the Sensor
Note
After you have initialized the sensor using the setup command and enabled Telnet, you can use SSH or Telnet to log in to the sensor.
To log in to the sensor using Telnet or SSH, follow these steps:
Step 1 Log in to the sensor over the network using SSH or Telnet:
ssh sensor_ip_address
telnet sensor_ip_address
Step 2 Enter your username and password at the login prompt.
login: ******
Password: ******
***NOTICE***
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to export@cisco.com.
***LICENSE NOTICE***
There is no license key installed on the system. Please go to http://www.cisco.com/go/license to obtain a new license or install a license.
sensor#
CHAPTER 1

Introducing the CLI Configuration Guide

This chapter introduces the IPS CLI configuration guide, and contains the following sections:
Supported IPS Platforms, page 1-1
IPS CLI Configuration Guide, page 1-1
Sensor Configuration Sequence, page 1-2
User Roles, page 1-3
CLI Behavior, page 1-5
Command Line Editing, page 1-6
IPS Command Modes, page 1-8
Regular Expression Syntax, page 1-8
Generic CLI Commands, page 1-10
CLI Keywords, page 1-11

Supported IPS Platforms

IPS 7.2(1)E4 supports the following IPS platforms:
IPS 4345
IPS 4360
IPS 4510
IPS 4520
ASA 5500-X IPS SSP
ASA 5585-X IPS SSP

IPS CLI Configuration Guide

This guide is a task-based configuration guide for the Cisco IPS 7.2 CLI. The term “sensor” is used throughout this guide to refer to all sensor models, unless a procedure refers to a specific appliance or to one of the modules, then the specific model name is used.
For an alphabetical list of all IPS commands, refer to the Command Reference for Cisco Intrusion Prevention System 7.2. For information on locating all IPS 7.2 documents on Cisco.com, refer to the Documentation Roadmap for Cisco Intrusion Prevention System 7.2.
You can also use an IPS manager to configure your sensor. For information on how to access documentation that describes how to use IPS managers, refer to the Documentation Roadmap for Cisco Intrusion Prevention System 7.2.

Sensor Configuration Sequence

Perform the following tasks to configure the sensor:
1. Log in to the sensor.
2. Initialize the sensor by running the setup command.
3. Verify the sensor initialization.
4. Create the service account. A service account is needed for special debug situations directed by TAC.
Note
Only one user with the role of service is allowed.
5. License the sensor.
6. Perform the other initial tasks, such as adding users and trusted hosts, and so forth.
7. Make changes to the interface configuration if necessary. You configure the interfaces during initialization.
8. Add or delete virtual sensors as necessary. You configure the virtual sensors during initialization.
9. Configure event action rules.
10. Configure the signatures for intrusion prevention.
11. Configure the sensor for global correlation.
12. Configure anomaly detection if needed. You can run anomaly detection using the default values or you can tailor it to suit your network needs.
Note
Anomaly detection is disabled by default. You must enable it to configure or apply an anomaly detection policy. Enabling anomaly detection results in a decrease in performance.
13. Set up any external product interfaces if needed. The CSA MC is the only external product supported by the Cisco IPS.
14. Configure IP logging if needed.
15. Configure blocking if needed.
16. Configure SNMP if needed.
17. Perform miscellaneous tasks to keep your sensor running smoothly.
18. Upgrade the IPS software with new signature updates and service packs.
19. Reimage the application partition when needed.
For More Information
For the procedure for logging in to your sensor, see Chapter ii, “Logging In to the Sensor.”
For the procedure for using the setup command to initialize your sensor, see Chapter 2, “Initializing the Sensor.”
For the procedure for verifying sensor initialization, see Verifying Initialization, page 2-20.
For the procedure for obtaining and installing the license key, see Installing the License Key, page 3-54.
For the procedures for setting up your sensor, see Chapter 3, “Setting Up the Sensor.”
For the procedure for creating the service account, see Creating the Service Account, page 3-28.
For the procedures for configuring interfaces on your sensor, see Chapter 4, “Configuring Interfaces.”
For the procedures for configuring virtual sensors on your sensor, see Chapter 5, “Configuring Virtual Sensors.”
For the procedures for configuring event action rules policies, see Chapter 8, “Configuring Event Action Rules.”
For the procedures for configuring signatures for intrusion prevention, see Chapter 7, “Defining Signatures.”
For the procedures for configuring global correlation, see Chapter 10, “Configuring Global Correlation.”
For the procedure for configuring anomaly detection policies, see Chapter 9, “Configuring Anomaly Detection.”
For the procedure for setting up external product interfaces, see Chapter 11, “Configuring External Product Interfaces.”
For the procedures for configuring IP logging, see Chapter 12, “Configuring IP Logging.”
For the procedures for configuring blocking on your sensor, see Chapter 14, “Configuring Attack Response Controller for Blocking and Rate Limiting.”
For the procedures for configuring SNMP on your sensor, see Chapter 15, “Configuring SNMP.”
For the administrative procedures, see Chapter 17, “Administrative Tasks for the Sensor.”
For more information on how to obtain Cisco IPS software, see Chapter 20, “Obtaining Software.”
For the procedures for installing system images, see Chapter 21, “Upgrading, Downgrading, and Installing System Images.”
For the procedures specific to the ASA 5500-X IPS SSP, see Chapter 18, “Configuring the ASA 5500-X IPS SSP.”
For the procedures specific to the ASA 5585-X IPS SSP, see Chapter 19, “Configuring the ASA 5585-X IPS SSP.”

User Roles

The Cisco CLI permits multiple users to log in at the same time. You can create and remove users from the local sensor. You can modify only one user account at a time. Each user is associated with a role that controls what that user can and cannot modify. The CLI supports four user roles: administrator, operator, viewer, and service. The privilege levels for each role are different; therefore, the menus and available commands vary for each role.
Administrator
This user role has the highest level of privileges. Administrators have unrestricted view access and can perform the following functions:
Add users and assign passwords
Enable and disable control of physical interfaces and virtual sensors
Assign physical sensing interfaces to a virtual sensor
Modify the list of hosts allowed to connect to the sensor as a configuring or viewing agent
Modify sensor address configuration
Tune signatures
Assign configuration to a virtual sensor
Manage routers
Operators
This user role has the second highest level of privileges. Operators have unrestricted view access and can perform the following functions:
Modify their passwords
Tune signatures
Manage routers
Assign configuration to a virtual sensor
Viewers
This user role has the lowest level of privileges. Viewers can view configuration and event data and can modify their passwords.
Tip
Monitoring applications only require viewer access to the sensor. You can use the CLI to set up a user account with viewer privileges and then configure the event viewer to use this account to connect to the sensor.
Service
This user role does not have direct access to the CLI. Service account users are logged directly into a bash shell. Use this account for support and troubleshooting purposes only. Unauthorized modifications are not supported and require the device to be reimaged to guarantee proper operation. You can create only one user with the service role. In the service account you can also switch to user root by executing su -. The root password is synchronized to the service account password. Some troubleshooting procedures may require you to execute commands as the root user.
When you log in to the service account, you receive the following warning:
******************************* WARNING ***************************************** UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. This account is intended to be used for support and troubleshooting purposes only. Unauthorized modifications are not supported and will require this device to be re-imaged to guarantee proper operation. *********************************************************************************
Note
The service role is a special role that allows you to bypass the CLI if needed. Only a user with administrator privileges can edit the service account.
Note
For IPS 5.0 and later, you can no longer remove the cisco account. You can disable it using the no password cisco command, but you cannot remove it. To use the no password cisco command, there must be another administrator account on the sensor. Removing the cisco account through the service account is not supported. If you remove the cisco account through the service account, the sensor most likely will not boot up, so to recover the sensor you must reinstall the sensor system image.

CLI Behavior

The following tips help you use the Cisco IPS CLI.
Prompts
You cannot change the prompt displayed for the CLI commands.
User interactive prompts occur when the system displays a question and waits for user input. The default input is displayed inside brackets [ ]. To accept the default input, press Enter.
Help
To display the help for a command, type ? after the command.
The following example demonstrates the ? function:
sensor# configure ?
terminal Configure from the terminal
sensor# configure
Note
When the prompt returns from displaying help, the command previously entered is displayed without the ?.
You can type ? after an incomplete token to view the valid tokens that complete the command. If there is a trailing space between the token and the ?, you receive an ambiguous command error:
sensor# show c ?
% Ambiguous command: “show c”
If you enter the token without the space, a selection of available tokens for the completion (with no help description) appears:
sensor# show c?
clock configuration
sensor# show c
Only commands available in the current mode are displayed by help.
Tab Completion
Only commands available in the current mode are displayed by tab complete and help.
If you are unsure of the complete syntax for a command, you can type a portion of the command and press Tab to complete the command.
If multiple commands match for tab completion, nothing is displayed.
Recall
To recall the commands entered in a mode, use the Up Arrow or Down Arrow keys or press Ctrl-P or Ctrl-N.
Note
A blank prompt indicates the end of the recall list.
Help and tab complete requests are not reported in the recall list.
Case Sensitivity
The CLI is not case sensitive, but it does echo back the text in the same case you typed it. For example, if you type:
sensor# CONF
and press Tab, the sensor displays:
sensor# CONFigure
Note
CLI commands are not case sensitive, but values are case sensitive. Remember this when you are creating regular expressions in signatures. A regular expression of “STRING” will not match “string” seen in a packet.
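The ? help, Tab-completion and case-insensitivity rules above, modelled as an added example rather than Cisco code or real sensor output: COMMAND_TREE is a constructed subset shaped after the page's own examples, and every help string except “Configure from the terminal” is invented.

```python
"""Model of the IPS CLI '?' help and Tab-completion rules described above.

Added example, not the sensor's own code. COMMAND_TREE is a constructed subset
in the shape of the page's examples (show clock/configuration, configure terminal);
the help strings other than "Configure from the terminal" are invented.
"""

# token -> (help text, next-level tokens)
COMMAND_TREE = {
    "show": ("Display system information", {
        "clock": ("Display the system clock", {}),
        "configuration": ("Display the current configuration", {}),
    }),
    "configure": ("Enter configuration mode", {
        "terminal": ("Configure from the terminal", {}),
    }),
    "exit": ("Exit this mode", {}),
}


def _candidates(level, prefix):
    """Tokens at this level that begin with prefix. Commands are not case
    sensitive, so the prefix is lowered before comparing."""
    return sorted(tok for tok in level if tok.startswith(prefix.lower()))


def _descend(tokens):
    """Resolve each complete token to exactly one command and return the next level.

    Returns (level, None) on success, or (None, offending_token) when a token
    matches zero or several commands (the page's 'Ambiguous command' case).
    """
    level = COMMAND_TREE
    for tok in tokens:
        hits = _candidates(level, tok)
        if len(hits) != 1:
            return None, tok
        level = level[hits[0]][1]
    return level, None


def help_query(line):
    """Model of typing ? at the end of a command line.

    '<tokens> ?'  -> list of (token, help) for the next level, or the
                     '% Ambiguous command' error when a preceding token is
                     incomplete (the page's 'show c ?' example).
    '<partial>?'  -> bare list of tokens completing the partial token, no help.
    """
    if not line.endswith("?"):
        raise ValueError("line must end with ?")
    body = line[:-1]
    if body == "" or body.endswith(" "):
        level, _ = _descend(body.split())
        if level is None:
            # Error text after the page; straight quotes instead of typeset ones.
            return f'% Ambiguous command: "{body.strip()}"'
        return [(tok, level[tok][0]) for tok in sorted(level)]
    *done, partial = body.split()
    level, _ = _descend(done)
    if level is None:
        prefix = " ".join(done)
        return f'% Ambiguous command: "{prefix}"'
    return _candidates(level, partial)


def tab_complete(line):
    """Model of pressing Tab: a unique prefix is completed in place, and the
    characters you typed are echoed back in the case you typed them
    ('CONF' -> 'CONFigure'). With zero or several matches the sensor displays
    nothing, so the line is returned unchanged."""
    if not line or line.endswith(" "):
        return line
    *done, partial = line.split()
    level, _ = _descend(done)
    if level is None:
        return line
    hits = _candidates(level, partial)
    if len(hits) != 1:
        return line
    return " ".join(done + [partial + hits[0][len(partial):]])


if __name__ == "__main__":
    print(help_query("configure ?"))   # [('terminal', 'Configure from the terminal')]
    print(help_query("show c ?"))      # % Ambiguous command: "show c"
    print(help_query("show c?"))       # ['clock', 'configuration']
    print(tab_complete("CONF"))        # CONFigure
```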
Display Options
---More--- is an interactive prompt that indicates that the terminal output exceeds the allotted display space. To display the remaining output, press the spacebar to display the next page of output or press Enter to display the output one line at a time.
To clear the current line contents and return to a blank command line, press Ctrl-C.
For More Information
For more information on CLI command regular expression syntax, see Regular Expression Syntax, page 1-8.
Command Line Editing

Table 1-1 describes the command line editing capabilities provided by the Cisco IPS CLI.
Table 1-1 Command Line Editing
Keys Description
Tab Completes a partial command name entry. When you type a unique set of characters and press Tab, the system completes the command name. If you type a set of characters that could indicate more than one command, the system beeps to indicate an error. Type a question mark (?) immediately following the partial command (no space). The system provides a list of commands that begin with that string.
Backspace Erases the character to the left of the cursor.
Enter At the command line, pressing Enter processes a command. At the ---More--- prompt on a terminal screen, pressing Enter scrolls down a line.
Spacebar Enables you to see more output on the terminal screen. Press the Spacebar when you see the line ---More--- on the screen to display the next screen.
Left arrow Moves the cursor one character to the left. When you type a command that extends beyond a single line, you can press the Left Arrow key repeatedly to scroll back toward the system prompt and verify the beginning of the command entry.
Right arrow Moves the cursor one character to the right.
Up Arrow or Ctrl-P Recalls commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
Down Arrow or Ctrl-N Returns to more recent commands in the history buffer after recalling commands with the Up Arrow or Ctrl-P. Repeat the key sequence to recall successively more recent commands.
Ctrl-A Moves the cursor to the beginning of the line.
Ctrl-B Moves the cursor back one character.
Ctrl-D Deletes the character at the cursor.
Ctrl-E Moves the cursor to the end of the command line.
Ctrl-F Moves the cursor forward one character.
Ctrl-K Deletes all characters from the cursor to the end of the command line.
Ctrl-L Clears the screen and redisplays the system prompt and command line.
Ctrl-T Transposes the character to the left of the cursor with the character located at the cursor.
Ctrl-U Deletes all characters from the cursor to the beginning of the command line.
Ctrl-V Inserts a code to indicate to the system that the keystroke immediately following should be treated as a command entry, not as an editing key.
Ctrl-W Deletes the word to the left of the cursor.
Ctrl-Y Recalls the most recent entry in the delete buffer. The delete buffer contains the last ten items you deleted or cut.
Ctrl-Z Ends configuration mode and returns you to the EXEC prompt.
Esc-B Moves the cursor back one word.
Esc-C Capitalizes the word at the cursor.
Esc-D Deletes from the cursor to the end of the word.
Esc-F Moves the cursor forward one word.
Esc-L Changes the word at the cursor to lowercase.
Esc-U Capitalizes from the cursor to the end of the word.


IPS Command Modes

The Cisco IPS CLI has the following command modes:
privileged EXEC—Entered when you log in to the CLI interface.
global configuration—Entered from privileged EXEC mode by entering configure terminal. The command prompt is sensor(config)#.
service mode configuration—Entered from global configuration mode by entering service service-name. The command prompt is sensor(config-ser)#, where ser is the first three characters of the service name.
multi-instance service mode—Entered from global configuration mode by entering service service-name log-instance-name. The command prompt is sensor(config-log)#, where log is the first three characters of the log instance name. The only multi-instance services in the system are anomaly detection, signature definition, and event action rules.

Regular Expression Syntax

Note
The syntax in this section applies only to regular expressions used as part of a CLI command. It does not apply to regular expressions used by signatures.
Regular expressions are text patterns that are used for string matching. Regular expressions contain a mix of plain text and special characters to indicate what kind of matching to do. For example, if you are looking for a numeric digit, the regular expression to search for is “[0-9]”. The brackets indicate that the character being compared should match any one of the characters enclosed within the bracket. The dash (-) between 0 and 9 indicates that it is a range from 0 to 9. Therefore, this regular expression will match any character from 0 to 9, that is, any digit.
To search for a specific special character, you must use a backslash before the special character. For example, the single character regular expression “\*” matches a single asterisk.
The regular expressions defined in this section are similar to a subset of the POSIX Extended Regular Expression definitions. In particular, “[..]”, “[==]”, and “[::]” expressions are not supported. Also, escaped expressions representing single characters are supported. A character can be represented as its hexadecimal value, for example, \x61 equals ‘a,’ so \x61 is an escaped expression representing the character ‘a.’
The regular expressions are case sensitive. To match “STRING” or “string” use the following regular expression: “[Ss][Tt][Rr][Ii][Nn][Gg].”
Table 1-2 lists the special characters.
Table 1-2 Regular Expression Syntax
Character  Description
^          Beginning of the string. The expression “^A” will match an “A” only at the beginning of the string.
^          Immediately following the left-bracket ([). Excludes the remaining characters within brackets from matching the target string. The expression “[^0-9]” indicates that the target character should not be a digit.
$          Matches the end of the string. The expression “abc$” matches the sub-string “abc” only if it is at the end of the string.
|          Allows the expression on either side to match the target string. The expression “a|b” matches “a” as well as “b.”
.          Matches any character.
*          Indicates that the character to the left of the asterisk in the expression should match 0 or more times.
+          Similar to * but there should be at least one match of the character to the left of the + sign in the expression.
?          Matches the character to its left 0 or 1 times.
()         Affects the order of pattern evaluation and also serves as a tagged expression that can be used when replacing the matched sub-string with another expression.
[]         Enclosing a set of characters indicates that any of the enclosed characters may match the target character.
\          Allows specifying a character that would otherwise be interpreted as special. \xHH represents the character whose value is the same as the value represented by (HH) hexadecimal digits [0-9A-Fa-f]. The value must be non-zero. BEL is the same as \x07, BS is \x08, FF is \x0C, LF is \x0A, CR is \x0D, TAB is \x09, and VT is \x0B. For any other character ‘c’, ‘\c’ is the same as ‘c’ except that it is never interpreted as special.
The following examples demonstrate the special characters:
a*  matches any number of occurrences of the letter a, including none.
a+  requires that at least one letter a be in the string to be matched.
ba?b  matches the string bb or bab.
\**  matches any number of asterisks (*).
To use multipliers with multiple-character patterns, you enclose the pattern in parentheses.
(ab)*  matches any number of the multiple-character string ab.
([A-Za-z][0-9])+  matches one or more instances of alphanumeric pairs, but not none (that is, an empty string is not a match).
The order for matches using multipliers (*, +, or ?) is to put the longest construct first. Nested constructs are matched from outside to inside. Concatenated constructs are matched beginning at the left side of the construct. Thus, the regular expression matches A9b3, but not 9Ab3 because the letters are specified before the numbers.
You can also use parentheses around a single- or multiple-character pattern to instruct the software to remember a pattern for use elsewhere in the regular expression.
To create a regular expression that recalls a previous pattern, you use parentheses to indicate memory of a specific pattern and a backslash (\) followed by a digit to reuse the remembered pattern. The digit specifies the occurrence of a parentheses in the regular expression pattern. If you have more than one remembered pattern in your regular expression, \1 indicates the first remembered pattern, and \2 indicates the second remembered pattern, and so on.
The following regular expression uses parentheses for recall:
a(.)bc(.)\1\2 matches an a followed by any character, followed by bc followed by any character, followed by the first any character again, followed by the second any character again.
For example, the regular expression can match aZbcTZT. The software remembers that the first character is Z and the second character is T and then uses Z and T again later in the regular expression.
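The rules in this section can be checked offline before a pattern is typed into the CLI. The following Python helper is an added example written for this page, not code from the guide or from the sensor software; it assumes that Python's re module accepts the documented subset (\xHH escapes, \1..\9 back-references and the * + ? | () [] operators), rejects the constructs the guide lists as unsupported, builds the bracket form recommended for case-insensitive matching, and replays the guide's own examples.

```python
import re

# Conservative check for the POSIX bracket forms the guide lists as unsupported
# in CLI regular expressions: "[..]" collating symbols, "[==]" equivalence
# classes and "[::]" character classes.
_POSIX_BRACKET = re.compile(r"\[[.=:]|[.=:]\]")
_HEX = "0123456789abcdefABCDEF"


def check_cli_regex(pattern: str) -> str:
    """Reject constructs the guide documents as invalid for CLI regular expressions.

    Returns the pattern unchanged when it passes and raises ValueError when it
    uses an unsupported bracket form, a dangling backslash, or an \\xHH escape
    that is malformed or zero (the guide requires a non-zero value).
    """
    if _POSIX_BRACKET.search(pattern):
        raise ValueError("[..], [==] and [::] bracket expressions are not supported")
    i = 0
    while i < len(pattern):
        if pattern[i] != "\\":
            i += 1
            continue
        if i + 1 >= len(pattern):
            raise ValueError("pattern ends with a lone backslash")
        if pattern[i + 1] == "x":
            digits = pattern[i + 2:i + 4]
            if len(digits) != 2 or any(d not in _HEX for d in digits):
                raise ValueError("\\x must be followed by exactly two hex digits")
            if int(digits, 16) == 0:
                raise ValueError("\\x00 is not allowed: the value must be non-zero")
            i += 4
        else:
            i += 2  # "\c" stands for the literal character c
    return pattern


def is_valid_cli_regex(pattern: str) -> bool:
    """True when check_cli_regex() accepts the pattern."""
    try:
        check_cli_regex(pattern)
    except ValueError:
        return False
    return True


def case_insensitive_literal(text: str) -> str:
    """Build the bracket form the guide recommends for a case-insensitive match.

    CLI regular expressions are case sensitive, so "string" becomes
    "[Ss][Tt][Rr][Ii][Nn][Gg]"; special characters are backslash-escaped and
    anything else is copied as-is.
    """
    parts = []
    for ch in text:
        if ch.isalpha() and ch.upper() != ch.lower():
            parts.append("[" + ch.upper() + ch.lower() + "]")
        elif ch in "^$|.*+?()[]\\":
            parts.append("\\" + ch)
        else:
            parts.append(ch)
    return "".join(parts)


def cli_search(pattern: str, text: str) -> bool:
    """Apply a CLI-style regular expression to text.

    The match is unanchored unless the pattern uses ^ or $, as in the guide.
    """
    return re.search(check_cli_regex(pattern), text) is not None


# The guide's own examples, as (pattern, text, should_match) triples.
GUIDE_EXAMPLES = [
    ("^A", "Apple", True),
    ("^A", "banana", False),
    ("[^0-9]", "12345", False),
    ("abc$", "xxabc", True),
    ("ba?b", "bab", True),
    ("ba?b", "baab", False),
    (r"\**", "***", True),
    ("^([A-Za-z][0-9])+$", "A9b3", True),
    ("^([A-Za-z][0-9])+$", "9Ab3", False),
    (r"a(.)bc(.)\1\2", "aZbcTZT", True),
    (r"\x61", "a", True),
    ("[Ss][Tt][Rr][Ii][Nn][Gg]", "STRING", True),
]


def verify_guide_examples() -> list:
    """Return the (pattern, text) pairs whose result disagrees with the guide."""
    return [(p, t) for p, t, expected in GUIDE_EXAMPLES if cli_search(p, t) != expected]


if __name__ == "__main__":
    print(case_insensitive_literal("string"))
    print("mismatches:", verify_guide_examples())
```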
Generic CLI Commands
The following CLI commands are generic to the Cisco IPS.
configure terminal—Enters global configuration mode.
Global configuration commands apply to features that affect the system as a whole rather than just one protocol or interface.
sensor# configure terminal
sensor(config)#
service—Takes you to the following configuration submodes: analysis-engine, anomaly-detection, authentication, event-action-rules, external-product-interfaces, global-correlation, health-monitor, host, interface, logger, network-access, notification, signature-definition, ssh-known-hosts, trusted-certificates, and web-server.
Note
The anomaly-detection, event-action-rules, and signature-definition submodes are multiple instance services. One predefined instance is allowed for each. For anomaly-detection, the predefined instance name is ad0. For event-action-rules, the predefined instance name is rules0. For signature-definition, the predefined instance name is sig0. You can create additional instances.
sensor# configure terminal
sensor(config)# service event-action-rules rules0
sensor(config-rul)#
end—Exits configuration mode or any configuration submodes. It takes you back to the top-level EXEC menu.
sensor# configure terminal
sensor(config)# end
sensor#
exit—Exits any configuration mode or closes an active terminal session and terminates the EXEC mode. It takes you to the previous menu session.
sensor# configure terminal
sensor(config)# service event-action-rules rules0
sensor(config-rul)# exit
sensor(config)# exit
sensor#
CLI Keywords

In general, use the no form of a command to disable a feature or function. Use the command without the keyword no to enable a disabled feature or function. For example, the command ssh host-key ip_address adds an entry to the known hosts table, and the command no ssh host-key ip_address removes the entry from the known hosts table. Refer to the individual commands for a complete description of what the no form of that command does.
Service configuration commands can also have a default form. Use the default form of the command to return the command setting to its default. This keyword applies to the service submenu commands used for application configuration. Entering default with the command resets the parameter to the default value. You can only use the default keyword with commands that specify a default value in the configuration files.

CHAPTER 2
Initializing the Sensor

This chapter describes how to use the setup command to initialize the sensor, and contains the following sections:
Initializing Notes and Caveats, page 2-1
Understanding Initialization, page 2-2
Simplified Setup Mode, page 2-2
System Configuration Dialog, page 2-2
Basic Sensor Setup, page 2-4
Advanced Setup, page 2-7
Verifying Initialization, page 2-20

Initializing Notes and Caveats

The following notes and caveats apply to initializing the sensor:
You must be administrator to use the setup command.
You must have a valid sensor license for automatic signature updates and global correlation features to function. You can still configure and display statistics for the global correlation features, but the global correlation databases are cleared and no updates are attempted. Once you install a valid license, the global correlation features are reactivated.
The currently supported Cisco IPS appliances are the IPS 4345, IPS 4360, IPS 4510, and IPS 4520.
You do not need to configure interfaces on the ASA IPS modules (ASA 5500-X IPS SSP and ASA 5585-X IPS SSP). You should ignore the modify interface default VLAN setting in setup. The separation of traffic across virtual sensors is configured differently for the ASA IPS modules than for other sensors.

Understanding Initialization

After you install the sensor on your network, you must use the setup command to initialize it so that you can communicate with it over the network.
With the setup command, you configure basic sensor settings, including the hostname, IP interfaces, access control lists, global correlation servers, and time settings. You can continue using advanced setup in the CLI to enable Telnet, configure the web server, enable SSHv1 fallback, and assign and enable virtual sensors and interfaces, or you can use the Startup Wizard in the IDM or IME. After you configure the sensor with the setup command, you can change the network settings in the IDM or IME.
Note
You must be administrator to use the setup command.

Simplified Setup Mode

The sensor automatically calls the setup command when you connect to the sensor using a console cable and the sensor basic network settings have not yet been configured. The sensor does not call automatic setup under the following conditions:
When initialization has already been successfully completed.
If you have recovered or downgraded the sensor.
If you have set the host configuration to default after successfully configuring the sensor using automatic setup.
When you enter the setup command, an interactive dialog called the System Configuration Dialog appears on the system console screen. The System Configuration Dialog guides you through the configuration process. The values shown in brackets next to each prompt are the default values last set.

System Configuration Dialog

When you enter the setup command, an interactive dialog called the System Configuration Dialog appears on the system console screen. The System Configuration Dialog guides you through the configuration process. The values shown in brackets next to each prompt are the current values.
You must go through the entire System Configuration Dialog until you come to the option that you want to change. To accept default settings for items that you do not want to change, press Enter.
To return to the EXEC prompt without making changes and without going through the entire System Configuration Dialog, press Ctrl-C. The System Configuration Dialog also provides help text for each prompt. To access the help text, enter ? at a prompt.
When you complete your changes, the System Configuration Dialog shows you the configuration that you created during the setup session. It also asks you if you want to use this configuration. If you enter yes, the configuration is saved. If you enter no, the configuration is not saved and the process begins again. There is no default for this prompt; you must enter either yes or no.
You can configure daylight savings time either in recurring mode or date mode. If you choose recurring mode, the start and end days are based on week, day, month, and time. If you choose date mode, the start and end days are based on month, day, year, and time. Choosing disable turns off daylight savings time.
Note
You only need to set the date and time in the System Configuration Dialog if the system is an appliance and is NOT using NTP.
The System Configuration Dialog is an interactive dialog. The default settings are displayed.
Example 2-1 shows a sample System Configuration Dialog.
Example 2-1 Example System Configuration Dialog
--- Basic Setup ---

--- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Current time: Wed Mar 6 00:07:23 2013

Setup Configuration last modified:

Enter host name[sensor]:
Enter IP interface[192.168.1.2/24,192.168.1.1]:
Modify current access list?[no]:
Current access list entries:
  [1] 0.0.0.0/0
Delete:
Permit:
Use DNS server for Auto-Updates from www.cisco.com and Global Correlation?[no]:
DNS server IP address[171.68.226.120]:
Use HTTP proxy server for Auto-Updates from www.cisco.com and Global Correlation?[no]:
HTTP proxy server IP address:
HTTP proxy server Port number:
Modify system clock settings?[no]:
Modify summer time settings?[no]:
Use USA SummerTime Defaults?[yes]:
Recurring, Date or Disable?[Recurring]:
Start Month[march]:
Start Week[second]:
Start Day[sunday]:
Start Time[02:00:00]:
End Month[november]:
End Week[first]:
End Day[sunday]:
End Time[02:00:00]:
DST Zone[]:
Offset[60]:
Modify system timezone?[no]:
Timezone[UTC]:
UTC Offset[0]:
Use NTP?[no]:
NTP Server IP Address[]:
Use NTP Authentication?[no]:
NTP Key ID[]:
NTP Key Value[]:
Modify system date and time?[no]:
Local Date as YYYY-MM-DD[2013-03-06]:
Local Time as HH:MM:SS[]:
Participation in the SensorBase Network allows Cisco to collect aggregated statistics about traffic sent to your IPS.
SensorBase Network Participation level?[off]:
If you agree to participate in the SensorBase Network, Cisco will collect aggregated statistics about traffic sent to your IPS. This includes summary data on the Cisco IPS network traffic properties and how this traffic was handled by the Cisco appliances. We do not collect the data content of traffic or other sensitive business or personal information. All data is aggregated and sent via secure HTTP to the Cisco SensorBase Network servers in periodic intervals. All data shared with Cisco will be anonymous and treated as strictly confidential.
The table below describes how the data will be used by Cisco.
Participation Level = "Partial":
  * Type of Data: Protocol Attributes (e.g. TCP max segment size and options string)
    Purpose: Track potential threats and understand threat exposure
  * Type of Data: Attack Type (e.g. Signature Fired and Risk Rating)
    Purpose: Used to understand current attacks and attack severity
  * Type of Data: Connecting IP Address and port
    Purpose: Identifies attack source
  * Type of Data: Summary IPS performance (CPU utilization memory usage, inline vs. promiscuous, etc)
    Purpose: Tracks product efficacy
Participation Level = "Full" additionally includes:
  * Type of Data: Victim IP Address and port
    Purpose: Detect threat behavioral patterns
Do you agree to participate in the SensorBase Network?[no]:
Basic Sensor Setup
You can perform basic sensor setup using the setup command, and then finish setting up the sensor using the CLI, IDM, or IME.
To perform basic sensor setup using the setup command, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Note
Both the default username and password are cisco.
Step 2 The first time you log in to the sensor you are prompted to change the default password. Passwords must be at least eight characters long and be strong, that is, not be a dictionary word. After you change the password, basic setup begins.
Step 3 Enter the setup command. The System Configuration Dialog is displayed.
Step 4 Specify the hostname. The hostname is a case-sensitive character string up to 64 characters. Numbers, “_” and “-” are valid, but spaces are not acceptable. The default is sensor.
Step 5 Specify the IP interface. The IP interface is in the form of IP Address/Netmask,Gateway: X.X.X.X/nn,Y.Y.Y.Y, where X.X.X.X specifies the sensor IP address as a 32-bit address written as 4 octets separated by periods, nn specifies the number of bits in the netmask, and Y.Y.Y.Y specifies the default gateway as a 32-bit address written as 4 octets separated by periods.
Step 6 Enter yes to modify the network access list:
a. If you want to delete an entry, enter the number of the entry and press Enter, or press Enter to get to the Permit line.
b. Enter the IP address and netmask of the network you want to add to the access list.
Note
For example, 10.0.0.0/8 permits all IP addresses on the 10.0.0.0 network (10.0.0.0-10.255.255.255) and 10.1.1.0/24 permits only the IP addresses on the 10.1.1.0 subnet (10.1.1.0-10.1.1.255). If you want to permit access to a single IP address rather than the entire network, use a 32-bit netmask. For example, 10.1.1.1/32 permits just the 10.1.1.1 address.
c. Repeat Step b until you have added all networks that you want to add to the access list, and then press Enter at a blank permit line to go to the next step.
Step 7 You must configure a DNS server or an HTTP proxy server for automatic updates from www.cisco.com and global correlation to operate:
a. Enter yes to add a DNS server, and then enter the DNS server IP address.
b. Enter yes to add an HTTP proxy server, and then enter the HTTP proxy server IP address and port number.
Caution
You must have a valid sensor license for automatic signature updates and global correlation features to function. You can still configure and display statistics for the global correlation features, but the global correlation databases are cleared and no updates are attempted. Once you install a valid license, the global correlation features are reactivated.
Step 8 Enter yes to modify the system clock settings:
a. Enter yes to modify summertime settings.
Note
Summertime is also known as DST. If your location does not use Summertime, go to Step m.
b. Enter yes to choose the USA summertime defaults, or enter no and choose recurring, date, or disable to specify how you want to configure summertime settings. The default is recurring.
c. If you chose recurring, specify the month you want to start summertime settings. Valid entries are january, february, march, april, may, june, july, august, september, october, november, and december. The default is march.
d. Specify the week you want to start summertime settings. Valid entries are first, second, third, fourth, fifth, and last. The default is second.
e. Specify the day you want to start summertime settings. Valid entries are sunday, monday, tuesday, wednesday, thursday, friday, and saturday. The default is sunday.
f. Specify the time you want to start summertime settings. The default is 02:00:00.
Note
The default recurring summertime parameters are correct for time zones in the United States. The default values specify a start time of 2:00 a.m. on the second Sunday in March, and a stop time of 2:00 a.m. on the first Sunday in November. The default summertime offset is 60 minutes.
g. Specify the month you want summertime settings to end. Valid entries are january, february, march, april, may, june, july, august, september, october, november, and december. The default is november.
h. Specify the week you want the summertime settings to end. Valid entries are first, second, third, fourth, fifth, and last. The default is first.
i. Specify the day you want the summertime settings to end. Valid entries are sunday, monday, tuesday, wednesday, thursday, friday, and saturday. The default is sunday.
j. Specify the time you want summertime settings to end. The default is 02:00:00.
k. Specify the DST zone. The zone name is a character string up to 24 characters long in the pattern [A-Za-z0-9()+:,_/-]+$.
l. Specify the summertime offset. Specify the summertime offset from UTC in minutes (negative numbers represent time zones west of the Prime Meridian). The default is 60.
m. Enter yes to modify the system time zone.
n. Specify the standard time zone name. The zone name is a character string up to 24 characters long.
o. Specify the standard time zone offset. Specify the standard time zone offset from UTC in minutes (negative numbers represent time zones west of the Prime Meridian). The default is 0.
p. Enter yes if you want to use NTP. To use authenticated NTP, you need the NTP server IP address, the NTP key ID, and the NTP key value. If you do not have those at this time, you can configure NTP later. Otherwise, you can choose unauthenticated NTP.
Step 9 Enter off, partial, or full to participate in the SensorBase Network Participation:
Off—No data is contributed to the SensorBase Network.
Partial—Data is contributed to the SensorBase Network, but data considered potentially sensitive is filtered out and never sent.
Full—All data is contributed to the SensorBase Network except the attacker/victim IP addresses that you exclude.
The SensorBase Network Participation disclaimer appears. It explains what is involved in participating in the SensorBase Network.
Step 10 Enter yes to participate in the SensorBase Network.
The following configuration was entered.
service host
  network-settings
    host-ip 192.168.1.2/24, 192.168.1.1
    host-name sensor
    telnet-option disabled
    sshv1-fallback disabled
    access-list 10.0.0.0/8
    ftp-timeout 300
    no login-banner-text
    dns-primary-server enabled
      address 171.68.226.120
    exit
    dns-secondary-server disabled
    dns-tertiary-server disabled
    http-proxy proxy-server
      address 128.107.241.170
      port 8080
    exit
  exit
  time-zone-settings
    offset -360
    standard-time-zone-name CST
  exit
  summertime-option recurring
    offset 60
    summertime-zone-name CDT
    start-summertime
      month march
      week-of-month second
      day-of-week sunday
      time-of-day 02:00:00
    exit
    end-summertime
      month november
      week-of-month first
      day-of-week sunday
      time-of-day 02:00:00
    exit
  exit
  ntp-option enabled
    ntp-keys 1 md5-key 8675309
    ntp-servers 10.10.1.2 key-id 1
  exit
service global-correlation
  network-participation full
exit

[0] Go to the command prompt without saving this config.
[1] Return to setup without saving this config.
[2] Save this configuration and exit setup.
[3] Continue to Advanced setup.

Step 11 Enter 2 to save the configuration (or 3 to continue with advanced setup using the CLI).
Enter your selection[2]: 2
Configuration Saved.
Step 12 If you changed the time setting, enter yes to reboot the sensor.
For More Information
For the procedure for obtaining the most recent IPS software, see Obtaining Cisco IPS Software, page 20-1.

Advanced Setup

This section describes how to continue with advanced setup in the CLI for the sensor. It contains the following sections:
Advanced Setup for the Appliance, page 2-8
Advanced Setup for the ASA 5500-X IPS SSP, page 2-13
Advanced Setup for the ASA 5585-X IPS SSP, page 2-17
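The answers given in Steps 4 through 6 of the basic sensor setup above can be checked before they are typed into the System Configuration Dialog. The following Python script is an added example written for this page, not code from the guide or from the sensor software: it applies the hostname and DST zone rules as stated, parses the IP Address/Netmask,Gateway answer, and reports which management hosts an access list admits, flagging the 0.0.0.0/0 entry that the sample dialog shows as the initial entry. The requirement that the gateway sit on the sensor's subnet and the assumption that letters are allowed in hostnames (the default name is sensor) are mine, not rules from the guide.

```python
import ipaddress
import re

# Hostname rule from Step 4: up to 64 characters, numbers, "_" and "-" allowed,
# no spaces. Letters are assumed to be allowed too (the default name is "sensor").
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
# DST zone rule from Step 8k: up to 24 characters matching [A-Za-z0-9()+:,_/-]+$.
DST_ZONE_RE = re.compile(r"^[A-Za-z0-9()+:,_/-]{1,24}$")


def check_hostname(name: str) -> bool:
    """True when the hostname answer satisfies the Step 4 rule."""
    return HOSTNAME_RE.match(name) is not None


def check_dst_zone(zone: str) -> bool:
    """True when the DST zone answer satisfies the Step 8k rule."""
    return DST_ZONE_RE.match(zone) is not None


def parse_ip_interface(answer: str):
    """Parse the Step 5 answer X.X.X.X/nn,Y.Y.Y.Y into (interface, gateway).

    Raises ValueError for anything that is not an IPv4 address with a prefix
    length followed by a comma and a gateway. Requiring the gateway to be a
    usable address on the sensor's subnet is an added sanity check (assumption).
    """
    addr_part, sep, gw_part = answer.partition(",")
    if not sep or not gw_part.strip():
        raise ValueError("expected IP Address/Netmask,Gateway")
    iface = ipaddress.ip_interface(addr_part.strip())
    gateway = ipaddress.ip_address(gw_part.strip())
    if iface.version != 4 or gateway.version != 4:
        raise ValueError("the sensor IP interface is written as IPv4")
    if "/" not in addr_part:
        raise ValueError("netmask length /nn is required")
    if gateway not in iface.network or gateway == iface.ip:
        raise ValueError(f"gateway {gateway} is not a usable address on {iface.network}")
    return iface, gateway


def ip_interface_error(answer: str):
    """Return the validation error for an IP interface answer, or None if valid."""
    try:
        parse_ip_interface(answer)
    except ValueError as exc:
        return str(exc)
    return None


def review_access_list(entries, management_hosts):
    """Check Step 6 access-list entries against the hosts that must reach the sensor.

    Entries are strings such as "10.0.0.0/8" or "10.1.1.1/32"; strict=True
    rejects a host address with a shorter prefix (10.1.1.5/24) as malformed.
    Returns which hosts are permitted, which are not, and which entries admit
    every address (the 0.0.0.0/0 entry shown in the sample dialog).
    """
    networks = [ipaddress.ip_network(e.strip(), strict=True) for e in entries]
    wide_open = [str(n) for n in networks if n.prefixlen == 0]
    permitted, blocked = [], []
    for host in management_hosts:
        ip = ipaddress.ip_address(host)
        (permitted if any(ip in n for n in networks) else blocked).append(host)
    return {"permitted": permitted, "blocked": blocked, "wide_open": wide_open}


if __name__ == "__main__":
    # Constructed answers, not values from a real deployment.
    iface, gw = parse_ip_interface("192.168.1.2/24,192.168.1.1")
    print("sensor", iface, "gateway", gw)
    print(review_access_list(["10.0.0.0/8", "10.1.1.1/32"],
                             ["10.1.1.1", "10.200.3.4", "192.168.5.5"]))
    print(review_access_list(["0.0.0.0/0"], ["192.168.5.5"]))
```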

Advanced Setup for the Appliance

Note
The currently supported Cisco IPS appliances are the IPS 4345, IPS 4360, IPS 4510, and IPS 4520.
Note
Adding new subinterfaces is a two-step process. You first organize the interfaces when you edit the virtual sensor configuration. You then choose which interfaces and subinterfaces are assigned to which virtual sensors.
The interfaces change according to the appliance model, but the prompts are the same for all models.
To continue with advanced setup for the appliance, follow these steps:
Step 1 Log in to the appliance using an account with administrator privileges.
Step 2 Enter the setup command. The System Configuration Dialog is displayed. Press Enter or the spacebar to skip to the menu to access advanced setup.
Step 3 Enter 3 to access advanced setup.
Step 4 Specify the Telnet server status. The default is disabled.
Step 5 Specify the SSHv1 fallback setting. The default is disabled.
Step 6 Specify the web server port. The web server port is the TCP port used by the web server (1 to 65535). The default is 443.
Note
The web server is configured to use TLS/SSL encryption by default. Setting the port to 80 does not disable the encryption.
Step 7 Enter yes to modify the interface and virtual sensor configuration and to see the current interface configuration.
Current interface configuration
Command control: Management0/0
Unassigned:
Promiscuous:
GigabitEthernet0/0
GigabitEthernet0/1
GigabitEthernet0/2
GigabitEthernet0/3

Virtual Sensor: vs0
Anomaly Detection: ad0
Event Action Rules: rules0
Signature Definitions: sig0

Virtual Sensor: vs1
Anomaly Detection: ad0
Event Action Rules: rules0
Signature Definitions: sig0

Virtual Sensor: vs2
Anomaly Detection: ad0
Event Action Rules: rules0
Signature Definitions: sig0

[1] Edit Interface Configuration
[2] Edit Virtual Sensor Configuration
[3] Display configuration
Option:
Step 8 Enter 1 to edit the interface configuration.
Note
The following options let you create and delete interfaces. You assign the interfaces to virtual sensors in the virtual sensor configuration. If you are using promiscuous mode for your interfaces and are not subdividing them by VLAN, no additional configuration is necessary.
[1] Remove interface configurations.
[2] Add/Modify Inline Vlan Pairs.
[3] Add/Modify Promiscuous Vlan Groups.
[4] Add/Modify Inline Interface Pairs.
[5] Add/Modify Inline Interface Pair Vlan Groups.
[6] Modify interface default-vlan.
Option:
Step 9 Enter 2 to add inline VLAN pairs and display the list of available interfaces.
Caution
The new VLAN pair is not automatically added to a virtual sensor.
Available Interfaces
[1] GigabitEthernet0/0
[2] GigabitEthernet0/1
[3] GigabitEthernet0/2
[4] GigabitEthernet0/3
Option:
Step 10 Enter 1 to add an inline VLAN pair to GigabitEthernet 0/0, for example.
Inline Vlan Pairs for GigabitEthernet0/0
None
Step 11 Enter a subinterface number and description.
Subinterface Number:
Description[Created via setup by user asmith]:
Step 12 Enter numbers for VLAN 1 and 2.
Vlan1[]: 200
Vlan2[]: 300
Step 13 Press Enter to return to the available interfaces menu.
Note
Entering a carriage return at a prompt without a value returns you to the previous menu.
[1] GigabitEthernet0/0
[2] GigabitEthernet0/1
[3] GigabitEthernet0/2
[4] GigabitEthernet0/3
Option:
Note
At this point, you can configure another interface, for example, GigabitEthernet 0/1, for inline VLAN pair.
Step 14 Press Enter to return to the top-level interface editing menu.
[1] Remove interface configurations.
[2] Add/Modify Inline Vlan Pairs.
[3] Add/Modify Promiscuous Vlan Groups.
[4] Add/Modify Inline Interface Pairs.
[5] Add/Modify Inline Interface Pair Vlan Groups.
[6] Modify interface default-vlan.
Option:
Step 15 Enter 4 to add an inline interface pair and see these options.
Available Interfaces
GigabitEthernet0/1
GigabitEthernet0/2
GigabitEthernet0/3
Step 16 Enter the pair name, description, and which interfaces you want to pair.
Pair name: newPair
Description[Created via setup by user asmith]:
Interface1[]: GigabitEthernet0/1
Interface2[]: GigabitEthernet0/2
Pair name:
Step 17 Press Enter to return to the top-level interface editing menu.
[1] Remove interface configurations.
[2] Add/Modify Inline Vlan Pairs.
[3] Add/Modify Promiscuous Vlan Groups.
[4] Add/Modify Inline Interface Pairs.
[5] Add/Modify Inline Interface Pair Vlan Groups.
[6] Modify interface default-vlan.
Option:
Step 18 Press Enter to return to the top-level editing menu.
[1] Edit Interface Configuration
[2] Edit Virtual Sensor Configuration
[3] Display configuration
Option:
Step 19 Enter 2 to edit the virtual sensor configuration.
[1] Remove virtual sensor.
[2] Modify "vs0" virtual sensor configuration.
[3] Create new virtual sensor.
Option:
Step 20 Enter 2 to modify the virtual sensor configuration, vs0.
Virtual Sensor: vs0
Anomaly Detection: ad0
Event Action Rules: rules0
Signature Definitions: sig0
No Interfaces to remove.
Unassigned:
Promiscuous:
[1] GigabitEthernet0/3
[2] GigabitEthernet0/0
Inline Vlan Pair:
[3] GigabitEthernet0/0:1 (Vlans: 200, 300)
Inline Interface Pair:
[4] newPair (GigabitEthernet0/1, GigabitEthernet0/2)
Add Interface:
Step 21 Enter 3 to add inline VLAN pair GigabitEthernet0/0:1.
Step 22 Enter 4 to add inline interface pair NewPair.
Step 23 Press Enter to return to the top-level virtual sensor menu.
Virtual Sensor: vs0
Anomaly Detection: ad0
Event Action Rules: rules0
Signature Definitions: sig0
Inline Vlan Pair: GigabitEthernet0/0:1 (Vlans: 200, 300)
Inline Interface Pair: newPair (GigabitEthernet0/1, GigabitEthernet0/2)
[1] Remove virtual sensor.
[2] Modify "vs0" virtual sensor configuration.
[3] Create new virtual sensor.
Option:
Step 24 Press Enter to return to the top-level interface and virtual sensor configuration menu.
[1] Edit Interface Configuration
[2] Edit Virtual Sensor Configuration
[3] Display configuration
Option:
Step 25 Enter yes if you want to modify the default threat prevention settings.
Note
The sensor comes with a built-in override to add the deny packet event action to high risk rating alerts. If you do not want this protection, disable automatic threat prevention.
Virtual sensor newVs is configured to prevent high risk threats in inline mode. (Risk Rating 90-100)
Virtual sensor vs0 is configured to prevent high risk threats in inline mode. (Risk Rating 90-100)
Do you want to disable automatic threat prevention on all virtual sensors?[no]:
Step 26
Enter yes to disable automatic threat prevention on all virtual sensors.
Step 27
Press Enter to exit the interface and virtual sensor configuration.
The following configuration was entered.
service host
network-settings
host-ip 192.168.1.2/24,192.168.1.1
host-name sensor
telnet-option disabled
sshv1-fallback disabled
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 342
exit
service interface
physical-interfaces GigabitEthernet0/0
admin-state enabled
subinterface-type inline-vlan-pair
subinterface 1
description Created via setup by user asmith
vlan1 200
vlan2 300
exit
exit
exit
physical-interfaces GigabitEthernet0/1
admin-state enabled
exit
physical-interfaces GigabitEthernet0/2
admin-state enabled
exit
physical-interfaces GigabitEthernet0/0
admin-state enabled
exit
inline-interfaces newPair
description Created via setup by user asmith
interface1 GigabitEthernet0/1
interface2 GigabitEthernet0/2
exit
exit
service analysis-engine
virtual-sensor newVs
description Created via setup by user cisco
signature-definition newSig
event-action-rules rules0
anomaly-detection
anomaly-detection-name ad0
operational-mode inactive
exit
physical-interface GigabitEthernet0/0
exit
virtual-sensor vs0
physical-interface GigabitEthernet0/0 subinterface-number 1
logical-interface newPair
service event-action-rules rules0
overrides deny-packet-inline
override-item-status Disabled
risk-rating-range 90-100
exit
exit
[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.
Step 28
Enter 2 to save the configuration.
Enter your selection[2]: 2
Configuration Saved.
Step 29
Reboot the appliance.
sensor# reset
Warning: Executing this command will stop all applications and reboot the node.
Continue with reset? []:
Step 30
Enter yes to continue the reboot.
Step 31
Apply the most recent service pack and signature update. You are now ready to configure your appliance for intrusion prevention.
For More Information
For the procedure for obtaining the most recent IPS software, see Obtaining Cisco IPS Software, page 20-1.

Advanced Setup for the ASA 5500-X IPS SSP

To continue with advanced setup for the ASA 5500-X IPS SSP, follow these steps:
Step 1
Session in to the IPS using an account with administrator privileges.
asa# session ips
Step 2
Enter the setup command. The System Configuration Dialog is displayed. Press Enter or the spacebar to skip to the menu to access advanced setup.
Step 3
Enter 3 to access advanced setup.
Step 4
Specify the Telnet server status. You can disable or enable Telnet services. The default is disabled.
Step 5
Specify the SSHv1 fallback setting. The default is disabled.
Step 6
Specify the web server port. The web server port is the TCP port used by the web server (1 to 65535). The default is 443.
Note
The web server is configured to use TLS/SSL encryption by default. Setting the port to 80 does not disable the encryption.
Step 7
Enter yes to modify the interface and virtual sensor configuration.
Current interface configuration
Command control: Management0/0
Unassigned:
Monitored:
PortChannel 0/0
Virtual Sensor: vs0
Anomaly Detection: ad0
Event Action Rules: rules0
Signature Definitions: sig0
[1] Edit Interface Configuration
[2] Edit Virtual Sensor Configuration
[3] Display configuration
Option:
Step 8
Enter 1 to edit the interface configuration.
Note
You do not need to configure interfaces on the ASA 5500-X IPS SSP. You should ignore the modify interface default VLAN setting. The separation of traffic across virtual sensors is configured differently for the ASA 5500-X IPS SSP than for other sensors.
[1] Modify interface default-vlan.
Option:
Step 9
Press Enter to return to the top-level interface and virtual sensor configuration menu.
[1] Edit Interface Configuration
[2] Edit Virtual Sensor Configuration
[3] Display configuration
Option:
Step 10
Enter 2 to edit the virtual sensor configuration.
[1] Remove virtual sensor.
[2] Modify "vs0" virtual sensor configuration.
[3] Create new virtual sensor.
Option:
Step 11
Enter 2 to modify the virtual sensor vs0 configuration.
Virtual Sensor: vs0
Anomaly Detection: ad0
Event Action Rules: rules0
Signature Definitions: sig0
No Interfaces to remove.
Unassigned:
Monitored:
[1] PortChannel 0/0
Add Interface:
Step 12
Enter 1 to add PortChannel 0/0 to virtual sensor vs0.
Note
Multiple virtual sensors are supported. The adaptive security appliance can direct packets to specific virtual sensors or can send packets to be monitored by a default virtual sensor. The default virtual sensor is the virtual sensor to which you assign PortChannel 0/0. We recommend that you assign PortChannel 0/0 to vs0, but you can assign it to another virtual sensor if you want to.
Step 13
Press Enter to return to the main virtual sensor menu.
Step 14
Enter 3 to create a virtual sensor.
Name[]:
Step 15
Enter a name and description for your virtual sensor.
Name[]: newVs
Description[Created via setup by user cisco]: New Sensor
Anomaly Detection Configuration
[1] ad0
[2] Create a new anomaly detection configuration
Option[2]:
Step 16
Enter 1 to use the existing anomaly-detection configuration, ad0.
Signature Definition Configuration
[1] sig0
[2] Create a new signature definition configuration
Option[2]:
Step 17
Enter 2 to create a signature-definition configuration file.
Step 18
Enter the signature-definition configuration name, newSig.
Event Action Rules Configuration
[1] rules0
[2] Create a new event action rules configuration
Option[2]:
Step 19
Enter 1 to use the existing event-action-rules configuration, rules0.
Note
If PortChannel 0/0 has not been assigned to vs0, you are prompted to assign it to the new virtual sensor.
Virtual Sensor: newVs
Anomaly Detection: ad0
Event Action Rules: rules0
Signature Definitions: newSig
Monitored: PortChannel0/0
[1] Remove virtual sensor.
[2] Modify "newVs" virtual sensor configuration.
[3] Modify "vs0" virtual sensor configuration.
[4] Create new virtual sensor.
Option:
Step 20
Press Enter to exit the interface and virtual sensor configuration menu.
Modify default threat prevention settings?[no]:
Step 21
Enter yes if you want to modify the default threat prevention settings.
Note
The sensor comes with a built-in override to add the deny packet event action to high risk rating alerts. If you do not want this protection, disable automatic threat prevention.
Virtual sensor newVs is configured to prevent high risk threats in inline mode. (Risk Rating 90-100)
Virtual sensor vs0 is configured to prevent high risk threats in inline mode. (Risk Rating 90-100)
Do you want to disable automatic threat prevention on all virtual sensors?[no]:
Step 22
Enter yes to disable automatic threat prevention on all virtual sensors.
The following configuration was entered.
service host
network-settings
host-ip 192.168.1.2/24,192.168.1.1
host-name asa-ips
telnet-option disabled
sshv1-fallback disabled
access-list 10.0.0.0/8
access-list 64.0.0.0/8
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 342
exit
service analysis-engine
virtual-sensor newVs
description New Sensor
signature-definition newSig
event-action-rules rules0
anomaly-detection
anomaly-detection-name ad0
exit
physical-interfaces PortChannel0/0
exit
exit
service event-action-rules rules0
overrides deny-packet-inline
override-item-status Disabled
risk-rating-range 90-100
exit
exit
[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.
Step 23
Enter 2 to save the configuration.
Enter your selection[2]: 2
Configuration Saved.
Step 24
Reboot the ASA 5500-X IPS SSP.
asa-ips# reset
Warning: Executing this command will stop all applications and reboot the node.
Continue with reset? []:
Step 25
Enter yes to continue the reboot.
Step 26
After reboot, log in to the sensor, and display the self-signed X.509 certificate (needed by TLS).
asa-ips# show tls fingerprint
SHA1: 64:9B:AC:DE:21:62:0C:D3:57:2E:9B:E5:3D:04:8F:A7:FD:CD:6F:27
Step 27
Write down the certificate fingerprints. You need the fingerprints to check the authenticity of the certificate when using HTTPS to connect to this ASA 5500-X IPS SSP with a web browser.
Step 28
Apply the most recent service pack and signature update. You are now ready to configure the ASA 5500-X IPS SSP for intrusion prevention.
For More Information
For the procedure for obtaining the most recent IPS software, see Obtaining Cisco IPS Software, page 20-1.

Advanced Setup for the ASA 5585-X IPS SSP

To continue with advanced setup for the ASA 5585-X IPS SSP, follow these steps:
Step 1
Session in to the ASA 5585-X IPS SSP using an account with administrator privileges.
asa# session 1
Step 2
Enter the setup command. The System Configuration Dialog is displayed. Press Enter or the spacebar to skip to the menu to access advanced setup.
Step 3
Enter 3 to access advanced setup.
Step 4
Specify the Telnet server status. You can disable or enable Telnet services. The default is disabled.
Step 5
Specify the SSHv1 fallback setting. The default is disabled.
Step 6
Specify the web server port. The web server port is the TCP port used by the web server (1 to 65535). The default is 443.
Note
The web server is configured to use TLS/SSL encryption by default. Setting the port to 80 does not disable the encryption.
Step 7
Enter yes to modify the interface and virtual sensor configuration.
Current interface configuration
Command control: Management0/0
Unassigned:
Monitored:
PortChannel0/0
Virtual Sensor: vs0
Anomaly Detection: ad0
Event Action Rules: rules0
Signature Definitions: sig0
[1] Edit Interface Configuration
[2] Edit Virtual Sensor Configuration
[3] Display configuration
Option:
Step 8
Enter 1 to edit the interface configuration.
Note
You do not need to configure interfaces on the ASA 5585-X IPS SSP. You should ignore the modify interface default VLAN setting. The separation of traffic across virtual sensors is configured differently for the ASA 5585-X IPS SSP than for other sensors.
[1] Modify interface default-vlan.
Option:
Step 9
Press Enter to return to the top-level interface and virtual sensor configuration menu.
[1] Edit Interface Configuration
[2] Edit Virtual Sensor Configuration
[3] Display configuration
Option:
Step 10
Enter 2 to edit the virtual sensor configuration.
[1] Remove virtual sensor.
[2] Modify "vs0" virtual sensor configuration.
[3] Create new virtual sensor.
Option:
Step 11
Enter 2 to modify the virtual sensor vs0 configuration.
Virtual Sensor: vs0
Anomaly Detection: ad0
Event Action Rules: rules0
Signature Definitions: sig0
No Interfaces to remove.
Unassigned:
Monitored:
[1] PortChannel0/0
Add Interface:
Step 12
Enter 1 to add PortChannel 0/0 to virtual sensor vs0.
Note
Multiple virtual sensors are supported. The adaptive security appliance can direct packets to specific virtual sensors or can send packets to be monitored by a default virtual sensor. The default virtual sensor is the virtual sensor to which you assign PortChannel 0/0. We recommend that you assign PortChannel 0/0 to vs0, but you can assign it to another virtual sensor if you want to.
Step 13
Press Enter to return to the main virtual sensor menu.
Step 14
Enter 3 to create a virtual sensor.
Name[]:
Step 15
Enter a name and description for your virtual sensor.
Name[]: newVs
Description[Created via setup by user cisco]: New Sensor
Anomaly Detection Configuration
[1] ad0
[2] Create a new anomaly detection configuration
Option[2]:
Step 16
Enter 1 to use the existing anomaly-detection configuration, ad0.
Signature Definition Configuration
[1] sig0
[2] Create a new signature definition configuration
Option[2]:
Step 17
Enter 2 to create a signature-definition configuration file.
Step 18
Enter the signature-definition configuration name, newSig.
Event Action Rules Configuration
[1] rules0
[2] Create a new event action rules configuration
Option[2]:
Step 19
Enter 1 to use the existing event action rules configuration, rules0.
Note
If PortChannel 0/0 has not been assigned to vs0, you are prompted to assign it to the new virtual sensor.
Virtual Sensor: newVs
Anomaly Detection: ad0
Event Action Rules: rules0
Signature Definitions: newSig
Monitored: PortChannel0/0
[1] Remove virtual sensor.
[2] Modify "newVs" virtual sensor configuration.
[3] Modify "vs0" virtual sensor configuration.
[4] Create new virtual sensor.
Option:
Step 20
Press Enter to exit the interface and virtual sensor configuration menu.
Modify default threat prevention settings?[no]:
Step 21
Enter yes if you want to modify the default threat prevention settings.
Note
The sensor comes with a built-in override to add the deny packet event action to high risk rating alerts. If you do not want this protection, disable automatic threat prevention.
Virtual sensor newVs is configured to prevent high risk threats in inline mode. (Risk Rating 90-100)
Virtual sensor vs0 is configured to prevent high risk threats in inline mode. (Risk Rating 90-100)
Do you want to disable automatic threat prevention on all virtual sensors?[no]:
Step 22
Enter yes to disable automatic threat prevention on all virtual sensors.
The following configuration was entered.
service host
network-settings
host-ip 10.1.9.201/24,10.1.9.1
host-name ips-ssm
telnet-option disabled
sshv1-fallback disabled
access-list 10.0.0.0/8
access-list 64.0.0.0/8
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 342
exit
service analysis-engine
virtual-sensor newVs
description New Sensor
signature-definition newSig
event-action-rules rules0
anomaly-detection
anomaly-detection-name ad0
exit
physical-interfaces PortChannel0/0
exit
exit
service event-action-rules rules0
overrides deny-packet-inline
override-item-status Disabled
risk-rating-range 90-100
exit
exit
[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.
Step 23
Enter 2 to save the configuration.
Enter your selection[2]: 2
Configuration Saved.
Step 24
Reboot the ASA 5585-X IPS SSP.
ips-ssp# reset
Warning: Executing this command will stop all applications and reboot the node.
Continue with reset? []:
Step 25
Enter yes to continue the reboot.
Step 26
After reboot, log in to the sensor, and display the self-signed X.509 certificate (needed by TLS).
ips-ssp# show tls fingerprint
SHA1: 64:9B:AC:DE:21:62:0C:D3:57:2E:9B:E5:3D:04:8F:A7:FD:CD:6F:27
Step 27
Write down the certificate fingerprints. You need the fingerprints to check the authenticity of the certificate when using HTTPS to connect to this ASA 5585-X IPS SSP with a web browser.
Step 28
Apply the most recent service pack and signature update. You are now ready to configure your ASA 5585-X IPS SSP for intrusion prevention.
For More Information
For the procedure for obtaining the most recent IPS software, see Obtaining Cisco IPS Software, page 20-1.

Verifying Initialization

Note
The CLI output is an example of what your configuration may look like. It will not match exactly due to the optional setup choices, sensor model, and IPS version you have installed.
To verify that you initialized your sensor, follow these steps:
Step 1
Log in to the sensor.
Step 2
View your configuration.
sensor# show configuration
! ------------------------------
! Current configuration last modified Fri Apr 19 19:01:05 2013
! ------------------------------
! Version 7.2(1)
! Host:
! Realm Keys key1.0
! Signature Definition:
! Signature Update S697.0 2013-02-15
! ------------------------------
service interface
physical-interfaces GigabitEthernet0/0
admin-state enabled
exit
physical-interfaces GigabitEthernet0/1
admin-state enabled
exit
inline-interfaces pair0
interface1 GigabitEthernet0/0
interface2 GigabitEthernet0/1
exit
bypass-mode auto
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 10.106.133.159/23,10.106.132.1
host-name q4360-159
telnet-option enabled
access-list 0.0.0.0/0
dns-primary-server disabled
dns-secondary-server disabled
dns-tertiary-server disabled
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
websession-inactivity-timeout 3600
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service aaa
exit
! ------------------------------
service analysis-engine
virtual-sensor vs0
logical-interface pair0
exit
exit
sensor#
Note
You can also use the more current-config command to view your configuration.
Step 3
Display the self-signed X.509 certificate (needed by TLS).
sensor# show tls fingerprint
SHA1: 64:9B:AC:DE:21:62:0C:D3:57:2E:9B:E5:3D:04:8F:A7:FD:CD:6F:27
Step 4
Write down the certificate fingerprints. You need the fingerprints to check the authenticity of the certificate when connecting to this sensor with a web browser.
For More Information
For the procedure for logging in to the sensor, see Chapter 1, “Logging In to the Sensor.”
CHAPTER 3

Setting Up the Sensor

This chapter contains procedures for setting up the sensor, and contains the following sections:
Setup Notes and Caveats, page 3-1
Understanding Sensor Setup, page 3-2
Changing Network Settings, page 3-2
Changing the CLI Session Timeout, page 3-14
Changing Web Server Settings, page 3-15
Configuring Authentication and User Parameters, page 3-18
Configuring Time, page 3-35
Configuring SSH, page 3-45
Configuring TLS, page 3-51
Installing the License Key, page 3-54

Setup Notes and Caveats

The following notes and caveats apply to setting up the sensor:
By default SSHv2 is enabled and SSHv1 is disabled.
When updating the hostname, the CLI prompt of the current session and other existing sessions is not updated with the new hostname immediately. Subsequent CLI login sessions reflect the new hostname in the prompt.
Telnet is not a secure access service and therefore is disabled by default on the sensor. However, SSH is always running on the sensor and it is a secure service.
For automatic and global correlation updates to function, you must have either a DNS server or an HTTP proxy server configured at all times.
DNS resolution is supported for accessing the global correlation update server as well as www.cisco.com for automatic updates.
The default web server port is 443 if TLS is enabled and 80 if TLS is disabled.
The username command provides username and password authentication for login purposes only. You cannot use this command to remove a user who is logged in to the system. You cannot use this command to remove yourself from the system.
You cannot use the privilege command to give a user service privileges. If you want to give an existing user service privileges, you must remove that user and then use the username command to create the service account.
Do not make modifications to the sensor through the service account except under the direction of TAC. If you use the service account to configure the sensor, your configuration is not supported by TAC. Adding services to the operating system through the service account affects proper performance and functioning of the other IPS services. TAC does not support a sensor on which additional services have been added.
You should carefully consider whether you want to create a service account. The service account provides shell access to the system, which makes the system vulnerable. However, you can use the service account to create a password if the administrator password is lost. Analyze your situation to decide if you want a service account existing on the system.
Administrators may need to disable the password recovery feature for security reasons.
We recommend that you use an NTP server to regulate time on your sensor. You can use authenticated or unauthenticated NTP. For authenticated NTP, you must obtain the NTP server IP address, NTP server key ID, and the key value from the NTP server. You can set up NTP during initialization or you can configure NTP through the CLI, IDM, IME, or ASDM.
In addition to a valid Cisco.com username and password, you must also have a Cisco Services for IPS service contract before you can apply for a license key.

Understanding Sensor Setup

Setting up the sensor involves such tasks as changing sensor initialization information, adding and deleting users, configuring time and setting up NTP, creating a service account, configuring SSH and TLS, and installing the license key. You configured most of these settings when you initialized the sensor using the setup command.
For More Information
For more information on using the setup command to initialize the sensor, see Chapter 2, “Initializing the Sensor.”

Changing Network Settings

After you initialize your sensor, you may need to change some of the network settings that you configured when you ran the setup command. This section describes how to change network settings, and contains the following topics:
Changing the Hostname, page 3-3
Changing the IP Address, Netmask, and Gateway, page 3-4
Enabling and Disabling Telnet, page 3-5
Changing the Access List, page 3-6
Changing the FTP Timeout, page 3-8
Adding a Login Banner, page 3-9
Configuring the DNS and Proxy Servers for Global Correlation and Automatic Update, page 3-10
Enabling SSHv1 Fallback, page 3-13

Changing the Hostname

Note
The CLI prompt of the current session and other existing sessions will not be updated with the new hostname. Subsequent CLI login sessions will reflect the new hostname in the prompt.
Use the host-name host_name command in the service host submode to change the hostname of the sensor after you have run the setup command. The default is sensor.
To change the sensor hostname, follow these steps:
Step 1
Log in to the sensor using an account with administrator privileges.
Step 2
Enter network settings submode.
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
Step 3
Change the sensor hostname.
sensor(config-hos-net)# host-name firesafe
Step 4
Verify the new hostname.
sensor(config-hos-net)# show settings
   network-settings
   -----------------------------------------------
      host-ip: 192.0.2.1/24,192.0.2.2 default: 192.168.1.2/24,192.168.1.1
      host-name: firesafe default: sensor
      telnet-option: enabled default: disabled
      sshv1-fallback: disabled default: disabled
      access-list (min: 0, max: 512, current: 1)
      -----------------------------------------------
         network-address: 0.0.0.0/0
         -----------------------------------------------
      -----------------------------------------------
      ftp-timeout: 300 seconds <defaulted>
      login-banner-text: <defaulted>
   -----------------------------------------------
sensor(config-hos-net)#
Step 5
To change the hostname back to the default setting, use the default form of the command.
sensor(config-hos-net)# default host-name
Step 6
Verify the change to the default hostname sensor.
sensor(config-hos-net)# show settings
   network-settings
   -----------------------------------------------
      host-ip: 192.0.2.1/24,192.0.2.2 default: 192.168.1.2/24,192.168.1.1
      host-name: sensor <defaulted>
      telnet-option: enabled default: disabled
      sshv1-fallback: disabled default: disabled
      access-list (min: 0, max: 512, current: 1)
      -----------------------------------------------
         network-address: 0.0.0.0/0
         -----------------------------------------------
      -----------------------------------------------
      ftp-timeout: 300 seconds <defaulted>
      login-banner-text: <defaulted>
   -----------------------------------------------
sensor(config-hos-net)#
Step 7
Exit network settings mode.
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]:
Step 8
Press Enter to apply the changes or enter no to discard them.

Changing the IP Address, Netmask, and Gateway

Use the host-ip ip_address/netmask,default_gateway command in the service host submode to change the IP address, netmask, and default gateway after you have run the setup command. The default is 192.168.1.2/24,192.168.1.1.
The host-ip is in the form of IP Address/Netmask/Gateway: X.X.X.X/nn,Y.Y.Y.Y, where X.X.X.X specifies the sensor IP address as a 32-bit address written as 4 octets separated by periods where X = 0-255, nn specifies the number of bits in the netmask, and Y.Y.Y.Y specifies the default gateway as a 32-bit address written as 4 octets separated by periods where Y = 0-255.
To change the sensor IP address, netmask, and default gateway, follow these steps:
Step 1
Log in to the sensor using an account with administrator privileges.
Step 2
Enter network settings mode.
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
Step 3
Change the sensor IP address, netmask, and default gateway.
sensor(config-hos-net)# host-ip 192.0.2.1/24,192.0.2.2
Note
The default gateway must be in the same subnet as the IP address of the sensor or the sensor generates an error and does not accept the configuration change.
Step 4
Verify the new information.
sensor(config-hos-net)# show settings
   network-settings
   -----------------------------------------------
      host-ip: 192.0.2.1/24,192.0.2.2 default: 192.168.1.2/24,192.168.1.1
      host-name: sensor default: sensor
      telnet-option: enabled default: disabled
      sshv1-fallback: disabled default: disabled
      access-list (min: 0, max: 512, current: 1)
      -----------------------------------------------
         network-address: 0.0.0.0/0
         -----------------------------------------------
      -----------------------------------------------
      ftp-timeout: 300 seconds <defaulted>
      login-banner-text: <defaulted>
   -----------------------------------------------
Step 5
To change the information back to the default setting, use the default form of the command.
sensor(config-hos-net)# default host-ip
Step 6
Verify that the host IP is now the default of 192.168.1.2/24,192.168.1.1.
sensor(config-hos-net)# show settings
   network-settings
   -----------------------------------------------
      host-ip: 192.168.1.2/24,192.168.1.1 <defaulted>
      host-name: sensor default: sensor
      telnet-option: enabled default: disabled
      sshv1-fallback: disabled default: disabled
      access-list (min: 0, max: 512, current: 1)
      -----------------------------------------------
         network-address: 0.0.0.0/0
         -----------------------------------------------
      -----------------------------------------------
      ftp-timeout: 300 seconds <defaulted>
      login-banner-text: <defaulted>
   -----------------------------------------------
sensor(config-hos-net)#
Step 7
Exit network settings mode.
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]:
Step 8
Press Enter to apply the changes or enter no to discard them.

Enabling and Disabling Telnet

Caution
Telnet is not a secure access service and therefore is disabled by default. However, SSH is always running on the sensor and it is a secure service.
Use the telnet-option {enabled | disabled} command in the service host submode to enable Telnet for remote access to the sensor. The default is disabled.
To enable or disable Telnet services, follow these steps:
Step 1
Log in to the sensor using an account with administrator privileges.
Step 2
Enter network settings mode.
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
Step 3
Enable Telnet services.
sensor(config-hos-net)# telnet-option enabled
sensor(config-hos-net)#
Step 4
Verify that Telnet is enabled.
sensor(config-hos-net)# show settings
   network-settings
   -----------------------------------------------
      host-ip: 192.0.2.1/24,192.0.2.2 default: 192.168.1.2/24,192.168.1.1
      host-name: sensor default: sensor
      telnet-option: enabled default: disabled
      sshv1-fallback: disabled default: disabled
      access-list (min: 0, max: 512, current: 1)
      -----------------------------------------------
         network-address: 0.0.0.0/0
         -----------------------------------------------
      -----------------------------------------------
      ftp-timeout: 300 seconds <defaulted>
      login-banner-text: <defaulted>
   -----------------------------------------------
sensor(config-hos-net)#
Step 5
Exit network settings mode.
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]:
Step 6
Press Enter to apply the changes or enter no to discard them.
Note
To Telnet to the sensor, you must enable Telnet and configure the access list to allow the Telnet clients to connect.
For More Information
For the procedure for configuring the access list, see Changing the Access List, page 3-6.

Changing the Access List

Use the access-list ip_address/netmask command in the service host submode to configure the access list, the list of hosts or networks that you want to have access to your sensor. Use the no form of the command to remove an entry from the list. The default access list is empty.
The following hosts must have an entry in the access list:
Hosts that need to Telnet to your sensor.
Hosts that need to use SSH with your sensor.
Hosts, such as the IDM and the IME, that need to access your sensor from a web browser.
Management stations, such as the CSM, that need access to your sensor.
If your sensor is a master blocking sensor, the IP addresses of the blocking forwarding sensors must have an entry in the list.
To modify the access list, follow these steps:
Step 1  Log in to the sensor using an account with administrator privileges.
Step 2  Enter network settings mode.

    sensor# configure terminal
    sensor(config)# service host
    sensor(config-hos)# network-settings

Step 3  Add an entry to the access list. The netmask for a single host is 32.

    sensor(config-hos-net)# access-list 192.0.2.110/32

Step 4  Verify the change you made to the access list.

    sensor(config-hos-net)# show settings
       network-settings
       -----------------------------------------------
          host-ip: 192.168.1.2/24,192.168.1.1 <defaulted>
          host-name: sensor <defaulted>
          telnet-option: enabled default: disabled
          sshv1-fallback: disabled default: disabled
          access-list (min: 0, max: 512, current: 2)
          -----------------------------------------------
             network-address: 10.1.9.0/24
             -----------------------------------------------
             network-address: 192.0.2.110/32
             -----------------------------------------------
          -----------------------------------------------
          ftp-timeout: 300 seconds <defaulted>
          login-banner-text: <defaulted>
       -----------------------------------------------

Step 5  Remove the entry from the access list.

    sensor(config-hos-net)# no access-list 192.0.2.110/32

Step 6  Verify that the host is no longer in the list.

    sensor(config-hos-net)# show settings
       network-settings
       -----------------------------------------------
          host-ip: 192.168.1.2/24,192.168.1.1 <defaulted>
          host-name: sensor <defaulted>
          telnet-option: enabled default: disabled
          sshv1-fallback: disabled default: disabled
          access-list (min: 0, max: 512, current: 1)
          -----------------------------------------------
             network-address: 10.1.9.0/24
             -----------------------------------------------
          -----------------------------------------------
          ftp-timeout: 300 seconds <defaulted>
          login-banner-text: <defaulted>
       -----------------------------------------------
    sensor(config-hos-net)#

Step 7  Change the value back to the default. The default access list is empty, so after this step no host can reach the sensor remotely until you add an entry again.

    sensor(config-hos-net)# default access-list

Step 8  Verify the value has been set back to the default.

    sensor(config-hos-net)# show settings
       network-settings
       -----------------------------------------------
          host-ip: 192.168.1.2/24,192.168.1.1 <defaulted>
          host-name: sensor <defaulted>
          telnet-option: enabled default: disabled
          sshv1-fallback: disabled default: disabled
          access-list (min: 0, max: 512, current: 0)
          -----------------------------------------------
          -----------------------------------------------
          ftp-timeout: 300 seconds <defaulted>
          login-banner-text: <defaulted>
       -----------------------------------------------
    sensor(config-hos-net)#

Step 9  Exit network settings mode.

    sensor(config-hos-net)# exit
    sensor(config-hos)# exit
    Apply Changes:?[yes]:

Step 10 Press Enter to apply the changes or enter no to discard them.

Changing the FTP Timeout

Note    You can use the FTP client for downloading updates and configuration files from your FTP server.
Use the ftp-timeout command in the service host submode to change the number of seconds that the FTP client waits before timing out when the sensor is communicating with an FTP server. The default is 300 seconds.
To change the FTP timeout, follow these steps:
Step 1  Log in to the sensor using an account with administrator privileges.
Step 2  Enter network settings mode.

    sensor# configure terminal
    sensor(config)# service host
    sensor(config-hos)# network-settings

Step 3  Change the number of seconds of the FTP timeout.

    sensor(config-hos-net)# ftp-timeout 500

Step 4  Verify the FTP timeout change.

    sensor(config-hos-net)# show settings
       network-settings
       -----------------------------------------------
          host-ip: 192.0.2.1/24,192.0.2.2 default: 192.168.1.2/24,192.168.1.1
          host-name: sensor default: sensor
          telnet-option: enabled default: disabled
          sshv1-fallback: disabled default: disabled
          access-list (min: 0, max: 512, current: 1)
          -----------------------------------------------
             network-address: 0.0.0.0/0
             -----------------------------------------------
          -----------------------------------------------
          ftp-timeout: 500 seconds default: 300
          login-banner-text: <defaulted>
       -----------------------------------------------
    sensor(config-hos-net)#

Step 5  Change the value back to the default.

    sensor(config-hos-net)# default ftp-timeout

Step 6  Verify the value has been set back to the default.

    sensor(config-hos-net)# show settings
       network-settings
       -----------------------------------------------
          host-ip: 192.0.2.1/24,192.0.2.2 default: 192.168.1.2/24,192.168.1.1
          host-name: sensor default: sensor
          telnet-option: enabled default: disabled
          sshv1-fallback: disabled default: disabled
          access-list (min: 0, max: 512, current: 1)
          -----------------------------------------------
             network-address: 0.0.0.0/0
             -----------------------------------------------
          -----------------------------------------------
          ftp-timeout: 300 seconds <defaulted>
          login-banner-text: <defaulted>
       -----------------------------------------------
    sensor(config-hos-net)#

Step 7  Exit network settings mode.

    sensor(config-hos-net)# exit
    sensor(config-hos)# exit
    Apply Changes:?[yes]:

Step 8  Press Enter to apply the changes or enter no to discard them.

Adding a Login Banner

Use the login-banner-text text_message command to add a login banner that the user sees during login. There is no default. When you want to start a new line in your message, press Ctrl-V Enter.
To add a login banner, follow these steps:
Step 1  Log in to the sensor using an account with administrator privileges.
Step 2  Enter network settings mode.

    sensor# configure terminal
    sensor(config)# service host
    sensor(config-hos)# network-settings

Step 3  Add the banner login text.

    sensor(config-hos-net)# login-banner-text This is the banner login text message.

Step 4  Verify the banner login text message.

    sensor(config-hos-net)# show settings
       network-settings
       -----------------------------------------------
          host-ip: 192.0.2.1/24,192.0.2.2 default: 192.168.1.2/24,192.168.1.1
          host-name: sensor default: sensor
          telnet-option: enabled default: disabled
          sshv1-fallback: disabled default: disabled
          access-list (min: 0, max: 512, current: 1)
          -----------------------------------------------
             network-address: 0.0.0.0/0
             -----------------------------------------------
          -----------------------------------------------
          ftp-timeout: 300 seconds <defaulted>
          login-banner-text: This is the banner login text message. default:
       -----------------------------------------------
    sensor(config-hos-net)#

Step 5  To remove the login banner text, use the no form of the command.

    sensor(config-hos-net)# no login-banner-text

Step 6  Verify the login text has been removed.

    sensor(config-hos-net)# show settings
       network-settings
       -----------------------------------------------
          host-ip: 192.0.2.1/24,192.0.2.2 default: 192.168.1.2/24,192.168.1.1
          host-name: sensor default: sensor
          telnet-option: enabled default: disabled
          sshv1-fallback: disabled default: disabled
          access-list (min: 0, max: 512, current: 1)
          -----------------------------------------------
             network-address: 0.0.0.0/0
             -----------------------------------------------
          -----------------------------------------------
          ftp-timeout: 300 seconds <defaulted>
          login-banner-text: default:
       -----------------------------------------------
    sensor(config-hos-net)#

Step 7  Exit network settings mode.

    sensor(config-hos-net)# exit
    sensor(config-hos)# exit
    Apply Changes:?[yes]:

Step 8  Press Enter to apply the changes or enter no to discard them.

Configuring the DNS and Proxy Servers for Global Correlation and Automatic Update

Use the http-proxy, dns-primary-server, dns-secondary-server, and dns-tertiary-server commands in network-settings submode to configure servers to support the automatic update and global correlation features.
You must configure either an HTTP proxy server or a DNS server to support automatic update and global correlation. You may need a proxy server to download automatic update and global correlation updates if you use a proxy in your network. If you are using a DNS server, you must configure at least one DNS server and it must be reachable for automatic update and global correlation updates to be successful. You can configure other DNS servers as backup servers. DNS queries are sent to the first server in the list. If it is unreachable, DNS queries are sent to the next configured DNS server.
Caution    For automatic update and global correlation updates to function, you must have either a DNS server or an HTTP proxy server configured at all times.
Caution    DNS resolution is supported for accessing the global correlation update server as well as www.cisco.com for automatic updates.
The following options apply:
http-proxy {no-proxy | proxy-server}—Configures the HTTP proxy server:
address ip_address —Specifies the IP address of the HTTP proxy server.
port port_number —Specifies the port number of the HTTP proxy server.
dns-primary-server {enabled | disabled}—Enables a DNS primary server:
address ip_address —Specifies the IP address of the DNS primary server.
dns-secondary-server {enabled | disabled}—Enables a DNS secondary server:
address ip_address —Specifies the IP address of the DNS secondary server.
dns-tertiary-server {enabled | disabled}—Enables the DNS tertiary server:
address ip_address —Specifies the IP address of the DNS tertiary server.
Configuring DNS and Proxy Servers for Automatic Update and Global Correlation
To configure DNS and proxy servers to support automatic update and global correlation, follow these steps:
Step 1  Log in to the sensor using an account with administrator privileges.
Step 2  Enter network settings submode.

    sensor# configure terminal
    sensor(config)# service host
    sensor(config-hos)# network-settings

Step 3  Enable a proxy or DNS server to support global correlation:
a.  Enable a proxy server.

    sensor(config-hos-net)# http-proxy proxy-server
    sensor(config-hos-net-pro)# address 10.10.10.1
    sensor(config-hos-net-pro)# port 65
    sensor(config-hos-net-pro)#

b.  Enable a DNS server.

    sensor(config-hos-net)# dns-primary-server enabled
    sensor(config-hos-net-ena)# address 10.10.10.1
    sensor(config-hos-net-ena)#

Step 4  Verify the settings.

    sensor(config-hos-net)# show settings
       network-settings
       -----------------------------------------------
          host-ip: 10.89.147.24/25,10.89.147.126 default: 192.168.1.2/24,192.168.1.1
          host-name: sensor <defaulted>
          telnet-option: enabled default: disabled
          sshv1-fallback: disabled default: disabled
          access-list (min: 0, max: 512, current: 1)
          -----------------------------------------------
             network-address: 0.0.0.0/0
             -----------------------------------------------
          -----------------------------------------------
          ftp-timeout: 300 seconds <defaulted>
          login-banner-text: <defaulted>
          dns-primary-server
          -----------------------------------------------
             enabled
             -----------------------------------------------
                address: 10.10.10.1
             -----------------------------------------------
          -----------------------------------------------
          dns-secondary-server
          -----------------------------------------------
             disabled
             -----------------------------------------------
             -----------------------------------------------
          -----------------------------------------------
          dns-tertiary-server
          -----------------------------------------------
             disabled
             -----------------------------------------------
             -----------------------------------------------
          -----------------------------------------------
          http-proxy
          -----------------------------------------------
             proxy-server
             -----------------------------------------------
                address: 10.10.10.1
                port: 65
             -----------------------------------------------
          -----------------------------------------------
       -----------------------------------------------
    sensor(config-hos-net)#

Step 5  Exit network settings mode.

    sensor(config-hos-net)# exit
    sensor(config-hos)# exit
    Apply Changes:?[yes]:

Step 6  Press Enter to apply the changes or enter no to discard them.
For More Information
For the procedure for configuring automatic update, see Configuring Automatic Upgrades, page 21-8.
For more information on global correlation features, see Chapter 10, "Configuring Global Correlation."

Enabling SSHv1 Fallback

Note    The IPS supports managing both SSHv1 and SSHv2. The default is SSHv2, but you can configure the sensor to fall back to SSHv1 if the peer client/server does not support SSHv2.
Use the sshv1-fallback {enabled | disabled} command in the service host submode to enable the sensor to fall back to SSH protocol version 1. Fallback to SSHv1 is provided in case the peer client/server does not support SSHv2. SSHv2 is the default SSH version. SSHv1 has known protocol-level weaknesses, so enable fallback only for a specific legacy peer and disable it again once that peer is gone.
To enable or disable SSHv1 fallback, follow these steps:
Step 1  Log in to the sensor using an account with administrator privileges.
Step 2  Enter network settings mode.

    sensor# configure terminal
    sensor(config)# service host
    sensor(config-hos)# network-settings

Step 3  Enable SSHv1 fallback.

    sensor(config-hos-net)# sshv1-fallback enabled
    sensor(config-hos-net)#

Step 4  Verify that SSHv1 fallback is enabled.

    sensor(config-hos-net)# show settings
       network-settings
       -----------------------------------------------
          host-ip: 10.106.164.52/24,10.106.164.1 default: 192.168.1.2/24,192.168.1.1
          host-name: p32-ips4240-52 default: sensor
          telnet-option: enabled default: disabled
          sshv1-fallback: enabled default: disabled
          access-list (min: 0, max: 512, current: 1)
          -----------------------------------------------
             network-address: 0.0.0.0/0
             -----------------------------------------------
          -----------------------------------------------
          ftp-timeout: 300 seconds <defaulted>
          login-banner-text: mmmm default:
       -----------------------------------------------
    sensor(config-hos-net)#

Step 5  Exit network settings mode.

    sensor(config-hos-net)# exit
    sensor(config-hos)# exit
    Apply Changes:?[yes]:

Step 6  Press Enter to apply the changes or enter no to discard them.
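The three network settings covered so far (telnet-option in Enabling Telnet, the access list in Changing the Access List, and sshv1-fallback here) decide who can reach the sensor's management plane and how well that path is protected. The following Python audit is an added example, not code from the Cisco guide or the IPS software: it parses a pasted `show settings network-settings` transcript of the shape printed throughout this chapter and flags Telnet enabled, SSHv1 fallback enabled, and an access-list entry of 0.0.0.0/0 (the value several transcripts in this chapter show). The two transcripts embedded in the block are constructed, and the severities and the /24 width threshold are this example's own policy.

```python
"""Audit the remote-access settings of a Cisco IPS sensor from a saved copy
of `show settings network-settings`: telnet-option, sshv1-fallback and the
access list.

Added example, not code from the Cisco guide or the IPS software. The two
transcripts below are constructed to mirror the ones in this chapter, and
the severities and the /24 width threshold are this example's own policy.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed transcript: Telnet on, SSHv1 fallback on, an any-source access-list entry.
WEAK_OUTPUT = """\
sensor(config-hos-net)# show settings
   network-settings
   -----------------------------------------------
      host-ip: 192.0.2.1/24,192.0.2.2 default: 192.168.1.2/24,192.168.1.1
      host-name: sensor default: sensor
      telnet-option: enabled default: disabled
      sshv1-fallback: enabled default: disabled
      access-list (min: 0, max: 512, current: 2)
      -----------------------------------------------
         network-address: 0.0.0.0/0
         -----------------------------------------------
         network-address: 192.0.2.110/32
         -----------------------------------------------
      -----------------------------------------------
      ftp-timeout: 300 seconds <defaulted>
      login-banner-text: <defaulted>
   -----------------------------------------------
"""

# Constructed transcript: the same sensor after hardening.
HARDENED_OUTPUT = (
    WEAK_OUTPUT.replace("telnet-option: enabled", "telnet-option: disabled")
    .replace("sshv1-fallback: enabled", "sshv1-fallback: disabled")
    .replace("network-address: 0.0.0.0/0", "network-address: 10.1.9.0/24")
)

_FIELDS = {
    "host_ip": re.compile(r"^\s*host-ip:\s*(\S+)", re.M),
    "telnet_option": re.compile(r"^\s*telnet-option:\s*(\w+)", re.M),
    "sshv1_fallback": re.compile(r"^\s*sshv1-fallback:\s*(\w+)", re.M),
    "ftp_timeout": re.compile(r"^\s*ftp-timeout:\s*(\d+)", re.M),
}
_ACL_ENTRY = re.compile(r"^\s*network-address:\s*(\S+)", re.M)


def parse_network_settings(text: str) -> Dict[str, object]:
    """Extract the fields the audit needs; fail loudly if the paste is not a network-settings dump."""
    settings: Dict[str, object] = {}
    for key, pattern in _FIELDS.items():
        match = pattern.search(text)
        if match is None:
            raise ValueError(f"{key} not found; is this `show settings network-settings` output?")
        settings[key] = match.group(1)
    settings["ftp_timeout"] = int(settings["ftp_timeout"])
    # strict=False tolerates host bits in a network entry such as 10.1.9.5/24
    settings["access_list"] = [ipaddress.ip_network(cidr, strict=False) for cidr in _ACL_ENTRY.findall(text)]
    return settings


def audit_network_settings(settings: Dict[str, object], widest_prefix: int = 24) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs; an empty list means nothing to fix."""
    findings: List[Tuple[str, str]] = []
    if settings["telnet_option"] == "enabled":
        findings.append(("high", "telnet-option enabled: logins and the CLI session cross the network "
                                 "in cleartext; use SSH and run `telnet-option disabled`"))
    if settings["sshv1_fallback"] == "enabled":
        findings.append(("medium", "sshv1-fallback enabled: a peer can negotiate SSH protocol 1; "
                                   "run `sshv1-fallback disabled` once legacy peers are gone"))
    acl = settings["access_list"]
    if not acl:
        findings.append(("info", "access-list empty: no host can reach the CLI or web server remotely"))
    for net in acl:
        if net.prefixlen == 0:
            findings.append(("high", f"access-list {net} admits every source address; "
                                     "replace it with the management hosts and networks"))
        elif net.prefixlen < widest_prefix:
            findings.append(("medium", f"access-list {net} is wider than /{widest_prefix}; tighten it"))
    return findings


if __name__ == "__main__":
    for label, transcript in (("weak", WEAK_OUTPUT), ("hardened", HARDENED_OUTPUT)):
        print(label)
        for severity, finding in audit_network_settings(parse_network_settings(transcript)) or [("ok", "no findings")]:
            print(f"  [{severity}] {finding}")
```

Paste a real transcript in place of WEAK_OUTPUT to audit a sensor; an empty result means Telnet and SSHv1 fallback are off and every access-list entry is a host or a network no wider than the threshold.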
For More Information
For more information about configuring SSH, see Configuring SSH, page 3-45.

Changing the CLI Session Timeout

Use the cli-inactivity-timeout command in the service authentication submode to change the number of seconds that the CLI waits before timing out. Setting the CLI session timeout increases the security of a CLI session. The default is 0 seconds, which means that it is an unlimited value and thus will never time out. The valid range is 0 to 100,000 minutes.
To change the CLI session timeout, follow these steps:
Step 1  Log in to the sensor using an account with administrator privileges.
Step 2  Enter authentication mode.

    sensor# configure terminal
    sensor(config)# service authentication

Step 3  Change the number of seconds of the CLI session timeout.

    sensor(config-aut)# cli-inactivity-timeout 5000

Step 4  Verify the CLI session timeout change.

    sensor(config-aut)# show settings
       attemptLimit: 0 <defaulted>
       password-strength
       -----------------------------------------------
          size: 8-64 <defaulted>
          digits-min: 0 <defaulted>
          uppercase-min: 0 <defaulted>
          lowercase-min: 0 <defaulted>
          other-min: 0 <defaulted>
          number-old-passwords: 0 <defaulted>
       -----------------------------------------------
       permit-packet-logging: true <defaulted>
       cli-inactivity-timeout: 5000 default: 0
    sensor(config-aut)#

Step 5  Change the value back to the default.

    sensor(config-aut)# default cli-inactivity-timeout

Step 6  Verify the value has been set back to the default.

    sensor(config-aut)# show settings
       attemptLimit: 0 <defaulted>
       password-strength
       -----------------------------------------------
          size: 8-64 <defaulted>
          digits-min: 0 <defaulted>
          uppercase-min: 0 <defaulted>
          lowercase-min: 0 <defaulted>
          other-min: 0 <defaulted>
          number-old-passwords: 0 <defaulted>
       -----------------------------------------------
       permit-packet-logging: true <defaulted>
       cli-inactivity-timeout: 0 <defaulted>
    sensor(config-aut)#

Step 7  Exit authentication mode.

    sensor(config-aut)# exit
    Apply Changes:?[yes]:

Step 8  Press Enter to apply the changes or enter no to discard them.

Changing Web Server Settings

Note    The default web server port is 443 if TLS is enabled and 80 if TLS is disabled.
After you run the setup command, you can change the following web server settings: the web server port, whether TLS encryption is being used, the HTTP server header message, restriction of TLS client ciphers, web session inactivity timeout, and logging of web session inactivity timeouts.
HTTP is the protocol that web clients use to make requests from web servers. The HTTP specification requires a server to identify itself in each response. Attackers sometimes exploit this protocol feature to perform reconnaissance. If the IPS web server identified itself by providing a predictable response, an attacker might learn that an IPS sensor is present.
We recommend that you not reveal to attackers that you have an IPS sensor. Change the server-id to anything that does not reveal any information, especially if your web server is available to the Internet. For example, if you forward a port through a firewall so you can monitor a sensor remotely, you need to set the server-id.
The following options apply:
enable-tls {false | true}—Enables encryption (TLSv1) on the system. The default is enabled.
enable-websession-inactivity-timeout-logging {false | true}—Enables logging for web session inactivity timeouts. The default is disabled.
port port_number—Specifies the port on which the web server listens for connections. The valid range is 1 to 65535. The default is 443.
server-id server_id—Specifies the textual message the web server returns in the HTTP Server header. The default is HTTP/1.1 compliant.
tls-client-ciphers-restriction {false | true}—Enables the client to use only restricted mode ciphers; disabling allows all ciphers. The default is enabled. When the IPS acts as a TLS client, you can configure a restriction on the TLS ciphers.
Note    Changes take place for the next sessions only. The current web session is not affected.
When enabled, the client can use the following restricted ciphers:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
When disabled, the client can use the following ciphers:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
websession-inactivity-timeout seconds—Specifies the duration in seconds at which inactive web sessions time out. The valid range is 600 to 3600 seconds. The default is 3600 seconds.
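The two cipher lists above are easier to reason about once each suite name is broken into its key exchange, authentication, cipher and MAC. The following Python block is an added example, not code from the Cisco guide or the IPS software: it parses the IANA suite names exactly as printed in this section and applies a small policy of this example's own (flag 3DES, flag suites without forward secrecy, flag DSA authentication) to both lists. Run over the lists it shows that even the restricted set still contains the two TLS_RSA suites, which have no forward secrecy, and that disabling tls-client-ciphers-restriction adds seven 3DES suites and the static ECDH suites.

```python
"""Classify the TLS cipher suites the sensor's TLS client may offer with
tls-client-ciphers-restriction enabled (RESTRICTED) and disabled
(UNRESTRICTED), and show what disabling the restriction adds.

Added example, not code from the Cisco guide or the IPS software. The two
lists are the ones printed in this section; the weakness rules (3DES,
no forward secrecy, DSA authentication) are this example's own policy.
"""
import re
from typing import Dict, List

RESTRICTED = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
]
UNRESTRICTED = [
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
]

# IANA naming: TLS_<key exchange[_auth]>_WITH_<cipher>_<mac>
_NAME = re.compile(r"^TLS_(?P<kx>[A-Z_]+?)_WITH_(?P<cipher>.+)_(?P<mac>SHA\d*|MD5)$")


def parse_suite(name: str) -> Dict[str, object]:
    """Split a suite name into its components; a bare 'RSA' means RSA key transport and RSA auth."""
    match = _NAME.match(name)
    if match is None:
        raise ValueError(f"not an IANA TLS suite name: {name}")
    parts = match["kx"].split("_")
    kx, auth = (parts[0], parts[0]) if len(parts) == 1 else (parts[0], parts[1])
    return {
        "kx": kx, "auth": auth, "cipher": match["cipher"], "mac": match["mac"],
        # only ephemeral (EC)DH gives per-session keys; RSA transport and static (EC)DH do not
        "forward_secrecy": kx in ("DHE", "ECDHE"),
    }


def weaknesses(name: str) -> List[str]:
    """Policy findings for one suite; empty list means it passes this example's policy."""
    info = parse_suite(name)
    issues: List[str] = []
    if "3DES" in str(info["cipher"]):
        issues.append("3DES: 64-bit block cipher, birthday-bound (Sweet32) on long-lived sessions")
    if not info["forward_secrecy"]:
        issues.append(f"no forward secrecy: static {info['kx']} key exchange")
    if info["auth"] == "DSS":
        issues.append("DSA (DSS) authentication: legacy, typically limited to 1024-bit keys")
    return issues


def evaluate(suites: List[str]) -> Dict[str, List[str]]:
    """Map every suite to its findings."""
    return {suite: weaknesses(suite) for suite in suites}


def policy_summary(suites: List[str]) -> Dict[str, int]:
    """How many suites in a list pass and fail the policy."""
    results = evaluate(suites)
    flagged = sum(1 for issues in results.values() if issues)
    return {"suites": len(suites), "clean": len(suites) - flagged, "flagged": flagged}


def added_by_disabling_restriction() -> List[str]:
    """Suites the client gains when tls-client-ciphers-restriction is set to false."""
    return sorted(set(UNRESTRICTED) - set(RESTRICTED))


if __name__ == "__main__":
    print("restricted:  ", policy_summary(RESTRICTED))
    print("unrestricted:", policy_summary(UNRESTRICTED))
    for suite in added_by_disabling_restriction():
        print(f"  + {suite:42} {'; '.join(weaknesses(suite)) or 'ok'}")
```

The same parser works on any IANA suite name, so the policy can be pointed at the output of a TLS scanner as well as at the lists in this guide.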
To change the web server settings, follow these steps:
Step 1  Log in to the sensor using an account with administrator privileges.
Step 2  Enter web server mode.

    sensor# configure terminal
    sensor(config)# service web-server

Step 3  Change the port number.

    sensor(config-web)# port 8080

If you change the port number from the default of 443 to 8080, you receive this message:

    Warning: The web server’s listening port number has changed from 443 to 8080. This change will not take effect until the web server is re-started

Step 4  Enable TLS.

    sensor(config-web)# enable-tls true

If you disable TLS, you receive this message:

    Warning: TLS protocol support has been disabled. This change will not take effect until the web server is re-started.

Step 5  Change the HTTP server header.

    sensor(config-web)# server-id Nothing to see here. Move along.

Step 6  Specify the web session inactivity timeout.

    sensor(config-web)# websession-inactivity-timeout 800

Step 7  Turn on logging for web session inactivity timeouts.

    sensor(config-web)# enable-websession-inactivity-timeout-logging true

Step 8  Turn on TLS client ciphers restriction.

    sensor(config-web)# tls-client-ciphers-restriction enable

Step 9  Verify the web server changes.

    sensor(config-web)# show settings
       enable-tls: true default: true
       port: 8080 default: 443
       server-id: Nothing to see here. Move along. default: HTTP/1.1 compliant
       configurable-service (min: 0, max: 99, current: 0)
       -----------------------------------------------
       -----------------------------------------------
       websession-inactivity-timeout: 800 default: 3600
       enable-websession-inactivity-timeout-logging: true default: false
       tls-client-ciphers-restriction: enable default: enable
    sensor(config-web)#

Step 10 To revert to the defaults, use the default form of the commands.

    sensor(config-web)# default port
    sensor(config-web)# default enable-tls
    sensor(config-web)# default server-id

Step 11 Verify the defaults have been restored.

    sensor(config-web)# show settings
       enable-tls: true <defaulted>
       port: 443 <defaulted>
       server-id: HTTP/1.1 compliant <defaulted>
       configurable-service (min: 0, max: 99, current: 0)
       -----------------------------------------------
       -----------------------------------------------
       websession-inactivity-timeout: 3600 <defaulted>
       enable-websession-inactivity-timeout-logging: false <defaulted>
       tls-client-ciphers-restriction: enable <defaulted>
    sensor(config-web)#

Step 12 Exit web server submode.

    sensor(config-web)# exit
    Apply Changes:?[yes]:

Step 13 Press Enter to apply the changes or enter no to discard them.

Note    If you change the port or the enable-tls setting, you must reset the sensor so that the web server uses the new settings.
For More Information
For the procedure for enabling SSHv1 fallback, see Enabling SSHv1 Fallback, page 3-13.
For the procedure for resetting the appliance, see Resetting the Appliance, page 17-44.
For the procedure for resetting the ASA 5500-X IPS SSP, see Reloading, Shutting Down, Resetting, and Recovering the ASA 5500-X IPS SSP, page 18-11.
For the procedure for resetting the ASA 5585-X IPS SSP, see Reloading, Shutting Down, Resetting, and Recovering the ASA 5585-X IPS SSP, page 19-11.

Configuring Authentication and User Parameters

The following section explains how to create users, configure RADIUS authentication, create the service account, configure passwords, specify privilege level, view a list of users, configure password policy, and lock and unlock user accounts. It contains the following topics:
Adding and Removing Users, page 3-18
Configuring Authentication, page 3-20
Configuring Packet Command Restriction, page 3-26
Creating the Service Account, page 3-28
The Service Account and RADIUS Authentication, page 3-29
RADIUS Authentication Functionality and Limitations, page 3-29
Configuring Passwords, page 3-29
Changing User Privilege Levels, page 3-30
Showing User Status, page 3-31
Configuring the Password Policy, page 3-32
Locking User Accounts, page 3-33
Unlocking User Accounts, page 3-34

Adding and Removing Users

Use the username command to create users on the local system. You can add a new user, set the privilege level—administrator, operator, viewer—and set the password for the new user. Use the no form of this command to remove a user from the system. This removes the user from CLI and web access.
Caution    The username command provides username and password authentication for login purposes only. You cannot use this command to remove a user who is logged in to the system. You cannot use this command to remove yourself from the system.
If you do not specify a password, the system prompts you for one. Use the password command to change the password for existing users. Use the privilege command to change the privilege for existing users.
The username must match the pattern ^[A-Za-z0-9()+:,_/-]+$: it must start with a letter or number, can include any letter A to Z (capital or small), any number 0 to 9, - and _, and can be 1 to 64 characters long. A valid password is 8 to 32 characters long. All characters except space are allowed.
You receive the following error messages if you do not create a valid password:

    Error: setEnableAuthenticationTokenStatus : The password is too short.
    Error: setEnableAuthenticationTokenStatus : Failure setting the account’s password: it does not contain enough DIFFERENT characters
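The second error above is the one operators trip over, because a password can be long enough and still be refused for having too few distinct characters. The following Python pre-flight check is an added example, not code from the Cisco guide or the IPS software: it applies the username pattern, the 1 to 64 character username limit, and the 8 to 32 character no-space password rule stated above, plus a distinct-character check inferred from the quoted error message. The threshold of 5 distinct characters is this example's assumption (it is cracklib's MINDIFF), not a value the guide gives.

```python
"""Pre-check a username and password against the rules this section states
for the username command, so the sensor's error comes back before anything
is typed into it.

Added example, not code from the Cisco guide or the IPS software. The
pattern, the 1 to 64 character username limit and the 8 to 32 character,
no-space password rule are the ones stated above. The "enough DIFFERENT
characters" check is inferred from the error message quoted above; the
threshold of 5 distinct characters is this example's assumption (cracklib's
MINDIFF), not a value the guide gives.
"""
import re
from typing import List

USERNAME_PATTERN = re.compile(r"^[A-Za-z0-9()+:,_/-]+$")
USERNAME_MAX_LEN = 64
PASSWORD_MIN_LEN, PASSWORD_MAX_LEN = 8, 32
MIN_DISTINCT_CHARS = 5  # assumption, see the module docstring


def username_problems(username: str) -> List[str]:
    """Reasons the sensor would reject this username; an empty list means it is acceptable."""
    problems: List[str] = []
    if not 1 <= len(username) <= USERNAME_MAX_LEN:
        problems.append(f"username must be 1 to {USERNAME_MAX_LEN} characters long")
    if not USERNAME_PATTERN.match(username):
        problems.append("username contains a character outside ^[A-Za-z0-9()+:,_/-]+$")
    return problems


def password_problems(password: str) -> List[str]:
    """Reasons a password would fail; the first two mirror the sensor's own messages."""
    problems: List[str] = []
    if len(password) < PASSWORD_MIN_LEN:
        problems.append("The password is too short.")
    if len(set(password)) < MIN_DISTINCT_CHARS:
        problems.append("it does not contain enough DIFFERENT characters")
    if len(password) > PASSWORD_MAX_LEN:
        problems.append(f"password longer than {PASSWORD_MAX_LEN} characters")
    if " " in password:
        problems.append("password may not contain a space")
    return problems


def check_account(username: str, password: str) -> List[str]:
    """Combined pre-flight check for `username <name> privilege <role>` plus the password prompt."""
    return username_problems(username) + password_problems(password)


if __name__ == "__main__":
    for name, pw in (("tester", "testpassword"), ("bad user", "aaaaaaaa"), ("x" * 65, "short")):
        print(repr(name), repr(pw), check_account(name, pw) or ["ok"])
```

Run the check before creating accounts in bulk; a rejected password at the sensor prompt otherwise leaves the account half-created and the operator guessing which rule fired.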
Note    You cannot use the privilege command to give a user service privileges. If you want to give an existing user service privileges, you must remove that user and then use the username command to create the service account.
To add and remove users, follow these steps:
Step 1  Log in to the CLI using an account with administrator privileges.
Step 2  Enter configuration mode.

    sensor# configure terminal

Step 3  Specify the parameters for the user.

    sensor(config)# username username password password privilege administrator/operator/viewer

For example, to add the user "tester" with a privilege level of administrator and the password "testpassword," enter the following command:
Note    If you do not want to see the password in clear text, wait for the password prompt. Do not enter the password along with the username and privilege.

    sensor(config)# username tester privilege administrator
    Enter Login Password: ************
    Re-enter Login Password: ************
    sensor(config)#

Note    If you do not specify a privilege level for the user, the user is assigned the default viewer privilege.
Step 4  Verify that the user has been added. A list of users is displayed.

    sensor(config)# exit
    sensor# show users all
        CLI ID   User       Privilege
    *   13491    cisco      administrator
                 jsmith     operator
                 jtaylor    service
                 jroberts   viewer
    sensor#

Step 5  To remove a user, use the no form of the command.

    sensor# configure terminal
    sensor(config)# no username jsmith

Note    You cannot use this command to remove yourself from the system.
Step 6  Verify that the user has been removed. The user jsmith no longer appears in the list.

    sensor(config)# exit
    sensor# show users all
        CLI ID   User       Privilege
    *   13491    cisco      administrator
                 jtaylor    service
                 jroberts   viewer
    sensor#
For More Information
For the procedure for creating the service account, see Creating the Service Account, page 3-28.
For the procedure for configuring local or RADIUS authentication, see Configuring Authentication, page 3-20.

Configuring Authentication

Caution    Make sure you have a RADIUS server already configured before you configure RADIUS authentication on the sensor. IPS has been tested with CiscoSecure ACS 4.2 and 5.1 servers. Refer to your RADIUS server documentation for information on how to set up a RADIUS server.
You can create and remove users from the local sensor. You can only modify one user account at a time. Each user is associated with a role that controls what that user can and cannot modify. The requirements that must be used for user passwords are set with the password command.
Users are authenticated through AAA either locally or through RADIUS servers. Local authentication is enabled by default. You must configure RADIUS authentication before it is active.
You must specify the user role that is authenticated through RADIUS either by configuring the user role on the RADIUS server or specifying a default user role. The username and password are sent in an authentication request to the configured RADIUS server. The response of the server determines whether the login is authenticated.
If the sensor is not configured to use a default user role and the sensor user role information is not in the Accept Message of the CiscoSecure ACS server, the sensor rejects RADIUS authentication even if the CiscoSecure ACS server accepts the username and password.
You can configure a primary RADIUS server and a secondary RADIUS server. The secondary RADIUS server authenticates and authorizes users if the primary RADIUS server is unresponsive.
You can also configure the sensor to use local authentication (local fallback) if no RADIUS servers are responding. In this case, the sensor authenticates against the locally configured user accounts. The sensor will only use local authentication if the RADIUS servers are not available, not if the RADIUS server rejects the authentication requests of the user. You can also configure how users connected through the console port are authenticated—through local user accounts, through RADIUS first and if that fails through local user accounts, or through RADIUS alone.
To configure a RADIUS server, you must have the IP address, port, and shared secret of the RADIUS server. You must also either have the NAS-ID of the RADIUS server, or have the RADIUS server configured to authenticate clients without a NAS-ID or with the default IPS NAS-ID of cisco-ips.
Note    Enabling RADIUS authentication on the sensor does not disconnect already established connections. RADIUS authentication is only enforced for new connections to the sensor. Existing CLI, IDM, and IME connections remain established with the login credentials used prior to configuring RADIUS authentication. To force disconnection of these established connections, you must reset the sensor after RADIUS is configured.
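The role decision described above (a role carried in the Accept Message, otherwise the default user role, otherwise rejection) is applied to a Cisco vendor-specific attribute, the cisco-av-pair ips-role described under RADIUS Authentication Options below. The following Python block is an added example, not code from the Cisco guide or the IPS software: it builds and decodes that Vendor-Specific attribute (RFC 2865 type 26, vendor 9, subtype 1) from the attribute list of an Access-Accept, reads ips-role, and applies the default-user-role rule, refusing service as a default and rejecting a login that ends up with no role even though RADIUS accepted the password. The attribute bytes are constructed; treating ips-role=unspecified as "no role given" is this example's reading of the text; and verifying the Access-Accept against the shared secret (the Response Authenticator) is a step a real client performs first and this example leaves out.

```python
"""Decode the cisco-av-pair that carries the sensor user role in a RADIUS
Access-Accept and apply the sensor's default-user-role rule to it.

Added example, not code from the Cisco guide or the IPS software. The
attribute bytes are constructed. Two points are this example's own reading
of the text: ips-role=unspecified is treated as "no role given", so
default-user-role applies; and a login with no usable role is rejected even
though RADIUS accepted the password. Verifying the Access-Accept against the
shared secret (Response Authenticator) is out of scope here.
"""
import struct
from typing import List, Optional, Tuple

ATTR_REPLY_MESSAGE = 18      # RFC 2865 Reply-Message, used only as filler here
ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 Vendor-Specific
CISCO_VENDOR_ID = 9          # IANA enterprise number for Cisco
CISCO_AVPAIR_SUBTYPE = 1     # vendor-type of cisco-av-pair inside a Cisco VSA
SENSOR_ROLES = ("viewer", "operator", "administrator", "service")


def build_attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type(1) length(1) value; length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_cisco_avpair(avpair: str) -> bytes:
    """Wrap one cisco-av-pair string in a Vendor-Specific attribute (vendor 9, subtype 1)."""
    payload = avpair.encode("ascii")
    sub_tlv = struct.pack("!BB", CISCO_AVPAIR_SUBTYPE, len(payload) + 2) + payload
    return build_attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub_tlv)


def parse_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk an attribute list, rejecting lengths that run past the buffer."""
    attrs: List[Tuple[int, bytes]] = []
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!BB", blob, offset)
        if length < 2 or offset + length > len(blob):
            raise ValueError(f"bad attribute length {length} at offset {offset}")
        attrs.append((attr_type, blob[offset + 2:offset + length]))
        offset += length
    return attrs


def cisco_avpairs(attrs: List[Tuple[int, bytes]]) -> List[str]:
    """Return every cisco-av-pair string carried in Cisco Vendor-Specific attributes."""
    pairs: List[str] = []
    for attr_type, value in attrs:
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack_from("!I", value, 0)[0] != CISCO_VENDOR_ID:
            continue
        offset = 4  # sub-TLVs follow the 4-byte vendor id
        while offset + 2 <= len(value):
            vendor_type, vendor_len = struct.unpack_from("!BB", value, offset)
            if vendor_len < 2 or offset + vendor_len > len(value):
                raise ValueError("malformed Cisco VSA")
            if vendor_type == CISCO_AVPAIR_SUBTYPE:
                pairs.append(value[offset + 2:offset + vendor_len].decode("ascii", errors="replace"))
            offset += vendor_len
    return pairs


def resolve_role(avpairs: List[str], default_user_role: str = "unspecified") -> Optional[str]:
    """Role the sensor grants to an accepted login, or None when the sensor rejects it anyway."""
    if default_user_role == "service":
        raise ValueError("service cannot be the default user role")
    for pair in avpairs:
        key, sep, role = pair.partition("=")
        if sep and key.strip() == "ips-role":
            role = role.strip()
            if role in SENSOR_ROLES:
                return role  # an explicit av pair wins over the default
            if role != "unspecified":
                raise ValueError(f"unknown ips-role {role!r}")
    return default_user_role if default_user_role in SENSOR_ROLES else None


if __name__ == "__main__":
    accept = build_attribute(ATTR_REPLY_MESSAGE, b"Welcome") + build_cisco_avpair("ips-role=operator")
    print(resolve_role(cisco_avpairs(parse_attributes(accept))))   # operator
    print(resolve_role([], default_user_role="unspecified"))        # None: rejected, no role anywhere
    print(resolve_role([], default_user_role="viewer"))             # viewer
```

The None result is the case the note above warns about: ACS accepted the password, but with default-user-role left at unspecified and no ips-role in the Accept Message the sensor still turns the login away.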
RADIUS Authentication Options
Use the aaa command in service aaa submode to configure either local authentication or authentication using a RADIUS server.
The following options apply:
local—Lets you specify local authentication. To continue to create users, use the username command.
radius—Lets you specify RADIUS as the method of authentication:
nas-id—Identifies the service requesting authentication. The value can be no nas-id, cisco-ips, or a NAS-ID already configured on the RADIUS server. The default is cisco-ips.
default-user-role—Lets you assign a default user role on the sensor that is only applied when there is NOT a Cisco av pair specifying the user role. The value can be unspecified, viewer, operator, or administrator. Service cannot be the default user role. The default is unspecified.
If you do not want to configure a default user role on the sensor that is applied in the absence of a Cisco av pair, you need to configure the Cisco IOS/PIX 6.x RADIUS Attributes [009\001] cisco-av-pair under the group or user profile with one of the following options:
ips-role=viewer, ips-role=operator, ips-role=administrator, ips-role=service, or ips-role=unspecified. The default is ips-role=unspecified.
Note
If the sensor is not configured to use a default user role and the sensor user role information is not in the Accept Message of the CiscoSecure ACS server, the sensor rejects RADIUS authentication even if the CiscoSecure ACS server accepts the username and password.
Note
The default user role is used only when the user has not been configured with a specific role on the ACS server. Local users are always configured with a specific role so the default user role will never apply to locally authenticated users.
local-fallback {enabled | disabled}—Lets you default to local authentication if the RADIUS servers are not responding. The default is enabled.
primary-server—Lets you configure the main RADIUS server:
server-address—IP address of the RADIUS server.
server-port—Port of the RADIUS server. If not specified, the default RADIUS port is used.
timeout (seconds)—Specifies the number of seconds the sensor waits for a response from a RADIUS server before it considers the server to be unresponsive.
shared-secret—The secret value configured on the RADIUS server. You must obtain the secret value of the RADIUS server to enter with the shared-secret command.
Note
You must have the same secret value configured on both the RADIUS server and the IPS sensor so that the server can authenticate the requests of the client and the client can authenticate the responses of the server.
secondary-server {enabled | disabled} (Optional) Lets you configure a secondary RADIUS server:
server-address—IP address of the RADIUS server.
server-port—Port of the RADIUS server. If not specified, the default RADIUS port is used.
timeout (seconds)—Specifies the number of seconds the sensor waits for a response from a RADIUS server before it considers the server to be unresponsive.
shared-secret—The secret value configured on the RADIUS server. You must obtain the secret value of the RADIUS server to enter with the shared-secret command.
Note
You must have the same secret value configured on both the RADIUS server and the IPS sensor so that the server can authenticate the requests of the client and the client can authenticate the responses of the server.
console-authentication—Lets you choose how users connected through the console port are authenticated:
local—Users connected through the console port are authenticated through local user accounts.
radius-and-local—Users connected through the console port are authenticated through RADIUS first. If RADIUS fails, local authentication is attempted. This is the default.
radius—Users connected through the console port are authenticated by RADIUS. If you also have local-fallback enabled, users can also be authenticated through the local user accounts.
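The notes above say the shared secret lets the server authenticate the sensor's requests and the sensor authenticate the server's responses. The following Python is an added example, not code from this guide or from Cisco; it shows the RFC 2865 mechanics behind that statement: the User-Password attribute is hidden with MD5 keyed by the secret and the random Request Authenticator, and the Response Authenticator is an MD5 over the reply plus the secret, so a reply built with a different secret, or for a different request, fails verification. The user name, password, NAS-Identifier and the secrets kkkk and yyyyy are constructed values taken from the procedure's placeholders.

```python
"""RADIUS Access-Request / Access-Accept exchange (RFC 2865) showing what the shared
secret does: hides User-Password in the request and authenticates the server's reply.
Added example with constructed values; not code from the Cisco IPS guide."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def attr(code: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", code, len(value) + 2) + value


def attributes(packet: bytes) -> dict:
    """Walk the TLVs after the header and return {type: value} (single-valued here)."""
    out, i = {}, HEADER_LEN
    while i + 2 <= len(packet):
        code, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        out[code] = packet[i + 2:i + length]
        i += length
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous
    ciphertext block); the chain is seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: invert hide_password and strip the zero padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, nas_id, secret, request_auth=None):
    """Client (the sensor) side: User-Name, hidden User-Password and NAS-Identifier
    (the guide's nas-id, default cisco-ips). Returns the packet and its Request Authenticator."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attr(NAS_IDENTIFIER, nas_id.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + request_auth + attrs, request_auth


def build_response(code, ident, request_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: the check that lets the sensor authenticate the server's response.
    Fails when the secret differs or the reply is not bound to our Request Authenticator."""
    if len(response) < HEADER_LEN:
        return False
    header, resp_auth, attrs = response[:4], response[4:HEADER_LEN], response[HEADER_LEN:]
    if struct.unpack("!H", header[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def demo() -> dict:
    """One exchange with constructed values; every entry should be True."""
    secret = b"kkkk"  # placeholder secret from the guide's procedure, example only
    request, request_auth = build_access_request(7, "jsmith", "S3cret!pw", "cisco-ips", secret)
    recovered = reveal_password(attributes(request)[USER_PASSWORD], secret, request_auth)
    accept = build_response(ACCESS_ACCEPT, 7, request_auth, b"", secret)
    return {
        "password_recovered": recovered == b"S3cret!pw",
        "accept_verifies": verify_response(accept, request_auth, secret),
        "wrong_secret_rejected": not verify_response(accept, request_auth, b"yyyyy"),
        "foreign_response_rejected": not verify_response(accept, os.urandom(16), secret),
    }
```

Because both checks are MD5 over the shared secret rather than a MAC with a modern primitive, and the exchange travels in UDP cleartext, the secret's length and randomness are the whole protection for the path between sensor and server. Short placeholders such as kkkk and yyyyy belong only in examples; use a long random secret per server and keep the sensor's command-and-control interface on a management network.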
Configuring Local or RADIUS Authentication
Caution
Make sure you have a RADIUS server already configured before you configure RADIUS authentication on the sensor. IPS has been tested with CiscoSecure ACS 4.2 and 5.1 servers. Refer to your RADIUS server documentation for information on how to set up a RADIUS server.
Note
Enabling RADIUS authentication on the sensor does not disconnect already established connections. RADIUS authentication is only enforced for new connections to the sensor. Existing CLI, IDM, and IME connections remain established with the login credentials used prior to configuring RADIUS authentication. To force disconnection of these established connections, you must reset the sensor after RADIUS is configured.
To configure local or RADIUS AAA authentication on the sensor, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter configuration mode.
sensor# configure terminal
Step 3 Enter AAA submode.
sensor(config)# service aaa
sensor(config-aaa)#
Step 4 Configure local authentication. To continue to create users on the local system, enter yes to save your configuration, and use the username command in configure terminal mode. To configure AAA RADIUS authentication, go to Step 5.
sensor(config-aaa)# aaa local
sensor(config-aaa)# exit
Apply Changes?[yes]:yes
Step 5 Configure AAA RADIUS authentication:
a. Enter RADIUS authentication submode.
sensor(config-aaa)# aaa radius
sensor(config-aaa-rad)#
b. Enter the Network Access ID. The NAS-ID is an identifier that clients send to servers to communicate the type of service they are attempting to authenticate. The value can be no nas-id, cisco-ips, or a NAS-ID already configured on the RADIUS server. The default is cisco-ips.
sensor(config-aaa-rad)# nas-id cisco-ips
sensor(config-aaa-rad)#
c. (Optional) Configure a default user role if you are not configuring a Cisco av pair. You can configure a default user role on the sensor that is only applied when there is NOT a Cisco av pair specifying the user role. The values are unspecified, viewer, operator, or administrator. The default is unspecified.
sensor(config-aaa-rad)# default-user-role operator
sensor(config-aaa-rad)#
Note
Service cannot be the default role.
d. Configure a Cisco av pair. If you do not want to configure a default user role on the sensor that is applied in the absence of a Cisco av pair, you need to configure the Cisco IOS/PIX 6.x RADIUS Attributes [009\001] cisco-av-pair under the group or user profile with one of the following options:
ips-role=viewer
ips-role=operator
ips-role=administrator
ips-role=service
Note
If the sensor is not configured to use a default user role and the sensor user role information is not in the Accept Message of the CiscoSecure ACS server, the sensor rejects RADIUS authentication even if the CiscoSecure ACS server accepts the username and password.
Note
The default user role is used only when the user has not been configured with a specific role on the ACS server. Local users are always configured with a specific role so the default user role will never apply to locally authenticated users.
e. Configure the sensor to switch over to local authentication if the RADIUS server becomes unresponsive.
sensor(config-aaa-rad)# local-fallback enabled
sensor(config-aaa-rad)#
Step 6 Configure the primary RADIUS server:
a. Enter primary server submode.
sensor(config-aaa-rad)# primary-server
sensor(config-aaa-rad-pri)#
b. Enter the RADIUS server IP address.
sensor(config-aaa-rad-pri)# server-address 10.1.2.3
sensor(config-aaa-rad-pri)#
c. Enter the RADIUS server port. If not specified, the default RADIUS port is used.
sensor(config-aaa-rad-pri)# server-port 1812
sensor(config-aaa-rad-pri)#
d. Enter the amount of time in seconds you want to wait for the RADIUS server to respond.
sensor(config-aaa-rad-pri)# time-out 5
sensor(config-aaa-rad-pri)#
e. Enter the secret value that you obtained from the RADIUS server. The shared secret is a piece of data known only to the parties involved in a secure communication.
sensor(config-aaa-rad-pri)# shared-secret kkkk
sensor(config-aaa-rad-pri)#
Note
You must have the same secret value configured on both the RADIUS server and the IPS sensor so that the server can authenticate the requests of the client and the client can authenticate the responses of the server.
Step 7 (Optional) Enable a secondary RADIUS server to perform authentication in case the primary RADIUS server is not responsive:
a. Enter secondary server submode.
sensor(config-aaa-rad)# secondary-server enabled
sensor(config-aaa-rad-sec)#
b. Enter the IP address of the second RADIUS server.
sensor(config-aaa-rad-sec)# server-address 10.4.5.6
sensor(config-aaa-rad-sec)#
c. Enter the RADIUS server port. If not specified, the default RADIUS port is used.
sensor(config-aaa-rad-sec)# server-port 1812
sensor(config-aaa-rad-sec)#
d. Enter the amount of time in seconds you want to wait for the RADIUS server to respond.
sensor(config-aaa-rad-sec)# time-out 8
sensor(config-aaa-rad-sec)#
e. Enter the secret value you obtained for this RADIUS server. The shared secret is a piece of data known only to the parties involved in a secure communication.
sensor(config-aaa-rad-sec)# shared-secret yyyyy
sensor(config-aaa-rad-sec)#
Note
You must have the same secret value configured on both the RADIUS server and the IPS sensor so that the server can authenticate the requests of the client and the client can authenticate the responses of the server.
Step 8 Specify the type of console authentication. You can choose local, local and RADIUS, or RADIUS.
sensor(config-aaa-rad)# console-authentication radius-and-local
sensor(config-aaa-rad)#
Step 9 Verify the settings:
sensor(config-aaa-rad)# show settings
radius
-----------------------------------------------
   primary-server
   -----------------------------------------------
      server-address: 10.1.2.3
      server-port: 1812 <defaulted>
      shared-secret: kkkk
      timeout: 3 <defaulted>
   -----------------------------------------------
   secondary-server
   -----------------------------------------------
      enabled
      -----------------------------------------------
         server-address: 10.4.5.6
         server-port: 1816 default: 1812
         shared-secret: yyyyy
         timeout: 8 default: 3
      -----------------------------------------------
   -----------------------------------------------
   nas-id: cisco-ips default: cisco-ips
   local-fallback: enabled default: enabled
   console-authentication: radius-and-local <defaulted>
   default-user-role: operator default: unspecified
-----------------------------------------------
sensor(config-aaa-rad)#
Step 10 Exit AAA mode.
sensor(config-aaa-rad)# exit
sensor(config-aaa)# exit
Apply Changes:?[yes]:
Step 11 Press Enter to apply the changes or enter no to discard them.
For More Information
For the procedure for adding and removing users, see Adding and Removing Users, page 3-18.
For the procedure for configuring passwords, see Configuring Passwords, page 3-29.
For the procedure for specifying password requirements, see Configuring the Password Policy, page 3-32.
For detailed information on RADIUS and the service account, see The Service Account and RADIUS Authentication, page 3-29.

Configuring Packet Command Restriction

Use the permit-packet-logging command to restrict the use of packet capture-related commands—packet capture/display and IP logging—for local and AAA RADIUS users. The default is to permit packet capture/display and IP log commands. Local users with the correct permissions can use the packet capture/display and IP log commands. AAA RADIUS users with the correct av-pair can use the packet capture/display and IP log commands.
Note
IP log actions configured for signatures are not impacted by the packet command restriction feature.
When you modify the packet command restriction option, you receive the following warning:
Modified packet settings would take effect only for new sessions, existing sessions will continue with previous settings.
The following options apply:
permit-packet-logging true—Allows users to execute packet-related commands based on privilege level.
permit-packet-logging false—Restricts all users from executing any packet-related commands.
AAA RADIUS Users
AAA RADIUS users with the correct av-pair are authorized to execute packet capture/display and IP logging commands. RADIUS users with no av-pair value are restricted. The correct av-pair, permit-packet-logging=true, allows users to execute packet-related commands based on privilege level. This av-pair is in addition to the authentication role related av-pair:
ips-role=viewer
ips-role=operator
ips-role=administrator
ips-role=service
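Two passages on this page describe the same decision from different angles: RADIUS Authentication Options (default-user-role, the ips-role av-pair, local-fallback) and the AAA RADIUS Users paragraph above (the permit-packet-logging=true av-pair). The following Python is an added example, not the sensor's code, that models what the sensor does once a RADIUS answer arrives: it decodes [009\001] cisco-av-pair from Vendor-Specific attributes, applies default-user-role only when ips-role is absent, rejects an Access-Accept that still yields no usable role, grants packet commands only when both the sensor setting and the av-pair allow it, and falls back to local accounts only when no server responds, never on an Access-Reject. The SensorAaa and Decision types, the fake RADIUS servers and their users are constructed for the example; per-command privilege checks for local users are not modelled.

```python
"""Authorization the sensor performs after a RADIUS reply, modelled in Python.
Added example, not code from the Cisco IPS guide: attribute bytes, user names and
the fake servers are constructed; the rules are the ones the guide states."""
import struct
from dataclasses import dataclass, field
from typing import Callable

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AV_PAIR = 26, 9, 1  # [009\001] cisco-av-pair
ROLES = ("viewer", "operator", "administrator", "service")


def cisco_av_pair(value: str) -> bytes:
    """Encode one cisco-av-pair as a RADIUS Vendor-Specific attribute (constructed test data)."""
    inner = struct.pack("!BB", CISCO_AV_PAIR, len(value) + 2) + value.encode()
    body = struct.pack("!I", CISCO_VENDOR_ID) + inner
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def parse_av_pairs(attrs: bytes) -> dict:
    """Walk the Access-Accept attribute TLVs; return cisco-av-pairs as {key: value}."""
    pairs, i = {}, 0
    while i + 2 <= len(attrs):
        code, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        value = attrs[i + 2:i + length]
        if code == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AV_PAIR and vlen == len(value) - 4:
                key, _, val = value[6:].decode("ascii", "replace").partition("=")
                pairs[key] = val
        i += length
    return pairs


@dataclass
class SensorAaa:
    """The service aaa / service authentication settings that drive the decision."""
    default_user_role: str = "unspecified"  # unspecified | viewer | operator | administrator
    local_fallback: bool = True
    permit_packet_logging: bool = True
    local_users: dict = field(default_factory=dict)  # name -> (password, role)

    def __post_init__(self):
        if self.default_user_role == "service":
            raise ValueError("service cannot be the default user role")


@dataclass(frozen=True)
class Decision:
    authenticated: bool
    role: str = ""
    packet_commands: bool = False
    reason: str = ""


def authorize_accept(attrs: bytes, cfg: SensorAaa) -> Decision:
    """default-user-role applies only when the ips-role av-pair is absent; an Accept
    that still yields no usable role is rejected, as the guide's note says."""
    pairs = parse_av_pairs(attrs)
    role = pairs.get("ips-role", cfg.default_user_role)
    if role not in ROLES:
        return Decision(False, reason="Access-Accept without a usable ips-role")
    packet_ok = cfg.permit_packet_logging and pairs.get("permit-packet-logging") == "true"
    return Decision(True, role, packet_ok, "radius")


def login(user: str, password: str, cfg: SensorAaa,
          radius: Callable[[str, str], tuple]) -> Decision:
    """radius() returns (code, attrs) or raises TimeoutError when no server answers.
    local-fallback covers only that timeout, never an Access-Reject."""
    try:
        code, attrs = radius(user, password)
    except TimeoutError:
        if not cfg.local_fallback:
            return Decision(False, reason="RADIUS unreachable and local-fallback disabled")
        stored = cfg.local_users.get(user)
        if stored is None or stored[0] != password:
            return Decision(False, reason="local fallback: bad credentials")
        return Decision(True, stored[1], cfg.permit_packet_logging, "local fallback")
    if code != ACCESS_ACCEPT:
        return Decision(False, reason="RADIUS rejected the credentials")
    return authorize_accept(attrs, cfg)


# Constructed fake RADIUS server: user -> (password, av-pairs returned in the Accept)
FAKE_DB = {
    "jsmith": ("pw-jsmith", ["ips-role=operator", "permit-packet-logging=true"]),
    "norole": ("pw-norole", []),
}


def fake_radius(user: str, password: str) -> tuple:
    entry = FAKE_DB.get(user)
    if entry is None or entry[0] != password:
        return ACCESS_REJECT, b""
    return ACCESS_ACCEPT, b"".join(cisco_av_pair(p) for p in entry[1])


def dead_radius(user: str, password: str) -> tuple:
    raise TimeoutError("no RADIUS server responded")
```

The case worth testing on a real deployment is the Access-Reject path: with local-fallback enabled, a wrong RADIUS password for a user who also has a local account must still be rejected, because fallback is meant for server outages, not as a second password.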
Status Events
As part of the packet command restriction option, status events are triggered for the following actions:
When an administrator enables or disables the packet command restriction.
When an authorized user executes any of the restricted commands.
When an unauthorized user executes any of the restricted commands.
To permit or restrict the packet capture/display and IP log commands, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Enter authentication submode.
sensor# configure terminal
sensor(config)# service authentication
sensor(config-aut)#
Step 3 Allow AAA RADIUS users with the correct av-pair (permit-packet-logging=true) and local users with the correct privilege levels to execute all packet capture/display and IP log commands.
sensor(config-aut)# permit-packet-logging true
Note
Existing CLI sessions are not affected by the changes made in restriction settings.
Step 4 Check your new setting.
sensor(config-aut)# show settings
   attemptLimit: 0 <defaulted>
   password-strength
   -----------------------------------------------
      size: 8-64 <defaulted>
      digits-min: 0 <defaulted>
      uppercase-min: 0 <defaulted>
      lowercase-min: 0 <defaulted>
      other-min: 0 <defaulted>
      number-old-passwords: 0 <defaulted>
   -----------------------------------------------
   permit-packet-logging: true default: true
   cli-inactivity-timeout: 0 <defaulted>
sensor(config-aut)#
Step 5 Restrict all users from executing packet capture/display and IP log commands.
sensor(config-aut)# permit-packet-logging false
Step 6 Check your new setting.
sensor(config-aut)# show settings
   attemptLimit: 0 <defaulted>
   password-strength
   -----------------------------------------------
      size: 8-64 <defaulted>
      digits-min: 0 <defaulted>
      uppercase-min: 0 <defaulted>
      lowercase-min: 0 <defaulted>
      other-min: 0 <defaulted>
      number-old-passwords: 0 <defaulted>
   -----------------------------------------------
   permit-packet-logging: false default: true
   cli-inactivity-timeout: 0 <defaulted>
sensor(config-aut)#
Step 7 Exit authentication mode.
sensor(config-aut)# exit
Apply Changes:?[yes]:
Step 8 Press Enter to apply the changes or enter no to discard them.

Creating the Service Account

You can create a service account for TAC to use during troubleshooting. Although more than one user can have access to the sensor, only one user can have service privileges on a sensor. The service account is for support purposes only.
The root user password is synchronized to the service account password when the service account is created. To gain root access you must log in with the service account and switch to user root with the su - root command.
Caution
Do not make modifications to the sensor through the service account except under the direction of TAC. If you use the service account to configure the sensor, your configuration is not supported by TAC. Adding services to the operating system through the service account affects proper performance and functioning of the other IPS services. TAC does not support a sensor on which additional services have been added.
Caution
You should carefully consider whether you want to create a service account. The service account provides shell access to the system, which makes the system vulnerable. However, you can use the service account to create a password if the administrator password is lost. Analyze your situation to decide if you want a service account existing on the system.
Note
For IPS 5.0 and later, you can no longer remove the cisco account. You can disable it using the no password cisco command, but you cannot remove it. To use the no password cisco command, there must be another administrator account on the sensor. Removing the cisco account through the service account is not supported. If you remove the cisco account through the service account, the sensor most likely will not boot up, so to recover the sensor you must reinstall the sensor system image.
To create the service account, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter configuration mode.
sensor# configure terminal
Step 3 Specify the parameters for the service account. The username follows the pattern ^[A-Za-z0-9()+:,_/-]+$, which means the username must start with a letter or number, and can include any letter A to Z (capital or small), any number 0 to 9, - and _, and can contain 1 to 64 characters.
sensor(config)# username username privilege service
Step 4 Specify a password when prompted. A valid password is 8 to 32 characters long. All characters except space are allowed. If a service account already exists for this sensor, the following error is displayed and no service account is created.
Error: Only one service account may exist
Step 5 Exit configuration mode.
sensor(config)# exit
sensor#
When you use the service account to log in to the CLI, you receive this warning.
************************ WARNING ******************************************************* UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. This account is intended to be used for support and troubleshooting purposes only. Unauthorized modifications are not supported and will require this device to be reimaged to guarantee proper operation. ****************************************************************************************

The Service Account and RADIUS Authentication

If you are using RADIUS authentication and want to create and use a service account, you must create the service account both on your sensor and on the RADIUS server. You must use local authentication to access the service account on the sensor. The service account must be created manually as a local account on the sensor. Then when you configure RADIUS authentication, the service account must also be configured manually on the RADIUS server with the accept message set to ips-role=service.
When you log in to the service account, you are authenticated against both the sensor account and the RADIUS server account. By whatever method you use to access the service account—serial console port, direct monitor/keyboard (for sensors that support it), or a network connection, such as SSH or Telnet—you have to log in using local authentication.

RADIUS Authentication Functionality and Limitations

The current AAA RADIUS implementation has the following functionality and limitations:
Authentication with a RADIUS server—However, you cannot change the RADIUS password of a user from the IPS; RADIUS passwords are managed on the RADIUS server.
Authorization—You can perform role-based authorization by specifying the IPS role of the user on the RADIUS server.
Accounting—The login attempts of the user and the configuration changes are logged as events locally on the IPS. However, these account messages are not communicated to the RADIUS server.

Configuring Passwords

Use the password command to update the password on the local sensor. You can also use this command to change the password for an existing user or to reset the password for a locked account. A valid password is 8 to 32 characters long. All characters except space are allowed.
To change the password, follow these steps:
Step 1 To change the password for another user or reset the password for a locked account, follow these steps:
a. Log in to the CLI using an account with administrator privileges.
b. Enter configuration mode.
sensor# configure terminal
c. Change the password for a specific user. This example modifies the password for the user “tester.”
sensor(config)# password tester
Enter New Login Password: ******
Re-enter New Login Password: ******
Step 2 To change your password, follow these steps:
a. Log in to the CLI.
b. Enter configuration mode.
sensor# configure terminal
c. Change your password.
sensor(config)# password
Enter Old Login Password: ************
Enter New Login Password: ************
Re-enter New Login Password: ************
For More Information
For the procedures for recovering sensor passwords, see Recovering the Password, page 17-2.

Changing User Privilege Levels

Note
You cannot use the privilege command to give a user service privileges. If you want to give an existing user service privileges, you must remove that user and then use the username command to create the service account. There can only be one person with service privileges.
Use the privilege command to change the privilege level—administrator, operator, viewer—for a user.
To change the privilege level for a user, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Verify the current privilege of the user jsmith.
sensor# show users all
    CLI ID    User        Privilege
*   13491     cisco       administrator
              jsmith      viewer
              operator    operator
              service     service
              viewer      viewer
sensor#
Step 3 Change the privilege level from viewer to operator.
sensor# configure terminal
sensor(config)# privilege user jsmith operator
Warning: The privilege change does not apply to current CLI sessions. It will be applied to subsequent logins.
sensor(config)#
Step 4 Verify that the privilege of the user jsmith has been changed from viewer to operator.
sensor(config)# exit
sensor# show users all
    CLI ID    User        Privilege
*   13491     cisco       administrator
              jsmith      operator
              operator    operator
              service     service
              viewer      viewer
sensor#
Step 5 Display your current level of privilege.
sensor# show privilege
Current privilege level is administrator
For More Information
For the procedure for creating the service account, see Creating the Service Account, page 3-28.

Showing User Status

Note
All IPS platforms allow ten concurrent login sessions.
Use the show users command to view information about the username and privilege of all users logged in to the sensor, and all user accounts on the sensor regardless of login status. An asterisk (*) indicates the current user. If an account is locked, the username is surrounded by parentheses. A locked account means that the user failed to enter the correct password after the configured attempts.
To show user information, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Verify the users logged in to the sensor.
sensor# show users
    CLI ID    User        Privilege
*   13491     cisco       administrator
sensor#
Step 3 Verify all users. The account of the user jsmith is locked.
sensor# show users all
    CLI ID    User        Privilege
*   13491     cisco       administrator
    5824      (jsmith)    viewer
    9802      tester      operator
sensor#
Step 4 To unlock the account of jsmith, reset the password.
sensor# configure terminal
sensor(config)# password jsmith
Enter New Login Password: ******
Re-enter New Login Password: ******

Configuring the Password Policy

As sensor administrator, you can configure how passwords are created. All user-created passwords must conform to the policy that you set up. You can set login attempts and the size and minimum characters requirements for a password. The minimum password length is eight characters. If you forget your password, there are various ways to recover the password depending on your sensor platform.
Caution
If the password policy includes minimum numbers of character sets, such as upper case or number characters, the sum of the minimum number of required character sets cannot exceed the minimum password size. For example, you cannot set a minimum password size of eight and also require that passwords must contain at least five lowercase and five uppercase characters.
Example
For example, you can set a policy where passwords must have at least 10 characters and no more than 40, and must have a minimum of 2 upper case and 2 numeric characters. Once that policy is set, every password configured for each user account must conform to this password policy.
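A check against that example policy, written in Python as an added example and not the sensor's own code: it enforces the Caution above when the policy is defined (the character-set minimums must fit within the minimum size) and reports every requirement a candidate password misses. The PasswordPolicy type, its field names and the sample passwords are constructed; the rules it applies are the size range and the digits-min, uppercase-min, lowercase-min and other-min settings of the password-strength submode described in the procedure that follows.

```python
"""Password-policy check mirroring the password-strength settings (size, digits-min,
uppercase-min, lowercase-min, other-min). Added example, not code from the Cisco IPS
guide; the sensor's own enforcement is not visible, so this models the stated rules."""
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    size_min: int = 8      # the guide's default size setting is 8-64
    size_max: int = 64
    digits_min: int = 0
    uppercase_min: int = 0
    lowercase_min: int = 0
    other_min: int = 0     # nonalphanumeric printable characters

    def __post_init__(self):
        """The Caution: required character-set minimums must fit inside size_min."""
        if self.size_min < 8:
            raise ValueError("minimum password length is eight characters")
        if not self.size_min <= self.size_max <= 64:
            raise ValueError("size range must lie within 8-64 and max >= min")
        required = self.digits_min + self.uppercase_min + self.lowercase_min + self.other_min
        if required > self.size_min:
            raise ValueError(
                f"character-set minimums ({required}) exceed minimum size ({self.size_min})")


def check_password(password: str, policy: PasswordPolicy) -> list:
    """Return the list of violations; an empty list means the password is acceptable."""
    problems = []
    if " " in password:
        problems.append("spaces are not allowed")
    if not policy.size_min <= len(password) <= policy.size_max:
        problems.append(f"length {len(password)} outside {policy.size_min}-{policy.size_max}")
    counts = {
        "digit": sum(c in string.digits for c in password),
        "uppercase": sum(c in string.ascii_uppercase for c in password),
        "lowercase": sum(c in string.ascii_lowercase for c in password),
        "other": sum(c in string.punctuation for c in password),
    }
    minimums = {
        "digit": policy.digits_min,
        "uppercase": policy.uppercase_min,
        "lowercase": policy.lowercase_min,
        "other": policy.other_min,
    }
    for name, need in minimums.items():
        if counts[name] < need:
            problems.append(f"needs at least {need} {name} characters, has {counts[name]}")
    return problems


# The policy from the Example paragraph: 10 to 40 characters, at least 2 uppercase and 2 digits.
EXAMPLE_POLICY = PasswordPolicy(size_min=10, size_max=40, digits_min=2, uppercase_min=2)
```

One thing to watch when translating this to the sensor: the password command on this page accepts 8 to 32 characters, while the password-strength size setting defaults to 8-64, so a policy that allows passwords longer than 32 characters is only as permissive as the command lets it be.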
To set up a password policy, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Enter password strength authentication submode.
sensor# configure terminal
sensor(config)# service authentication
sensor(config-aut)# password-strength
Step 3 Set the minimum number of numeric digits that must be in a password. The range is 0 to 64.
sensor(config-aut-pas)# digits-min 6
Step 4 Set the minimum number of nonalphanumeric printable characters that must be in a password. The range is 0 to 64.
sensor(config-aut-pas)# other-min 3
Step 5 Set the minimum number of uppercase alphabet characters that must be in a password. The range is 0 to 64.
sensor(config-aut-pas)# uppercase-min 3
Step 6 Set the minimum number of lowercase alphabet characters that must be in a password.
sensor(config-aut-pas)# lowercase-min 3