Cisco Intrusion Prevention System
Appliance and Module Installation Guide
for IPS 7.1
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-24002-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant
to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial
environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause
harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required
to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant
to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates,
uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.
However, there is no guarantee that interference will not occur in a particular installation. If the equipment causes interference to radio or television reception, which can be
determined by turning the equipment off and on, users are encouraged to try to correct the interference by using one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and receiver.
• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
• Consult the dealer or an experienced radio/TV technician for help.
Modifications to this product not authorized by Cisco could void the FCC approval and negate your authority to operate the product.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this
URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the
document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Contents

About This Guide
    Obtaining Documentation and Submitting a Service Request

Chapter 1  Introducing the Sensor
    How the Sensor Functions
        Capturing Network Traffic
        Your Network Topology
        Correctly Deploying the Sensor
        Tuning the IPS
        Sensor Interfaces
            Understanding Sensor Interfaces
            Command and Control Interface
            Sensing Interfaces
            Interface Support
            TCP Reset Interfaces
            Interface Restrictions
        Interface Modes
            Promiscuous Mode
                IPv6, Switches, and Lack of VACL Capture
            Inline Interface Pair Mode
            Inline VLAN Pair Mode
            VLAN Group Mode
                Deploying VLAN Groups
    Supported Sensors
    IPS Appliances
        Introducing the IPS Appliance
        Appliance Restrictions
        Connecting an Appliance to a Terminal Server
    Time Sources and the Sensor
        The Sensor and Time Sources
        Synchronizing IPS Module System Clocks with the Parent Device System Clock
        Verifying the Sensor is Synchronized with the NTP Server
        Correcting the Time on the Sensor

Chapter 2  Preparing the Appliance for Installation
    Installation Preparation
    Safety Recommendations
        Safety Guidelines
        Electricity Safety Guidelines
        Preventing Electrostatic Discharge Damage
        Working in an ESD Environment
    General Site Requirements
        Site Environment
        Preventive Site Configuration
        Power Supply Considerations
        Configuring Equipment Racks

Chapter 3  Installing the IPS 4240 and IPS 4255
    Installation Notes and Caveats
    Product Overview
    Front and Back Panel Features
    Specifications
    Connecting the IPS 4240 to a Cisco 7200 Series Router
    Accessories
    Rack Mounting
    Installing the IPS 4240 and IPS 4255
    Installing the IPS 4240-DC

Chapter 4  Installing the IPS 4260
    Installation Notes and Caveats
    Product Overview
    Supported Interface Cards
    Hardware Bypass
        4GE Bypass Interface Card
        Hardware Bypass Configuration Restrictions
        Hardware Bypass and Link Changes and Drops
    Front and Back Panel Features
    Specifications
    Accessories
    Rack Mounting
        Installing the IPS 4260 in a 4-Post Rack
        Installing the IPS 4260 in a 2-Post Rack
    Installing the IPS 4260
    Removing and Replacing the Chassis Cover
    Installing and Removing Interface Cards
    Installing and Removing the Power Supply

Chapter 5  Installing the IPS 4270-20
    Installation Notes and Caveats
    Product Overview
    Supported Interface Cards
    Hardware Bypass
        4GE Bypass Interface Card
        Hardware Bypass Configuration Restrictions
        Hardware Bypass and Link Changes and Drops
    Front and Back Panel Features
    Diagnostic Panel
    Specifications
    Accessories
    Installing the Rail System Kit
        Understanding the Rail System Kit
        Rail System Kit Contents
        Space and Airflow Requirements
        Installing the IPS 4270-20 in the Rack
        Extending the IPS 4270-20 from the Rack
        Installing the Cable Management Arm
        Converting the Cable Management Arm
    Installing the IPS 4270-20
    Removing and Replacing the Chassis Cover
    Accessing the Diagnostic Panel
    Installing and Removing Interface Cards
    Installing and Removing the Power Supply
    Installing and Removing Fans
    Troubleshooting Loose Connections

Chapter 6  Installing the IPS 4345 and IPS 4360
    Installation Notes and Caveats
    Product Overview
    Specifications
    Accessories
    Front and Back Panel Features
    Rack Mount Installation
        Rack-Mounting Guidelines
        Installing the IPS 4345 in a Rack
        Mounting the IPS 4345 and IPS 4360 in a Rack with the Slide Rail Mounting System
    Installing the Appliance on the Network
    Removing and Installing the Power Supply
        Understanding the Power Supplies
        Removing and Installing the AC Power Supply
        Installing DC Input Power
        Removing and Installing the DC Power Supply

Chapter 7  Installing the IPS 4510 and IPS 4520
    Installation Notes and Caveats
    Product Overview
    Front and Back Panel Features
    Specifications
    Accessories
    Memory Configurations
    Power Supply Module Requirements
    Supported SFP/SFP+ Modules
    Installing the IPS 4510 and IPS 4520
    Removing and Installing the Core IPS SSP
    Removing and Installing the Power Supply Module
    Removing and Installing the Fan Module
    Installing the Slide Rail Kit Hardware
        Installing and Removing the Slide Rail Kit
        Package Contents
        Installing the Chassis in the Rack
        Removing the Chassis from the Rack
    Rack-Mounting the Chassis Using the Fixed Rack Mount
    Installing the Cable Management Brackets
    Troubleshooting Loose Connections
    IPS 4500 Series Sensors and the SwitchApp

Chapter 8  Installing and Removing the ASA 5500 AIP SSM
    Installation Notes and Caveats
    Product Overview
    Specifications
    Memory Specifications
    Hardware and Software Requirements
    Indicators
    Installation and Removal Instructions
        Installing the ASA 5500 AIP SSM
        Verifying the Status of the ASA 5500 AIP SSM
        Removing the ASA 5500 AIP SSM

Chapter 9  Installing and Removing the ASA 5585-X IPS SSP
    Installation Notes and Caveats
    Introducing the ASA 5585-X IPS SSP
    Specifications
    Hardware and Software Requirements
    Front Panel Features
    Memory Requirements
    SFP/SFP+ Modules
    Installing the ASA 5585-X IPS SSP
    Installing SFP/SFP+ Modules
    Verifying the Status of the ASA 5585-X IPS SSP
    Removing and Replacing the ASA 5585-X IPS SSP

Appendix A  Logging In to the Sensor
    Supported User Roles
    Logging In to the Appliance
    Connecting an Appliance to a Terminal Server
    Logging In to the ASA 5500 AIP SSP
    Logging In to the ASA 5500-X IPS SSP
    Logging In to the ASA 5585-X IPS SSP

Appendix B  Initializing the Sensor
    Understanding Initialization
    Simplified Setup Mode
    System Configuration Dialog
    Basic Sensor Setup
    Advanced Setup
        Advanced Setup for the Appliance
        Advanced Setup for the ASA 5500 AIP SSM
        Advanced Setup for the ASA 5500-X IPS SSP
        Advanced Setup for the ASA 5585-X IPS SSP
    Verifying Initialization

Appendix C  Obtaining Software
    Obtaining Cisco IPS Software
    IPS 7.1 Files
    IPS Software Versioning
    IPS Software Release Examples
    Accessing IPS Documentation
    Cisco Security Intelligence Operations
    Obtaining a License Key From Cisco.com
        Understanding Licensing
        Service Programs for IPS Products
        Obtaining and Installing the License Key Using the IDM or the IME
        Obtaining and Installing the License Key Using the CLI
        Obtaining a License for the IPS 4270-20
        Licensing the ASA 5500-X IPS SSP
        Uninstalling the License Key

Appendix D  Upgrading, Downgrading, and Installing System Images
    System Image Notes and Caveats
    Upgrades, Downgrades, and System Images
    Supported FTP and HTTP/HTTPS Servers
    Upgrading the Sensor
        IPS 7.1 Upgrade Files
        Upgrade Notes and Caveats
        Manually Upgrading the Sensor
        Upgrading the Recovery Partition
    Configuring Automatic Upgrades
        Understanding Automatic Upgrades
        Automatically Upgrading the Sensor
    Downgrading the Sensor
    Recovering the Application Partition
    Installing System Images
        ROMMON
        TFTP Servers
        Connecting an Appliance to a Terminal Server
        Installing the IPS 4270-20 System Image
        Installing the IPS 4345 and IPS 4360 System Images
        Installing the IPS 4510 and IPS 4520 System Image
        Installing the ASA 5500-X IPS SSP System Image
        Installing the ASA 5585-X IPS SSP System Image
            Installing the ASA 5585-X IPS SSP System Image Using the hw-module Command
            Installing the ASA 5585-X IPS SSP System Image Using ROMMON

Appendix E  Troubleshooting
    Preventive Maintenance
        Understanding Preventive Maintenance
        Creating and Using a Backup Configuration File
        Backing Up and Restoring the Configuration File Using a Remote Server
        Creating the Service Account
    Disaster Recovery
    Recovering the Password
        Understanding Password Recovery
        Recovering the Password for the Appliance
            Using the GRUB Menu
            Using ROMMON
        Recovering the ASA 5500-X IPS SSP Password
        Recovering the ASA 5585-X IPS SSP Password
        Disabling Password Recovery
        Verifying the State of Password Recovery
        Troubleshooting Password Recovery
    Time Sources and the Sensor
        Synchronizing IPS Module Clocks with Parent Device Clocks
        Verifying the Sensor is Synchronized with the NTP Server
        Correcting Time on the Sensor
    Advantages and Restrictions of Virtualization
    Supported MIBs
    When to Disable Anomaly Detection
    Troubleshooting Global Correlation
    Analysis Engine Not Responding
    Troubleshooting External Product Interfaces
        External Product Interfaces Issues
        External Product Interfaces Troubleshooting Tips
    Troubleshooting the Appliance
        The Appliance and Jumbo Packet Frame Size
        Hardware Bypass and Link Changes and Drops
        Troubleshooting Loose Connections
        Analysis Engine is Busy
        Communication Problems
            Cannot Access the Sensor CLI Through Telnet or SSH
            Correcting a Misconfigured Access List
            Duplicate IP Address Shuts Interface Down
        The SensorApp and Alerting
            The SensorApp Is Not Running
            Physical Connectivity, SPAN, or VACL Port Issue
            Unable to See Alerts
            Sensor Not Seeing Packets
            Cleaning Up a Corrupted SensorApp Configuration
        Blocking
            Troubleshooting Blocking
            Verifying ARC is Running
            Verifying ARC Connections are Active
            Device Access Issues
            Verifying the Interfaces and Directions on the Network Device
            Blocking Not Occurring for a Signature
            Verifying the Master Blocking Sensor Configuration
            TCP Reset Not Occurring for a Signature
        Logging
            Enabling Debug Logging
            Zone Names
            Directing cidLog Messages to SysLog
        Software Upgrades
            Upgrading and Analysis Engine
            Which Updates to Apply and Their Prerequisites
            Issues With Automatic Update
            Updating a Sensor with the Update Stored on the Sensor
        The IDM, Remote Manager, or Sensing Interfaces Cannot Access the Sensor
        Signatures Not Producing Alerts
    Troubleshooting the IME
        Time Synchronization on the IME and the Sensor
        Not Supported Error Message
    Troubleshooting the ASA 5500 AIP SSM
        Health and Status Information
        Failover Scenarios
        The ASA 5500 AIP SSM and the Normalizer Engine
        The ASA 5500 AIP SSM and the Data Plane
        The ASA 5500 AIP SSM and Jumbo Packet Frame Size
        The ASA 5500 AIP SSM and Jumbo Packets
        TCP Reset Differences Between IPS Appliances and ASA IPS Modules
    Troubleshooting the ASA 5500-X IPS SSP
        Failover Scenarios
        Health and Status Information
        The ASA 5500-X IPS SSP and the Normalizer Engine
        The ASA 5500-X IPS SSP and Memory Usage
        The ASA 5500-X IPS SSP and Jumbo Packet Frame Size
        The ASA 5500-X IPS SSP and Jumbo Packets
        TCP Reset Differences Between IPS Appliances and ASA IPS Modules
    Troubleshooting the ASA 5585-X IPS SSP
        Failover Scenarios
        Traffic Flow Stopped on IPS Switchports
        Health and Status Information
        The ASA 5585-X IPS SSP and the Normalizer Engine
        The ASA 5585-X IPS SSP and Jumbo Packet Frame Size
        The ASA 5585-X IPS SSP and Jumbo Packets
    Gathering Information
        Health and Network Security Information
        Tech Support Information
            Understanding the show tech-support Command
            Displaying Tech Support Information
            Tech Support Command Output
        Version Information
            Understanding the show version Command
            Displaying Version Information
        Statistics Information
            Understanding the show statistics Command
            Displaying Statistics
        Interfaces Information
            Understanding the show interfaces Command
            Interfaces Command Output
        Events Information
            Sensor Events
            Understanding the show events Command
            Displaying Events
            Clearing Events
        cidDump Script
        Uploading and Accessing Files on the Cisco FTP Site

Appendix F  Cable Pinouts
    10/100BaseT and 10/100/1000BaseT Connectors
    Console Port (RJ-45)
    RJ-45 to DB-9 or DB-25

Glossary

Index
About This Guide
Published: March 31, 2010
Revised: May 6, 2013, OL-24002-01
This guide describes how to install appliances and modules that support Cisco IPS 7.1. It includes a glossary that contains expanded acronyms and pertinent IPS terms. It is part of the documentation set for Cisco Intrusion Prevention System 7.1. Use this guide in conjunction with the documents listed in Related Documentation, page xviii.
This preface contains the following topics:
• Audience, page xv
• Comply with Local and National Electrical Codes, page xvi
• Organization, page xvii
• Conventions, page xviii
• Related Documentation, page xviii
• Obtaining Documentation and Submitting a Service Request, page xix
Audience
This guide is for experienced network security administrators who install and maintain Cisco IPS sensors, including the supported IPS appliances and modules.
Comply with Local and National Electrical Codes
Warning
Installation of the equipment must comply with local and national electrical codes. Statement 1074
Organization
This guide includes the following sections:

Section  Title                                                  Description
1        “Introducing the Sensor”                               Describes IPS appliances and modules.
2        “Preparing the Appliance for Installation”             Describes how to prepare to install appliances.
3        “Installing the IPS 4270-20”                           Describes how to install the IPS 4270-20.
4        “Installing the IPS 4345 and IPS 4360”                 Describes how to install the IPS 4345 and the IPS 4360.
5        “Installing the IPS 4510 and IPS 4520”                 Describes how to install the IPS 4510 and the IPS 4520.
6        “Installing and Removing the ASA 5585-X IPS SSP”       Describes how to install the ASA 5585-X IPS SSP.
A        “Logging In to the Sensor”                             Describes how to log in to the various sensors.
B        “Initializing the Sensor”                              Describes how to use the setup command to initialize sensors.
C        “Obtaining Software”                                   Describes where to go to get the latest IPS software and describes the naming conventions.
D        “Upgrading, Downgrading, and Installing System Images” Describes how to upgrade sensors and reimage the various sensors.
E        “Troubleshooting”                                      Contains troubleshooting tips for IPS hardware and software.
F        “Cable Pinouts”                                        Describes the appliance cable pinouts.
         “Glossary”                                             Contains IPS acronyms and terms.
Conventions
This document uses the following conventions:

Convention     Indication
bold font      Commands and keywords and user-entered text appear in bold font.
italic font    Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.
[ ]            Elements in square brackets are optional.
{x | y | z}    Required alternative keywords are grouped in braces and separated by vertical bars.
[ x | y | z ]  Optional alternative keywords are grouped in brackets and separated by vertical bars.
string         A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
courier font   Terminal sessions and information the system displays appear in courier font.
< >            Nonprinting characters such as passwords are in angle brackets.
[ ]            Default responses to system prompts are in square brackets.
!, #           An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.

Note       Means reader take note.
Tip        Means the following information will help you solve a problem.
Caution    Means reader be careful. In this situation, you might perform an action that could result in equipment damage or loss of data.
Timesaver  Means the described action saves time. You can save time by performing the action described in the paragraph.
Warning    Means reader be warned. In this situation, you might perform an action that could result in bodily injury.
Related Documentation
For a complete list of the Cisco IPS 7.1 documentation and where to find it, refer to the following URL:
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional
information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and
revised Cisco technical documentation, at:
Subscribe to the What’s New in Cisco Product Documentation as an RSS feed and set content to be
delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently
supports RSS Version 2.0.
CHAPTER 1
Introducing the Sensor
This chapter introduces the sensor and provides information you should know before you install the
sensor. In this guide, the term sensor refers to all models unless noted otherwise. For a complete list of
supported sensors and their model numbers, see Supported Sensors, page 1-19.
This chapter contains the following sections:
• How the Sensor Functions, page 1-1
• Supported Sensors, page 1-19
• IPS Appliances, page 1-20
• Time Sources and the Sensor, page 1-23
How the Sensor Functions
This section describes how the sensor functions, and contains the following topics:
• Capturing Network Traffic, page 1-1
• Your Network Topology, page 1-3
• Correctly Deploying the Sensor, page 1-3
• Tuning the IPS, page 1-3
• Sensor Interfaces, page 1-4
• Interface Modes, page 1-14
Capturing Network Traffic
The sensor can operate in either promiscuous or inline mode. Figure 1-1 on page 1-2 shows how you can
deploy a combination of sensors operating in both inline (IPS) and promiscuous (IDS) modes to protect
your network.
[Figure 1-1 Comprehensive Deployment Solutions: a sensor deployed in IDS mode on the public services segment; sensors deployed in IPS mode at the campus core and on the service provider, partner, or branch office network links; a sensor deployed in hybrid mode to deliver IDS services outside the router and IPS services inside the firewall; and multiple IPS sensors delivering a highly scalable, load-balanced solution via Cisco EtherChannel technology on Cisco Catalyst switches.]
The command and control interface is always Ethernet. This interface has an assigned IP address, which
allows it to communicate with the manager workstation or network devices (Cisco switches, routers, and
firewalls). Because this interface is visible on the network, you should use encryption to maintain data
privacy. SSH is used to protect the CLI and TLS/SSL is used to protect the manager workstation. SSH
and TLS/SSL are enabled by default on the manager workstations.
When responding to attacks, the sensor can do the following:
• Insert TCP resets via the sensing interface.
  Note
  You should select the TCP reset action only on signatures associated with a TCP-based service. If selected as an action on non-TCP-based services, no action is taken. Additionally, TCP resets are not guaranteed to tear down an offending session because of limitations in the TCP protocol.
• Make ACL changes on switches, routers, and firewalls that the sensor manages.
  Note
  ACLs may block only future traffic, not current traffic.
• Generate IP session logs, session replay, and trigger packets display.
  IP session logs are used to gather information about unauthorized use. IP log files are written when events occur that you have configured the appliance to look for.
• Implement multiple packet drop actions to stop worms and viruses.
Your Network Topology
Before you deploy and configure your sensors, you should understand the following about your network:
• The size and complexity of your network.
• Connections between your network and other networks (and the Internet).
• The amount and type of network traffic on your network.
This knowledge will help you determine how many sensors are required, the hardware configuration for each sensor (for example, the size and type of network interface cards), and how many managers are needed.
Correctly Deploying the Sensor
You should always position the IPS sensor behind a perimeter-filtering device, such as a firewall or adaptive security appliance. The perimeter device filters traffic to match your security policy, allowing only acceptable traffic into your network. Correct placement significantly reduces the number of alerts, which increases the amount of actionable data you can use to investigate security violations. If you position the IPS sensor on the edge of your network in front of a firewall, your sensor will produce alerts on every single scan and attempted attack even if they have no significance to your network implementation. You will receive hundreds, thousands, or even millions of alerts (in a large enterprise environment) that are not really critical or actionable in your environment. Analyzing this type of data is time consuming and costly.
Tuning the IPS
Tuning the IPS ensures that the alerts you see reflect true actionable information. Without tuning the IPS,
it is difficult to do security research or forensics on your network because you will have thousands of
benign events, also known as false positives. False positives are a by-product of all IPS devices, but they
occur much less frequently in Cisco IPS devices since Cisco IPS devices are stateful, normalized, and
use vulnerability signatures for attack evaluation. Cisco IPS devices also provide risk rating, which
identifies high risk events, and policy-based management, which lets you deploy rules to enforce IPS
signature actions based on risk rating.
Follow these tips when tuning your IPS sensors:
• Place your sensor on your network behind a perimeter-filtering device. Proper sensor placement can reduce the number of alerts you need to examine by several thousand a day.
• Deploy the sensor with the default signatures in place. The default signature set provides you with a very high security protection posture. The Cisco signature team has spent many hours on testing the defaults to give your sensor the highest protection. If you think that you have lost these defaults, you can restore them.
• Make sure that the event action override is set to drop packets with a risk rating greater than 90. This is the default and ensures that high risk alerts are stopped immediately.
• Filter out known false positives caused by specialized software, such as vulnerability scanners and load balancers, by one of the following methods:
  – You can configure the sensor to ignore the alerts from the IP addresses of the scanner and load balancer.
  – You can configure the sensor to allow these alerts and then use the IME to filter out the false positives.
• Filter the Informational alerts. These low-priority event notifications could indicate that another device is doing reconnaissance on a device protected by the IPS. Research the source IP addresses from these Informational alerts to determine what the source is.
• Analyze the remaining actionable alerts:
  – Research the alert.
  – Fix the attack source.
  – Fix the destination host.
  – Modify the IPS policy to provide more information.
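The tuning steps above, applied in order to a batch of alerts, as an added example that is not part of this guide or of Cisco IPS software: the event action override fires on risk rating greater than 90, alerts from a known scanner and a load-balancer subnet are suppressed, Informational alerts are set aside with their source addresses listed for research, and the remainder is left as actionable. The alert records, addresses, signature numbers and the "drop-packet" action label are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Sources known to raise benign alerts (constructed values): a vulnerability
# scanner host and a small load-balancer subnet, as in the tuning tips.
KNOWN_BENIGN_SOURCES = [ip_network("10.0.5.10/32"), ip_network("10.0.9.0/29")]


@dataclass
class Alert:
    sig_id: int
    name: str
    severity: str      # "informational", "low", "medium" or "high"
    risk_rating: int   # 0-100, as reported by the sensor
    src: str
    dst: str
    actions: list = field(default_factory=list)


def apply_event_action_override(alert, threshold=90):
    """Event action override: add the drop action when the risk rating is
    greater than the threshold (90, the default the guide recommends).
    Returns True when the override fired."""
    if alert.risk_rating > threshold:
        if "drop-packet" not in alert.actions:   # label for the example, not a product action name
            alert.actions.append("drop-packet")
        return True
    return False


def is_known_benign_source(alert, sources=KNOWN_BENIGN_SOURCES):
    """True when the alert source is a known scanner or load balancer."""
    src = ip_address(alert.src)
    return any(src in net for net in sources)


def triage(alerts, threshold=90, sources=KNOWN_BENIGN_SOURCES):
    """Sort alerts into the buckets the tips describe, in this order:
    1. high-risk alerts are dropped by the override (and still reported),
    2. alerts from known benign sources are suppressed,
    3. Informational alerts are set aside for source research,
    4. everything else is actionable and gets the analysis steps."""
    buckets = {"dropped": [], "suppressed": [], "informational": [], "actionable": []}
    for alert in alerts:
        if apply_event_action_override(alert, threshold):
            buckets["dropped"].append(alert)
        elif is_known_benign_source(alert, sources):
            buckets["suppressed"].append(alert)
        elif alert.severity == "informational":
            buckets["informational"].append(alert)
        else:
            buckets["actionable"].append(alert)
    return buckets


def informational_sources(buckets):
    """Distinct source addresses behind the Informational alerts; these are
    the addresses to research for reconnaissance against protected hosts."""
    return sorted({a.src for a in buckets["informational"]})


# Constructed sample alerts (signature ids, names and ratings are illustrative).
SAMPLE_ALERTS = [
    Alert(2004, "ICMP Echo Request", "informational", 25, "192.0.2.7", "10.0.1.20"),
    Alert(3030, "TCP SYN Host Sweep", "low", 40, "10.0.5.10", "10.0.1.30"),
    Alert(5081, "WWW cmd.exe Access", "high", 95, "198.51.100.9", "10.0.1.80"),
    Alert(1330, "TCP Segment Overwrite", "medium", 70, "203.0.113.4", "10.0.1.22"),
    Alert(2004, "ICMP Echo Request", "informational", 25, "10.0.9.3", "10.0.1.20"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    for bucket, alerts in result.items():
        print(f"{bucket}: {[a.sig_id for a in alerts]}")
    print("research these sources:", informational_sources(result))
```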
For More Information
• For a detailed description of risk rating, refer to Calculating the Risk Rating.
• For information on Cisco signatures, for the IDM and IME refer to Defining Signatures, and for the CLI refer to Defining Signatures.
• For detailed information on event action overrides, for the IDM and IME refer to Configuring Event Action Overrides, and for the CLI, refer to Configuring Event Action Overrides.
Sensor Interfaces
This section describes the sensor interfaces, and contains the following topics:
• Understanding Sensor Interfaces, page 1-4
• Command and Control Interface, page 1-5
• Sensing Interfaces, page 1-6
• Interface Support, page 1-6
• TCP Reset Interfaces, page 1-11
• Interface Restrictions, page 1-12
Understanding Sensor Interfaces
The sensor interfaces are named according to the maximum speed and physical location of the interface.
The physical location consists of a port number and a slot number. All interfaces that are built in on the
sensor motherboard are in slot 0, and the interface card expansion slots are numbered beginning with
slot 1 for the bottom slot, with the slot numbers increasing from bottom to top (except for the
IPS 4270-20, where the ports are numbered from top to bottom). Each physical interface can be divided
into VLAN group subinterfaces, each of which consists of a group of VLANs on that interface.
There are three interface roles:
• Command and control
• Sensing
• Alternate TCP reset
There are restrictions on which roles you can assign to specific interfaces and some interfaces have
multiple roles. You can configure any sensing interface to any other sensing interface as its TCP reset
interface. The TCP reset interface can also serve as an IDS (promiscuous) sensing interface at the same
time. The following restrictions apply:
• The TCP reset interface that is assigned to a sensing interface has no effect in inline interface or
  inline VLAN pair mode, because TCP resets are always sent on the sensing interfaces in those
  modes.
• There is only one sensing interface on the ASA IPS modules (ASA 5500 AIP SSM,
  ASA 5500-X IPS SSP and ASA 5585-X IPS SSP), so you cannot designate an alternate TCP reset
  interface.
• On the IPS 4510 and IPS 4520, no interface-related configurations are allowed when the SensorApp
  is down.
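The interface-role restrictions above, as an added example that is not part of the guide and not Cisco code: a check of a proposed alternate TCP reset assignment against those rules before it is pushed to a sensor. The command and control mapping is taken from Table 1-1 of this chapter; the function name, mode names and the interface names used in the sample calls are assumptions.

```python
import re

# Interface names are <type> <slot>/<port>; slot 0 is the motherboard.
NAME_RE = re.compile(r"^(Management|GigabitEthernet|TenGigabitEthernet) (\d+)/(\d+)$")

# Command and control interface per model (subset of Table 1-1); fixed per model.
COMMAND_AND_CONTROL = {
    "ASA 5500 AIP SSM-10": "GigabitEthernet 0/0",
    "ASA 5585-X IPS SSP-10": "Management 0/0",
    "IPS 4240": "Management 0/0",
    "IPS 4510": "Management 0/0",
}
# ASA IPS modules have a single sensing interface, so no alternate TCP reset.
SINGLE_SENSING_MODELS = {"ASA 5500 AIP SSM-10", "ASA 5585-X IPS SSP-10"}
INLINE_MODES = {"inline-interface-pair", "inline-vlan-pair"}   # assumed mode labels


def parse_interface(name):
    """Split 'GigabitEthernet 0/2' into (type, slot, port)."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised interface name: {name!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def check_tcp_reset_assignment(model, sensing, mode, reset, sensorapp_up=True):
    """Return (errors, warnings) for making `reset` the alternate TCP reset
    interface of sensing interface `sensing`, which runs in `mode`."""
    errors, warnings = [], []
    for iface in (sensing, reset):
        parse_interface(iface)                      # rejects malformed names
    cc = COMMAND_AND_CONTROL[model]
    if cc in (sensing, reset):
        errors.append("command and control interface cannot be a sensing or TCP reset interface")
    if model in SINGLE_SENSING_MODELS:
        errors.append("only one sensing interface on this module; no alternate TCP reset")
    if sensing == reset:
        errors.append("TCP reset interface must be a different sensing interface")
    if model in ("IPS 4510", "IPS 4520") and not sensorapp_up:
        errors.append("no interface configuration allowed while SensorApp is down")
    if mode in INLINE_MODES:
        warnings.append("alternate TCP reset has no effect in inline modes; resets use the sensing interfaces")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample: promiscuous sensing interface with a separate reset interface.
    print(check_tcp_reset_assignment("IPS 4240", "GigabitEthernet 0/1", "promiscuous", "GigabitEthernet 0/2"))
```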
Command and Control Interface
The command and control interface has an IP address and is used for configuring the sensor. It receives
security and status events from the sensor and queries the sensor for statistics. The command and control
interface is permanently enabled. It is permanently mapped to a specific physical interface, which
depends on the specific model of sensor. You cannot use the command and control interface as either a
sensing or alternate TCP reset interface.
Table 1-1 lists the command and control interfaces for each sensor.
Table 1-1 Command and Control Interfaces

Sensor                       Command and Control Interface
ASA 5500 AIP SSM-10          GigabitEthernet 0/0
ASA 5500 AIP SSM-20          GigabitEthernet 0/0
ASA 5500 AIP SSM-40          GigabitEthernet 0/0
ASA 5512-X IPS SSP           Management 0/0
ASA 5515-X IPS SSP           Management 0/0
ASA 5525-X IPS SSP           Management 0/0
ASA 5545-X IPS SSP           Management 0/0
ASA 5555-X IPS SSP           Management 0/0
ASA 5585-X IPS SSP-10        Management 0/0
ASA 5585-X IPS SSP-20        Management 0/0
ASA 5585-X IPS SSP-40        Management 0/0
ASA 5585-X IPS SSP-60        Management 0/0
IPS 4240                     Management 0/0
IPS 4255                     Management 0/0
IPS 4260                     Management 0/0
IPS 4270-20                  Management 0/0
IPS 4345                     Management 0/0
IPS 4360                     Management 0/0
IPS 4510 (1)                 Management 0/0
IPS 4520 (1)                 Management 0/0

1. The 4500 series sensors have two management ports, Management 0/0 and
Management 0/1, but Management 0/1 is reserved for future use.
Sensing Interfaces
Sensing interfaces are used by the sensor to analyze traffic for security violations. A sensor has one or
more sensing interfaces depending on the sensor. Sensing interfaces can operate individually in
promiscuous mode or you can pair them to create inline interfaces.
Note
On appliances, all sensing interfaces are disabled by default. You must enable them to use them. On
modules, the sensing interfaces are permanently enabled.
Some appliances support optional interface cards that add sensing interfaces to the sensor. You must
insert or remove these optional cards while the sensor is powered off. The sensor detects the addition or
removal of a supported interface card. If you remove an optional interface card, some of the interface
configuration is deleted, such as the speed, duplex, description string, enabled/disabled state of the
interface, and any inline interface pairings. These settings are restored to their default settings when the
card is reinstalled. However, the assignment of promiscuous and inline interfaces to the Analysis Engine
is not deleted from the Analysis Engine configuration, but is ignored until those cards are reinserted and
you create the inline interface pairs again.
Interface Support
Table 1-2 describes the interface support for appliances and modules running Cisco IPS.
Table 1-2 Interface Support
[The body of Table 1-2 did not survive extraction. Recoverable column heading: "Interfaces Not
Supporting Inline (Command and Control Port)"; recoverable cell entries: Management 0/0,
Management 0/1 (6), GigabitEthernet 0/2 through 0/5, TenGigabitEthernet 0/6 through 0/9.]
Table notes:
1. To disable hardware bypass, pair the interfaces in any other combination (2/0<->2/2 and 2/1<->2/3, for example).
2. To disable hardware bypass, pair the interfaces in any other combination (2/0<->2/2 and 2/1<->2/3, for example).
3. Reserved for future use.
4. To disable hardware bypass, pair the interfaces in any other combination (2/0<->2/2 and 2/1<->2/3, for example).
5. Does not currently support hardware bypass.
6. Reserved for future use.
Note
The IPS 4260 supports a mixture of 4GE-BP, 2SX, and 10GE cards. The IPS 4270-20 supports a mixture
of 4GE-BP, 2SX, and 10GE cards up to a total of either six cards or sixteen total ports, whichever is
reached first, but is limited to only two 10GE cards in the mix of cards.