Cisco Systems IPS4520K9 User Manual

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

Americas Headquarters

Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000

800 553-NETS (6387)

Fax: 408 527-0883

Text Part Number: OL-24002-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If the equipment causes interference to radio or television reception, which can be determined by turning the equipment off and on, users are encouraged to try to correct the interference by using one or more of the following measures:

• Reorient or relocate the receiving antenna.

• Increase the separation between the equipment and receiver.

• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.

• Consult the dealer or an experienced radio/TV technician for help.

Modifications to this product not authorized by Cisco could void the FCC approval and negate your authority to operate the product.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

CONTENTS

CHAPTER

About This Guide

Contents

Audience

Comply with Local and National Electrical Codes

Organization

Conventions

Related Documentation

Obtaining Documentation and Submitting a Service Request

Introducing the Sensor

Contents

How the Sensor Functions

Capturing Network Traffic Your Network Topology Correctly Deploying the Sensor Tuning the IPS Sensor Interfaces

Understanding Sensor Interfaces Command and Control Interface Sensing Interfaces Interface Support TCP Reset Interfaces Interface Restrictions

Interface Modes

Promiscuous Mode IPv6, Switches, and Lack of VACL Capture Inline Interface Pair Mode Inline VLAN Pair Mode VLAN Group Mode Deploying VLAN Groups

xvi

xvii

xviii

xix

1-1

1-3

1-4

1-5

1-6

1-11

1-12

1-14

1-15

1-16

1-17

1-18

OL-24002-01

Supported Sensors

IPS Appliances

1-19

1-20

Introducing the IPS Appliance Appliance Restrictions

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

1-21

1-22

iii

Contents

CHAPTER

Connecting an Appliance to a Terminal Server

Time Sources and the Sensor

The Sensor and Time Sources

1-23

Synchronizing IPS Module System Clocks with the Parent Device System Clock Verifying the Sensor is Synchronized with the NTP Server Correcting the Time on the Sensor

Preparing the Appliance for Installation

Installation Preparation

Safety Recommendations

Safety Guidelines

2-1

2-2

Electricity Safety Guidelines

1-24

2-1

2-2

Preventing Electrostatic Discharge Damage Working in an ESD Environment

General Site Requirements

Site Environment

2-5

Preventive Site Configuration Power Supply Considerations Configuring Equipment Racks

2-5

2-4

2-5

2-6

1-22

1-23

1-24

2-3

CHAPTER

Installing the IPS 4240 and IPS 4255

Contents

3-1

Installation Notes and Caveats

Product Overview

3-2

Front and Back Panel Features

Specifications

3-4

3-1

3-3

Connecting the IPS 4240 to a Cisco 7200 Series Router

Accessories

Rack Mounting

Installing the IPS 4240 and IPS 4255

Installing the IPS 4240-DC

Installing the IPS 4260

Contents

Installation Notes and Caveats

Product Overview

Supported Interface Cards

3-5

3-6

3-7

3-10

4-1

4-2

4-3

3-5

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

OL-24002-01

Contents

CHAPTER

Hardware Bypass

4GE Bypass Interface Card Hardware Bypass Configuration Restrictions Hardware Bypass and Link Changes and Drops

Front and Back Panel Features

Specifications

Accessories

Rack Mounting

Installing the IPS 4260 in a 4-Post Rack Installing the IPS 4260 in a 2-Post Rack

Installing the IPS 4260

Removing and Replacing the Chassis Cover

Installing and Removing Interface Cards

Installing and Removing the Power Supply

Installing the IPS 4270-20

Contents

5-1

4-4

4-5

4-6

4-7

4-9

4-10

4-11

4-14

4-16

4-19

4-21

4-23

5-1

Installation Notes and Caveats

Product Overview

5-2

Supported Interface Cards

Hardware Bypass

5-5

4GE Bypass Interface Card

5-1

5-4

5-6

Hardware Bypass Configuration Restrictions Hardware Bypass and Link Changes and Drops

Front and Back Panel Features

Diagnostic Panel

Specifications

Accessories

5-14

5-15

5-16

Installing the Rail System Kit

5-8

5-16

Understanding the Rail System Kit Rail System Kit Contents

5-17

Space and Airflow Requirements Installing the IPS 4270-20 in the Rack Extending the IPS 4270-20 from the Rack Installing the Cable Management Arm Converting the Cable Management Arm

5-6

5-7

5-16

5-17

5-18

5-26

5-28

5-32

OL-24002-01

Installing the IPS 4270-20

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

5-35

Contents

CHAPTER

Removing and Replacing the Chassis Cover

Accessing the Diagnostic Panel

5-42

Installing and Removing Interface Cards

Installing and Removing the Power Supply

Installing and Removing Fans

Troubleshooting Loose Connections

Installing the IPS 4345 and IPS 4360

Contents

6-1

Installation Notes and Caveats

Product Overview

Specifications

Accessories

6-2

6-4

Front and Back Panel Features

Rack Mount Installation

Rack-Mounting Guidelines

5-50

5-52

6-1

6-5

6-9

Installing the IPS 4345 in a Rack Mounting the IPS 4345 and IPS 4360 in a Rack with the Slide Rail Mounting System

5-39

5-43

5-45

6-10

6-11

CHAPTER

Installing the Appliance on the Network

Removing and Installing the Power Supply

Understanding the Power Supplies Removing and Installing the AC Power Supply Installing DC Input Power

6-20

Removing and Installing the DC Power Supply

Installing the IPS 4510 and IPS 4520

Contents

7-1

Installation Notes and Caveats

Product Overview

7-2

Front and Back Panel Features

Specifications

Accessories

Memory Configurations

7-8

7-9

7-10

7-1

7-3

Power Supply Module Requirements

Supported SFP/SFP+ Modules

7-10

6-12

6-15

6-17

6-25

7-1

7-10

Installing the IPS 4510 and IPS 4520

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

7-11

OL-24002-01

Contents

CHAPTER

Removing and Installing the Core IPS SSP

Removing and Installing the Power Supply Module

Removing and Installing the Fan Module

Installing the Slide Rail Kit Hardware

Installing and Removing the Slide Rail Kit

Package Contents

7-21

Installing the Chassis in the Rack Removing the Chassis from the Rack

Rack-Mounting the Chassis Using the Fixed Rack Mount

Installing the Cable Management Brackets

Troubleshooting Loose Connections

IPS 4500 Series Sensors and the SwitchApp

Installing and Removing the ASA 5500 AIP SSM

Contents

Installation Notes and Caveats

Product Overview

8-1

8-2

7-14

7-16

7-18

7-19

7-20

7-21

7-27

7-29

7-32

7-33

7-34

8-1

CHAPTER

Specifications

Memory Specifications

Hardware and Software Requirements

Indicators

Installation and Removal Instructions

Installing the ASA 5500 AIP SSM Verifying the Status of the ASA 5500 AIP SSM Removing the ASA 5500 AIP SSM

Installing and Removing the ASA 5585-X IPS SSP

Contents

Installation Notes and Caveats

Introducing the ASA 5585-X IPS SSP

Specifications

Hardware and Software Requirements

Front Panel Features

Memory Requirements

8-4

8-5

8-7

9-1

9-2

9-3

9-4

9-8

OL-24002-01

SFP/SFP+ Modules

9-9

Installing the ASA 5585-X IPS SSP

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

9-9

vii

Contents

APPENDIX

Installing SFP/SFP+ Modules

Verifying the Status of the ASA 5585-X IPS SSP

Removing and Replacing the ASA 5585-X IPS SSP

Logging In to the Sensor

Contents

A-1

Supported User Roles

Logging In to the Appliance

Connecting an Appliance to a Terminal Server

Logging In to the ASA 5500 AIP SSP

Logging In to the ASA 5500-X IPS SSP

Logging In to the ASA 5585-X IPS SSP

Logging In to the Sensor

Initializing the Sensor

Contents

B-1

Understanding Initialization

9-11

9-12

9-13

A-1

A-2

A-3

A-4

A-5

A-6

A-7

B-1

APPENDIX

Simplified Setup Mode

System Configuration Dialog

Basic Sensor Setup

Advanced Setup

Advanced Setup for the Appliance Advanced Setup for the ASA 5500 AIP SSM Advanced Setup for the ASA 5500-X IPS SSP Advanced Setup for the ASA 5585-X IPS SSP

Verifying Initialization

Obtaining Software

Contents

C-1

Obtaining Cisco IPS Software

IPS 7.1 Files

C-2

IPS Software Versioning

IPS Software Release Examples

Accessing IPS Documentation

B-2

B-4

B-7

B-13

B-17

B-21

B-24

C-1

C-3

C-6

C-7

viii

Cisco Security Intelligence Operations

Obtaining a License Key From Cisco.com

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

C-8

OL-24002-01

Contents

APPENDIX

Understanding Licensing Service Programs for IPS Products Obtaining and Installing the License Key Using the IDM or the IME Obtaining and Installing the License Key Using the CLI Obtaining a License for the IPS 4270-20 Licensing the ASA 5500-X IPS SSP Uninstalling the License Key

Upgrading, Downgrading, and Installing System Images

Contents

D-1

System Image Notes and Caveats

Upgrades, Downgrades, and System Images

Supported FTP and HTTP/HTTPS Servers

Upgrading the Sensor

IPS 7.1 Upgrade Files Upgrade Notes and Caveats Manually Upgrading the Sensor Upgrading the Recovery Partition

C-9

C-10

C-11

C-14

C-15

D-1

D-2

D-3

D-6

APPENDIX

Configuring Automatic Upgrades

Understanding Automatic Upgrades Automatically Upgrading the Sensor

Downgrading the Sensor

D-10

Recovering the Application Partition

Installing System Images

ROMMON TFTP Servers

D-12

D-13

Connecting an Appliance to a Terminal Server Installing the IPS 4270-20 System Image Installing the IPS 4345 and IPS 4360 System Images Installing the IPS 4510 and IPS 4520 System Image Installing the ASA 5500-X IPS SSP System Image Installing the ASA 5585-X IPS SSP System Image

Installing the ASA 5585-X IPS SSP System Image Using the hw-module Command Installing the ASA 5585-X IPS SSP System Image Using ROMMON

Troubleshooting

E-1

D-6

D-7

D-11

D-12

D-13

D-14

D-16

D-19

D-21

D-23

D-25

OL-24002-01

Contents

E-1

Preventive Maintenance

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

E-1

Contents

Understanding Preventive Maintenance Creating and Using a Backup Configuration File

E-2

Backing Up and Restoring the Configuration File Using a Remote Server Creating the Service Account

Disaster Recovery

Recovering the Password

E-6

E-7

Understanding Password Recovery Recovering the Password for the Appliance

Using the GRUB Menu Using ROMMON

E-8

Recovering the ASA 5500-X IPS SSP Password Recovering the ASA 5585-X IPS SSP Password Disabling Password Recovery Verifying the State of Password Recovery Troubleshooting Password Recovery

Time Sources and the Sensor

E-5

E-7

E-8

E-9

E-11

E-13

E-14

Synchronizing IPS Module Clocks with Parent Device Clocks Verifying the Sensor is Synchronized with the NTP Server Correcting Time on the Sensor

E-16

E-3

E-15

Advantages and Restrictions of Virtualization

Supported MIBs

When to Disable Anomaly Detection

Troubleshooting Global Correlation

Analysis Engine Not Responding

E-17

E-18

E-19

Troubleshooting External Product Interfaces

External Product Interfaces Issues

E-20

External Product Interfaces Troubleshooting Tips

Troubleshooting the Appliance

E-21

The Appliance and Jumbo Packet Frame Size Hardware Bypass and Link Changes and Drops Troubleshooting Loose Connections Analysis Engine is Busy Communication Problems

E-23

Cannot Access the Sensor CLI Through Telnet or SSH Correcting a Misconfigured Access List Duplicate IP Address Shuts Interface Down

The SensorApp and Alerting

The SensorApp Is Not Running

E-28

E-16

E-20

E-21

E-22

E-24

E-26

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

OL-24002-01

Contents

Physical Connectivity, SPAN, or VACL Port Issue Unable to See Alerts Sensor Not Seeing Packets

E-31

E-32

Cleaning Up a Corrupted SensorApp Configuration

Blocking

E-35

Troubleshooting Blocking Verifying ARC is Running

E-35

E-36

Verifying ARC Connections are Active Device Access Issues

E-39

E-37

Verifying the Interfaces and Directions on the Network Device Blocking Not Occurring for a Signature

E-41

Verifying the Master Blocking Sensor Configuration

Logging

TCP Reset Not Occurring for a Signature Software Upgrades

E-44

Enabling Debug Logging Zone Names

E-48

E-44

Directing cidLog Messages to SysLog

E-51

Upgrading and Analysis Engine

E-51

E-49

E-50

Which Updates to Apply and Their Prerequisites Issues With Automatic Update

E-52

Updating a Sensor with the Update Stored on the Sensor

E-29

E-34

E-40

E-42

E-52

E-53

Troubleshooting the IDM

Cannot Launch IDM - Loading Java Applet Failed Cannot Launch the IDM-the Analysis Engine Busy

E-54

E-55

The IDM, Remote Manager, or Sensing Interfaces Cannot Access the Sensor Signatures Not Producing Alerts

Troubleshooting the IME

E-56

Time Synchronization on the IME and the Sensor Not Supported Error Message

Troubleshooting the ASA 5500 AIP SSM

Health and Status Information Failover Scenarios

E-60

The ASA 5500 AIP SSM and the Normalizer Engine The ASA 5500 AIP SSM and the Data Plane The ASA 5500 AIP SSM and Jumbo Packet Frame Size The ASA 5500 AIP SSM and Jumbo Packets

E-56

E-57

E-58

E-61

E-62

TCP Reset Differences Between IPS Appliances and ASA IPS Modules

Troubleshooting the ASA 5500-X IPS SSP

E-63

E-55

E-62

OL-24002-01

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

Contents

Failover Scenarios Health and Status Information The ASA 5500-X IPS SSP and the Normalizer Engine The ASA 5500-X IPS SSP and Memory Usage The ASA 5500-X IPS SSP and Jumbo Packet Frame Size The ASA 5500-X IPS SSP and Jumbo Packets

E-63

E-64

E-72

E-73

TCP Reset Differences Between IPS Appliances and ASA IPS Modules

Troubleshooting the ASA 5585-X IPS SSP

Failover Scenarios

E-74

Traffic Flow Stopped on IPS Switchports Health and Status Information The ASA 5585-X IPS SSP and the Normalizer Engine The ASA 5585-X IPS SSP and Jumbo Packet Frame Size The ASA 5585-X IPS SSP and Jumbo Packets

Gathering Information

E-80

Health and Network Security Information Tech Support Information

E-82

Understanding the show tech-support Command Displaying Tech Support Information Tech Support Command Output Version Information

E-85

Understanding the show version Command Displaying Version Information

Statistics Information

E-88

Understanding the show statistics Command Displaying Statistics

Interfaces Information

E-89

E-100

Understanding the show interfaces Command Interfaces Command Output

Events Information

Sensor Events

E-101

E-102

Understanding the show events Command Displaying Events Clearing Events cidDump Script

E-102

E-105

Uploading and Accessing Files on the Cisco FTP Site

E-74

E-76

E-79

E-80

E-81

E-82

E-83

E-86

E-88

E-100

E-101

E-102

E-106

E-74

APPENDIX

xii

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

Cable Pinouts

Contents

F-1

OL-24002-01

Contents

LOSSARY

NDEX

10/100BaseT and 10/100/1000BaseT Connectors

Console Port (RJ-45)

RJ-45 to DB-9 or DB-25

F-2

F-3

F-1

OL-24002-01

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

xiii

Contents

xiv

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

OL-24002-01

About This Guide

Published: March 31, 2010

Revised: May 6, 2013, OL-24002-01

Audience

This guide describes how to install appliances and modules that support Cisco IPS 7.1. It includes a glossary that contains expanded acronyms and pertinent IPS terms. It is part of the documentation set for Cisco Intrusion Prevention System 7.1. Use this guide in conjunction with the documents listed in

Comply with Local and National Electrical Codes

Chapter

Warning

Waarschuwing

Varoitus

Attention

Warnung

Avvertenza

Advarsel

Aviso

¡Advertencia!

Varning!

Installation of the equipment must comply with local and national electrical codes.

Bij installatie van de apparatuur moet worden voldaan aan de lokale en nationale elektriciteitsvoorschriften.

Laitteisto tulee asentaa paikallisten ja kansallisten sähkömääräysten mukaisesti.

L'équipement doit être installé conformément aux normes électriques nationales et locales.

Die Installation der Geräte muss den Sicherheitsstandards entsprechen.

L'installazione dell'impianto deve essere conforme ai codici elettrici locali e nazionali.

Installasjon av utstyret må samsvare med lokale og nasjonale elektrisitetsforskrifter.

A instalação do equipamento tem de estar em conformidade com os códigos eléctricos locais e nacionais.

La instalación del equipo debe cumplir con las normativas de electricidad locales y nacionales.

Installation av utrustningen måste ske i enlighet med gällande elinstallationsföreskrifter.

Statement 1074

-xvi

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

OL-24002-01

Chapter

Organization

This guide includes the following sections:

Contents

Section Title Description

1 “Introducing the Sensor” Describes IPS appliances and modules.

2 “Preparing the Appliance for

Installation”

3 “Installing the IPS 4270-20” Describes how to install the IPS 4270-20.

4 “Installing the IPS 4345 and

IPS 4360”

5 “Installing the IPS 4510 and

IPS 4520”

6 “Installing and Removing the

ASA 5585-X IPS SSP”

A “Logging In to the Sensor” Describes how to log in to the various sensors.

B “Initializing the Sensor” Describes how to use the setup command to

C “Obtaining Software” Describes where to go to get the latest IPS

D “Upgrading, Downgrading, and

Installing System Images”

E “Troubleshooting” Contains troubleshooting tips for IPS hardware

F “Cable Pinouts” Describes the appliance cable pinouts.

“Glossary” Contains IPS acronyms and terms.

Describes how to prepare to install appliances.

Describes how to install the IPS 4345 and the IPS 4360.

Describes how to install the IPS 4510 and the IPS 4520.

Describes how to install the ASA 5585-X IPS SSP.

initialize sensors.

software and describes the naming conventions.

Describes how to upgrade sensors and reimage the various sensors.

and software.

OL-24002-01

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

-xvii

Contents

Conventions

This document uses the following conventions:

Chapter

Convention Indication

bold font Commands and keywords and user-entered text appear in bold font.

italic font Document titles, new or emphasized terms, and arguments for which you supply

values are in italic font.

[ ] Elements in square brackets are optional.

{x | y | z } Required alternative keywords are grouped in braces and separated by

vertical bars.

[ x | y | z ] Optional alternative keywords are grouped in brackets and separated by

vertical bars.

string A nonquoted set of characters. Do not use quotation marks around the string or

the string will include the quotation marks.

courier

< > Nonprinting characters such as passwords are in angle brackets.

[ ] Default responses to system prompts are in square brackets.

!, # An exclamation point (!) or a pound sign (#) at the beginning of a line of code

font Terminal sessions and information the system displays appear in

indicates a comment line.

courier

font.

Note

Tip

Caution

Timesaver

Warning

Means reader take note.

Means the following information will help you solve a problem.

Means reader be careful. In this situation, you might perform an action that could result in equipment damage or loss of data.

Means the described action saves time. You can save time by performing the action described in the paragraph.

Means reader be warned. In this situation, you might perform an action that could result in bodily injury.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What’s New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.

OL-24002-01

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

-xix

Contents

Chapter

-xx

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

OL-24002-01

CHA PTER

Introducing the Sensor

This chapter introduces the sensor and provides information you should know before you install the sensor. In this guide, the term sensor refers to all models unless noted otherwise. For a complete list of supported sensors and their model numbers, see Supported Sensors, page 1-19.

This chapter contains the following sections:

•

How the Sensor Functions, page 1-1

•

Supported Sensors, page 1-19

•

IPS Appliances, page 1-20

•

Time Sources and the Sensor, page 1-23

How the Sensor Functions

This section describes how the sensor functions, and contains the following topics:

•

Capturing Network Traffic, page 1-1

•

Your Network Topology, page 1-3

•

Correctly Deploying the Sensor, page 1-3

•

Tuning the IPS, page 1-3

•

Sensor Interfaces, page 1-4

•

Interface Modes, page 1-14

Capturing Network Traffic

The sensor can operate in either promiscuous or inline mode. Figure 1-1 on page 1-2 shows how you can deploy a combination of sensors operating in both inline (IPS) and promiscuous (IDS) modes to protect your network.

OL-24002-01

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

1-1

How the Sensor Functions

Sensor deployed

in IDS mode

Public services segment

Campus core

Attacker

Internet

Sensor deployed

in IPS mode

Sensor deployed in IPS mode

Sensor deployed in hybrid mode to deliver IDS services outside router and IPS services inside the firewall

Service provider, partner, or branch office network

Multiple IPS sensors deliver a highly scalable, load-balanced solution via Cisco Etherchannel technology on Cisco Catalyst Switches

148416

Main campus

Figure 1-1 Comprehensive Deployment Solutions

Chapter 1 Introducing the Sensor

The command and control interface is always Ethernet. This interface has an assigned IP address, which allows it to communicate with the manager workstation or network devices (Cisco switches, routers, and firewalls). Because this interface is visible on the network, you should use encryption to maintain data privacy. SSH is used to protect the CLI and TLS/SSL is used to protect the manager workstation. SSH and TLS/SSL are enabled by default on the manager workstations.

When responding to attacks, the sensor can do the following:

•

Insert TCP resets via the sensing interface.

Note

You should select the TCP reset action only on signatures associated with a TCP-based service. If selected as an action on non-TCP-based services, no action is taken. Additionally, TCP resets are not guaranteed to tear down an offending session because of limitations in the TCP protocol.

•

Make ACL changes on switches, routers, and firewalls that the sensor manages.

Note

ACLs may block only future traffic, not current traffic.

1-2

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

OL-24002-01

Chapter 1 Introducing the Sensor

•

Generate IP session logs, session replay, and trigger packets display.

IP session logs are used to gather information about unauthorized use. IP log files are written when events occur that you have configured the appliance to look for.

•

Implement multiple packet drop actions to stop worms and viruses.

Your Network Topology

Before you deploy and configure your sensors, you should understand the following about your network:

•

The size and complexity of your network.

•

Connections between your network and other networks (and the Internet).

•

The amount and type of network traffic on your network.

This knowledge will help you determine how many sensors are required, the hardware configuration for each sensor (for example, the size and type of network interface cards), and how many managers are needed.

How the Sensor Functions

Correctly Deploying the Sensor

You should always position the IPS sensor behind a perimeter-filtering device, such as a firewall or adaptive security appliance. The perimeter device filters traffic to match your security policy thus allowing acceptable traffic in to your network. Correct placement significantly reduces the number of alerts, which increases the amount of actionable data you can use to investigate security violations. If you position the IPS sensor on the edge of your network in front of a firewall, your sensor will produce alerts on every single scan and attempted attack even if they have no significance to your network implementation. You will receive hundreds, thousands, or even millions of alerts (in a large enterprise environment) that are not really critical or actionable in your environment. Analyzing this type of data is time consuming and costly.

Tuning the IPS

Tuning the IPS ensures that the alerts you see reflect true actionable information. Without tuning the IPS, it is difficult to do security research or forensics on your network because you will have thousands of benign events, also known as false positives. False positives are a by-product of all IPS devices, but they occur much less frequently in Cisco IPS devices since Cisco IPS devices are stateful, normalized, and use vulnerability signatures for attack evaluation. Cisco IPS devices also provide risk rating, which identifies high risk events, and policy-based management, which lets you deploy rules to enforce IPS signature actions based on risk rating.

Follow these tips when tuning your IPS sensors:

•

Place your sensor on your network behind a perimeter-filtering device. Proper sensor placement can reduce the number of alerts you need to examine by several thousands a day.

OL-24002-01

•

Deploy the sensor with the default signatures in place.

The default signature set provides you with a very high security protection posture. The Cisco signature team has spent many hours on testing the defaults to give your sensor the highest protection. If you think that you have lost these defaults, you can restore them.

•

Make sure that the event action override is set to drop packets with a risk rating greater than 90. This is the default and ensures that high risk alerts are stopped immediately.

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

1-3

How the Sensor Functions

Chapter 1 Introducing the Sensor

•

Filter out known false positives caused by specialized software, such as vulnerability scanner and load balancers by one of the following methods:

–

You can configure the sensor to ignore the alerts from the IP addresses of the scanner and load balancer.

–

You can configure the sensor to allow these alerts and then use the IME to filter out the false positives.

•

Filter the Informational alerts.

These low priority events notifications could indicate that another device is doing reconnaissance on a device protected by the IPS. Research the source IP addresses from these Informational alerts to determine what the source is.

•

Analyze the remaining actionable alerts:

–

Research the alert.

–

Fix the attack source.

–

Fix the destination host.

–

Modify the IPS policy to provide more information.

For More Information

•

For a detailed description of risk rating, refer to Calculating the Risk Rating.

•

For information on Cisco signatures, for the IDM and IME refer to Defining Signatures, and for the CLI refer to Defining Signatures.

•

For detailed information on event action overrides, for the IDM and IME refer to Configuring Event

Action Overrides, and for the CLI, refer to Configuring Event Action Overrides.

Sensor Interfaces

This section describes the sensor interfaces, and contains the following topics:

•

Understanding Sensor Interfaces, page 1-4

•

Command and Control Interface, page 1-5

•

Sensing Interfaces, page 1-6

•

Interface Support, page 1-6

•

TCP Reset Interfaces, page 1-11

•

Interface Restrictions, page 1-12

Understanding Sensor Interfaces

1-4

The sensor interfaces are named according to the maximum speed and physical location of the interface. The physical location consists of a port number and a slot number. All interfaces that are built-in on the sensor motherboard are in slot 0, and the interface card expansion slots are numbered beginning with slot 1 for the bottom slot with the slot numbers increasing from bottom to top (except for the IPS 4270-20, where the ports are numbered from top to bottom). Each physical interface can be divided in to VLAN group subinterfaces, each of which consists of a group of VLANs on that interface.

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

OL-24002-01

Chapter 1 Introducing the Sensor

There are three interface roles:

•

Command and control

•

Sensing

•

Alternate TCP reset

There are restrictions on which roles you can assign to specific interfaces and some interfaces have multiple roles. You can configure any sensing interface to any other sensing interface as its TCP reset interface. The TCP reset interface can also serve as an IDS (promiscuous) sensing interface at the same time. The following restrictions apply:

•

The TCP reset interface that is assigned to a sensing interface has no effect in inline interface or inline VLAN pair mode, because TCP resets are always sent on the sensing interfaces in those modes.

•

There is only one sensing interface on the ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP and ASA 5585-X IPS SSP), so you cannot designate an alternate TCP reset interface.

•

On the IPS 4510 and IPS 4520, no interface-related configurations are allowed when the SensorApp is down.

How the Sensor Functions

Command and Control Interface

The command and control interface has an IP address and is used for configuring the sensor. It receives security and status events from the sensor and queries the sensor for statistics. The command and control interface is permanently enabled. It is permanently mapped to a specific physical interface, which depends on the specific model of sensor. You cannot use the command and control interface as either a sensing or alternate TCP reset interface.

Table 1-1 lists the command and control interfaces for each sensor.

Table 1-1 Command and Control Interfaces

Sensor Command and Control Interface

ASA 5500 AIP SSM-10 GigabitEthernet 0/0

ASA 5500 AIP SSM-20 GigabitEthernet 0/0

ASA 5500 AIP SSM-40 GigabitEthernet 0/0

ASA 5512-X IPS SSP Management 0/0

ASA 5515-X IPS SSP Management 0/0

ASA 5525-X IPS SSP Management 0/0

ASA 5545-X IPS SSP Management 0/0

ASA 5555-X IPS SSP Management 0/0

ASA 5585-X IPS SSP-10 Management 0/0

ASA 5585-X IPS SSP-20 Management 0/0

ASA 5585-X IPS SSP-40 Management 0/0

ASA 5585-X IPS SSP-60 Management 0/0

IPS 4240 Management 0/0

IPS 4255 Management 0/0

OL-24002-01

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

1-5

How the Sensor Functions

Sensing Interfaces

Chapter 1 Introducing the Sensor

Table 1-1 Command and Control Interfaces (continued)

Sensor Command and Control Interface

IPS 4260 Management 0/0

IPS 4270-20 Management 0/0

IPS 4345 Management 0/0

IPS 4360 Management 0/0

IPS 4510 Management 0/0

IPS 4520 Management 0/0

1. The 4500 series sensors have two management ports, Management 0/0 and Management 0/1, but Management 0/1 is reserved for future use.

Sensing interfaces are used by the sensor to analyze traffic for security violations. A sensor has one or more sensing interfaces depending on the sensor. Sensing interfaces can operate individually in promiscuous mode or you can pair them to create inline interfaces.

Note

On appliances, all sensing interfaces are disabled by default. You must enable them to use them. On modules, the sensing interfaces are permanently enabled.

Some appliances support optional interface cards that add sensing interfaces to the sensor. You must insert or remove these optional cards while the sensor is powered off. The sensor detects the addition or removal of a supported interface card. If you remove an optional interface card, some of the interface configuration is deleted, such as the speed, duplex, description string, enabled/disabled state of the interface, and any inline interface pairings. These settings are restored to their default settings when the card is reinstalled. However, the assignment of promiscuous and inline interfaces to the Analysis Engine is not deleted from the Analysis Engine configuration, but is ignored until those cards are reinserted and you create the inline interface pairs again.

Interface Support

Table 1-2 describes the interface support for appliances and modules running Cisco IPS.

Table 1-2 Interface Support

Added Interface

Base Chassis

Cards

ASA 5500 AIP SSM-10 — GigabitEthernet 0/1 by

ASA 5500 AIP SSM-20 — GigabitEthernet 0/1 by

Interfaces Supporting Inline VLAN Pairs (Sensing Ports)

security context instead of VLAN pair or inline interface pair

Combinations Supporting Inline Interface Pairs

GigabitEthernet 0/1 by security context instead of VLAN pair or inline interface pair

Interfaces Not Supporting Inline (Command and Control Port)

GigabitEthernet 0/0

1-6

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

OL-24002-01

Chapter 1 Introducing the Sensor

Table 1-2 Interface Support (continued)

Added Interface

Base Chassis

Cards

ASA 5500 AIP SSM-40 — GigabitEthernet 0/1 by

ASA 5512-X IPS SSP — PortChannel 0/0 by security

ASA 5515-X IPS SSP — PortChannel 0/0 by security

ASA 5525-X IPS SSP — PortChannel 0/0 by security

ASA 5545-X IPS SSP — PortChannel 0/0 by security

ASA 5555-X IPS SSP — PortChannel 0/0 by security

ASA 5585-X IPS SSP-10 — PortChannel 0/0 by security

ASA 5585-X IPS SSP-20 — PortChannel 0/0 by security

ASA 5585-X IPS SSP-40 — PortChannel 0/0 by security

ASA 5585-X IPS SSP-60 — PortChannel 0/0 by security

IPS 4240 — GigabitEthernet 0/0

Interfaces Supporting Inline VLAN Pairs (Sensing Ports)

security context instead of VLAN pair or inline interface pair

context instead of VLAN pair or inline interface pair

GigabitEthernet 0/1 GigabitEthernet 0/2 GigabitEthernet 0/3

Combinations Supporting Inline Interface Pairs

GigabitEthernet 0/1 by security context instead of VLAN pair or inline interface pair

PortChannel 0/0 by security context instead of VLAN pair or inline interface pair

0/0<->0/1 0/0<->0/2 0/0<->0/3 0/1<->0/2 0/1<->0/3 0/2<->0/3

How the Sensor Functions

Interfaces Not Supporting Inline (Command and Control Port)

GigabitEthernet 0/0

Management 0/0

OL-24002-01

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

1-7

Chapter 1 Introducing the Sensor

How the Sensor Functions

Table 1-2 Interface Support (continued)

Interfaces Not Added Interface

Base Chassis

Cards

IPS 4255 — GigabitEthernet 0/0

Interfaces Supporting Inline VLAN Pairs (Sensing Ports)

GigabitEthernet 0/1 GigabitEthernet 0/2 GigabitEthernet 0/3

Combinations Supporting Inline Interface Pairs

0/0<->0/1 0/0<->0/2 0/0<->0/3 0/1<->0/2 0/1<->0/3 0/2<->0/3

IPS 4260 — GigabitEthernet 0/1 N/A Management 0/0

IPS 4260 4GE-BP

GigabitEthernet 0/1

Supporting Inline

(Command and Control

Port)

Management 0/0

Slot 1

GigabitEthernet 2/0 GigabitEthernet 2/1

2/0<->2/1 2/2<->2/3

GigabitEthernet 2/2 GigabitEthernet 2/3

Slot 2

GigabitEthernet 3/0 GigabitEthernet 3/1

3/0<->3/1

3/2<->3/3 GigabitEthernet 3/2 GigabitEthernet 3/3

IPS 4260 2SX

GigabitEthernet 0/1

All sensing ports can be

Management 0/0

paired together

Slot 1

GigabitEthernet 2/0 GigabitEthernet 2/1

Slot 2

GigabitEthernet 3/0 GigabitEthernet 3/1

IPS 4260 10GE

Slot 1

GigabitEthernet 0/1

TenGigabitEthernet 2/0

2/0<->2/1

Management 0/0

TenGigabitEthernet 2/1

IPS 4270-20 — — N/A Management 0/0

Management 0/1

IPS 4270-20 4GE-BP

Slot 1

GigabitEthernet 3/0 GigabitEthernet 3/1

3/0<->3/1

3/2<->3/3

Management 0/0 Management 0/1

GigabitEthernet 3/2 GigabitEthernet 3/3

1-8

Slot 2

GigabitEthernet 4/0 GigabitEthernet 4/1

4/0<->4/1

4/2<->4/3 GigabitEthernet 4/2 GigabitEthernet 4/3

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

OL-24002-01

Chapter 1 Introducing the Sensor

Table 1-2 Interface Support (continued)

Base Chassis

Added Interface Cards

Interfaces Supporting Inline VLAN Pairs (Sensing Ports)

IPS 4270-20 2SX

Slot 1

GigabitEthernet 3/0 GigabitEthernet 3/1

Combinations Supporting Inline Interface Pairs

All sensing ports can be paired together

How the Sensor Functions

Interfaces Not Supporting Inline (Command and Control Port)

Management 0/0 Management 0/1

Slot 2

GigabitEthernet 4/0 GigabitEthernet 4/1

IPS 4270-20 10GE

Slot 1

TenGigabitEthernet 5/0 TenGigabitEthernet 5/1

Slot 2

TenGigabitEthernet 7/0 TenGigabitEthernet 7/1

IPS 4345 — GigabitEthernet 0/0

GigabitEthernet 0/1

GigabitEthernet 0/2

GigabitEthernet 0/3

GigabitEthernet 0/4

GigabitEthernet 0/5

Gigabitethernet 0/6

GigabitEthernet 0/7

IPS 4360 — GigabitEthernet 0/0

GigabitEthernet 0/1

GigabitEthernet 0/2

All sensing ports can be paired together

Management 0/0 Management 0/1

OL-24002-01

GigabitEthernet 0/3

GigabitEthernet 0/4

GigabitEthernet 0/5

GigabitEthernet 0/6

GigabitEthernet 0/7

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

1-9

How the Sensor Functions

Table 1-2 Interface Support (continued)

Base Chassis

Added Interface Cards

Interfaces Supporting Inline VLAN Pairs (Sensing Ports)

IPS 4510 — GigabitEthernet 0/0

GigabitEthernet 0/1

GigabitEthernet 0/2

GigabitEthernet 0/3

GigabitEthernet 0/4

GigabitEthernet 0/5

TenGigabitEthernet 0/6

TenGigabitEthernet 0/7

TenGigabitEthernet 0/8

TenGigabitEthernet 0/9

IPS 4520 —TX GigabitEthernet 0/0

GigabitEthernet 0/1

Combinations Supporting

Inline Interface Pairs

All sensing ports can be

paired together

All sensing ports can be

paired together

Chapter 1 Introducing the Sensor

Interfaces Not Supporting Inline (Command and Control Port)

Management 0/0 Management 0/1

GigabitEthernet 0/2

GigabitEthernet 0/3

GigabitEthernet 0/4

GigabitEthernet 0/5

TenGigabitEthernet 0/6

TenGigabitEthernet 0/7

TenGigabitEthernet 0/8

TenGigabitEthernet 0/9

1. To disable hardware bypass, pair the interfaces in any other combination (2/0<->2/2 and 2/1<->2/3, for example).

2. To disable hardware bypass, pair the interfaces in any other combination (2/0<->2/2 and 2/1<->2/3, for example).

3. Reserved for future use.

4. To disable hardware bypass, pair the interfaces in any other combination (2/0<->2/2 and 2/1<->2/3, for example).

5. Does not currently support hardware bypass.

6. Reserved for future use.

Note

The IPS 4260 supports a mixture of 4GE-BP, 2SX, and 10GE cards. The IPS 4270-20 supports a mixture of 4GE-BP, 2SX, and 10GE cards up to a total of either six cards, or sixteen total ports, which ever is reached first, but is limited to only two 10GE card in the mix of cards.

1-10

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

OL-24002-01

+ 430 hidden pages