Installation Guide
Page 3
... Documentation and Submitting a Service Request xvii Introducing the Sensor 1-1 How the Sensor Functions 1-1 Capturing Network Traffic 1-1 Your Network Topology 1-3 Correctly Deploying the Sensor 1-3 Tuning the IPS 1-3 Sensor Interfaces 1-4 Understanding Sensor Interfaces 1-4 Command and Control Interface 1-5 Sensing Interfaces ... 1-15 Deploying VLAN Groups 1-16 Supported Sensors 1-17 IPS Appliances 1-18 Introducing the IPS Appliance 1-18 Appliance Restrictions 1-19 Connecting an Appliance to a Terminal Server 1-19 Cisco Intrusion Prevention System Appliance and Module Installation Guide ...
Installation Guide
Page 4
... the IPS 4255 2-1 Introducing the IPS 4240 and the IPS 4255 2-1 Front and Back Panel Features 2-2 Specifications 2-4 Connecting the IPS 4240 to a Cisco 7200 Series Router 2-5 Accessories 2-5 Important Safety Instructions 2-5 Rack Mounting 2-6 Installing the IPS 4240 and the IPS 4255 2-7 Installing the IPS 4240-DC 2-10 CHAPTER 3 Installing the IPS 4260 3-1 Introducing the IPS 4260 3-1 Supported Interface Cards 3-2 Hardware Bypass 3-4 4GE Bypass Interface Card 3-4 Cisco Intrusion...
Installation Guide
Page 7
... In to the AIM IPS 9-5 Logging In to AIP SSM 9-6 Logging In to the IDSM2 9-8 Logging In to the NME IPS 9-9 The NME IPS and the session Command 9-9 Sessioning In to the NME IPS 9-10 Logging In to the Sensor 9-11 Initializing the Sensor 10-1 Understanding Initialization 10-1 Simplified Setup Mode 10-1 Cisco Intrusion Prevention System Appliance and...
Installation Guide
Page 8
... Automatic Upgrades 12-6 Automatic Upgrades 12-6 auto-upgrade Command and Options 12-7 Using the auto-upgrade Command 12-8 Automatic Upgrade Examples 12-10 Downgrading the Sensor 12-11 Recovering the Application Partition 12-12 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 viii OL-18504-01
Installation Guide
Page 10
...24 Troubleshooting Loose Connections A-24 Analysis Engine is Busy A-25 Connecting the IPS 4240 to a Cisco 7200 Series Router A-25 Communication Problems A-26 Cannot Access the Sensor CLI Through Telnet or SSH A-26 Correcting a Misconfigured Access List A-28 Duplicate IP Address Shuts Interface Down A-29 SensorApp and Alerting A-30 SensorApp Not Running... Device Access Issues A-41 Verifying the Interfaces and Directions on the Network Device A-43 Enabling SSH Connections to the Network Device A-43 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 x OL-18504-01
Installation Guide
Page 11
...Analysis Engine Busy A-57 IDM, Remote Manager, or Sensing Interfaces Cannot Access Sensor A-57 Signatures Not Producing Alerts A-58 Troubleshooting IME A-59 Time Synchronization on IME and the Sensor A-59 Not Supported Error Message A-59 Troubleshooting the IDSM2 A-59 Diagnosing IDSM2...and the Normalizer Engine A-69 Troubleshooting the AIM IPS and the NME IPS A-69 Interoperability With Other IPS Network Modules A-69 Gathering Information A-70 Health and Network Security Information A-70 Tech Support Information A-71 Cisco Intrusion Prevention System Appliance and Module Installation Guide for ...
Installation Guide
Page 12
... the show interfaces Command A-87 Interfaces Command Output A-87 Events Information A-88 Sensor Events A-88 Understanding the show events Command A-89 Displaying Events A-89 Clearing Events A-92 cidDump Script A-92 Uploading and Accessing Files on the Cisco FTP Site A-93 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 xii OL-18504-01
Installation Guide
Page 13
... and maintain Cisco IPS sensors, including the supported IPS appliances and modules. Warning: The equipment must be installed in accordance with local and national electrical regulations. Use this guide in Related Documentation, page xvi. OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for Cisco Intrusion Prevention System 7.0. It includes a glossary that support Cisco IPS 7.0. This...
Installation Guide
Page 20
.... Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 1-2 OL-18504-01 If selected as an action on the manager workstations. Additionally, TCP resets are enabled by default on non-TCP-based services, no action is used to protect the...that the sensor manages. When responding to attacks, the sensor can do the following: • Insert TCP resets via Cisco Etherchannel technology on Cisco Catalyst Switches Attacker Sensor deployed in IDS mode Internet Main campus Sensor deployed in IPS mode Sensor deployed in IPS mode Sensor deployed in IPS mode ...
Installation Guide
Page 21
...tuning your IPS sensors: • Place your environment. Correctly Deploying the Sensor You should understand the following about unauthorized use to give your network. Proper sensor placement can restore them. If you think that you can use . OL-18504-01 Cisco Intrusion Prevention ... hours on your sensor the highest protection. Chapter 1 Introducing the Sensor How the Sensor Functions • Generate IP session logs, session replay, and trigger packets display. You will help you position the IPS sensor on the edge of your network in place. IP session logs are...
Installation Guide
Page 31
... a list of the specified ports. However, you can handle. The most common method for IPS 7.0 1-13 Chapter 1 Introducing the Sensor How the Sensor Functions Figure 1-2 illustrates promiscuous mode. OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for copying traffic to a sensor configured in promiscuous mode is valuable when you want to pass.
Installation Guide
Page 32
...For more information on promiscuous mode, see Interface Restrictions, page 1-10. 1-14 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 OL-18504-01 Note If the paired interfaces are connected to operate inline...protective service. This allows the sensor to stop and/or block attacks that packet is also analyzing the contents and payload of restrictions pertaining to 7). In inline interface pair mode, a packet comes in Catalyst 6500 Series Software Configuration Guide, 8.7: - Note You can configure the AIM IPS, AIP SSM, and NME IPS...
Installation Guide
Page 33
... VLANs are not assigned to the other VLAN in the pair, or drop the packet if an intrusion attempt is that now you apply multiple policies to IPS sensor interfaces, see Interface Restrictions, page 1-10 VLAN Group Mode Note You cannot divide physical interfaces that ...sensing interface acts as inline VLAN pair mode. OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 1-15 The sensor inspects the traffic it had many interfaces. Chapter 1 Introducing the Sensor How the Sensor Functions Inline VLAN Pair Mode Note Inline VLAN pairs are in...
Installation Guide
Page 34
...does not apply to use VLAN groups on a switch as the VLAN tag. How the Sensor Functions Chapter 1 Introducing the Sensor Subinterface 0 is a reserved subinterface number used to IPS sensor interfaces, see Interface Restrictions, page 1-10. You cannot directly specify the VLANs that the native... a trunk port. However, the IDSM2 does not know what VLAN the native packets are in . In this way. 1-16 Cisco Intrusion Prevention System Appliance and Module Installation Guide for the two ports differently. Because multiple VLANs are not specifically assigned to 0. Therefore,...
Installation Guide
Page 221
... • Upgrading Cisco IPS Software to 7.0, page 11-7 • Accessing IPS Documentation, page 11-9 • Cisco Security Intelligence Operations, page 11-9 • Obtaining a License Key From Cisco.com, page 11-10 Caution The BIOS on Cisco IPS sensors is specific to Cisco IPS sensors and must be upgraded under instructions from Cisco with BIOS files obtained from the Cisco website. OL-18504-01 Cisco Intrusion Prevention...
Installation Guide
Page 330
... sensor(config)# service signature-definition sig0 sensor(config-sig)# signatures 1000 0 sensor(config-sig-sig)# engine atomic-ip sensor(config-sig-sig-ato)# event-action reset-tcp-connection|produce-alert sensor(config-sig-sig-ato)# show settings atomic-ip event-action: produce-alert|reset-tcp-connection default: produce-alert fragment-status: any specify-l4-protocol no A-52 Cisco Intrusion...
Installation Guide
Page 332
...upgrade again. When it is not running : sensor# upgrade scp://[email protected]/upgrades/IPS-K9-7.0-1-E3.pkg Password: ******** Warning: Executing this command will apply a major version upgrade to see IPS Software Versioning, page 11-2. Try rebooting the sensor, and after reboot, run the setup command and... you receive this time. A-54 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 OL-18504-01 Or you can upgrade at this error, you want. For More Information • For more information on the Sensor, page A-55 Upgrading and Analysis Engine...
Installation Guide
Page 380
...the packet. A module that of IP fragments when the sensor is sent out all devices. For more information, refer to fiber interfaces. The IPS sensor shares information with other methods to the local global correlation databases. GL-8 Cisco Intrusion Prevention System Appliance and Module Installation ... switches and bridges in RFC 959. Fiber-ready switches and NICs generally provide GBIC and/or SFP slots. Reassembles fragmented IP datagrams. It is defined in which the information was received originally. G GBIC Gigabit Ethernet global correlation global correlation client ...
Installation Guide
Page 381
... relevant to IP packet processing. H H.225.0 H.245 H.323 half duplex handshake hardware bypass host block HTTP HTTPS An ITU standard that governs H.245 endpoint control. H.323 defines a common set of a half-duplex protocol. OL-18504-01 Cisco Intrusion Prevention System ...mechanism is the first software program that directly connects the physical interfaces and allows traffic to communicate with collaborative devices such as IPS sensors. Denial of RTP. I ICMP ICMP flood Internet Control Message Protocol. Greenwich Mean Time. Boot loader is engaged that runs...
Installation Guide
Page 388
...application image and installer used between the VoIP gateway and the gatekeeper. It enables the installed base of IPS sensors in the field to mounting a sensor in the range of the risk associated with reputation is designed to perform management functions. Regular expressions ...RBCP Router Blade Control Protocol. reassembly The putting back together of characters in the packaging or the installer. GL-16 Cisco Intrusion Prevention System Appliance and Module Installation Guide for recovery on SCP, but not any arbitrary pattern. reputation Similar to human...