Saturday, 23 August 2014

Accessing and Using the Cisco IPS Sensor CLI and IDM

You can access the CLI of a sensor appliance in one of three ways:
  • SSH (Secure Shell)
  • Telnet (disabled by default)
  • Serial interface connection



 AIP SSM and AIP SSC-5

Step 1. Log in to the Cisco ASA adaptive security appliance.

Step 2. Create a terminal session to the module:
asa# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.
You have 60 seconds to log in before the session times out.

Step 3. Enter your username and password at the login prompt (the default username and password are both cisco).
login: cisco
Password:
***NOTICE***
<...part of output omitted...>
Aip-ssm#
Step 4. Press Ctrl-Shift-6-x or enter exit to escape from the session back to the Cisco ASA prompt.


Cisco Catalyst 6500 Series IDSM-2

Step 1. Log in to the Cisco Catalyst 6500 Series switch supervisor running Cisco IOS Software.

Step 2. Create a session to the Cisco Catalyst 6500 Series IDSM-2:
switch# session slot 1 process 1
Step 3. Enter your username and password at the login prompt (the default username and password are both cisco).
login: cisco
Password:
***NOTICE***
<...part of output omitted...>
idsm-2#

Step 4. Press Ctrl-Shift-6-x or enter exit to escape from the session back to the Cisco Catalyst 6500 switch prompt.


 AIM-IPS and NME-IPS

Step 1. Log in to the Cisco ISR (generation 1 or 2) router.

Step 2. Check the status of the AIM-IPS module to make sure that it is running:

router# service-module ids-sensor 0/1 status
Service Module is Cisco IDS-Sensor0/1
Service Module supports session via TTY line 322
Service Module is in Steady state
Getting status from the Service Module, please wait...
Cisco Systems Intrusion Prevention system Network Module
Software version: 7.x
<...part of output omitted...>

Step 3. Open a terminal session from the router to the AIM-IPS module:

router# service-module ids-sensor 0/1 session
Trying 10.1.1.2, 2322 ... Open

Step 4. Enter your username and password at the login prompt (the default username and password are both cisco).

login: cisco
Password:
***NOTICE***
<...part of output omitted...>
sensor#
Step 5. Press Ctrl-Shift-6-x to suspend and close a module session. (Entering exit only logs you out, but you remain in the session.)

Step 6. Disconnect from the module by entering the disconnect command:

router# disconnect

Step 7. Press Enter to confirm the disconnection:

Closing connection to 10.1.1.2 [confirm] <Enter>
router#



 Command-Line Interface Modes

  • Privileged EXEC mode: Privileged EXEC mode is the first level of the CLI. Enter privileged EXEC mode by logging in to the CLI. The sensor# prompt denotes privileged EXEC mode. See Table 6-3 for specific commands.
  • Global configuration mode: This mode is the second level of the CLI. Enter global configuration mode by first logging in to the CLI and then using the configure terminal command. The sensor(config)# prompt denotes global configuration mode.
  • Service mode: This mode is a generic command mode used to edit the configuration of a service. A service is a related set of functionality provided by an IPS application; an IPS application can provide more than one service. Enter service mode from global configuration mode by using the service <service-name> command, where <service-name> identifies the service that you want to access. The sensor(config-ser)# prompt denotes service mode, where "ser" represents the first three characters of the service name. See Table 6-5, later in this chapter, for specific commands.
  • Multi-instance service mode: The signature definition service, event action rules service, and anomaly detection service are multi-instance services. Their respective configuration modes are anomaly detection mode, signature definition mode, and event action rules mode. Enter these modes from global configuration mode by using the service <service-name> <logical-instance-name> command. The sensor(config-log)# prompt denotes multi-instance service mode, where "log" represents the first three characters of the logical instance name.



Example: preparing the sensor for a management connection

sensor# conf t
sensor(config)#service host
sensor(config-hos)#network-settings
sensor(config-hos-net)#host-ip 1.1.1.100/24,1.1.1.1 (the management IP address of the IPS and its default gateway)
sensor(config-hos-net)#host-name IPS
sensor(config-hos-net)#access-list 1.1.1.0/24 (the network from which the IPS may be managed)
sensor(config-hos-net)#exit
sensor(config-hos)#exit
Apply changes?[yes]:yes
sensor(config)#exit
sensor#exit
OK. IDM can now be reached at https://1.1.1.100


 Deploying and Configuring Cisco IPS Sensor Interfaces

Basic configuration:









Inline interface pair mode

In this mode, the Cisco IPS is directly in the traffic flow while the sensor receives traffic on one interface and forwards it through the other interface in the interface pair. Traffic through one interface pair is isolated from other interfaces.








Step 1. Choose Configuration > Interfaces > Interface Pairs. The Interface Pairs panel is displayed.

Step 2. Click Add to open the Add Interface Pair window and add an interface pair.

Step 3. Enter a name in the Interface Pair Name field.

Step 4. Select the first interface from the Select Two Interface list, and then hold the Shift key while selecting the second interface of the pair.

Step 5. Optionally, add a description of the interface pair in the Description field.

Step 6. Click OK.

-------------------------------

Inline VLAN pairs mode

You can associate VLANs in pairs on a physical interface, which acts as an 802.1q trunk port. Packets received on one of the paired VLANs are analyzed and then forwarded to the other VLAN in the pair. The sensor performs VLAN bridging between pairs of VLANs on the trunk. Traffic is isolated by the physical interfaces of the sensor and 802.1q tagging.







You must configure an interface VLAN pair in the Cisco IDM to use it in inline VLAN pair operational mode. Follow these steps to create an inline VLAN pair:

Step 1. Choose Configuration > Interfaces > VLAN Pairs.

Step 2. Click Add to open the Add Inline VLAN Pair window and add an inline VLAN pair.

Step 3. Choose an interface from the Interface Name drop-down list.

Step 4. Enter a subinterface number (1 to 255) for the inline VLAN pair in the Subinterface Number field.

Step 5. Specify the first VLAN (1 to 4096) for this inline VLAN pair in the VLAN A field.

Step 6. Specify the second VLAN (1 to 4096) for this inline VLAN pair in the VLAN B field.

Step 7. Optionally, add a description of the inline VLAN pair in the Description field.

Step 8. Click OK.



-------------------------------

Inline VLAN Groups






You must configure an inline interface pair in Cisco IDM and additional interface VLAN groups to use in inline VLAN group operational mode. Follow these steps to create an inline VLAN group:

Step 1. Choose Configuration > Interfaces > VLAN Groups.

Step 2. Click Add to open the Add VLAN Group window and add a VLAN group.

Step 3. Choose an interface from the Interface Name drop-down list.

Step 4. Enter a subinterface number (1 to 255) for the VLAN group in the Subinterface Number field.

Step 5. Under the VLAN Group section, specify the VLAN group for this interface by selecting one of the radio buttons:
■ Unassigned VLANs: This lets you assign all the VLANs that are not already specifically assigned to a subinterface.
■ Specify VLAN Group (for example, 1, 5–8, 10–15): This lets you specify the VLANs that you want to assign to this subinterface. You can assign more than one VLAN (up to 4096) in this pattern: 1, 5–8, 10–15. This option lets you set up different policies based on the VLAN ID (VID). For example, you can make VLANs 1–5 go to one virtual sensor (VS0) and VLANs 6–10 go to another virtual sensor (VS1).



Step 6. Optionally, you can add a description of the VLAN group in the Description field.

Step 7. Click OK.

Step 8. Assign the VLAN group to a virtual sensor.
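The VLAN group rules above (the "1, 5–8, 10–15" pattern, the 1 to 4096 VLAN range, one subinterface per VLAN, and the Unassigned VLANs group that collects the leftovers) are easy to get wrong when several groups are defined by hand. The following parser and validator is an added example written for this page, not code from the original post or from Cisco; it models those rules offline and maps a tagged frame to the virtual sensor that would inspect it. The subinterface-to-virtual-sensor mapping and the sample groups are constructed for the example and mirror the VS0/VS1 split described in Step 5.

```python
"""Parse and validate Cisco IDM-style VLAN group specifications (added example)."""
from __future__ import annotations

VLAN_MIN, VLAN_MAX = 1, 4096  # VLAN ID range given on the page


def parse_vlan_spec(spec: str) -> set[int]:
    """Turn '1, 5-8, 10-15' into {1, 5, 6, 7, 8, 10, ..., 15}.

    Accepts ASCII '-' or the en dash used in the IDM text; rejects
    reversed ranges and IDs outside 1..4096.
    """
    vlans: set[int] = set()
    for token in spec.replace("\u2013", "-").split(","):
        token = token.strip()
        if not token:
            continue
        if "-" in token:
            lo_s, hi_s = token.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(token)
        if lo > hi:
            raise ValueError(f"reversed range: {token!r}")
        if lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"VLAN out of range {VLAN_MIN}-{VLAN_MAX}: {token!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def build_vlan_groups(groups: dict[int, str]) -> dict[int, set[int]]:
    """Map subinterface number -> VLAN set, rejecting overlapping assignments.

    `groups` is {subinterface_number: spec}. The spec "unassigned" stands for
    the IDM 'Unassigned VLANs' radio button and receives every VLAN that no
    other subinterface claimed.
    """
    assigned: dict[int, set[int]] = {}
    owner: dict[int, int] = {}  # vlan -> subinterface that already claimed it
    unassigned_sub: int | None = None
    for sub, spec in groups.items():
        if not 1 <= sub <= 255:  # Subinterface Number field range from Step 4
            raise ValueError(f"subinterface number out of range 1-255: {sub}")
        if spec.strip().lower() == "unassigned":
            if unassigned_sub is not None:
                raise ValueError("only one subinterface may take unassigned VLANs")
            unassigned_sub = sub
            continue
        vlans = parse_vlan_spec(spec)
        for v in vlans:
            if v in owner:
                raise ValueError(f"VLAN {v} already assigned to subinterface {owner[v]}")
            owner[v] = sub
        assigned[sub] = vlans
    if unassigned_sub is not None:
        assigned[unassigned_sub] = set(range(VLAN_MIN, VLAN_MAX + 1)) - set(owner)
    return assigned


def virtual_sensor_for_vlan(vlan: int, groups: dict[int, set[int]],
                            sub_to_vs: dict[int, str]) -> str | None:
    """Name the virtual sensor that inspects a frame tagged `vlan`, or None.

    `sub_to_vs` is the (assumed) result of Step 8: subinterface -> virtual sensor.
    """
    for sub, vlans in groups.items():
        if vlan in vlans:
            return sub_to_vs.get(sub)
    return None


if __name__ == "__main__":
    # Constructed sample matching the page's example: VLANs 1-5 -> vs0, 6-10 -> vs1.
    groups = build_vlan_groups({1: "1-5", 2: "6, 7-10", 3: "unassigned"})
    print(virtual_sensor_for_vlan(3, groups, {1: "vs0", 2: "vs1"}))  # vs0
    print(len(groups[3]))  # 4086 leftover VLANs on the unassigned subinterface
```

A VLAN that matches no group (or a group whose subinterface has no virtual sensor assigned) returns None, which is the case the verification steps in the virtual sensor section are meant to catch: the frames are bridged but nothing inspects them.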


-------------------------------

  Configuring a CDP Policy

Follow these steps to set the CDP handling policy on the sensor:
Step 1. Choose Configuration > Interfaces > CDP Mode.

Step 2. From the CDP Mode drop-down list, choose either Drop CDP Packets (which is the default value) or Forward CDP Packets.

Step 3. Click Apply to apply changes and save the revised configuration.

-------------------------------

  Configuring Traffic Flow Notifications

You can configure the sensor to monitor the flow of packets across an interface and send a notification if that flow changes (starts or stops) during a specified interval. The missed packet threshold can be configured within a specific notification interval and the interface idle delay before a status event is reported. Follow these steps to configure traffic flow notification:

Step 1. Choose Configuration > Interfaces > Traffic Flow Notifications. The Traffic Flow Notifications panel is displayed.

Step 2. In the Missed Packets Threshold field, enter the percent of packets that must be missed during a specified time before a notification is sent.

Step 3. In the Notification Interval field, enter the number of seconds during which you want the sensor to check for the percentage of missed packets.

Step 4. In the Interface Idle Threshold field, enter the number of seconds that an interface must be idle and not receiving packets before a notification is sent.

Step 5. Click Apply to apply the changes and save the revised configuration.
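To make the interplay of the three fields concrete, the following evaluator replays per-second interface counters and reports when the missed-packet and idle conditions described above would raise a status event. It is an added example written for this page, not code from the original post or from Cisco; the counter semantics (one sample per second with received and missed counts) and the trace data are assumptions made for the example, not the sensor's actual internal bookkeeping.

```python
"""Replay interface counters against Cisco IPS traffic flow thresholds (added example)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class FlowThresholds:
    missed_pct_threshold: float  # Missed Packets Threshold field (percent)
    notification_interval: int   # Notification Interval field (seconds)
    idle_threshold: int          # Interface Idle Threshold field (seconds)


@dataclass
class Sample:
    second: int
    received: int  # packets delivered to the sensor during this second (assumed)
    missed: int    # packets the interface reported as missed during this second (assumed)


def evaluate_flow(samples: list[Sample], th: FlowThresholds) -> list[tuple]:
    """Return (kind, second, value) events in the order they would be raised.

    kind is "missed" (value = percent missed in the interval), "idle"
    (value = idle seconds so far) or "resumed" (value = idle seconds ended).
    """
    events: list[tuple] = []
    win_recv = win_miss = 0
    idle_run = 0
    idle_reported = False
    for i, s in enumerate(samples, start=1):
        # Missed-packet check: evaluated once per notification interval.
        win_recv += s.received
        win_miss += s.missed
        if i % th.notification_interval == 0:
            total = win_recv + win_miss
            pct = 100.0 * win_miss / total if total else 0.0  # silence is not "missed"
            if pct > th.missed_pct_threshold:
                events.append(("missed", s.second, round(pct, 1)))
            win_recv = win_miss = 0
        # Idle check: consecutive seconds with nothing received, reported once.
        if s.received == 0:
            idle_run += 1
            if idle_run >= th.idle_threshold and not idle_reported:
                events.append(("idle", s.second, idle_run))
                idle_reported = True
        else:
            if idle_reported:
                events.append(("resumed", s.second, idle_run))
            idle_run = 0
            idle_reported = False
    return events


def sample_trace() -> list[Sample]:
    """Constructed 12-second trace: healthy, then heavy loss, then silence."""
    trace: list[Sample] = []
    for t in range(0, 4):    # healthy: 100 packets/s, nothing missed
        trace.append(Sample(t, 100, 0))
    for t in range(4, 8):    # congested: 60 received, 40 missed per second (40%)
        trace.append(Sample(t, 60, 40))
    for t in range(8, 12):   # link quiet: nothing arrives at all
        trace.append(Sample(t, 0, 0))
    return trace


if __name__ == "__main__":
    thresholds = FlowThresholds(missed_pct_threshold=25.0,
                                notification_interval=4, idle_threshold=3)
    for event in evaluate_flow(sample_trace(), thresholds):
        print(event)
```

Note that an interval with no packets at all scores 0% missed: a dead link is caught by the idle threshold, not by the missed-packet percentage, which is why both thresholds need sensible values.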


-------------------------------


  Troubleshooting the Initial Cisco IPS Sensor Configuration

Step 1. Log in to the sensor CLI through a console or using the session command.

Step 2. Use the show interfaces command to verify that the sensor management interface is enabled.

Step 3. Use the setup command to make sure that the sensor IP address is unique.

Step 4. Use the show interfaces command to make sure that the management port is connected to an active network connection.

Step 5. Use the setup command to make sure that the IP address of the workstation that is trying to connect to the sensor is permitted in the ACL of the sensor.

Step 6. Make sure that the network configuration allows the workstation to connect to the sensor.

For traffic to pass through the sensor in inline mode, also verify that:

■ The sensing interfaces are enabled.
■ Interfaces on neighboring devices are enabled and properly configured.
■ The sensing interfaces are assigned to an inline interface pair, an inline VLAN pair, or an inline VLAN group.

Note that a virtual sensor does not need to be assigned to the interface pair for the traffic to be forwarded; without one, however, the traffic is forwarded without being analyzed.
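The management settings entered in the CLI example earlier (host-ip with its gateway, and the access-list that restricts who may reach the sensor) are exactly what Steps 2 through 6 of this troubleshooting list check. The following script, an added example that is not the page's or Cisco's code, parses those two lines from a copy of the service host configuration and reports the common mistakes: a gateway outside the management subnet, an empty or wide-open access-list, and a management workstation that the access-list does not permit. The configuration text is a constructed copy of the page's example; the workstation addresses are made up.

```python
"""Sanity-check Cisco IPS management settings from service host output (added example)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed copy of the CLI example on this page.
SENSOR_CONFIG = """\
service host
network-settings
host-ip 1.1.1.100/24,1.1.1.1
host-name IPS
access-list 1.1.1.0/24
exit
exit
"""


@dataclass
class HostSettings:
    host_ip: ipaddress.IPv4Interface
    gateway: ipaddress.IPv4Address
    acl: list[ipaddress.IPv4Network] = field(default_factory=list)
    host_name: str = ""


def parse_host_settings(text: str) -> HostSettings:
    """Pull host-ip, host-name and access-list entries out of service host text."""
    host_ip = gateway = None
    acl: list[ipaddress.IPv4Network] = []
    host_name = ""
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"host-ip\s+(\S+?),(\S+)$", line)   # host-ip <ip>/<prefix>,<gateway>
        if m:
            host_ip = ipaddress.IPv4Interface(m.group(1))
            gateway = ipaddress.IPv4Address(m.group(2))
            continue
        m = re.match(r"access-list\s+(\S+)$", line)       # access-list <network>/<prefix>
        if m:
            acl.append(ipaddress.IPv4Network(m.group(1), strict=False))
            continue
        m = re.match(r"host-name\s+(\S+)$", line)
        if m:
            host_name = m.group(1)
    if host_ip is None or gateway is None:
        raise ValueError("host-ip line missing from configuration")
    return HostSettings(host_ip, gateway, acl, host_name)


def check_settings(hs: HostSettings, workstation: str) -> list[str]:
    """Return findings for the given management workstation; empty means OK."""
    findings: list[str] = []
    if hs.gateway not in hs.host_ip.network:
        findings.append(f"gateway {hs.gateway} is not on management subnet {hs.host_ip.network}")
    if hs.gateway == hs.host_ip.ip:
        findings.append("gateway equals the sensor's own address")
    if not hs.acl:
        findings.append("access-list is empty: no host can reach the sensor")
    ws = ipaddress.IPv4Address(workstation)
    if not any(ws in net for net in hs.acl):
        findings.append(f"workstation {ws} is not permitted by access-list "
                        f"{[str(n) for n in hs.acl]}")
    for net in hs.acl:
        if net.prefixlen == 0:
            findings.append("access-list 0.0.0.0/0 permits every host; "
                            "narrow it to the management stations")
    return findings


if __name__ == "__main__":
    settings = parse_host_settings(SENSOR_CONFIG)
    for ws in ("1.1.1.50", "10.0.0.5"):  # constructed workstation addresses
        print(ws, check_settings(settings, ws) or "ok")
```

The access-list check is the one most often skipped: a workstation that can ping the sensor but cannot open IDM or SSH is usually outside the permitted network, and the fix is to add its network in service host rather than to widen the list to 0.0.0.0/0.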


-------------------------------


  Configuring the Default Virtual Sensor

■ To start IPS traffic analysis, apply the default virtual sensor to inline pairs, inline VLAN pairs/groups, or promiscuous interfaces.
■ Each IPS sensor already has a default virtual sensor, vs0.
■ The default virtual sensor (vs0) is comprised of a signature policy (sig0), event actions policy (rules0), and anomaly detection policy (ad0).
■ The default virtual sensor can analyze a combination of traffic sources and still maintain isolation for each. Traffic sources cannot “leak” to another traffic source.


 Assigning and Verifying Traffic Sources to the Default Virtual Sensor

Follow these steps to assign traffic sources to the default vs0 virtual sensor:

Step 1. Navigate to Configuration > Policies > IPS Policies. The upper half of the screen displays the list of virtual sensors, and by default, the vs0 is predefined.

Step 2. Select the vs0 virtual sensor.

Step 3. Click Edit to edit the virtual sensor, and the Edit Virtual Sensor window opens.

Step 4. The assignable interfaces or interface pairs are displayed that you can assign to a given virtual sensor. Choose the interface or interface pair from the Interfaces list.

Step 5. Click Assign or click Remove to remove an interface or interface pair from the list.

Step 6. Enter a description for the default virtual sensor in the Description field (optional).

Step 7. Click OK. The Edit Virtual Sensor window closes, and the Virtual Sensor window panel displays the interface(s) or interface pair(s) that you added to the virtual sensor.

Step 8. Click Apply to apply the changes.

Follow these steps to verify that the interfaces are correctly assigned to the virtual sensor:

Step 1. Navigate to Monitoring > Sensor Monitoring > Support Information > Statistics.

Step 2. Scroll down to the Virtual Sensor Statistics section.

Step 3. In the Statistics for Virtual Sensor vs0 block, find the line starting with “List of interfaces monitored by this virtual sensor.” It lists the interfaces assigned to the virtual sensor.
