Setting Up the Sensor
This chapter contains procedures for setting up the sensor, such as changing sensor initialization information, adding and deleting users, configuring time and setting up NTP, creating a service account, configuring SSH and TLS, and installing the license key. It contains the following sections:
•Changing Network Settings
•Changing Web Server Settings
•Configuring User Parameters
•Recovering the Password
•Configuring Time
•Configuring SSH
•Configuring TLS
•Installing the License Key
Changing Network Settings
After you initialize your sensor, you may need to change some of the network settings that you configured when you ran the setup command. This section describes how to change basic sensor settings, and contains the following topics:
•Changing the Hostname
•Changing the IP Address, Netmask, and Gateway
•Enabling and Disabling Telnet
•Changing the Access List
•Changing the FTP Timeout
•Adding a Login Banner
Changing the Hostname
Use the host-name host_name command in the service host submode to change the hostname of the sensor after you have run the setup command. The default is sensor.
Note The CLI prompt of the current session and other existing sessions will not be updated with the new hostname. Subsequent CLI login sessions will reflect the new hostname in the prompt.
To change the sensor hostname, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Enter network settings submode.
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
Step 3 Change the sensor hostname.
sensor(config-hos-net)# host-name firesafe
Step 4 Verify the new hostname.
sensor(config-hos-net)# show settings
-----------------------------------------------
host-ip: 10.89.130.108/23,10.89.130.1 default:
host-name: firesafe default: sensor
telnet-option: enabled default: disabled
access-list (min: 0, max: 512, current: 1)
-----------------------------------------------
network-address: 0.0.0.0/0
-----------------------------------------------
-----------------------------------------------
ftp-timeout: 300 seconds <defaulted>
login-banner-text: <defaulted>
-----------------------------------------------
Step 5 To change the hostname back to the default setting, use the default form of the command.
sensor(config-hos-net)# default host-name
Step 6 Verify the change to the default hostname sensor.
sensor(config-hos-net)# show settings
-----------------------------------------------
host-ip: 10.89.130.108/23,10.89.130.1 default:
host-name: sensor <defaulted>
telnet-option: enabled default: disabled
access-list (min: 0, max: 512, current: 1)
-----------------------------------------------
network-address: 0.0.0.0/0
-----------------------------------------------
-----------------------------------------------
ftp-timeout: 300 seconds <defaulted>
login-banner-text: <defaulted>
-----------------------------------------------
Step 7 Exit network settings mode.
sensor(config-hos-net)# exit
Step 8 Press Enter to apply the changes or enter no to discard them.
For More Information
For the procedure for initializing your sensor, see Chapter 3 "Initializing the Sensor."
Changing the IP Address, Netmask, and Gateway
Use the host-ip ip_address/netmask,default_gateway command in the service host submode to change the IP address, netmask, and default gateway after you have run the setup command. The default is 10.1.9.201/24,10.1.9.1.
The host-ip is in the form of IP Address/Netmask/Gateway: X.X.X.X/nn,Y.Y.Y.Y, where X.X.X.X specifies the sensor IP address as a 32-bit address written as 4 octets separated by periods where X = 0-255, nn specifies the number of bits in the netmask, and Y.Y.Y.Y specifies the default gateway as a 32-bit address written as 4 octets separated by periods where Y = 0-255.
To change the sensor IP address, netmask, and default gateway, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Enter network settings mode.
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
Step 3 Change the sensor IP address, netmask, and default gateway.
sensor(config-hos-net)# host-ip 10.89.146.110/24,10.89.146.254
Note The default gateway must be in the same subnet as the IP address of the sensor or the sensor generates an error and does not accept the configuration change.
Step 4 Verify the new information.
sensor(config-hos-net)# show settings
-----------------------------------------------
host-ip: 10.89.146.110/24,10.89.146.254
default: 10.1.9.201/24,10.1.9.1
host-name: sensor default: sensor
telnet-option: enabled default: disabled
access-list (min: 0, max: 512, current: 1)
-----------------------------------------------
network-address: 0.0.0.0/0
-----------------------------------------------
-----------------------------------------------
ftp-timeout: 300 seconds <defaulted>
login-banner-text: <defaulted>
-----------------------------------------------
Step 5 To change the information back to the default setting, use the default form of the command.
sensor(config-hos-net)# default host-ip
Step 6 Verify that the host IP is now the default of 10.1.9.201/24,10.1.9.1.
sensor(config-hos-net)# show settings
-----------------------------------------------
host-ip: 10.1.9.201/24,10.1.9.1 <defaulted>
host-name: sensor default: sensor
telnet-option: enabled default: disabled
access-list (min: 0, max: 512, current: 1)
-----------------------------------------------
network-address: 0.0.0.0/0
-----------------------------------------------
-----------------------------------------------
ftp-timeout: 300 seconds <defaulted>
login-banner-text: <defaulted>
-----------------------------------------------
Step 7 Exit network settings mode.
sensor(config-hos-net)# exit
Step 8 Press Enter to apply the changes or enter no to discard them.
For More Information
For the procedure for initializing your sensor, see Chapter 3 "Initializing the Sensor."
Enabling and Disabling Telnet
Use the telnet-option {enabled | disabled} command in the service host submode to enable Telnet for remote access to the sensor. The default is disabled.
Caution
Telnet is not a secure access service and therefore is disabled by default. However, SSH is always running on the sensor and it is a secure service.
To enable or disable Telnet services, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Enter network settings mode.
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
Step 3 Enable Telnet services.
sensor(config-hos-net)# telnet-option enabled
Step 4 Verify that Telnet is enabled.
sensor(config-hos-net)# show settings
-----------------------------------------------
host-ip: 10.89.130.108/23,10.89.130.1
default: 10.1.9.201/24,10.1.9.1
host-name: sensor default: sensor
telnet-option: enabled default: disabled
access-list (min: 0, max: 512, current: 1)
-----------------------------------------------
network-address: 0.0.0.0/0
-----------------------------------------------
-----------------------------------------------
ftp-timeout: 300 seconds <defaulted>
login-banner-text: <defaulted>
-----------------------------------------------
Step 5 Exit network settings mode.
sensor(config-hos-net)# exit
Step 6 Press Enter to apply the changes or enter no to discard them.
Note To Telnet to the sensor, you must enable Telnet and configure the access list to allow the Telnet clients to connect.
For More Information
•For the procedure for initializing your sensor, see Chapter 3 "Initializing the Sensor."
•For the procedure for configuring the access list, see Changing the Access List.
Changing the Access List
Use the access-list ip_address/netmask command in the service host submode to configure the access list, the list of hosts or networks that you want to have access to your sensor. Use the no form of the command to remove an entry from the list. The default access list is empty.
The following hosts must have an entry in the access list:
•Hosts that need to Telnet to your sensor.
•Hosts that need to use SSH with your sensor.
•Hosts, such as IDM and IME, that need to access your sensor from a web browser.
•Management stations, such as CSM, that need access to your sensor.
•If your sensor is a master blocking sensor, the IP addresses of the blocking forwarding sensors must have an entry in the list.
To modify the access list, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Enter network settings mode.
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
Step 3 Add an entry to the access list.
sensor(config-hos-net)# access-list 10.89.146.110/32
The netmask for a single host is 32.
Step 4 Verify the change you made to the access-list.
sensor(config-hos-net)# show settings
-----------------------------------------------
host-ip: 10.1.9.201/24,10.1.9.1 <defaulted>
host-name: sensor <defaulted>
telnet-option: enabled default: disabled
access-list (min: 0, max: 512, current: 2)
-----------------------------------------------
network-address: 10.1.9.0/24
-----------------------------------------------
network-address: 10.89.146.110/32
-----------------------------------------------
-----------------------------------------------
ftp-timeout: 300 seconds <defaulted>
login-banner-text: <defaulted>
-----------------------------------------------
Step 5 Remove the entry from the access list.
sensor(config-hos-net)# no access-list 10.89.146.110/32
Step 6 Verify the entry has been removed.
sensor(config-hos-net)# show settings
-----------------------------------------------
host-ip: 10.1.9.201/24,10.1.9.1 <defaulted>
host-name: sensor <defaulted>
telnet-option: enabled default: disabled
access-list (min: 0, max: 512, current: 1)
-----------------------------------------------
network-address: 10.1.9.0/24
-----------------------------------------------
-----------------------------------------------
ftp-timeout: 300 seconds <defaulted>
login-banner-text: <defaulted>
-----------------------------------------------
The host is no longer in the list.
Step 7 Change the value back to the default.
sensor(config-hos-net)# default access-list
Step 8 Verify the value has been set back to the default.
sensor(config-hos-net)# show settings
-----------------------------------------------
host-ip: 10.89.130.108/23,10.89.130.1
default: 10.1.9.201/24,10.1.9.1
host-name: sensor <defaulted>
telnet-option: enabled default: disabled
access-list (min: 0, max: 512, current: 0)
-----------------------------------------------
-----------------------------------------------
ftp-timeout: 300 seconds <defaulted>
login-banner-text: <defaulted>
-----------------------------------------------
There are no hosts or networks in the list.
Step 9 Exit network settings mode.
sensor(config-hos-net)# exit
Step 10 Press Enter to apply the changes or enter no to discard them.
For More Information
For the procedure for initializing your sensor, see Chapter 3 "Initializing the Sensor."
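The host-ip format and the access-list rules described above, checked in code. This is an added example and not Cisco IPS software: it assumes the X.X.X.X/nn,Y.Y.Y.Y form of host-ip, the rule that the default gateway must lie in the sensor's subnet, and the access-list form ip_address/netmask with a 512-entry limit as shown in the show settings output. The function names are the example's own.

```python
"""Checks for the host-ip and access-list settings in this chapter.

Added example, not Cisco IPS code. Assumes the formats the chapter gives:
host-ip as X.X.X.X/nn,Y.Y.Y.Y with the gateway inside the sensor's subnet,
and access-list entries as ip_address/netmask (32 for a single host, at most
512 entries). Function names are this example's own.
"""
import ipaddress

ACCESS_LIST_MAX = 512   # "max: 512" in the show settings output


def parse_host_ip(value: str):
    """Parse 'X.X.X.X/nn,Y.Y.Y.Y'. A gateway outside the sensor subnet is
    rejected, which is the condition the sensor itself refuses."""
    parts = value.split(",")
    if len(parts) != 2:
        raise ValueError("host-ip must be IP/netmask,gateway")
    iface = ipaddress.IPv4Interface(parts[0])   # raises on a bad octet or prefix
    gateway = ipaddress.IPv4Address(parts[1])
    if gateway not in iface.network:
        raise ValueError(f"gateway {gateway} is not in subnet {iface.network}")
    return iface, gateway


def parse_access_list(entries):
    """Build the list of permitted networks. strict=True rejects an entry whose
    host bits do not fit its netmask (e.g. 10.89.146.110/24); that is this
    example's own typo check, not documented sensor behaviour."""
    if len(entries) > ACCESS_LIST_MAX:
        raise ValueError(f"access list holds at most {ACCESS_LIST_MAX} entries")
    return [ipaddress.IPv4Network(e, strict=True) for e in entries]


def is_permitted(client_ip: str, networks) -> bool:
    """True when the client falls inside any access-list entry. An empty list
    (the default) permits nobody, which is why management hosts need entries."""
    ip = ipaddress.IPv4Address(client_ip)
    return any(ip in net for net in networks)


def open_entries(networks):
    """Entries that admit every source address (0.0.0.0/0); worth flagging on a
    sensor that is reachable from more than its management network."""
    return [net for net in networks if net.prefixlen == 0]


if __name__ == "__main__":
    iface, gw = parse_host_ip("10.89.146.110/24,10.89.146.254")
    print(f"sensor {iface} in {iface.network}, gateway {gw}")
    acl = parse_access_list(["10.1.9.0/24", "10.89.146.110/32"])  # values from the chapter
    for host in ("10.89.146.110", "10.89.146.111", "10.1.9.7"):
        print(host, "permitted" if is_permitted(host, acl) else "denied")
    print("open entries:", open_entries(parse_access_list(["0.0.0.0/0"])))
```

Run it as a script to see the two chapter values accepted, the single-host /32 entry admitting exactly one address, and a /0 entry reported as open.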
Changing the FTP Timeout
Use the ftp-timeout command in the service host submode to change the number of seconds that the FTP client waits before timing out when the sensor is communicating with an FTP server. The default is 300 seconds.
Note You can use the FTP client for downloading updates and configuration files from your FTP server.
To change the FTP timeout, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Enter network settings mode.
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
Step 3 Change the number of seconds of the FTP timeout.
sensor(config-hos-net)# ftp-timeout 500
Step 4 Verify the FTP timeout change.
sensor(config-hos-net)# show settings
-----------------------------------------------
host-ip: 10.89.130.108/23,10.89.130.1
default: 10.1.9.201/24,10.1.9.1
host-name: sensor default: sensor
telnet-option: enabled default: disabled
access-list (min: 0, max: 512, current: 1)
-----------------------------------------------
network-address: 0.0.0.0/0
-----------------------------------------------
-----------------------------------------------
ftp-timeout: 500 seconds default: 300
login-banner-text: <defaulted>
-----------------------------------------------
Step 5 Change the value back to the default.
sensor(config-hos-net)# default ftp-timeout
Step 6 Verify the value has been set back to the default.
sensor(config-hos-net)# show settings
-----------------------------------------------
host-ip: 10.89.130.108/23,10.89.130.1
default: 10.1.9.201/24,10.1.9.1
host-name: sensor default: sensor
telnet-option: enabled default: disabled
access-list (min: 0, max: 512, current: 1)
-----------------------------------------------
network-address: 0.0.0.0/0
-----------------------------------------------
-----------------------------------------------
ftp-timeout: 300 seconds <defaulted>
login-banner-text: <defaulted>
-----------------------------------------------
Step 7 Exit network settings mode.
sensor(config-hos-net)# exit
Step 8 Press Enter to apply the changes or enter no to discard them.
For More Information
For the procedure for initializing your sensor, see Chapter 3 "Initializing the Sensor."
Adding a Login Banner
Use the login-banner-text text_message command to add a login banner that the user sees during login. There is no default.
When you want to start a new line in your message, press Ctrl-V Enter.
To add a login banner, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Enter network settings mode.
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
Step 3 Add the banner login text.
sensor(config-hos-net)# login-banner-text This is the banner login text message.
Step 4 Verify the banner login text message.
sensor(config-hos-net)# show settings
-----------------------------------------------
host-ip: 10.89.130.108/23,10.89.130.1
default: 10.1.9.201/24,10.1.9.1
host-name: sensor default: sensor
telnet-option: enabled default: disabled
access-list (min: 0, max: 512, current: 1)
-----------------------------------------------
network-address: 0.0.0.0/0
-----------------------------------------------
-----------------------------------------------
ftp-timeout: 300 seconds <defaulted>
login-banner-text: This is the banner login text message. default:
-----------------------------------------------
Step 5 To remove the login banner text, use the no form of the command.
sensor(config-hos-net)# no login-banner-text
Step 6 Verify the login text has been removed.
sensor(config-hos-net)# show settings
-----------------------------------------------
host-ip: 10.89.130.108/23,10.89.130.1
default: 10.1.9.201/24,10.1.9.1
host-name: sensor default: sensor
telnet-option: enabled default: disabled
access-list (min: 0, max: 512, current: 1)
-----------------------------------------------
network-address: 0.0.0.0/0
-----------------------------------------------
-----------------------------------------------
ftp-timeout: 300 seconds <defaulted>
login-banner-text: default:
-----------------------------------------------
Step 7 Exit network settings mode.
sensor(config-hos-net)# exit
Step 8 Press Enter to apply the changes or enter no to discard them.
Changing Web Server Settings
After you run the setup command, you can change the following web server settings: the web server port, whether TLS encryption is being used, and the HTTP server header message.
You can also enable RDEP event server subscriptions if you are using a third-party event client that is only able to parse IDS 4.x alerts.
Note The RDEP event interface was deprecated in Cisco IPS 5.0 and replaced by SDEE/CIDEE.
Note The default web server port is 443 if TLS is enabled and 80 if TLS is disabled.
HTTP is the protocol that web clients use to make requests from web servers. The HTTP specification requires a server to identify itself in each response. Attackers sometimes exploit this protocol feature to perform reconnaissance. If the IPS web server identified itself by providing a predictable response, an attacker might learn that an IPS sensor is present.
We recommend that you not reveal to attackers that you have an IPS sensor. Change the server-id to anything that does not reveal any information, especially if your web server is available to the Internet. For example, if you forward a port through a firewall so you can monitor a sensor remotely, you need to set the server-id.
To change the web server settings, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Enter web server mode.
sensor# configure terminal
sensor(config)# service web-server
Step 3 Change the port number.
sensor(config-web)# port 8080
If you change the port number from the default of 443 to 8080, you receive the following message:
Warning: The web server's listening port number has changed from 443 to 8080. This change
will not take effect until the web server is re-started
Step 4 Enable or disable TLS.
sensor(config-web)# enable-tls {true | false}
If you disable TLS, you receive the following message:
Warning: TLS protocol support has been disabled. This change will not take effect until
the web server is re-started.
Step 5 Change the HTTP server header.
sensor(config-web)# server-id Nothing to see here. Move along.
Step 6 Enable RDEP event server subscriptions if you are using a third-party event client that is only able to parse IDS 4.x alerts.
sensor(config-web)# configurable-service rdep-event-server
sensor(config-web-con)# enabled true
Step 7 Verify the web server changes.
sensor(config-web)# show settings
enable-tls: true default: true
server-id: Nothing to see here. Move along. default: HTTP/1.1 compliant
Step 8 To revert to the defaults, use the default form of the commands.
sensor(config-web)# default port
sensor(config-web)# default enable-tls
sensor(config-web)# default server-id
Step 9 Verify the defaults have been replaced.
sensor(config-web)# show settings
enable-tls: true <defaulted>
server-id: HTTP/1.1 compliant <defaulted>
configurable-service (min: 0, max: 99, current: 1)
-----------------------------------------------
service-name: rdep-event-server
-----------------------------------------------
enabled: true default: false
file-name: event-server <protected>
-----------------------------------------------
-----------------------------------------------
Step 10 Exit web server submode.
Step 11 Press Enter to apply the changes or enter no to discard them.
Note If you change the port or enable TLS settings, you must reset the sensor to make the web server use the new settings.
For More Information
•For the procedure for initializing your sensor, see Chapter 3 "Initializing the Sensor."
•For the procedure for resetting the appliance, see Resetting the Appliance.
•For the procedure for resetting the AIM IPS, see Rebooting, Resetting, and Shutting Down the AIM IPS.
•For the procedure for resetting the AIP SSM, see Reloading, Shutting Down, Resetting, and Recovering the AIP SSM.
•For the procedure for resetting the IDSM2, see Resetting the IDSM2.
•For more information about RDEP and SDEE/CIDEE, see "System Architecture."
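A check for the HTTP server header point made above: after you set server-id and restart the web server, confirm from a captured response that the Server header carries your configured value rather than the default. This is an added example and not Cisco IPS software; the sample response is constructed, the default value "HTTP/1.1 compliant" is taken from the show settings output in this section, and the function names are the example's own.

```python
"""Classify the Server header of an IPS web server response.

Added example, not Cisco IPS code. The default server-id "HTTP/1.1 compliant"
comes from the chapter; SAMPLE_RESPONSE is constructed, not captured.
"""

DEFAULT_SERVER_ID = "HTTP/1.1 compliant"

# Constructed sample response, not captured from a real sensor.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Nothing to see here. Move along.\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(raw: str):
    """Return (status_line, headers) from the head of an HTTP response.
    Header names are lower-cased; repeated headers are joined with commas."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue          # tolerate a malformed line rather than abort the audit
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return lines[0], headers


def classify_server_header(raw: str, expected: str) -> str:
    """'missing'  : no Server header at all
       'default'  : still the factory value, server-id was not applied
       'matches'  : equals the configured server-id
       'mismatch' : some other value (stale until the web server restarts)"""
    _, headers = parse_headers(raw)
    server = headers.get("server")
    if server is None:
        return "missing"
    if server == DEFAULT_SERVER_ID:
        return "default"
    return "matches" if server == expected else "mismatch"


if __name__ == "__main__":
    status, hdrs = parse_headers(SAMPLE_RESPONSE)
    print(status, "->", hdrs.get("server"))
    print(classify_server_header(SAMPLE_RESPONSE, "Nothing to see here. Move along."))
```

Feed it the raw bytes of a response taken from the sensor's management port; a result of "default" or "mismatch" after the change means the web server has not yet been restarted, which the Note in this section requires.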
Configuring User Parameters
The following section explains how to create the service account, create users, configure and recover passwords, specify privilege level, and view a list of users. It contains the following topics:
•Adding and Removing Users
•Creating the Service Account
•Configuring Passwords
•Changing User Privilege Levels
•Showing User Status
•Configuring the Password Policy
•Configuring Account Locking
Adding and Removing Users
Use the username command to create users on the local system. You can add a new user, set the privilege level—administrator, operator, viewer—and set the password for the new user. Use the no form of this command to remove a user from the system. This removes the user from CLI and web access.
Caution
The username command provides username and password authentication for login purposes only. You cannot use this command to remove a user who is logged in to the system. You cannot use this command to remove yourself from the system.
If you do not specify a password, the system prompts you for one. Use the password command to change the password for existing users. Use the privilege command to change the privilege for existing users.
The username follows the pattern ^[A-Za-z0-9()+:,_/-]+$, which means the username must start with a letter or number, and can include any letter A to Z (capital or small), any number 0 to 9, - and _, and can contain 1 to 64 characters. The password must conform to the requirements set by the sensor administrator.
You receive the following error messages if you do not create a valid password:
•Error: setEnableAuthenticationTokenStatus : The password is too short.
•Error: setEnableAuthenticationTokenStatus : Failure setting the account's password: it does not contain enough DIFFERENT characters
Note You cannot use the privilege command to give a user service privileges. To give an existing user service privileges, you must remove that user and then use the username command to create the service account.
Note For IPS 5.0 and later, you can no longer remove the cisco account. You can disable it using the no password cisco command, but you cannot remove it. To use the no password cisco command, there must be another administrator account on the sensor. Removing the cisco account through the service account is not supported. If you remove the cisco account through the service account, the sensor most likely will not boot up, so to recover the sensor you must reinstall the sensor system image.
To add and remove users, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter configuration mode.
sensor# configure terminal
Step 3 Specify the parameters for the user.
sensor(config)# username username password password privilege
administrator/operator/viewer
Note The username follows the pattern ^[A-Za-z0-9()+:,_/-]+$, which means the username must start with a letter or number, and can include any letter A to Z (capital or small), any number 0 to 9, - and _, and can contain 1 to 64 characters. The password must conform to the requirements set by the sensor administrator.
For example, to add the user "tester" with a privilege level of administrator and the password "testpassword," enter the following command:
Note If you do not want to see the password in clear text, wait for the password prompt. Do not enter the password along with the username and privilege.
sensor(config)# username tester privilege administrator
Enter Login Password: ************
Re-enter Login Password: ************
Note If you do not specify a privilege level for the user, the user is assigned the default viewer privilege.
Step 4 Verify that the user has been added.
* 13491 cisco administrator
A list of users is displayed.
Step 5 To remove a user, use the no form of the command.
sensor# configure terminal
sensor(config)# no username jsmith
Note You cannot use this command to remove yourself from the system
Step 6 Verify that the user has been removed.
* 13491 cisco administrator
The user jsmith has been removed.
For More Information
For the procedure for creating the service account, see Creating the Service Account.
Creating the Service Account
You can create a service account for TAC to use during troubleshooting. Although more than one user can have access to the sensor, only one user can have service privileges on a sensor. The service account is for support purposes only.
Caution
Do not make modifications to the sensor through the service account except under the direction of TAC. If you use the service account to configure the sensor, your configuration is not supported by TAC. Adding services to the operating system through the service account affects proper performance and functioning of the other IPS services. TAC does not support a sensor on which additional services have been added.
Note The root user password is synchronized to the service account password when the service account is created. To gain root access you must log in with the service account and switch to user root with the su - root command.
Caution
You should carefully consider whether you want to create a service account. The service account provides shell access to the system, which makes the system vulnerable. However, you can use the service account to create a password if the administrator password is lost. Analyze your situation to decide if you want a service account existing on the system.
Note For IPS 5.0 and later, you can no longer remove the cisco account. You can disable it using the no password cisco command, but you cannot remove it. To use the no password cisco command, there must be another administrator account on the sensor. Removing the cisco account through the service account is not supported. If you remove the cisco account through the service account, the sensor most likely will not boot up, so to recover the sensor you must reinstall the sensor system image.
To create the service account, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter configuration mode.
sensor# configure terminal
Step 3 Specify the parameters for the service account.
sensor(config)# user username privilege service
The username follows the pattern ^[A-Za-z0-9()+:,_/-]+$, which means the username must start with a letter or number, and can include any letter A to Z (capital or small), any number 0 to 9, - and _, and can contain 1 to 64 characters.
Step 4 Specify a password when prompted.
The password must conform to the requirements set by the sensor administrator. If a service account already exists for this sensor, the following error is displayed and no service account is created:
Error: Only one service account may exist
Step 5 Exit configuration mode.
When you use the service account to log in to the CLI, you receive the following warning:
************************ WARNING *******************************************************
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. This account is intended to be
used for support and troubleshooting purposes only. Unauthorized modifications are not
supported and will require this device to be reimaged to guarantee proper operation.
****************************************************************************************
Configuring Passwords
Use the password command to update the password on the local sensor. You can also use this command to change the password for an existing user or to reset the password for a locked account.
A valid password is 8 to 32 characters long. All characters except space are allowed.
To change the password, follow these steps:
Step 1 To change the password for another user or reset the password for a locked account, follow these steps:
a. Log in to the CLI using an account with administrator privileges.
b. Enter configuration mode.
sensor# configure terminal
c. Change the password for a specific user.
sensor(config)# password tester
Enter New Login Password: ******
Re-enter New Login Password: ******
Note This example modifies the password for the user "tester."
Step 2 To change your password, follow these steps:
a. Log in to the CLI.
b. Enter configuration mode.
sensor# configure terminal
c. Change your password.
sensor(config)# password
Enter Old Login Password:************
Enter New Login Password: ************
Re-enter New Login Password: ************
Changing User Privilege Levels
Use the privilege command to change the privilege level—administrator, operator, viewer—for a user.
Note You cannot use the privilege command to give a user service privileges. To give an existing user service privileges, you must remove that user and then use the username command to create the service account. There can only be one person with service privileges.
To change the privilege level for a user, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Verify the current privilege of the user jsmith.
* 13491 cisco administrator
Step 3 Change the privilege level from viewer to operator.
sensor# configure terminal
sensor(config)# privilege user jsmith operator
Warning: The privilege change does not apply to current CLI sessions. It will be applied
to subsequent logins.
Step 4 Verify that the user's privilege has been changed.
* 13491 cisco administrator
The privilege of the user jsmith has been changed from viewer to operator.
Step 5 Display your current level of privilege.
Current privilege level is administrator
For More Information
For the procedure for creating the service account, see Creating the Service Account.
Showing User Status
Use the show users command to view information about the username and privilege of all users logged in to the sensor, and all user accounts on the sensor regardless of login status.
An * indicates the current user. If an account is locked, the username is surrounded by parentheses. A locked account means that the user failed to enter the correct password after the configured attempts.
All IPS platforms allow ten concurrent login sessions.
To show user information, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Verify the users logged in to the sensor.
* 13491 cisco administrator
Step 3 Verify all users.
* 13491 cisco administrator
The account of the user jsmith is locked.
Step 4 To unlock the account of jsmith, reset the password.
sensor# configure terminal
sensor(config)# password jsmith
Enter New Login Password: ******
Re-enter New Login Password: ******
Configuring the Password Policy
As administrator, you can configure how passwords are created. All user-created passwords must conform to the policy that you set up. For example, you can set a policy where passwords must have at least 10 characters and no more than 40, and must have a minimum of 2 upper case and 2 numeric characters. Once that policy is set, every password configured for each user account must conform to this password policy.
You can set the number of login attempts and the size and minimum character requirements for a password. The minimum password length is eight characters. If you forget your password, there are various ways to recover the password depending on your sensor platform.
Caution
If the password policy includes minimum numbers of character sets, such as upper case or number characters, the sum of the minimum number of required character sets cannot exceed the minimum password size. For example, you cannot set a minimum password size of eight and also require that passwords must contain at least five lowercase and five uppercase characters.
To set up a password policy, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Enter password strength authentication submode.
sensor# configure terminal
sensor(config)# service authentication
sensor(config-aut)# password-strength
Step 3 Set the minimum number of numeric digits that must be in a password.
sensor(config-aut-pas)# digits-min 6
The range is 0 to 64.
Step 4 Set the minimum number of nonalphanumeric printable characters that must be in a password.
sensor(config-aut-pas)# other-min 3
The range is 0 to 64.
Step 5 Set the minimum number of uppercase alphabet characters that must be in a password.
sensor(config-aut-pas)# uppercase-min 3
The range is 0 to 64.
Step 6 Set the minimum number of lowercase alphabet characters that must be in a password.
sensor(config-aut-pas)# lowercase-min 3
Step 7 Set the number of old passwords to remember for each account.
sensor(config-aut-pas)# number-old-passwords 3
A new password cannot match any of the remembered old passwords of an account.
Step 8 Check your new setting.
sensor(config-aut-pas)# show settings
-----------------------------------------------
uppercase-min: 3 default: 0
lowercase-min: 3 default: 0
number-old-passwords: 3 default: 0
-----------------------------------------------
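The following Python script is an added example, not part of the Cisco documentation or the sensor software. It models the policy configured above so that you can check candidate passwords, and the policy itself, offline before applying it. The class and function names (PasswordPolicy, check_password, size_min, size_max) are this example's own; the sensor exposes only the CLI keywords shown in the steps. Because the four minimums entered above add up to 15, the example raises the minimum size to 15, which is what the Caution above requires.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class PasswordPolicy:
    """Hypothetical model of the sensor's password-strength settings.

    digits_min, other_min, uppercase_min, lowercase_min and number_old_passwords
    mirror the CLI keywords on the page; size_min and size_max stand in for the
    overall length limits the page describes in prose.
    """
    size_min: int = 8          # the page states the minimum password length is eight
    size_max: int = 64         # assumed upper bound for this example
    digits_min: int = 0
    other_min: int = 0
    uppercase_min: int = 0
    lowercase_min: int = 0
    number_old_passwords: int = 0

    def validate(self) -> List[str]:
        """Apply the page's caution: the character-class minimums must fit in size_min."""
        problems = []
        if self.size_min < 8:
            problems.append("size_min must be at least 8")
        if self.size_max < self.size_min:
            problems.append("size_max is smaller than size_min")
        class_total = (self.digits_min + self.other_min
                       + self.uppercase_min + self.lowercase_min)
        if class_total > self.size_min:
            problems.append(f"sum of character-class minimums ({class_total}) "
                            f"exceeds size_min ({self.size_min})")
        return problems


def count_classes(password: str):
    """Count digits, other printable (non-alphanumeric), uppercase and lowercase."""
    digits = sum(c.isdigit() for c in password)
    upper = sum(c.isupper() for c in password)
    lower = sum(c.islower() for c in password)
    other = sum(c.isprintable() and not c.isalnum() for c in password)
    return digits, other, upper, lower


def check_password(policy: PasswordPolicy, candidate: str,
                   old_passwords: List[str]) -> List[str]:
    """Return the policy violations for candidate; an empty list means accepted.

    old_passwords is the account's history, newest first. A real system keeps
    password hashes here rather than clear text; plain strings keep the example short.
    """
    violations = []
    n = len(candidate)
    if n < policy.size_min:
        violations.append(f"too short: {n} < {policy.size_min}")
    if n > policy.size_max:
        violations.append(f"too long: {n} > {policy.size_max}")
    digits, other, upper, lower = count_classes(candidate)
    for name, have, need in (("digits", digits, policy.digits_min),
                             ("other", other, policy.other_min),
                             ("uppercase", upper, policy.uppercase_min),
                             ("lowercase", lower, policy.lowercase_min)):
        if have < need:
            violations.append(f"needs at least {need} {name} characters, has {have}")
    if candidate in old_passwords[:policy.number_old_passwords]:
        violations.append(f"matches one of the last {policy.number_old_passwords} passwords")
    return violations


# Policy with the values the page configures (digits 6, other 3, upper 3, lower 3,
# remember 3). Those minimums add up to 15, so size_min is raised to 15 here; with
# the eight-character default the caution on the page would reject this policy.
PAGE_POLICY = PasswordPolicy(size_min=15, size_max=40, digits_min=6, other_min=3,
                             uppercase_min=3, lowercase_min=3, number_old_passwords=3)
```

PasswordPolicy.validate() mirrors the Caution: with size_min left at 8 and the page's four minimums it reports that 15 exceeds 8. check_password() lists every unmet requirement at once, which is more useful to an operator than the first failure only.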
Configuring Account Locking
Use the attemptLimit number command in authentication submode to lock accounts so that users cannot keep trying to log in after a certain number of failed attempts. The default is 0, which indicates unlimited authentication attempts. For security purposes, you should change this number.
To configure account locking, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Enter service authentication submode.
sensor# configure terminal
sensor(config)# service authentication
Step 3 Set the number of attempts users will have to log in to accounts.
sensor(config-aut)# attemptLimit 3
Step 4 Check your new setting.
sensor(config-aut)# show settings
attemptLimit: 3 default: 0
Step 5 To set the value back to the system default setting:
sensor(config-aut)# default attemptLimit
Step 6 Check that the setting has returned to the default.
sensor(config-aut)# show settings
attemptLimit: 0 <defaulted>
Step 7 Check to see if any users have locked accounts.
Note When you apply a configuration that contains a non-zero value for attemptLimit, a change is made in the SSH server that may subsequently impact your ability to connect with the sensor. When attemptLimit is non-zero, the SSH server requires the client to support challenge-response authentication. If you experience problems after your SSH client connects but before it prompts for a password, you need to enable challenge-response authentication. Refer to the documentation for your SSH client for instructions.
sensor# show users all
* 1349 cisco administrator
The account of the user jsmith is locked, as indicated by the parentheses.
Step 8 To unlock the account of jsmith, reset the password.
sensor# configure terminal
sensor(config)# password jsmith
Enter New Login Password: ******
Re-enter New Login Password: ******
Recovering the Password
For most IPS platforms, you can now recover the password on the sensor rather than using the service account or reimaging the sensor. This section describes how to recover the password for the various IPS platforms. It contains the following topics:
•Understanding Password Recovery
•Password Recovery for Appliances
•Password Recovery for the AIM IPS
•Password Recovery for the AIP SSM
•Password Recovery for the IDSM2
•Password Recovery for the NME IPS
•Disabling Password Recovery
•Verifying the State of Password Recovery
•Troubleshooting Password Recovery
Understanding Password Recovery
Password recovery implementations vary according to IPS platform requirements. Password recovery is implemented only for the cisco administrative account and is enabled by default. The IPS administrator can then recover user passwords for other accounts using the CLI. The cisco user password reverts to cisco and must be changed after the next login.
Note Administrators may need to disable the password recovery feature for security reasons.
Table 4-1 lists the password recovery methods according to platform.
Table 4-1 Password Recovery Methods According to Platform
Platform             | Description                                         | Recovery Method
4200 series sensors  | Standalone IPS appliances                           | GRUB prompt or ROMMON
AIM IPS, NME IPS     | Router IPS modules                                  | Bootloader command
AIP SSM              | ASA 5500 series adaptive security appliance modules | ASA CLI command
IDSM2                | Switch IPS module                                   | Password recovery image file
For More Information
For more information on when to disable the password recovery feature, see Disabling Password Recovery.
Password Recovery for Appliances
This section describes the two ways to recover the password for appliances. It contains the following topics:
•Using the GRUB Menu
•Using ROMMON
Using the GRUB Menu
For 4200 series appliances, the password recovery is found in the GRUB menu, which appears during bootup. When the GRUB menu appears, press any key to pause the boot process.
Note You must have a terminal server or direct serial connection to the appliance to use the GRUB menu to recover the password.
To recover the password on appliances, follow these steps:
Step 1 Reboot the appliance.
The following menu appears:
GNU GRUB version 0.94 (632K lower / 523264K upper memory)
-------------------------------------------
2: Cisco IPS Clear Password (cisco)
-------------------------------------------
Use the ^ and v keys to select which entry is highlighted.
Press enter to boot the selected OS, 'e' to edit the
Commands before booting, or 'c' for a command-line.
Step 2 Press any key to pause the boot process.
Step 3 Choose 2: Cisco IPS Clear Password (cisco).
The password is reset to cisco. You can change the password the next time you log in to the CLI.
For More Information
For more information on connecting a terminal server or direct serial connection, see Connecting an Appliance to a Terminal Server.
Using ROMMON
For the IPS 4240 and the IPS 4255, you can use ROMMON to recover the password. To access the ROMMON CLI, reboot the sensor from a terminal server or direct connection and interrupt the boot process.
To recover the password using the ROMMON CLI, follow these steps:
Step 1 Reboot the appliance.
Step 2 To interrupt the boot process, press ESC or Control-R (terminal server) or send a BREAK command (direct connection).
The boot code either pauses for 10 seconds or displays something similar to one of the following:
•Evaluating boot options
•Use BREAK or ESC to interrupt boot
Step 3 Enter the following commands to reset the password:
Sample ROMMON session:
Booting system, please wait...
Embedded BIOS Version 1.0(11)2 01/25/06 13:21:26.17
Evaluating BIOS Options...
Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(11)2) #0: Thu Jan 26 10:43:08 PST 2006
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
MAC Address:000b.fcfa.d155
Update Config Register (0x7) in NVRAM...
Password Recovery for the AIM IPS
To recover the password for the AIM IPS, use the clear password command. You must have console access to the AIM IPS and administrative access to the router. To recover the password for the AIM IPS, follow these steps:
Step 1 Log in to the router.
Step 2 Enter privileged EXEC mode on the router.
Step 3 Confirm the module slot number in your router.
router# show run | include ids-sensor
Step 4 Session in to the AIM IPS.
router# service-module ids-sensor slot/port session
Example:
router# service-module ids-sensor 0/0 session
Step 5 Press Control-shift-6 followed by x to navigate to the router CLI.
Step 6 Reset the AIM IPS from the router console.
router# service-module ids-sensor 0/0 reset
Step 7 Press Enter to return to the router console.
Step 8 When prompted for boot options, enter *** quickly.
You are now in the bootloader.
Step 9 Clear the password.
ServicesEngine boot-loader# clear password
The AIM IPS reboots. The password is reset to cisco. Log in to the CLI with username cisco and password cisco. You can then change the password.
Password Recovery for the AIP SSM
You can reset the password to the default (cisco) for the AIP SSM using the CLI or the ASDM. Resetting the password causes the AIP SSM to reboot. IPS services are not available during a reboot.
Note To reset the password, you must have ASA 7.2.2 or later.
Use the hw-module module slot_number password-reset command to reset the password to the default cisco. If the module in the specified slot has an IPS version that does not support password recovery, the following error message is displayed:
ERROR: the module in slot <n> does not support password recovery.
Resetting the Password Using the CLI
To reset the password on the AIP SSM, follow these steps:
Step 1 Log into the adaptive security appliance and enter the following command to verify the module slot number:
Mod Card Type Model Serial No.
--- -------------------------------------------- ------------------ -----------
0 ASA 5510 Adaptive Security Appliance ASA5510 JMX1135L097
1 ASA 5500 Series Security Services Module-40 ASA-SSM-40 JAF1214AMRL
Mod MAC Address Range Hw Version Fw Version Sw Version
--- --------------------------------- ------------ ------------ ---------------
0 001b.d5e8.e0c8 to 001b.d5e8.e0cc 2.0 1.0(11)2 8.4(3)
1 001e.f737.205f to 001e.f737.205f 1.0 1.0(14)5 7.0(7)E4
Mod SSM Application Name Status SSM Application Version
--- ------------------------------ ---------------- --------------------------
Mod Status Data Plane Status Compatibility
--- ------------------ --------------------- -------------
Step 2 Reset the password for module 1.
asa# hw-module module 1 password-reset
Reset the password on module in slot 1? [confirm]
Step 3 Press Enter to confirm.
Password-Reset issued for slot 1.
Step 4 Verify the status of the module. Once the status reads Up, you can session to the AIP SSM.
Mod Card Type Model Serial No.
--- -------------------------------------------- ------------------ -----------
1 ASA 5500 Series Security Services Module-40 ASA-SSM-40 JAF1214AMRL
Mod MAC Address Range Hw Version Fw Version Sw Version
--- --------------------------------- ------------ ------------ ---------------
1 001e.f737.205f to 001e.f737.205f 1.0 1.0(14)5 7.0(7)E4
Mod SSM Application Name Status SSM Application Version
--- ------------------------------ ---------------- --------------------------
Mod Status Data Plane Status Compatibility
--- ------------------ --------------------- -------------
Step 5 Session to the AIP SSM.
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.
Step 6 Enter the default username (cisco) and password (cisco) at the login prompt.
You are required to change your password immediately (password aged)
Changing password for cisco.
(current) password: cisco
Step 7 Enter your new password twice.
New password: new password
Retype new password: new password
This product contains cryptographic features and is subject to United States and local
country laws governing import, export, transfer and use. Delivery of Cisco cryptographic
products does not imply third-party authority to import, export, distribute or use
encryption. Importers, exporters, distributors and users are responsible for compliance
with U.S. and local country laws. By using this product you agree to comply with
applicable laws and regulations. If you are unable to comply with U.S. and local laws,
return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to export@cisco.com.
There is no license key installed on this IPS platform. The system will continue to
operate with the currently installed signature set. A valid license must be obtained in
order to apply signature updates. Please go to http://www.cisco.com/go/license to obtain a
new license or install a license.
Using the ASDM
To reset the password in the ASDM, follow these steps:
Step 1 From the ASDM menu bar, choose Tools > IPS Password Reset.
Note This option does not appear in the menu if there is no IPS present.
Step 2 In the IPS Password Reset confirmation dialog box, click OK to reset the password to the default (cisco). A dialog box displays the success or failure of the password reset. If the reset fails, make sure you have the correct ASA and IPS software versions.
Step 3 Click Close to close the dialog box. The sensor reboots.
Password Recovery for the IDSM2
To recover the password for the IDSM2, you must install a special password recovery image file. This installation only resets the password, all other configuration remains intact. The password recovery image is version-dependent and can be found on the Cisco Download Software site. For IPS 6.x, download WS-SVC-IDSM2-K9-a-6.0-password-recovery.bin.gz. For IPS 7.x, download WS-SVC-IDSM2-K9-a-7.0-password-recovery.bin.gz.
FTP is the only supported protocol for image installations, so make sure you put the password recovery image file on an FTP server that is accessible to the switch. You must have administrative access to the Cisco 6500 series switch to recover the password on the IDSM2.
During the password recovery image installation, the following message appears:
Upgrading will wipe out the contents on the hard disk.
Do you want to proceed installing it [y|n]:
This message is in error: installing the password recovery image does not remove any configuration; it only resets the login account.
Once you have downloaded the password recovery image file, follow the instructions to install the system image file but substitute the password recovery image file for the system image file. The IDSM2 should reboot into the primary partition after installing the recovery image file. If it does not, enter the following command from the switch:
hw-module module module_number reset hdd:1
Note The password is reset to cisco. Log in to the CLI with username cisco and password cisco. You can then change the password.
For More Information
•For the procedures for reimaging the IDSM2, see Installing the IDSM2 System Image.
•For more information on downloading Cisco IPS software, see Obtaining Cisco IPS Software.
Password Recovery for the NME IPS
To recover the password for the NME IPS, use the clear password command. You must have console access to the NME IPS and administrative access to the router.
To recover the password for the NME IPS, follow these steps:
Step 1 Log in to the router.
Step 2 Enter privileged EXEC mode on the router.
Step 3 Confirm the module slot number in your router.
router# show run | include ids-sensor
Step 4 Session in to the NME IPS.
router# service-module ids-sensor slot/port session
Example:
router# service-module ids-sensor 1/0 session
Step 5 Press Control-shift-6 followed by x to navigate to the router CLI.
Step 6 Reset the NME IPS from the router console.
router# service-module ids-sensor 1/0 reset
Step 7 Press Enter to return to the router console.
Step 8 When prompted for boot options, enter *** quickly.
You are now in the bootloader.
Step 9 Clear the password.
ServicesEngine boot-loader# clear password
The NME IPS reboots. The password is reset to cisco. Log in to the CLI with username cisco and password cisco. You can then change the password.
Disabling Password Recovery
Caution
If you try to recover the password on a sensor on which password recovery is disabled, the process proceeds with no errors or warnings; however, the password is not reset. If you cannot log in to the sensor because you have forgotten the password, and password recovery is set to disabled, you must reimage your sensor.
Password recovery is enabled by default. You can disable password recovery through the CLI, IDM, or IME.
Disabling Password Recovery Using the CLI
To disable password recovery in the CLI, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter global configuration mode.
sensor# configure terminal
Step 3 Enter host mode.
sensor(config)# service host
Step 4 Disable password recovery.
sensor(config-hos)# password-recovery disallowed
Disabling Password Recovery Using IDM
To disable password recovery in IDM or IME, follow these steps:
Step 1 Log in to IDM or IME using an account with administrator privileges.
Step 2 Choose Configuration > sensor_name > Sensor Setup > Network.
Step 3 To disable password recovery, uncheck the Allow Password Recovery check box.
For More Information
•To determine whether password recovery is enabled or disabled, see Verifying the State of Password Recovery.
•For more information on what to do if you forget the password and password recovery is set to disabled, see Troubleshooting Password Recovery.
Verifying the State of Password Recovery
Use the show settings | include password command to verify whether password recovery is enabled.
To verify whether password recovery is enabled, follow these steps:
Step 1 Log in to the CLI.
Step 2 Enter service host submode.
sensor# configure terminal
sensor(config)# service host
Step 3 Verify the state of password recovery by using the include keyword to show settings in a filtered output.
sensor(config-hos)# show settings | include password
password-recovery: allowed <defaulted>
Troubleshooting Password Recovery
When you troubleshoot password recovery, pay attention to the following:
•You cannot determine whether password recovery has been disabled in the sensor configuration from the ROMMON prompt, GRUB menu, switch CLI, or router CLI. If you attempt password recovery, it always appears to succeed. If it has been disabled, the password is not reset to cisco. The only option is to reimage the sensor.
•You can disable password recovery in the host configuration. On the platforms that use an external mechanism (the bootloader for the AIM IPS and the NME IPS, ROMMON, and the maintenance partition for the IDSM2), you can still run the commands that clear the password, but if password recovery is disabled in the IPS, the IPS detects that password recovery is not allowed and rejects the external request.
•To check the state of password recovery, use the show settings | include password command.
•When performing password recovery on the IDSM2, you see the following message: Upgrading will wipe out the contents on the storage media. You can ignore this message. Only the password is reset when you use the specified password recovery image.
For More Information
•For information on reimaging the sensor, see Chapter 22 "Upgrading, Downgrading, and Installing System Images."
•For more information on disabling password recovery, see Disabling Password Recovery.
•For the procedure for checking the state of password recovery, see Verifying the State of Password Recovery.
Configuring Time
This section describes the importance of having a reliable time source for the sensor. It contains the following topics:
•Time Sources and the Sensor
•Synchronizing IPS Module System Clocks with the Parent Device System Clock
•Correcting Time on the Sensor
•Configuring Time on the Sensor
•Configuring NTP
Time Sources and the Sensor
The sensor requires a reliable time source. All events (alerts) must have the correct UTC and local time stamp; otherwise, you cannot correctly analyze the logs after an attack. When you initialize the sensor, you set up the time zones and summertime settings.
Note We recommend that you use an NTP server. You can use authenticated or unauthenticated NTP. For authenticated NTP, you must obtain the NTP server IP address, NTP server key ID, and the key value from the NTP server. You can set up NTP during initialization or you can configure NTP through the CLI, IDM, IME, or ASDM.
Here is a summary of ways to set the time on sensors:
•For appliances
–Use the clock set command to set the time. This is the default.
–Use NTP—You can configure the appliance to get its time from an NTP time synchronization source.
•For the IDSM2
–The IDSM2 can automatically synchronize its clock with the switch time. This is the default. The UTC time is synchronized between the switch and the IDSM2. The time zone and summertime settings are not synchronized between the switch and the IDSM2.
Note Be sure to set the time zone and summertime settings on both the switch and the IDSM2 to ensure that the UTC time settings are correct. The local time of the IDSM2 could be incorrect if the time zone and/or summertime settings do not match between the IDSM2 and the switch.
–Use NTP—You can configure the IDSM2 to get its time from an NTP time synchronization source.
•For the AIM IPS and the NME IPS
–The AIM IPS and the NME IPS can automatically synchronize their clock with the clock in the router chassis in which they are installed (parent router). This is the default. The UTC time is synchronized between the parent router and the AIM IPS and the NME IPS. The time zone and summertime settings are not synchronized between the parent router and the AIM IPS and the NME IPS.
Note Be sure to set the time zone and summertime settings on both the parent router and the AIM IPS and the NME IPS to ensure that the UTC time settings are correct. The local time of the AIM IPS and the NME IPS could be incorrect if the time zone and/or summertime settings do not match between the AIM IPS and the NME IPS and the router.
–Use NTP—You can configure the AIM IPS and the NME IPS to get their time from an NTP time synchronization source, such as a Cisco router, other than the parent router.
•For the AIP SSM
–The AIP SSM can automatically synchronize its clock with the clock in the adaptive security appliance in which it is installed. This is the default. The UTC time is synchronized between the adaptive security appliance and the AIP SSM. The time zone and summertime settings are not synchronized between the adaptive security appliance and the AIP SSM.
Note Be sure to set the time zone and summertime settings on both the adaptive security appliance and the AIP SSM to ensure that the UTC time settings are correct. The local time of the AIP SSM could be incorrect if the time zone and/or summertime settings do not match between the AIP SSM and the adaptive security appliance.
–Use NTP—You can configure the AIP SSM to get its time from an NTP time synchronization source, such as a Cisco router other than the parent router.
Synchronizing IPS Module System Clocks with the Parent Device System Clock
All IPS modules (AIM IPS, AIP SSM, IDSM2, and NME IPS) synchronize their system clocks to the parent chassis clock (switch, router, or security appliance) each time the module boots up and any time the parent chassis clock is set. The module clock and parent chassis clock tend to drift apart over time. The difference can be as much as several seconds per day. To avoid this problem, make sure that both the module clock and the parent clock are synchronized to an external NTP server. If only the module clock or only the parent chassis clock is synchronized to an NTP server, the time drift occurs.
For More Information
•For more information on NTP, see Configuring NTP.
•For more information on verifying that the module and the NTP server are synchronized, see Verifying the Sensor is Synchronized with the NTP Server.
Correcting Time on the Sensor
If you set the time incorrectly, your stored events will have the incorrect time because they are stamped with the time the event was created.
The Event Store time stamp is always based on UTC time. If during the original sensor setup, you set the time incorrectly by specifying 8:00 p.m. rather than 8:00 a.m., when you do correct the error, the corrected time will be set backwards. New events might have times older than old events.
For example, if during the initial setup, you configure the sensor as central time with daylight saving time enabled and the local time is 8:04 p.m., the time is displayed as 20:04:37 CDT and has an offset from UTC of -5 hours (01:04:37 UTC, the next day). A week later at 9:00 a.m., you discover the error: the clock shows 21:00:23 CDT. You then change the time to 9:00 a.m. and now the clock shows 09:01:33 CDT. Because the offset from UTC has not changed, it requires that the UTC time now be 14:01:33 UTC, which creates the time stamp problem.
To ensure the integrity of the time stamp on the event records, you must clear the event archive of the older events by using the clear events command.
Note You cannot remove individual events.
For More Information
For more information on the clear events command, see Clearing Events from Event Store.
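To show concretely how correcting the clock produces out-of-order time stamps, the following Python script is an added example, not part of the Cisco documentation. It replays the scenario above with constructed event records (the evId values, the twelve-hour error and the moment of correction are assumptions) and scans an event list for stamps that run backwards, which is the condition that clear events resolves.

```python
from datetime import datetime, timedelta
from typing import List, Tuple

Event = Tuple[str, datetime]   # (event id, UTC time stamp written into the Event Store)


def stamp_events(true_events: List[Event], clock_error: timedelta,
                 corrected_at: datetime) -> List[Event]:
    """Stamp each event with what the sensor clock read when the event was created.

    Before the operator corrects the clock the stamp is true UTC plus the error;
    from corrected_at onward the stamp equals true UTC.
    """
    stamped = []
    for event_id, true_utc in true_events:
        error = clock_error if true_utc < corrected_at else timedelta(0)
        stamped.append((event_id, true_utc + error))
    return stamped


def find_timestamp_regressions(events: List[Event]) -> List[Tuple[str, str, int]]:
    """Scan events in creation order and report each event whose UTC stamp is
    earlier than its predecessor's, with the size of the backward step in seconds."""
    regressions = []
    for (prev_id, prev_ts), (cur_id, cur_ts) in zip(events, events[1:]):
        if cur_ts < prev_ts:
            regressions.append((prev_id, cur_id,
                                int((prev_ts - cur_ts).total_seconds())))
    return regressions


# Constructed walk-through of the page's scenario. Setup happened at 08:04:37 CDT on
# Apr 3 2008 (13:04:37 UTC) but the clock was set to 20:04:37, twelve hours fast.
# The error is noticed at 09:00 local on Apr 10 and corrected about a minute later.
TRUE_EVENTS: List[Event] = [
    ("evId=1", datetime(2008, 4, 3, 13, 4, 37)),    # created right after setup
    ("evId=2", datetime(2008, 4, 10, 14, 0, 23)),   # last event before the correction
    ("evId=3", datetime(2008, 4, 10, 14, 1, 33)),   # first event after the correction
    ("evId=4", datetime(2008, 4, 10, 14, 5, 0)),
]
CLOCK_ERROR = timedelta(hours=12)                   # assumed, matches the page's 8 p.m. / 8 a.m. mix-up
CORRECTED_AT = datetime(2008, 4, 10, 14, 1, 0)      # assumed instant of the clock set


def stamped_page_scenario() -> List[Tuple[str, str]]:
    """Event ids with the UTC stamps the sensor actually wrote, as strings."""
    return [(eid, ts.isoformat(sep=" "))
            for eid, ts in stamp_events(TRUE_EVENTS, CLOCK_ERROR, CORRECTED_AT)]


def page_scenario() -> List[Tuple[str, str, int]]:
    """evId=2 is stamped 02:00:23 UTC Apr 11 and evId=3 14:01:33 UTC Apr 10, so the
    newer event sorts almost twelve hours before the older one."""
    return find_timestamp_regressions(stamp_events(TRUE_EVENTS, CLOCK_ERROR, CORRECTED_AT))
```

Run find_timestamp_regressions() over an exported event list after any manual clock change; a non-empty result is the case the page describes, where the older events should be cleared so that the archive stays monotonic.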
Configuring Time on the Sensor
This section describes how to configure time on the sensor so that your events are time-stamped correctly. It contains the following topics:
•Displaying the System Clock
•Manually Setting the System Clock
•Configuring Recurring Summertime Settings
•Configuring Nonrecurring Summertime Settings
•Configuring Time Zones Settings
Displaying the System Clock
Use the show clock [detail] command to display the system clock. You can use the detail option to indicate the clock source (NTP or system) and the current summertime setting (if any).
The system clock keeps an authoritative flag that indicates whether the time is authoritative (believed to be accurate). If the system clock has been set by a timing source, such as NTP, the flag is set.
Table 4-2 lists the system clock flags.
Table 4-2 System Clock Flags
Symbol  | Description
*       | Time is not authoritative.
(blank) | Time is authoritative.
.       | Time is authoritative, but NTP is not synchronized.
To display the system clock, follow these steps:
Step 1 Log in to the CLI.
Step 2 Display the system clock.
sensor# show clock
*19:04:52 UTC Thu Apr 03 2008
Step 3 Display the system clock with details.
sensor# show clock detail
20:09:43 UTC Thu Apr 03 2008
Summer time starts 03:00:00 UTC Sun Mar 09 2008
Summer time stops 01:00:00 UTC Sun Nov 02 2008
This indicates that the sensor is getting its time from NTP and that NTP is configured and synchronized.
sensor# show clock detail
*20:09:43 UTC Thu Apr 03 2008
Summer time starts 03:00:00 UTC Sun Mar 09 2008
Summer time stops 01:00:00 UTC Sun Nov 02 2008
This indicates that no time source is configured.
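The following Python parser is an added example, not part of the Cisco documentation. It reads the show clock output above (the samples are copied from this page, plus one constructed line for the "." state) and maps the leading flag to the states in Table 4-2, so that a monitoring job can raise an alert when a sensor has no authoritative time source or has lost NTP synchronization. The function names and the ClockStatus fields are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Leading flag character of the first show clock line, per Table 4-2.
FLAG_MEANING = {
    "*": "time is not authoritative",
    "": "time is authoritative",
    ".": "time is authoritative, but NTP is not synchronized",
}

CLOCK_LINE = re.compile(
    r"^(?P<flag>[*.]?)(?P<hms>\d{2}:\d{2}:\d{2}) (?P<zone>\S+) "
    r"(?P<date>\w{3} \w{3} \d{2} \d{4})$"
)


@dataclass
class ClockStatus:
    flag: str
    clock: str                  # "HH:MM:SS ZONE Www Mmm DD YYYY" without the flag
    authoritative: bool
    ntp_synchronized: bool
    summer_start: Optional[str]
    summer_stop: Optional[str]


def parse_show_clock(output: str) -> ClockStatus:
    """Parse the text of show clock or show clock detail."""
    lines = [ln.strip() for ln in output.strip().splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty show clock output")
    m = CLOCK_LINE.match(lines[0])
    if m is None:
        raise ValueError(f"unrecognised clock line: {lines[0]!r}")
    flag = m.group("flag")
    summer_start = summer_stop = None
    for ln in lines[1:]:
        if ln.startswith("Summer time starts "):
            summer_start = ln[len("Summer time starts "):]
        elif ln.startswith("Summer time stops "):
            summer_stop = ln[len("Summer time stops "):]
    return ClockStatus(
        flag=flag,
        clock=lines[0][len(flag):],
        authoritative=(flag != "*"),
        # No flag is what the page shows for a sensor whose NTP source is configured
        # and synchronized; "." means configured but not synchronized.
        ntp_synchronized=(flag == ""),
        summer_start=summer_start,
        summer_stop=summer_stop,
    )


def clock_problem(status: ClockStatus) -> Optional[str]:
    """Reason a monitoring job should alert, or None if the clock can be trusted."""
    if status.flag == "*":
        return "no authoritative time source; event time stamps cannot be trusted"
    if status.flag == ".":
        return "NTP is configured but not synchronized; check the NTP server and key"
    return None


# Sample outputs: the first three are copied from the page, the last is constructed.
SHOW_CLOCK_NO_SOURCE = "*19:04:52 UTC Thu Apr 03 2008"
SHOW_CLOCK_DETAIL_NTP = """20:09:43 UTC Thu Apr 03 2008
Summer time starts 03:00:00 UTC Sun Mar 09 2008
Summer time stops 01:00:00 UTC Sun Nov 02 2008"""
SHOW_CLOCK_DETAIL_NO_SOURCE = """*20:09:43 UTC Thu Apr 03 2008
Summer time starts 03:00:00 UTC Sun Mar 09 2008
Summer time stops 01:00:00 UTC Sun Nov 02 2008"""
SHOW_CLOCK_NTP_UNSYNCED = ".20:09:43 UTC Thu Apr 03 2008"   # constructed
```

Feed the captured output of show clock detail from each sensor to parse_show_clock() and treat a non-None clock_problem() as a finding: an unflagged line is the only state in which event time stamps can be relied on for correlation.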
Manually Setting the System Clock
Use the clock set hh:mm [:ss] month day year command to manually set the clock on the appliance. Use this command if no other time sources are available.
Note You do not need to set the system clock if your sensor is synchronized by a valid outside timing mechanism such as an NTP clock source.
The clock set command does not apply to the following platforms:
•AIM IPS
•AIP SSM
•IDSM2
•NME IPS
To manually set the clock on the appliance, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Set the clock manually.
sensor# clock set 13:21 Mar 29 2008
Note The time format is 24-hour time.
For More Information
•For the procedure for configuring NTP, see Configuring NTP.
•For an explanation of the importance of having a valid time source for the sensor, see Time Sources and the Sensor.
•For an explanation of what to do if you set the clock incorrectly, see Correcting Time on the Sensor.
Configuring Recurring Summertime Settings
Note Summertime is a term for daylight saving time.
Use the summertime-option recurring command to configure the sensor to switch to summertime settings on a recurring basis. The default is recurring.
To configure the sensor to switch to summertime settings on a recurring basis, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Enter summertime recurring submode.
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# summertime-option recurring
Step 3 Enter start summertime submode.
sensor(config-hos-rec)# start-summertime
Step 4 Configure the start summertime parameters:
a. Enter the day of the week you want to start summertime settings.
sensor(config-hos-rec-sta)# day-of-week monday
b. Enter the month you want to start summertime settings.
sensor(config-hos-rec-sta)# month april
c. Enter the time of day you want to start summertime settings. The format is hh:mm:ss.
sensor(config-hos-rec-sta)# time-of-day 12:00:00
d. Enter the week of the month you want to start summertime settings. The values are first through fifth, or last.
sensor(config-hos-rec-sta)# week-of-month first
e. Verify your settings.
sensor(config-hos-rec-sta)# show settings
-----------------------------------------------
month: april default: april
week-of-month: first default: first
day-of-week: monday default: sunday
time-of-day: 12:00:00 default: 02:00:00
-----------------------------------------------
sensor(config-hos-rec-sta)#
Step 5 Enter end summertime submode.
sensor(config-hos-rec-sta)# exit
sensor(config-hos-rec)# end-summertime
Step 6 Configure the end summertime parameters:
a. Enter the day of the week you want to end summertime settings.
sensor(config-hos-rec-end)# day-of-week friday
b. Enter the month you want to end summertime settings.
sensor(config-hos-rec-end)# month october
c. Enter the time of day you want to end summertime settings. The format is hh:mm:ss.
sensor(config-hos-rec-end)# time-of-day 05:15:00
d. Enter the week of the month you want to end summertime settings. The values are first through fifth, or last.
sensor(config-hos-rec-end)# week-of-month last
e. Verify your settings.
sensor(config-hos-rec-end)# show settings
-----------------------------------------------
month: october default: october
week-of-month: last default: last
day-of-week: friday default: sunday
time-of-day: 05:15:00 default: 02:00:00
-----------------------------------------------
sensor(config-hos-rec-end)#
Step 7 Specify the local time zone used during summertime.
sensor(config-hos-rec-end)# exit
sensor(config-hos-rec)# summertime-zone-name CDT
Step 8 Specify the offset.
sensor(config-hos-rec)# offset 60
Note Changing the time zone offset requires the sensor to reboot.
Step 9 Verify your settings.
sensor(config-hos-rec)# show settings
-----------------------------------------------
offset: 60 minutes default: 60
summertime-zone-name: CDT
-----------------------------------------------
month: april default: april
week-of-month: first default: first
day-of-week: monday default: sunday
time-of-day: 12:00:00 default: 02:00:00
-----------------------------------------------
-----------------------------------------------
month: october default: october
week-of-month: last default: last
day-of-week: friday default: sunday
time-of-day: 05:15:00 default: 02:00:00
-----------------------------------------------
-----------------------------------------------
Step 10 Exit recurring summertime submode.
sensor(config-hos-rec)# exit
Step 11 Press Enter to apply the changes or enter no to discard them.
Configuring Nonrecurring Summertime Settings
Note Summertime is a term for daylight saving time.
Use the summertime-option non-recurring command to configure the sensor to switch to summer time settings on a one-time basis. The default is recurring.
To configure the sensor to switch to summertime settings on a one-time basis, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Enter summertime non-recurring submode.
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# summertime-option non-recurring
Step 3 Enter start summertime submode.
sensor(config-hos-non)# start-summertime
Step 4 Configure the start summertime parameters:
a. Enter the date you want to start summertime settings. The format is yyyy-mm-dd.
sensor(config-hos-non-sta)# date 2004-05-15
b. Enter the time you want to start summertime settings. The format is hh:mm:ss.
sensor(config-hos-non-sta)# time 12:00:00
c. Verify your settings.
sensor(config-hos-non-sta)# show settings
-----------------------------------------------
-----------------------------------------------
sensor(config-hos-non-sta)#
Step 5 Enter end summertime submode.
sensor(config-hos-non-sta)# exit
sensor(config-hos-non)# end-summertime
Step 6 Configure the end summertime parameters:
a. Enter the date you want to end summertime settings. The format is yyyy-mm-dd.
sensor(config-hos-non-end)# date 2004-10-31
b. Enter the time you want to end summertime settings. The format is hh:mm:ss.
sensor(config-hos-non-end)# time 12:00:00
c. Verify your settings.
sensor(config-hos-non-end)# show settings
-----------------------------------------------
-----------------------------------------------
sensor(config-hos-non-end)#
Step 7 Specify the local time zone used during summertime.
sensor(config-hos-non-end)# exit
sensor(config-hos-non)# summertime-zone-name CDT
Step 8 Specify the offset:
sensor(config-hos-non)# offset 60
Note Changing the time zone offset requires the sensor to reboot.
Step 9 Verify your settings.
sensor(config-hos-non)# show settings
-----------------------------------------------
offset: 60 minutes default: 60
summertime-zone-name: CDT
-----------------------------------------------
Step 10 Exit non-recurring summertime submode.
sensor(config-hos-non)# exit
Step 11 Press Enter to apply the changes or enter no to discard them.
Configuring Time Zone Settings
Use the time-zone-settings command to configure the time zone settings on the sensor, such as the time zone name the sensor displays whenever summertime settings are not in effect and the offset.
To configure the time zone settings on the sensor, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Enter time zone settings submode.
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# time-zone-settings
Step 3 Configure the time zone name that is displayed whenever summertime settings are not in effect:
The default is UTC.
sensor(config-hos-tim)# standard-time-zone-name CST
Step 4 Configure the offset in minutes.
The offset is the number of minutes you add to UTC to get the local time. The default is 0.
sensor(config-hos-tim)# offset -360
Note Changing the time zone offset requires the sensor to reboot.
Step 5 Verify your settings.
sensor(config-hos-tim)# show settings
-----------------------------------------------
offset: -360 minutes default: 0
standard-time-zone-name: CST default: UTC
-----------------------------------------------
Step 6 Exit time zone settings submode.
sensor(config-hos-tim)# exit
Step 7 Press Enter to apply the changes or enter no to discard them.
Configuring NTP
This section describes how to configure a Cisco router to be an NTP server and how to configure the sensor to use an NTP server as its time source. It contains the following topics:
•Configuring a Cisco Router to be an NTP Server
•Configuring the Sensor to Use an NTP Time Source
Configuring a Cisco Router to be an NTP Server
The sensor can use either authenticated or unauthenticated NTP. For authenticated NTP, the sensor supports only MD5 symmetric-key authentication: the key value is a shared secret used to compute a message digest over each NTP packet, so it authenticates the packets but does not encrypt them. Use the following procedure to activate a Cisco router to act as an NTP server and use its internal clock as the time source.
Caution
The sensor NTP capability is designed to be compatible with Cisco routers acting as NTP servers. The sensor may work with other NTP servers, but is not tested or supported.
Note Remember the NTP server key ID and key values. You need them along with the NTP server IP address when you configure the sensor to use the NTP server as its time source.
To set up a Cisco router to act as an NTP server, follow these steps:
Step 1 Log in to the router.
Step 2 Enter configuration mode.
router# configure terminal
Step 3 Create the key ID and key value.
router(config)# ntp authentication-key key_ID md5 key_value
The key ID can be a number between 1 and 65535. The key value is a text string (numeric or character). The router stores it in obfuscated form in the running configuration. Because the key value is a shared secret, choose a long random string rather than a dictionary word (the value attack below is only an example) and transfer it to the sensor over a trusted channel.
Example
router(config)# ntp authentication-key 100 md5 attack
Note The sensor only supports MD5 keys.
Note Keys may already exist on the router. Use the show running-config command to check for other keys. You can use those values for the trusted key in Step 4.
Step 4 Designate the key you just created in Step 3 as the trusted key (or use an existing key).
router(config)# ntp trusted-key key_ID
The trusted key ID is the same number as the key ID in Step 3.
Example
router(config)# ntp trusted-key 100
Step 5 Specify the interface on the router that the sensor will communicate with.
router(config)# ntp source interface_name
Example
router(config)# ntp source FastEthernet 1/0
Step 6 Configure the router as an NTP master and assign it a stratum number.
router(config)# ntp master stratum_number
Example
router(config)# ntp master 6
The stratum number identifies the relative position of the router in the NTP hierarchy; the sensor, as a client of the router, sits one stratum below it. You can choose a number between 1 and 15. It is not important to the sensor which number you choose.
For More Information
For the procedure for using authenticated NTP, see Configuring the Sensor to Use an NTP Time Source.
Configuring the Sensor to Use an NTP Time Source
The sensor requires a consistent time source. We recommend that you use an NTP server. Use the following procedure to configure the sensor to use the NTP server as its time source. You can use authenticated or unauthenticated NTP.
Note For authenticated NTP, you must obtain the NTP server IP address, NTP server key ID, and the key value from the NTP server.
Caution
The sensor NTP capability is designed to be compatible with Cisco routers acting as NTP servers. The sensor may work with other NTP servers, but is not tested or supported.
To configure the sensor to use an NTP server as its time source, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter configuration mode.
sensor# configure terminal
Step 3 Enter service host mode.
sensor(config)# service host
Step 4 For unauthenticated NTP:
a. Enter NTP configuration mode.
sensor(config-hos)# ntp-option enabled-ntp-unauthenticated
b. Specify the NTP server IP address.
sensor(config-hos-ena)# ntp-server ip_address
c. Verify the unauthenticated NTP settings.
sensor(config-hos-ena)# show settings
enabled-ntp-unauthenticated
-----------------------------------------------
-----------------------------------------------
Step 5 For authenticated NTP:
a. Enter NTP configuration mode.
sensor(config-hos)# ntp-option enabled
b. Specify the NTP server IP address and key ID.
sensor(config-hos-ena)# ntp-servers ip_address key-id key_ID
The key ID is a number between 1 and 65535. This is the key ID that you already set up on the NTP server.
Example:
sensor(config-hos-ena)# ntp-servers 10.16.0.0 key-id 100
c. Specify the key value that belongs to the NTP server key ID.
sensor(config-hos-ena)# ntp-keys key_ID md5-key key_value
The key value is text (numeric or character). This is the key value that you already set up on the NTP server.
Example:
sensor(config-hos-ena)# ntp-keys 100 md5-key attack
d. Verify the NTP settings.
sensor(config-hos-ena)# show settings
-----------------------------------------------
ntp-keys (min: 1, max: 1, current: 1)
-----------------------------------------------
ntp-servers (min: 1, max: 1, current: 1)
-----------------------------------------------
Step 6 Exit NTP configuration mode.
sensor(config-hos-ena)# exit
Step 7 Press Enter to apply the changes or enter no to discard them.
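The authenticated exchange configured above, as an added example that is not part of this guide or of Cisco's software: a Python script that builds a minimal NTP client packet and appends the MD5 symmetric-key MAC that the router and sensor exchange (RFC 5905 section 7.3: a 4-byte key ID followed by MD5 over the key value and the packet header), then verifies it against a trusted-key table the way a receiver with an ntp-keys entry would. Key ID 100 and key value attack are the ones used in the procedures above; the header contents and the key table are constructed here for illustration.

```python
"""NTP symmetric-key (MD5) authentication as configured on the router and sensor.

Added example, not Cisco code. The MAC is key ID (4 bytes) + MD5(key || header),
as RFC 5905 section 7.3 specifies for MD5 keys. Key ID and key value below are
the ones from the configuration examples, used for illustration only.
"""
from __future__ import annotations

import hashlib
import hmac
import struct
import time

HEADER_LEN = 48   # NTP header without extension fields or MAC
MAC_LEN = 4 + 16  # key ID + MD5 digest


def build_header(li_vn_mode: int = 0x23, transmit_time=None) -> bytes:
    """Build a 48-byte NTPv4 client header (LI=0, VN=4, Mode=3).

    Only the transmit timestamp is filled in; the other fields stay zero, which
    is what a bare client request looks like on the wire. transmit_time is a
    Unix timestamp (float); it defaults to now.
    """
    if transmit_time is None:
        transmit_time = time.time()
    ntp_seconds = int(transmit_time) + 2208988800  # NTP era starts in 1900
    ntp_fraction = int((transmit_time % 1) * (1 << 32))
    header = bytearray(HEADER_LEN)
    header[0] = li_vn_mode
    struct.pack_into("!II", header, 40, ntp_seconds, ntp_fraction)
    return bytes(header)


def mac_for(packet: bytes, key: bytes) -> bytes:
    """MD5 over key || packet: a keyed digest, not encryption."""
    return hashlib.md5(key + packet).digest()


def authenticate(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Append the key ID and MD5 MAC to an unauthenticated packet."""
    if not 1 <= key_id <= 65535:  # same range the router and sensor CLI accept
        raise ValueError("key ID must be 1..65535")
    return packet + struct.pack("!I", key_id) + mac_for(packet, key)


def verify(packet: bytes, keys: dict[int, bytes]) -> bool:
    """Check an authenticated packet against a trusted-key table.

    Returns False when the packet carries no MAC, names a key ID that is not in
    the table (the sensor's ntp-keys list), or the digest does not match.
    """
    if len(packet) < HEADER_LEN + MAC_LEN:
        return False
    body, trailer = packet[:-MAC_LEN], packet[-MAC_LEN:]
    key_id = struct.unpack("!I", trailer[:4])[0]
    key = keys.get(key_id)
    if key is None:
        return False
    return hmac.compare_digest(trailer[4:], mac_for(body, key))


if __name__ == "__main__":
    trusted = {100: b"attack"}  # key ID 100 / value 'attack' from the procedure
    pkt = authenticate(build_header(), 100, trusted[100])
    print(len(pkt), verify(pkt, trusted))            # 68 True
    print(verify(pkt, {100: b"other-key"}))          # False: wrong shared secret
    print(verify(pkt, {101: b"attack"}))             # False: key ID not trusted
```

The key value itself never appears on the wire; only the digest does, which is why a receiver with the wrong key or an untrusted key ID rejects the packet instead of decoding garbage. MD5 as a keyed digest is a legacy choice (current NTP implementations also offer SHA-1 and AES-CMAC per RFC 8573), but it is the only algorithm the sensor supports, so the router key must be created with md5 as shown.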
Configuring SSH
This section describes SSH on the sensor, and contains the following topics:
•Understanding SSH
•Adding Hosts to the SSH Known Hosts List
•Adding SSH Authorized Public Keys
•Generating a New SSH Server Key
Understanding SSH
SSH provides strong authentication and secure communications over channels that are not secure.
SSH encrypts your connection to the sensor and provides a key so you can validate that you are connecting to the correct sensor. SSH also provides authenticated and encrypted access to other devices that the sensor connects to for blocking.
SSH authenticates the hosts or networks using one or both of the following:
•Password
•User RSA public key
SSH protects against the following:
•IP spoofing—A remote host sends out packets pretending to come from another trusted host.
Note SSH even protects against a spoofer on the local network who can pretend he is your router to the outside.
•IP source routing—A host pretends an IP packet comes from another trusted host.
•DNS spoofing—An attacker forges name server records.
•Interception of clear text passwords and other data by intermediate hosts.
•Manipulation of data by those in control of intermediate hosts.
•Attacks based on listening to X authentication data and spoofed connection to the X11 server.
Note SSH never sends passwords in clear text.
Adding Hosts to the SSH Known Hosts List
You must add hosts to the SSH known hosts list so that the sensor can recognize the hosts that it can communicate with through SSH. These hosts are SSH servers that the sensor needs to connect to for upgrades and file copying, and other hosts, such as Cisco routers, PIX Firewalls, and Catalyst switches that the sensor will connect to for blocking.
Use the ssh host-key ip-address [key-modulus-length public-exponent public-modulus] command to add an entry to the known hosts list. If you do not know the values for the modulus, exponent, and length, the system displays the MD5 fingerprint and bubble babble for the requested IP address. You can then select to add the key to the list.
Caution
When you use the ssh host-key ip-address command, the SSH server at the specified IP address is contacted to obtain the required key over the network. The specified host must be accessible at the moment the command is issued. If the host is unreachable, you must use the full form of the command, ssh host-key ip-address [key-modulus-length public-exponent public-modulus], with values you obtained from the host itself. In either case, compare the fingerprint the sensor displays with one obtained out of band (for example, from the console of the remote device) before you accept it, to protect yourself from accepting the key of an attacker.
Note To modify a key for an IP address, the entry must be removed and recreated. Use the no form of the command to remove the entry.
To add a host to the SSH known hosts list, follow these steps:
Step 1 Log in to the CLI using an account with administrator or operator privileges.
Step 2 Enter configuration mode.
sensor# configure terminal
Step 3 Add an entry to the known hosts list. The MD5 fingerprint and its Bubble Babble form appear, and you are prompted to add the key to the known hosts list:
sensor(config)# ssh host-key 10.16.0.0
MD5 fingerprint is F3:10:3E:BA:1E:AB:88:F8:F5:56:D3:A6:63:42:1C:11
Bubble Babble is xucis-hehon-kizog-nedeg-zunom-kolyn-syzec-zasyk-symuf-rykum-sexyx
Would you like to add this to the known hosts table for this host?[yes]
If the host is not accessible when the command is issued, the following message appears instead:
Error: getHostSshKey : socket connect failed [4,111]
Step 4 Compare the displayed fingerprint with the one you obtained out of band, then enter yes to have the key added to the known hosts list.
Step 5 Verify that the host was added.
sensor# show ssh host-keys
Step 6 View the key for a specific IP address.
sensor# show ssh host-keys 10.16.0.0
1024 35
139306213541835240385332922253968814685684523520064131997839905113640120217816869696708721
704631322844292073851730565044879082670677554157937058485203995572114631296604552161309712
601068614812749969593513740598331393154884988302302182922353335152653860589163651944997842
874583627883277460138506084043415861927
MD5: 49:3F:FD:62:26:58:94:A3:E9:88:EF:92:5F:52:6E:7B
Bubble Babble: xebiz-vykyk-fekuh-rukuh-cabaz-paret-gosym-serum-korus-fypop-huxyx
Step 7 Remove an entry.
sensor(config)# no ssh host-key 10.16.0.0
The host is removed from the SSH known hosts list.
Step 8 Verify the host was removed.
sensor# show ssh host-keys
The IP address no longer appears in the list.
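Recomputing the fingerprints shown by show ssh host-keys, as an added example that is not part of this guide or of Cisco's software. The sensor prints each known host key as bits exponent modulus followed by an MD5 fingerprint and its Bubble Babble form; OpenSSH computes the MD5 fingerprint of an SSH protocol 1 RSA key as MD5 over the big-endian bytes of the modulus followed by the exponent, and this script does the same, so you can check a key you were handed out of band before adding it with the full ssh host-key ip-address bits exponent modulus form. The construction is OpenSSH's, which the guide does not confirm for the sensor, so treat a mismatch as a reason to re-check rather than as proof of tampering. The 1024 35 key in the main block is the one from the transcript above; the small keys in the test are constructed.

```python
"""Recompute MD5 and Bubble Babble fingerprints for a 'bits exponent modulus' key.

Added example, not Cisco code. MD5 is taken over modulus || exponent as OpenSSH
does for RSA1 keys; Bubble Babble follows Antti Huima's encoding as OpenSSH
prints it. The numbers in __main__ are copied from the 'show ssh host-keys'
transcript above.
"""
from __future__ import annotations

import hashlib
import hmac

VOWELS = "aeiouy"
CONSONANTS = "bcdfghklmnprstvzx"


def ssh1_key_blob(modulus: int, exponent: int) -> bytes:
    """Serialize an RSA1 public key the way OpenSSH hashes it: n then e."""
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    return n + e


def hex_fingerprint(digest: bytes) -> str:
    """Colon-separated upper-case hex, matching the sensor's display."""
    return ":".join(f"{b:02X}" for b in digest)


def bubble_babble(digest: bytes) -> str:
    """Bubble Babble encoding of a digest: 'x' + 5-letter groups + 'x'."""
    out = ["x"]
    seed = 1
    rounds = len(digest) // 2 + 1
    for i in range(rounds):
        if i + 1 < rounds or len(digest) % 2 == 1:
            b0 = digest[2 * i]
            out.append(VOWELS[(((b0 >> 6) & 3) + seed) % 6])
            out.append(CONSONANTS[(b0 >> 2) & 15])
            out.append(VOWELS[((b0 & 3) + seed // 6) % 6])
            if i + 1 < rounds:
                b1 = digest[2 * i + 1]
                out.append(CONSONANTS[(b1 >> 4) & 15])
                out.append("-")
                out.append(CONSONANTS[b1 & 15])
                seed = (seed * 5 + b0 * 7 + b1) % 36  # checksum carried forward
        else:
            out.append(VOWELS[seed % 6])
            out.append(CONSONANTS[16])
            out.append(VOWELS[seed // 6])
    out.append("x")
    return "".join(out)


def ssh1_fingerprints(bits: int, exponent: int, modulus: int) -> tuple[str, str]:
    """Return (MD5 hex fingerprint, Bubble Babble) for a 'bits exp mod' key."""
    if modulus.bit_length() != bits:
        raise ValueError(f"modulus is {modulus.bit_length()} bits, key says {bits}")
    digest = hashlib.md5(ssh1_key_blob(modulus, exponent)).digest()
    return hex_fingerprint(digest), bubble_babble(digest)


def fingerprint_matches(expected: str, bits: int, exponent: int, modulus: int) -> bool:
    """Compare an out-of-band fingerprint (hex or Bubble Babble) with the key."""
    md5_hex, babble = ssh1_fingerprints(bits, exponent, modulus)
    wanted = expected.strip().lower()
    return hmac.compare_digest(wanted, md5_hex.lower()) or hmac.compare_digest(wanted, babble)


if __name__ == "__main__":
    # Key for 10.16.0.0 as printed by 'show ssh host-keys 10.16.0.0' above.
    PAGE_MODULUS = int(
        "139306213541835240385332922253968814685684523520064131997839905113640120217816869696708721"
        "704631322844292073851730565044879082670677554157937058485203995572114631296604552161309712"
        "601068614812749969593513740598331393154884988302302182922353335152653860589163651944997842"
        "874583627883277460138506084043415861927"
    )
    md5_hex, babble = ssh1_fingerprints(1024, 35, PAGE_MODULUS)
    print("MD5:", md5_hex)
    print("Bubble Babble:", babble)
```

Bubble Babble exists so that a fingerprint can be read aloud over a phone and compared without mis-hearing hex digits; the checksum seed threaded through the groups means a single wrong byte changes every later group, which is why it is acceptable for out-of-band confirmation. Whichever form you compare, do it before answering yes to the known-hosts prompt.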
Adding SSH Authorized Public Keys
Use the ssh authorized-key command to define public keys for a client allowed to use RSA authentication to log in to the local SSH server.
The following options apply:
•id—1 to 256-character string that uniquely identifies the authorized key. You can use numbers, "_," and "-," but spaces and "?" are not acceptable.
•key-modulus-length—An ASCII decimal integer in the range [511, 2048].
•public-exponent—An ASCII decimal integer in the range [3, 2^32].
•public-modulus—An ASCII decimal integer, x, such that 2^(key-modulus-length-1) < x < 2^(key-modulus-length).
Each user who can log in to the sensor has a list of authorized public keys. An SSH client with access to any of the corresponding RSA private keys can log in to the sensor as the user without entering a password.
Use an RSA key generation tool on the client where the private key is going to reside. Then, display the generated public key as a set of three numbers (modulus length, public exponent, public modulus) and enter those numbers as parameters for the ssh authorized-key command.
Note You configure your own list of SSH authorized keys. An administrator cannot manage the list of SSH authorized keys for other users on the sensor.
Note An SSH authorized key provides better security than passwords if the private key is adequately safeguarded. The best practice is to create the private key on the same host where it will be used and store it with a pass phrase on a local file system. To minimize password or pass phrase prompts, use a key agent.
Note To modify an authorized key, you must remove and recreate the entry. Use the no form of the command to remove the entry. Users can only create and remove their own keys.
To add a key entry to the SSH authorized keys list for the current user, follow these steps:
Step 1 Log in to the CLI.
Step 2 Add a key to the authorized keys list for the current user.
sensor# configure terminal
sensor(config)# ssh authorized-key system1 1023 37
660222729556609833380897067163729433570828686860008172017802434921804214207813035920829509
101701358480525039993932112503147452768378620911189986653716089813147922086044739911341369
642870682319361928148521864094557416306138786468335115835910404940213136954353396163449793
49705016792583146548622146467421997057
Step 3 Verify that the key was added.
sensor# show ssh authorized-keys
Step 4 View the key for a specific ID.
sensor# show ssh authorized-keys system1
1023 37 660222729556609833380897067163729433570828686860008172017802434921804214
20781303592082950910170135848052503999393211250314745276837862091118998665371608
98131479220860447399113413696428706823193619281485218640945574163061387864683351
1583591040494021313695435339616344979349705016792583146548622146467421997057
Step 5 Remove an entry from the list of SSH authorized keys.
sensor# configure terminal
sensor(config)# no ssh authorized-key system1
The key is removed from the SSH authorized keys list.
Step 6 Verify the entry was removed.
sensor# show ssh authorized-keys
The key system1 no longer appears in the list:
If you enter the former ID, you receive an error message:
sensor# show ssh authorized-keys system1
Error: Requested id does not exist for the current user.
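Converting a client public key into the three numbers that ssh authorized-key takes, as an added example that is not part of this guide or of Cisco's software. OpenSSH writes protocol 2 RSA keys as ssh-rsa followed by a base64 blob containing the string ssh-rsa, the exponent and the modulus as length-prefixed fields (RFC 4253 section 6.6), and protocol 1 identity.pub files as bits exponent modulus in decimal; the script accepts either, checks the documented limits (modulus length 511..2048, exponent at least 3, id without spaces or ?), and prints the CLI line. The guide only says the sensor takes the three numbers, so which key type your sensor's SSH version will actually accept is an assumption you need to confirm against it. The sample key is constructed in code (the modulus is not a real RSA modulus) so that the example runs offline; on a workstation, use the file ssh-keygen wrote.

```python
"""Build 'ssh authorized-key id bits exponent modulus' from an OpenSSH public key.

Added example, not Cisco code. Handles 'ssh-rsa <base64> [comment]' (RFC 4253)
and the protocol 1 'bits exponent modulus [comment]' line. The sample line is
constructed by make_sample_line and is not a real key.
"""
from __future__ import annotations

import base64
import struct


def _read_string(blob: bytes, offset: int) -> tuple[bytes, int]:
    """Read one SSH 'string' (uint32 length + bytes) starting at offset."""
    (length,) = struct.unpack_from("!I", blob, offset)
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def parse_public_key(line: str) -> tuple[int, int, int]:
    """Return (bits, exponent, modulus) from either public-key line format."""
    parts = line.split()
    if len(parts) >= 3 and parts[0].isdigit():
        # Protocol 1 identity.pub: already 'bits e n [comment]'.
        bits, e, n = int(parts[0]), int(parts[1]), int(parts[2])
        if bits != n.bit_length():
            raise ValueError("bits field does not match modulus length")
    elif len(parts) >= 2 and parts[0] == "ssh-rsa":
        blob = base64.b64decode(parts[1], validate=True)
        keytype, off = _read_string(blob, 0)
        if keytype != b"ssh-rsa":
            raise ValueError("blob type does not match ssh-rsa")
        e_bytes, off = _read_string(blob, off)
        n_bytes, off = _read_string(blob, off)
        if off != len(blob):
            raise ValueError("trailing data after modulus")
        e, n = int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")
        bits = n.bit_length()
    else:
        raise ValueError("not an RSA public key line")
    # Limits documented for the ssh authorized-key command.
    if not 511 <= bits <= 2048:
        raise ValueError(f"modulus length {bits} outside 511..2048")
    if e < 3:
        raise ValueError("public exponent must be at least 3")
    return bits, e, n


def authorized_key_command(key_id: str, line: str) -> str:
    """Build the sensor CLI line for the current user's authorized key list."""
    if not key_id or len(key_id) > 256 or any(c in key_id for c in " ?"):
        raise ValueError("id must be 1..256 characters with no spaces or '?'")
    bits, e, n = parse_public_key(line)
    return f"ssh authorized-key {key_id} {bits} {e} {n}"


def _mpint(value: int) -> bytes:
    """Encode a positive integer as an SSH mpint (leading zero if high bit set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack("!I", len(raw)) + raw


def make_sample_line(e: int, n: int) -> str:
    """Constructed 'ssh-rsa' line for testing; n need not be a real modulus."""
    blob = struct.pack("!I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " user@workstation"


if __name__ == "__main__":
    sample = make_sample_line(65537, (1 << 1023) | 0x1234567)  # constructed, not a real key
    print(authorized_key_command("system1", sample))
```

Paste the printed line into configure terminal on the sensor as the user who will log in with that key; because only the public numbers leave the workstation, the private key and its pass phrase stay where they were generated, which is the point of the best-practice note above.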
Generating a New SSH Server Key
Use the ssh generate-key command to change the SSH server host key. The displayed fingerprint matches the one displayed in the remote SSH client in future connections with this sensor if the remote client is using SSH 1.5.
To generate a new SSH server host key, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Generate the new server host key. The fingerprint of the new key is displayed.
sensor# ssh generate-key
MD5: 93:F5:51:58:C7:FD:40:8C:07:26:5E:29:13:C8:33:AE
Bubble Babble: ximal-sudez-kusot-gosym-levag-fegoc-holez-cakar-kunel-nylis-kyxox
Caution
The new key replaces the existing key, which requires you to update the known hosts tables on remote systems with the new host key so that future connections succeed. You can update the known hosts tables on remote sensors using the ssh host-key command. Record the fingerprint displayed here; it is the value to compare against when remote clients are asked to accept the new key.
Step 3 Display the current SSH server host key.
sensor# show ssh server-key
1024 35
137196765426571419509124895787229630062726389801071715581921573847280637533000158590028798
074385824867184332364758899959675370523879609376174812179228415215782949029183962207840731
771645803509837259475421477212459797170806510716077556010753169312675023860474987441651041
217710152766990480431898217878170000647
MD5: 93:F5:51:58:C7:FD:40:8C:07:26:5E:29:13:C8:33:AE
Bubble Babble: ximal-sudez-kusot-gosym-levag-fegoc-holez-cakar-kunel-nylis-kyxox
For More Information
For the procedure for updating the known hosts table, see Adding Hosts to the SSH Known Hosts List.
Configuring TLS
This section describes TLS on the sensor, and contains the following topics:
•Understanding TLS
•Adding TLS Trusted Hosts
•Displaying and Generating the Server Certificate
Understanding TLS
Cisco IPS 6.1 contains a web server that is running IDM. Management stations connect to this web server. Blocking forwarding sensors also connect to the web server of the master blocking sensor. To provide security, this web server uses an encryption protocol known as TLS, which is closely related to the SSL protocol. When you enter a URL into the web browser that starts with https://ip_address, the web browser responds by using either the TLS or SSL protocol to negotiate an encrypted session with the host.
Caution
The web browser initially rejects the certificate presented by IDM because it does not trust the CA.
Note IDM is enabled by default to use TLS and SSL. We highly recommend that you use TLS and SSL.
The process of negotiating an encrypted session in TLS is called "handshaking," because it involves a number of coordinated exchanges between client and server. The server sends its certificate to the client. The client performs the following three-part test on this certificate:
1. Is the issuer identified in the certificate trusted?
Every web browser ships with a list of trusted third-party CAs. If the issuer identified in the certificate is among the list of CAs trusted by your browser, the first test is passed.
2. Is the date within the range of dates during which the certificate is considered valid?
Each certificate contains a Validity field, which is a pair of dates. If the date falls within this range of dates, the second test is passed.
3. Does the common name of the subject identified in the certificate match the URL hostname?
The URL hostname is compared with the subject common name. If they match, the third test is passed.
When you direct your web browser to connect with IDM, the certificate that is returned fails because the sensor issues its own certificate (the sensor is its own CA) and the sensor is not already in the list of CAs trusted by your browser.
When you receive an error message from your browser, you have three options:
•Disconnect from the site immediately.
•Accept the certificate for the remainder of the web browsing session.
•Add the issuer identified in the certificate to the list of trusted CAs of the web browser and trust the certificate until it expires.
The most convenient option is to permanently trust the issuer. However, before you add the issuer, use out-of-band methods to examine the fingerprint of the certificate. This prevents you from being victimized by an attacker posing as a sensor. Confirm that the fingerprint of the certificate appearing in your web browser is the same as the one on your sensor.
Caution
If you change the organization name or hostname of the sensor, a new certificate is generated the next time the sensor is rebooted. The next time your web browser connects to IDM, you will receive the manual override dialog boxes. You must perform the certificate fingerprint validation again for Internet Explorer and Firefox.
Adding TLS Trusted Hosts
In certain situations, the sensor uses TLS/SSL to protect a session it establishes with a remote web server. For these sessions to be secure from man-in-the-middle attacks you must establish trust of the TLS certificates of the remote web servers. A copy of the TLS certificate of each trusted remote host is stored in the trusted hosts list.
Use the tls trusted-host ip-address ip-address [port port] command to add a trusted host to the trusted hosts list. This command retrieves the TLS certificate from the specified host/port and displays its fingerprint. You can accept or reject the fingerprint based on information retrieved directly from the host you are requesting to add. The default port is 443.
Each certificate is stored with an identifier field (id). For the IP address and default port, the identifier field is ipaddress. For the IP address and specified port, the identifier field is ipaddress:port.
Caution
The TLS server at the specified IP address is contacted to obtain the certificate and its fingerprint over the network. The specified host must be accessible at the moment the command is issued. Use an alternate method, such as reading the fingerprint from the console of the remote host, to confirm the fingerprint before you accept it, to protect yourself from accepting the certificate of an attacker.
To add a trusted host to the trusted hosts list, follow these steps:
Step 1 Log in to the CLI using an account with administrator or operator privileges.
Step 2 Add the trusted host. The MD5 and SHA1 fingerprints of the certificate appear, and you are prompted to add the trusted host:
sensor# configure terminal
sensor(config)# tls trusted-host ip-address 10.16.0.0
Certificate MD5 fingerprint is 4F:BA:15:67:D3:E6:FB:51:8A:C4:57:93:4D:F2:83:FE
Certificate SHA1 fingerprint is B1:6F:F5:DA:F3:7A:FB:FB:93:E9:2D:39:B9:99:08:D4:
Would you like to add this to the trusted certificate table for this host?[yes]:
If the connection cannot be established, the transaction fails:
sensor(config)# tls trusted-host ip-address 10.89.146.110 port 8000
Error: getHostCertificate : socket connect failed [4,111]
Step 3 Compare the fingerprints with the values you obtained out of band, then enter yes to accept the fingerprint. The Certificate ID stored for the certificate is displayed when the command succeeds:
Certificate ID: 10.89.146.110 successfully added to the TLS trusted host table.
The host has been added to the TLS trusted host list.
Step 4 Verify that the host was added.
sensor# show tls trusted-hosts
Step 5 View the fingerprint for a specific host.
sensor# show tls trusted-hosts 10.89.146.110
MD5: 4F:BA:15:67:D3:E6:FB:51:8A:C4:57:93:4D:F2:83:FE
SHA1: B1:6F:F5:DA:F3:7A:FB:FB:93:E9:2D:39:B9:99:08:D4:47:02:F6:12
Step 6 Remove an entry from the trusted hosts list.
sensor# configure terminal
sensor(config)# no tls trusted-host 10.89.146.110
The host is removed from the trusted hosts list.
Step 7 Verify the entry was removed from the trusted host list.
sensor# show tls trusted-hosts
The IP address no longer appears in the list:
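Checking a TLS certificate fingerprint out of band, as an added example that is not part of this guide or of Cisco's software. It serves both checks the guide asks for: comparing the certificate your browser is shown with the output of show tls fingerprint on the sensor (Understanding TLS above), and confirming the fingerprint the tls trusted-host command displays against a value obtained from the remote host itself. The script fetches the certificate a server presents, computes the MD5 and SHA1 colon-hex fingerprints in the form the sensor prints, and compares them in constant time with the values you read from the console. Certificate validation is deliberately not used for the fetch: the sensor is its own CA, so the fingerprint comparison is the trust decision. The bytes in the test are constructed, not a real certificate.

```python
"""Fingerprint a server certificate the way 'show tls fingerprint' prints it.

Added example, not Cisco code. fingerprints() and matches() are pure functions
over DER bytes; fetch_der() is the only network call and retrieves the
certificate without trusting any CA, because the sensor's certificate is
self-signed and the fingerprint comparison is the check.
"""
from __future__ import annotations

import hashlib
import hmac
import ssl


def fingerprints(der: bytes) -> dict[str, str]:
    """MD5 and SHA1 colon-hex fingerprints of a DER-encoded certificate."""
    def colon_hex(digest: bytes) -> str:
        return ":".join(f"{b:02X}" for b in digest)
    return {
        "MD5": colon_hex(hashlib.md5(der).digest()),
        "SHA1": colon_hex(hashlib.sha1(der).digest()),
    }


def normalize(fp: str) -> str:
    """Accept '4F:BA:..', '4fba..' or space-separated forms from a transcript."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def matches(der: bytes, expected_sha1: str, expected_md5: str | None = None) -> bool:
    """True only if SHA1 matches (and MD5 too, when given); constant-time compare."""
    got = fingerprints(der)
    ok = hmac.compare_digest(normalize(got["SHA1"]), normalize(expected_sha1))
    if expected_md5 is not None:
        ok = ok and hmac.compare_digest(normalize(got["MD5"]), normalize(expected_md5))
    return ok


def fetch_der(host: str, port: int = 443) -> bytes:
    """Retrieve the server certificate without CA validation (network call)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    import sys
    # Usage: python tls_fp.py <sensor-ip> <sha1-from-show-tls-fingerprint> [port]
    host, expected = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 443
    der = fetch_der(host, port)
    print(fingerprints(der))
    print("MATCH" if matches(der, expected) else "MISMATCH: do not trust this certificate")
```

Prefer the SHA1 value when you compare; the sensor prints both, but MD5 collisions are practical and an attacker who controls the certificate contents could aim for an MD5 match, whereas the SHA1 value is the stronger of the two the CLI offers. A MISMATCH result means stop and investigate, not accept and continue.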
Displaying and Generating the Server Certificate
A TLS certificate is generated when the sensor is first started. Use the tls generate-key command to generate a new server self-signed X.509 certificate.
Note The IP address of the sensor is included in the certificate. If you change the sensor IP address, the sensor automatically generates a new certificate.
Caution
The new certificate replaces the existing certificate, which requires you to update the trusted hosts lists on remote systems with the new certificate so that future connections succeed. You can update the trusted hosts lists on remote IPS sensors using the tls trusted-host command. If the sensor is a master blocking sensor, you must update the trusted hosts lists on the remote sensors that are sending block requests to the master blocking sensor.
To generate a new TLS certificate, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Generate the new certificate. The fingerprints of the new certificate are displayed.
sensor# tls generate-key
MD5 fingerprint is FD:83:6E:41:D3:88:48:1F:44:7F:AF:5D:52:60:89:DE
SHA1 fingerprint is 4A:2B:79:A0:82:8B:65:3A:83:B5:D9:50:C0:8E:F6:C6:B0:30:47:BB
Step 3 Verify that the certificate was generated and record the fingerprints for later comparison.
sensor# show tls fingerprint
MD5: FD:83:6E:41:D3:88:48:1F:44:7F:AF:5D:52:60:89:DE
SHA1: 4A:2B:79:A0:82:8B:65:3A:83:B5:D9:50:C0:8E:F6:C6:B0:30:47:BB
For More Information
For the procedure for updating the trusted hosts lists on remote sensors, see Adding TLS Trusted Hosts.
Installing the License Key
This section describes the IPS license key and how to install it. It contains the following topics:
•Understanding the License Key
•Service Programs for IPS Products
•Obtaining and Installing the License Key
Understanding the License Key
Although the sensor functions without the license key, you must have a license key to obtain signature updates. To obtain a license key, you must have the following:
•Cisco Service for IPS service contract
Contact your reseller, Cisco service or product sales to purchase a contract.
•Your IPS device serial number
To find the IPS device serial number in IDM or IME, for IDM choose Configuration > Sensor Management > Licensing, and for IME choose Configuration > sensor_name > Sensor Management > Licensing, or in the CLI use the show version command.
•Valid Cisco.com username and password
Trial license keys are also available. If you cannot get your sensor licensed because of problems with your contract, you can obtain a 60-day trial license that supports signature updates that require licensing.
You can obtain a license key from the Cisco.com licensing server, which is then delivered to the sensor. Or, you can update the license key from a license key provided in a local file. Go to http://www.cisco.com/go/license and click IPS Signature Subscription Service to apply for a license key.
You can view the status of the license key in these places:
•IDM Home window Licensing section on the Health tab
•IDM Licensing pane (Configuration > Licensing)
•IME Home page in the Device Details section on the Licensing tab
•License Notice at CLI login
Whenever you start IDM, IME, or the CLI, you are informed of your license status—whether you have a trial, invalid, or expired license key. With no license key, an invalid license key, or an expired license key, you can continue to use IDM, IME, and the CLI, but you cannot download signature updates.
If you already have a valid license on the sensor, you can click Download on the License pane to download a copy of your license key to the computer that IDM or IME is running on and save it to a local file. You can then replace a lost or corrupted license, or reinstall your license after you have reimaged the sensor.
For More Information
•For information on Cisco service programs, see Service Programs for IPS Products.
•For the procedure for obtaining and installing the license key, see Obtaining and Installing the License Key.
Service Programs for IPS Products
You must have a Cisco Services for IPS service contract for any IPS product so that you can download a license key and obtain the latest IPS signature updates. If you have a direct relationship with Cisco Systems, contact your account manager or service account manager to purchase the Cisco Services for IPS service contract. If you do not have a direct relationship with Cisco Systems, you can purchase the service account from a one-tier or two-tier partner.
When you purchase the following IPS products you must also purchase a Cisco Services for IPS service contract:
•IPS 4240
•IPS 4255
•IPS 4260
•IPS 4270-20
•AIM IPS
•IDSM2
•NME IPS
When you purchase an ASA 5500 series adaptive security appliance product that does not contain IPS, you must purchase a SMARTnet contract.
Note SMARTnet provides operating system updates, access to Cisco.com, access to TAC, and hardware replacement NBD on site.
When you purchase an ASA 5500 series adaptive security appliance product that ships with the AIP SSM installed, or if you purchase the AIP SSM to add to your ASA 5500 series adaptive security appliance product, you must purchase the Cisco Services for IPS service contract.
Note Cisco Services for IPS provides IPS signature updates, operating system updates, access to Cisco.com, access to TAC, and hardware replacement NBD on site.
For example, if you purchased an ASA 5510 and then later wanted to add IPS and purchased an ASA-SSM-AIP-10-K9, you must now purchase the Cisco Services for IPS service contract. After you have the Cisco Services for IPS service contract, you must also have your product serial number to apply for the license key.
Caution
If you ever send your product for RMA, the serial number will change. You must then get a new license key for the new serial number.
Obtaining and Installing the License Key
Use the copy source-url license-key command to copy the license key to your sensor, and the copy license-key destination-url command to copy it off the sensor for backup.
The following options apply:
•source-url—The location of the source file to be copied. It can be a URL or keyword.
•destination-url—The location of the destination file to be copied. It can be a URL or a keyword.
•license-key—The keyword for the subscription license file on the sensor.
•license_file_name—The name of the license file you receive; it is the final component of the source or destination URL.
Note You cannot install an older license key over a newer license key.
The exact format of the source and destination URLs varies according to the file. Here are the valid types:
•ftp:—Source URL for an FTP network server. The syntax for this prefix is:
ftp://[[username@]location][/relativeDirectory]/filename
ftp://[[username@]location][//absoluteDirectory]/filename
Note You are prompted for a password.
•scp:—Source URL for the SCP network server. The syntax for this prefix is:
scp://[[username@]location][/relativeDirectory]/filename
scp://[[username@]location][//absoluteDirectory]/filename
Note You are prompted for a password. You must add the remote host to the SSH known hosts list.
•http:—Source URL for the web server. The syntax for this prefix is:
http://[[username@]location][/directory]/filename
Note The directory specification should be an absolute path to the desired file.
•https:—Source URL for the web server. The syntax for this prefix is:
https://[[username@]location][/directory]/filename
Note The directory specification should be an absolute path to the desired file. The remote host must be a TLS trusted host.
Installing the License Key
To install the license key, follow these steps:
Step 1 Apply for the license key at this URL: www.cisco.com/go/license.
Note In addition to a valid Cisco.com username and password, you must also have a Cisco Services for IPS service contract before you can apply for a license key.
Step 2 Fill in the required fields.
Note You must have the correct IPS device serial number because the license key only functions on the device with that number.
Your Cisco IPS Signature Subscription Service license key will be sent by e-mail to the e-mail address you specified.
Step 3 Save the license key to a system that has a web server, FTP server, or SCP server.
Step 4 Log in to the CLI using an account with administrator privileges.
Step 5 Copy the license key to the sensor.
sensor# copy scp://user@10.89.147.3://tftpboot/dev.lic license-key
Step 6 Verify the sensor is licensed.
sensor# show version
Cisco Intrusion Prevention System, Version 6.1(1)E1
Signature Update S391.0 2008-04-16
Virus Update V1.2 2005-11-24
OS Version: 2.4.30-IDS-smp-bigphys
Serial Number: P300000220
Sensor up-time is 3 days.
Using 1031888896 out of 2093682688 bytes of available memory (49% usage)
system is using 17.8M out of 29.0M bytes of available disk space (61% usage)
application-data is using 52.4M out of 166.6M bytes of available disk space (33% usage)
boot is using 37.8M out of 68.5M bytes of available disk space (58% usage)
MainApp N-2007_JUN_19_16_45 (Release) 2007-06-19T17:10:20-0500 Running
AnalysisEngine N-2007_JUN_19_16_45 (Release) 2007-06-19T17:10:20-0500 Running
CLI N-2007_JUN_19_16_45 (Release) 2007-06-19T17:10:20-0500
IPS-K9-6.1-1-E1 15:36:05 UTC Thu Apr 24 2008
Recovery Partition Version 1.1 - 6.1(1)E1
Host Certificate Valid from: 25-Apr-2008 to 26-Apr-2010
Step 7 Copy your license key from a sensor to a server to keep a backup copy of the license.
sensor# copy license-key scp://user@10.89.147.3://tftpboot/dev.lic
For More Information
•For the procedure for adding remote hosts to the SSH known hosts list, see Adding Hosts to the SSH Known Hosts List.
•For the procedure for making a remote host a TLS trusted host, see Adding TLS Trusted Hosts.