
Cisco Intrusion Prevention System

Understand How the Cisco IPS Automatic Signature Update Feature Works


Document ID: 113674

Updated: Aug 17, 2012

Contributed by Cisco TAC Engineers.


Introduction

This document provides an overview of the Cisco Intrusion Prevention System (IPS) Automatic Update feature and its operation.

The IPS Automatic Update feature was introduced in IPS version 6.1 and provides administrators with an easy way to update IPS signatures on a regularly scheduled interval.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

Components Used

The information in this document is based on the IPS version 6.1 and later.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Network Requirements

  1. The command and control interface of the IPS requires direct access to the Internet using HTTPS (TCP 443) and HTTP (TCP 80).

  2. Network Address Translation (NAT) and Access Control Lists (ACLs) on edge devices such as routers and firewalls need to be configured in order to permit the IPS connectivity to the Internet.

  3. Exclude the command and control interface IP address from all content filters and network traffic shapers.

  4. The Automatic Update feature supports proxy servers in the 7.2(1) FIPS/CC certified release. All other 6.x and 7.x software releases do not support Automatic Update through a proxy server at this time. The 7.2(1) release includes a number of changes to the default SSH and HTTPS settings. Refer to Release Notes for Cisco Intrusion Prevention System 7.2(1)E4 before you upgrade to 7.2(1).

Signature Auto Update Process

This is the process:


  1. IPS authenticates to the auto update server at 72.163.4.161 using HTTPS (TCP 443).

  2. IPS sends a client manifest to the auto update server, which includes the platform ID and an encrypted shared secret that the server uses to verify authenticity of the Cisco IPS sensor.

  3. Once authenticated, the update server responds with a server manifest that contains a list of download file options associated with the platform ID. The data contained here includes information related to update version, download location, and supported file transfer protocols. Based on this data, the IPS auto update logic determines if any of the download options are valid and then selects the best update package for download. In preparation for the download, the server provides the IPS with a set of keys to be used to decrypt the update file.

  4. The IPS establishes a new connection to the download server identified in the server manifest. The download server IP address varies depending on the location. The IPS uses the file transfer protocol defined in the file download URL learned from the server manifest (currently HTTP, TCP 80).

  5. The IPS uses the previously downloaded keys to decrypt the update package and then applies the signature files to the sensor.

Configuration

The Automatic Update feature can be configured from IPS Device Manager (IDM) or IPS Manager Express (IME). Complete these steps:

  1. From IDM/IME, choose Configuration > Sensor Management > Auto/Cisco.com Update.


  2. Check the Enable Signature and Engine Updates from Cisco.com check box in the right-hand pane, and click the blue Cisco.com Server Settings title in order to expand the configuration pane.

  3. Enter the CCO username and password.

    Note: Do not change the Cisco.com URL. It should not need to be changed from its default setting.

    The URL should look like this:

    https://72.163.4.161//cgi-bin/front.x/ida/locator/locator.pl

    Note: Do not edit the URL. The // is intentional and not a typographical error. Ensure the IP address is the same as above.


  4. Configure a start time and frequency in order to schedule the signature update. In this example, the time is set to 23:15:00. The frequency can be configured to support hourly or daily update attempts. Click Apply in order to apply configuration changes.

    Note: It is recommended to set the start time to a random time that is not on the top of the hour (for example, not 8:00, 13:00 or 15:00).


  5. In order to verify that the Auto Update completed successfully, enter the show statistics host command from the IPS CLI as seen in this example:

    IPS# show statistics host
    <Output truncated>
    Auto Update Statistics
       lastDirectoryReadAttempt = 16:55:03 GMT-06:00 Wed Jun 27 2012
        =   Read directory: http://CCOUser@72.163.7.55//swc/esd/06/273556262/guest/
        =   Success
       lastDownloadAttempt = 16:55:03 GMT-06:00 Wed Jun 27 2012
        =   Download: http://CCOUser@72.163.7.55//swc/esd/06/273556262/guest/IPS-sig-S654-req-E4.pkg
        =   Success
       nextAttempt = 17:55:00 GMT-06:00 Wed Jun 27 2012
       lastInstallAttempt = 16:55:46 GMT-06:00 Wed Jun 27 2012
        =   Success
    <Output truncated>

Caveats

Some signature updates require the regular expression tables to be recompiled during which time the IPS can go into software bypass mode. For inline sensors with bypass mode set to Auto, the Analysis Engine is bypassed, which allows traffic to flow through the inline interfaces and inline VLAN pairs without inspection. If bypass mode is turned off, the inline sensor stops passing traffic while the update is applied.

Troubleshoot

After correct configuration of Auto Signature Update, complete these steps in order to isolate and correct commonly encountered issues:

  1. For all IPS appliances and modules except for the AIM and IDSM, ensure that the command and control interface is connected to the local network, is assigned a valid IP address/subnet mask/gateway, and has IP reachability to the Internet. For the AIM and IDSM modules, the virtual command and control interface is used as defined in the configuration. In order to confirm the operational status of the interface from the CLI, enter this show command:

    IPS# show interfaces
    <Output truncated>
    MAC statistics from interface Management0/0
       Interface function = Command-control interface
       Description = 
       Media Type = TX
       Default Vlan = 0
       Link Status = Up  <---
    <Output truncated>

  2. In order to validate whether the CCO user account has the necessary privileges to download signature update packages, open a web browser and log in to Cisco.com with this same CCO account. Once authenticated, manually download the latest IPS signature package. If the package cannot be downloaded manually, the most likely cause is that the user account is not associated with a valid Cisco Services for IPS subscription. In addition, access to security software on CCO is restricted to authorized users who have accepted the annual encryption/export agreement. Failure to approve this agreement has been known to prevent signature downloads from IDM/IME/CSM. In order to verify whether this agreement has been accepted, open a browser and log in to Cisco.com with the same CCO account. Once authenticated, attempt to manually download a Cisco IOS® software package with the K9 feature set.

  3. Check if there is a proxy in place for Internet bound traffic (all versions except 7.2(1)). If the traffic from the command and control port goes through this proxy, the Auto Update feature does not work. Reconfigure the network so that the command and control port traffic is not filtered through a proxy and test again.

  4. Check if there are any content filtering or traffic shaping applications or appliances along the path to the Internet. If present, configure an exclusion in order to allow the IP address of the command and control interface to access the Internet without restriction.

  5. If ICMP traffic is permitted towards the Internet, open the CLI of the IPS sensor and try to ping a public IP address. This test can be used to verify if the necessary routing and NAT rules (if used) are configured correctly. If the ICMP test succeeds yet Auto Updates continue to fail, ensure that network devices such as routers and firewalls along the path permit the HTTPS and HTTP sessions from the IPS command and control interface IP. For example, if the command and control IP address is 10.1.1.1, a simple ACL entry on an ASA firewall can look like this example:

    access-list INSIDE-TO-INTERNET extended permit tcp host 10.1.1.1 any eq www
    access-list INSIDE-TO-INTERNET extended permit tcp host 10.1.1.1 any eq https

  6. The CCO username should not contain any special characters, for example, @. Refer to Cisco bug ID CSCsq30139 (registered customers only) for more information.

  7. When you diagnose signature auto-update failures, look at the error codes reported by the show statistics host command, as in this example:

    IPS# show statistics host
    Auto Update Statistics
    lastDirectoryReadAttempt = 19:31:09 CST Thu Nov 18 2010
    = Read directory: https://72.163.4.161//cgi-bin/front.x/ida/locator/locator.pl
    = Error: AutoUpdate exception: HTTP connection failed [1,110]   <--
    lastDownloadAttempt = 19:08:10 CST Thu Nov 18 2010
    lastInstallAttempt = 19:08:44 CST Thu Nov 18 2010
    nextAttempt = 19:35:00 CST Thu Nov 18 2010

    Message: Error: AutoUpdate exception: HTTP connection failed [1,110]
    Meaning: Authentication failed. Check the username and password.

    Message: status=false AutoUpdate exception: Receive HTTP response failed [3,212]
    Meaning: The request to the Auto Update server timed out.

    Message: Error: http error response: 400
    Meaning: Make sure the cisco-url setting is defaulted. If the CCO ID is greater than 32 characters in length, try a different CCO ID. This can be a limitation on the Cisco download server.

    Message: Error: AutoUpdate exception: HTTP connection failed [1,0]
    Meaning: Network issue prevented download or there is a potential issue with the download servers.
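As an added example (not part of this Cisco document), the following Python script parses the Auto Update Statistics block of show statistics host, reports the result of the directory read, download and install stages that step 5 of the configuration verifies, and maps the error strings listed in step 7 above to their meanings. The sample output embedded in the script is constructed from the outputs shown on this page; the function names are the example's own.

```python
import re

# Error strings and their meanings, taken from the troubleshooting table on this page.
KNOWN_ERRORS = {
    "HTTP connection failed [1,110]": "Authentication failed. Check the username and password.",
    "Receive HTTP response failed [3,212]": "The request to the Auto Update server timed out.",
    "http error response: 400": "Check that cisco-url is at its default and the CCO ID is 32 characters or fewer.",
    "HTTP connection failed [1,0]": "Network issue prevented the download, or the download servers have a problem.",
}
STAGES = ("lastDirectoryReadAttempt", "lastDownloadAttempt", "lastInstallAttempt")

def parse_auto_update_stats(output):
    """Parse the 'Auto Update Statistics' block into {attemptName: (timestamp, [detail lines])}."""
    attempts, current, in_block = {}, None, False
    for raw in output.splitlines():
        line = raw.strip()
        if line == "Auto Update Statistics":
            in_block = True
        elif not in_block or not line or line.startswith("<Output truncated>"):
            continue
        elif (m := re.match(r"^(\w+Attempt)\s*=\s*(.*)$", line)):
            current = attempts[m.group(1)] = (m.group(2), [])
        elif line.startswith("=") and current is not None:
            current[1].append(line.lstrip("= ").rstrip(" <-"))   # drop the '<--' marker
        elif current is not None and current[1]:
            current[1][-1] += line   # wrapped continuation, e.g. a long download URL
    return attempts

def stage_status(details):
    """'ok', the meaning of a known error, or 'no status reported'."""
    if "Success" in details:
        return "ok"
    err = next((d for d in details if "Error" in d), None)
    if err is None:
        return "no status reported"
    return next((m for k, m in KNOWN_ERRORS.items() if k in err), "unrecognized error: " + err)

def assess(output):
    """Per-stage result for the stages the page verifies: directory read, download, install."""
    attempts = parse_auto_update_stats(output)
    return {n: stage_status(attempts[n][1]) if n in attempts else "not recorded" for n in STAGES}

# Constructed sample modelled on the failing output shown in troubleshooting step 7.
FAILED_OUTPUT = """Auto Update Statistics
lastDirectoryReadAttempt = 19:31:09 CST Thu Nov 18 2010
= Read directory: https://72.163.4.161//cgi-bin/front.x/ida/locator/locator.pl
= Error: AutoUpdate exception: HTTP connection failed [1,110]   <--
lastDownloadAttempt = 19:08:10 CST Thu Nov 18 2010
nextAttempt = 19:35:00 CST Thu Nov 18 2010
"""
```

Feeding the failing sample to assess() flags the directory read as an authentication failure, which is the first thing to check before looking at network or proxy causes.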

Upcoming Enhancements

These enhancements are planned:

  • Cisco bug ID CSCsv89560 (registered customers only): ENH - IDS: Add Proxy Support for Auto/Cisco.com Update Feature.

  • Cisco bug ID CSCtg94422 (registered customers only): IPS: Add Command in CLI to Allow Immediate AutoUpdate for Signatures.

  • Cisco bug ID CSCuf81644 (registered customers only): Add CLI Command to provide more details about the Auto-update issue.
