Understand How the Cisco IPS Automatic Signature Update Feature Works

Document ID: 113674

Updated: Dec 04, 2014

Contributed by Cisco TAC Engineers.

Introduction

This document provides an overview of the Cisco Intrusion Prevention System (IPS) Automatic Update feature and its operation.

The IPS Automatic Update feature was introduced in IPS version 6.1 and provides administrators with an easy way to update IPS signatures on a regularly scheduled interval. 

Prerequisites

Requirements

Automatic signature updates have these requirements:

  • A valid Cisco Services for IPS subscription and license key. Go to http://www.cisco.com/go/license and click IPS Signature Subscription Service in order to apply for a license key.

  • A Cisco.com (CCO) user account that is associated with an active Cisco Services for IPS subscription.

  • Privileges to download cryptographic software. Go to http://tools.cisco.com/legal/k9/controller/do/k9Check.x?eind=Y in order to check whether you have access.

Components Used

The information in this document is based on these hardware and software versions:

  • Cisco IPS Versions 6.1 and later

  • Specific features for Cisco IPS Versions 7.2(1), 7.3(1), and later

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command. 

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Background Information

Network Requirements

  1. The command and control interface of the IPS requires direct access to the Internet over HTTPS (TCP 443) and HTTP (TCP 80).

  2. Network Address Translation (NAT) and Access Control Lists (ACLs) on edge devices such as routers and firewalls must permit the IPS connectivity to the Internet.

  3. Exclude the command and control interface IP address from all content filters and network traffic shapers.

  4. The Automatic Update feature supports proxy servers only in Cisco IPS Versions 7.2(1) and later (7.2(1) is the FIPS/CC certified release); 6.x and earlier 7.x releases do not support Automatic Update through a proxy server. The 7.2(1) release also changes a number of default Secure Shell (SSH) and HTTPS settings. Refer to the Release Notes for Cisco Intrusion Prevention System 7.2(1)E4 before you upgrade to 7.2(1).

Warning: In Cisco IPS Version 7.0(8)E4, the default value for the Cisco server IP address is changed from 198.133.219.25 to 72.163.4.161 in the Auto Update URL configuration. If your sensor is configured for automatic updates, you might need to update the firewall rules in order to allow the sensor to connect to the new IP address. For Cisco IPS Versions 7.2 and later, the hardcoded automatic update server IP address is replaced with a named Fully Qualified Domain Name (FQDN) and Domain Name System (DNS) lookup. Refer to the Configuration section of this document for additional information.

Bypass Caveats

Some signature updates require the regular expression tables to be recompiled, during which time the IPS can enter software bypass mode. For inline sensors with bypass mode set to Auto, the Analysis Engine is bypassed and traffic flows through the inline interfaces and inline VLAN pairs without inspection. If bypass mode is set to Off, the inline sensor stops passing traffic while the update is applied. Plan the update schedule with this in mind: with Auto, the update window is uninspected; with Off, it is an outage.

Signature Auto Update Process

  1. The IPS connects to the Cisco auto update server over HTTPS (TCP 443): 72.163.4.161 in Cisco IPS Versions 7.0(8) and 7.1(6), or www.cisco.com (resolved through DNS) in Versions 7.2(1) and later.

  2. The IPS sends a client manifest to the auto update server. The manifest includes the platform ID and an encrypted shared secret that the server uses to verify the authenticity of the Cisco IPS sensor.

  3. Once the sensor is authenticated, the update server responds with a server manifest that lists the download file options for that platform ID: update version, download location, and supported file transfer protocols. From this data, the IPS auto update logic determines whether any of the download options are valid and selects the best update package. In preparation for the download, the server also provides the IPS with the keys needed to decrypt the update file.

  4. The IPS opens a new connection to the download server named in the server manifest. The download server IP address varies by location. The IPS uses the file transfer protocol given in the download URL from the server manifest (currently HTTP, TCP 80).

  5. The IPS uses the previously received keys to decrypt the update package and then applies the signature files to the sensor.

Configure

Basic Signature Auto-Update Configuration

The Automatic Update feature can be configured from IPS Device Manager (IDM) or IPS Manager Express (IME). Complete these steps:

  1. From IDM/IME, choose Configuration > Sensor Management > Auto/Cisco.com Update.

  2. Check the Enable Signature and Engine Updates from Cisco.com check box in the right-hand pane, and click the Cisco.com Server Settings heading in order to expand the configuration pane.

  3. Enter the CCO username and password.

    Here is the default URL for Cisco IPS Versions 7.0(8) and 7.1(6):

    https://72.163.4.161//cgi-bin/front.x/ida/locator/locator.pl

    Here is the default URL for Cisco IPS Versions 7.2(1), 7.3(1), and later:

    https://www.cisco.com//cgi-bin/front.x/ida/locator/locator.pl

    Note: Do not change the Cisco.com URL; it should not need to be changed from its default setting. The double slash (//) is intentional and not a typographical error. In Cisco IPS Versions 7.2(1), 7.3(1), and later, the sensor queries the DNS server defined in the sensor network configuration in order to resolve www.cisco.com to an Internet-routable IP address.

  4. Configure a start time and frequency in order to schedule the signature update. Cisco recommends a start time chosen at random and not on the top of the hour. In this example, the time is set to 23:15:00. The frequency can be configured for hourly or daily update attempts. Click Apply in order to apply the configuration changes.



Signature Automatic Update Enhancements

Many improvements to the Automatic Update feature are included in Cisco IPS Versions 7.2(1) and later, and additional security improvements are added in Cisco IPS Versions 7.3(2) and later. The configuration options described in this section cover these improvements.

Update Now Feature

Cisco IPS Version 7.2(1) added a capability to the IPS GUIs and the CLI that lets administrators start a signature Automatic Update immediately, without waiting for the scheduled time.

In order to bypass the automatic update schedule and update immediately, from IDM/IME choose Configuration > Sensor Management > Auto/Cisco.com Update. As long as the Automatic Update is correctly configured and applied, click the Update Now button in the upper right-hand corner of the screen in order to trigger an update attempt.

You can also enter the autoupdatenow command into the sensor CLI in order to trigger an update attempt. Here is an example:

SSP-60# autoupdatenow
Warning: Executing this command will perform an auto-upgrade on the sensor immediately.
Before executing this command, you must have a valid license to apply the Signature
AutoUpdates and auto-upgrade settings configured. After executing this command please
disable user-server/cisco-server inside 'auto-upgrade' settings, if you don't want
scheduled auto-updates
Continue? []: yes
Automatic Update for the sensor has been executed. Use 'show statistics host' command
to check the result of auto-update. Please disable user-server/cisco-server in
auto-upgrade settings, if you don't want scheduled auto-updates

Automatic Update via Internet Proxy

In order to allow automatic updates through an Internet proxy (Cisco IPS Versions 7.2(1) and later), from IDM/IME choose Configuration > Sensor Setup > Network. Enter the DNS server and, optionally, the HTTP Proxy Server IP address and port.

Validate Trusted Root Certificates

Cisco IPS Version 7.3(2) introduced the ability for the IPS to validate the certificate chain presented by the update server when updates are downloaded. With this feature enabled, the IPS checks that the chain terminates in a root certificate from a trusted root CA, that is, one present in the sensor's local trusted certificate store. For example, the TLS certificates presented during the signature update process by the Cisco server and by the global correlation server are validated. Without this check, the sensor does not verify who issued the update server's certificate. This feature is disabled by default in Cisco IPS Version 7.3(2); however, it might be enabled by default in a future release. Refer to the IPS Read Me file for more information.

View the Local Trusted Certificate Store

In order to view the current list of installed trusted root certificates in IPS Versions 7.3(2) and later, navigate to Configuration > Sensor Management > Certificates > Trusted Root Certificates.

Enable Strict TLS Server Certificate Validation

Complete these steps in order to enable the Strict TLS Server Validation feature:

  1. Navigate to Configuration > Sensor Setup > Network.

  2. Expand the HTTP, FTP, Telnet, SSH, CLI & Other Options section.

  3. Check the Enable Strict TLS Server Validation check box.

  4. Click Apply in order to apply the configuration to the sensor. 

Add/Update Root Certificates to the Local Trusted Certificate Store

As certificates on the update servers expire, Cisco reserves the right to move to a root certificate chain other than GeoTrust and Thawte. If the new root certificate is not present in the current IPS software image, the updated root certificate chain can be installed manually into the local trusted certificate store of the sensor. The DER-encoded certificates are staged on a file server and retrieved by the sensor over SCP or HTTPS. The next example uses SCP in order to demonstrate the certificate installation/update process.
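Before staging the file, confirm that it really is a single DER-encoded certificate: CA root certificates are usually distributed as PEM (Base64 text between BEGIN/END CERTIFICATE lines), while the sensor expects DER. The following Python script is an added example for this document, not Cisco code. It converts a PEM certificate to DER when needed and checks that the result is exactly one well-formed DER SEQUENCE whose first element is itself a SEQUENCE (the tbsCertificate), which is how every X.509 certificate begins. The certificate bytes in the demo (DEMO_DER) are a constructed ASN.1 structure, not a real CA certificate.

```python
"""Convert a CA root certificate to the DER encoding the sensor expects and
sanity-check the result before staging it on the SCP/HTTPS server.

Added example for this document, not Cisco code.  DEMO_DER below is a
constructed ASN.1 structure, not a real certificate.
"""
import base64
import re
from typing import Tuple

PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_tlv_length(data: bytes) -> Tuple[int, int]:
    """Return (header_length, content_length) of the DER TLV at data[0].

    Rejects indefinite and non-minimal length encodings, which DER forbids.
    """
    if len(data) < 2:
        raise ValueError("truncated DER element")
    first = data[1]
    if first < 0x80:                       # short form: one length byte
        return 2, first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("bad DER length octets")
    content = int.from_bytes(data[2:2 + n], "big")
    if content < 0x80 or (n > 1 and content < (1 << (8 * (n - 1)))):
        raise ValueError("non-minimal DER length encoding")
    return 2 + n, content


def looks_like_der_certificate(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE whose first element is a
    SEQUENCE (Certificate { tbsCertificate SEQUENCE, ... }), with no
    leading or trailing bytes."""
    try:
        if not data or data[0] != 0x30:
            return False
        header, length = der_tlv_length(data)
        if header + length != len(data):
            return False
        inner = data[header:]
        return len(inner) > 0 and inner[0] == 0x30
    except ValueError:
        return False


def to_der(data: bytes) -> bytes:
    """Accept PEM or DER input and return DER, or raise ValueError."""
    blocks = PEM_CERT_RE.findall(data)
    if len(blocks) > 1:
        raise ValueError(
            f"{len(blocks)} certificates in one file; stage one root certificate per file")
    if blocks:
        der = base64.b64decode(b"".join(blocks[0].split()), validate=True)
    elif data.lstrip().startswith(b"-----BEGIN"):
        raise ValueError("PEM block is not a CERTIFICATE")
    else:
        der = data
    if not looks_like_der_certificate(der):
        raise ValueError("not a DER-encoded X.509 certificate")
    return der


# --- constructed demo data -------------------------------------------------

def der_sequence(content: bytes) -> bytes:
    """Wrap content in a DER SEQUENCE with a minimal length encoding."""
    n = len(content)
    if n < 0x80:
        return b"\x30" + bytes([n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(body)]) + body + content


# Stand-in for a certificate: SEQUENCE { SEQUENCE { INTEGER 2, OCTET STRING } }.
# Large enough to use the long-form length (0x82 hi lo) that real certificates use.
DEMO_DER = der_sequence(der_sequence(
    b"\x02\x01\x02" + b"\x04\x82\x01\x00" + b"\x00" * 256))


def demo_pem(der: bytes = DEMO_DER) -> bytes:
    """Wrap DER bytes in a PEM CERTIFICATE block, 64 characters per line."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    der = to_der(demo_pem())
    print(f"PEM -> DER: {len(der)} bytes, valid={looks_like_der_certificate(der)}")
```

Run `to_der()` on the file you intend to upload and write the returned bytes to the file you stage on the SCP server; a file that fails the check would not have been accepted by the sensor either.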

  1. From the IDM/IME, navigate to Configuration > Sensor Management > SSH > Known Host RSA Keys.

  2. Click Add and enter the IP address of the SCP server.

  3. Click Retrieve Host Key in order to have the sensor automatically retrieve the public key from the server.

  4. Click OK twice and then Apply in order to apply the configuration to the sensor.

    Note: A warning appears if the key size presented by the SCP server is smaller than 2,048 bits.

  5. Click Yes in order to add the key to the known hosts table, or No in order to return to the Add Known Host RSA Key screen. Before you click Yes, compare the retrieved key with the host key fingerprint supplied by the SCP server administrator; the sensor trusts whichever key is presented at this step.

  6. Navigate to Configuration > Sensor Management > Trusted Root Certificates.

  7. Click Add/Update in order to add a new DER-encoded certificate file from the SCP server. Ensure that the certificate file is staged on the server and available for remote retrieval via SSH.

  8. Select SCP as the protocol and enter the URL, username, and password.

  9. Click OK in order to begin the certificate file transfer and installation.

  10. Click Yes in order to add the certificate to the IPS local trusted root store and then OK in order to exit.
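The Retrieve Host Key step accepts whatever key the remote end returns, so the retrieved key should be checked against the SCP server's real host key fingerprint (for example, the output of `ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub` on that server). The Python script below is an added example for this document, not Cisco code. It parses an OpenSSH ssh-rsa public key line, reports the modulus size that the 2,048-bit warning in step 4 refers to, and computes the same SHA256 fingerprint that ssh-keygen prints, so both sides of the comparison are in one format. The key material is constructed (a 2048-bit odd number used as a modulus) so that the script runs offline; it is not a real host key.

```python
"""Parse an OpenSSH ssh-rsa public key line and report its size and
SHA256 fingerprint, so the key that IDM retrieves with 'Retrieve Host Key'
can be compared with the SCP server's real host key out of band.

Added example for this document, not Cisco code.  The demo moduli are
constructed numbers, not real keys.
"""
import base64
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Tuple

MIN_RSA_BITS = 2048      # IDM warns about SCP host keys smaller than this


@dataclass
class HostKey:
    key_type: str
    bits: int            # modulus size in bits (first field of ssh-keygen -l)
    exponent: int
    fingerprint: str     # "SHA256:<base64 without padding>", ssh-keygen format


def _read_string(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Read one RFC 4251 'string' (uint32 length + bytes) at pos."""
    if pos + 4 > len(buf):
        raise ValueError("truncated ssh string")
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    pos += 4
    if pos + n > len(buf):
        raise ValueError("truncated ssh string")
    return buf[pos:pos + n], pos + n


def sha256_fingerprint(blob: bytes) -> str:
    """Fingerprint as printed by `ssh-keygen -lf`: SHA256 of the key blob,
    base64-encoded with the trailing '=' removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_openssh_rsa(line: str) -> HostKey:
    """Parse 'ssh-rsa AAAA... [comment]' as found in ssh_host_rsa_key.pub."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    key_type, pos = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob type does not match line prefix")
    e_bytes, pos = _read_string(blob, pos)
    n_bytes, pos = _read_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing bytes after modulus")
    e = int.from_bytes(e_bytes, "big")
    n = int.from_bytes(n_bytes, "big")   # the mpint's leading 0x00 is harmless here
    return HostKey("ssh-rsa", n.bit_length(), e, sha256_fingerprint(blob))


def assess(key: HostKey, expected_fingerprint: str) -> List[str]:
    """Return the reasons not to accept this key (empty list means accept)."""
    problems = []
    if key.fingerprint != expected_fingerprint:
        problems.append("fingerprint does not match the one obtained from the server owner")
    if key.bits < MIN_RSA_BITS:
        problems.append(f"RSA modulus is only {key.bits} bits (minimum {MIN_RSA_BITS})")
    if key.exponent < 3 or key.exponent % 2 == 0:
        problems.append(f"invalid RSA public exponent {key.exponent}")
    return problems


# --- constructed demo keys -------------------------------------------------

def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _mpint(x: int) -> bytes:
    # RFC 4251 mpint: big-endian, with a leading 0x00 if the high bit is set
    return _ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def make_openssh_rsa_line(n: int, e: int, comment: str = "") -> str:
    """Build the one-line public key format that ssh_host_rsa_key.pub uses."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode()
    return line + (" " + comment if comment else "")


# Constructed moduli (a set high bit plus a few low bits), NOT real keys.
DEMO_LINE_2048 = make_openssh_rsa_line((1 << 2047) | 0x10001, 65537, "scp-server")
DEMO_LINE_1024 = make_openssh_rsa_line((1 << 1023) | 0x10001, 65537, "old-server")

if __name__ == "__main__":
    key = parse_openssh_rsa(DEMO_LINE_2048)
    print(f"{key.bits} {key.fingerprint} (RSA)")
    print("problems:", assess(key, key.fingerprint) or "none")
```

Paste the server's real `ssh_host_rsa_key.pub` line in place of DEMO_LINE_2048 and compare the printed fingerprint with the key shown in the IDM dialog; click Yes only when `assess()` returns no problems.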



Verify

From the IDM/IME, choose Configuration >  Sensor Management  > Auto/Cisco.com Update. Expand the Auto Update info section in order to review the status of the last download attempt. Click Refresh in order to refresh the Auto Update info data.

In order to verify the status of the Automatic Update process via the CLI, enter the show statistics host command:

IPS# show statistics host
<Output truncated>
Auto Update Statistics
lastDirectoryReadAttempt = 16:55:03 GMT-06:00 Wed Jun 27 2012
= Read directory: http://CCOUser@72.163.7.55//swc/esd/06/273556262/guest/
= Success
lastDownloadAttempt = 16:55:03 GMT-06:00 Wed Jun 27 2012
= Download: http://CCOUser@72.163.7.55//swc/esd/06/273556262/guest/
IPS-sig-S654-req-E4.pkg
= Success
nextAttempt = 17:55:00 GMT-06:00 Wed Jun 27 2012
lastInstallAttempt = 16:55:46 GMT-06:00 Wed Jun 27 2012
= Success
<Output truncated>

From the IDM/IME, refer to the Licensing gadget on the Home dashboard in order to view the License Status and currently installed signature version. The same information can be obtained via the CLI with the show version command.

SSP-60# show version
Application Partition:

Cisco Intrusion Prevention System, Version 7.3(2)E4

Host:
Realm Keys key1.0
Signature Definition:
Signature Update S805.0 2014-06-03
Threat Profile Version 7
OS Version: 2.6.29.1
Platform: ASA5585-SSP-IPS60
Serial Number: JAF1527CPNK
Licensed, expires: 21-Jun-2014 UTC
Sensor up-time is 39 days.
Using 46548M out of 48259M bytes of available memory (96% usage)
system is using 32.4M out of 160.0M bytes of available disk space (20% usage)
application-data is using 86.6M out of 377.5M bytes of available disk space (24% usage)
boot is using 63.4M out of 70.5M bytes of available disk space (95% usage)
application-log is using 494.0M out of 513.0M bytes of available disk space (96% usage)

MainApp C-2014_04_14_22_11_7_3_1_48 (Release) 2014-04-14T22:15:32-0500
Running
AnalysisEngine C-2014_04_14_22_11_7_3_1_48 (Release) 2014-04-14T22:15:32-0500
Running
CollaborationApp C-2014_04_14_22_11_7_3_1_48 (Release) 2014-04-14T22:15:32-0500
Running
CLI C-2014_04_14_22_11_7_3_1_48 (Release) 2014-04-14T22:15:32-0500

Upgrade History:

* IPS-sig-S802-req-E4 16:07:23 UTC Thu May 29 2014
IPS-sig-S805-req-E4.pkg 16:18:51 UTC Mon Jun 09 2014

Recovery Partition Version 1.1 - 7.3(2)E4

Host Certificate Valid from: 15-Jul-2013 to 16-Jul-2015

Troubleshoot

After correct configuration of Auto Signature Update, complete these steps in order to isolate and correct commonly encountered issues:

  1. For all IPS appliances and modules except the AIM and IDSM, ensure that the command and control interface is connected to the local network, has a valid IP address, subnet mask, and gateway, and has IP reachability to the Internet. The AIM and IDSM modules use the virtual command and control interface defined in their configuration. In order to confirm the operational status of the interface from the CLI, enter this show command:

    IPS# show interfaces
    <Output truncated>
    MAC statistics from interface Management0/0
    Interface function = Command-control interface
    Description =
    Media Type = TX
    Default Vlan = 0
    Link Status = Up <---
    <Output truncated>


  2. In order to validate whether the CCO user account has the necessary privileges to download signature update packages, open a web browser and log in to Cisco.com with the same CCO account. Once authenticated, manually download the latest IPS signature package. If the manual download fails, the user account is most likely not associated with a valid Cisco Services for IPS subscription. In addition, access to security software on CCO is restricted to authorized users who have accepted the annual encryption/export agreement. Failure to accept this agreement has been known to prevent signature downloads from IDM/IME/CSM. In order to verify whether the agreement has been accepted, log in to Cisco.com with the same CCO account and attempt to manually download a Cisco IOS software package with the K9 feature set.

  3. Check whether there is a proxy in the path for Internet-bound traffic. On all versions earlier than 7.2(1), if the traffic from the command and control port passes through a proxy, the Auto Update feature does not work. Reconfigure the network so that the command and control port traffic is not sent through a proxy and test again. On 7.2(1) and later, configure the proxy in the sensor network settings instead (see Automatic Update via Internet Proxy).

  4. For sensors that run Version 7.2(1) or later software, ensure that one or more DNS servers are configured. This is required so that the sensor can resolve the www.cisco.com updater FQDN to an Internet-routable IP address.

  5. Check if there are any content filtering or traffic shaping applications or appliances in the path to the Internet. If present, configure an exclusion in order to allow the IP address of the command and control interface to access the Internet without restriction.

  6. If ICMP traffic is permitted towards the Internet, open the CLI of the IPS sensor and ping a public IP address.

    This test verifies that the necessary routing and NAT rules (if used) are configured correctly. If the ICMP test succeeds yet Auto Updates continue to fail, ensure that network devices such as routers and firewalls along the path permit the HTTPS and HTTP sessions from the IPS command and control interface IP address. For example, if the command and control IP address is 10.1.1.1, the ACL entries on an ASA firewall can look like this example:

    access-list INSIDE-TO-INTERNET extended permit tcp host 10.1.1.1 any eq www
    access-list INSIDE-TO-INTERNET extended permit tcp host 10.1.1.1 any eq https


  7. The CCO username should not contain any special characters (for example, @). Refer to Cisco bug ID CSCsq30139 for more information.

  8. When signature auto-update failures occur, look at the result line under Auto Update Statistics in the show statistics host output and use the list that follows in order to interpret the error message.

    IPS# show statistics host
    Auto Update Statistics
    lastDirectoryReadAttempt = 19:31:09 CST Thu Nov 18 2010
    = Read directory: https://72.163.4.161//cgi-bin/front.x/ida/locator/locator.pl
    = Error: AutoUpdate exception: HTTP connection failed [1,110] <--
    lastDownloadAttempt = 19:08:10 CST Thu Nov 18 2010
    lastInstallAttempt = 19:08:44 CST Thu Nov 18 2010
    nextAttempt = 19:35:00 CST Thu Nov 18 2010

    Message: Error: AutoUpdate exception: HTTP connection failed [1,110]
    Meaning: Authentication failed. Check the username and password.

    Message: status=false AutoUpdate exception: Receive HTTP response failed [3,212]
    Meaning: The request to the Auto Update server timed out.

    Message: Error: http error response: 400
    Meaning: Make sure the cisco-url setting is at its default. If the CCO ID is longer than 32 characters, try a different CCO ID; this can be a limitation on the Cisco download server.

    Message: Error: AutoUpdate exception: HTTP connection failed [1,0]
    Meaning: A network issue prevented the download, or there is a potential issue with the download servers.
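The show statistics host output is the only place the sensor reports why an update failed, both after a scheduled run (see Verify) and after autoupdatenow. The Python script below is an added example for this document, not Cisco code. It parses the Auto Update Statistics block, extracts the name of the last downloaded signature package, and maps the result line of the first step that did not report Success to the meaning in the list above, which is useful when the output is collected from many sensors over SSH. The two sample outputs (SAMPLE_OK and SAMPLE_FAIL) are constructed to match the format shown in this document.

```python
"""Parse the Auto Update Statistics block of `show statistics host` and
explain the first failed step using the troubleshooting list above.

Added example for this document, not Cisco code.  SAMPLE_OK and SAMPLE_FAIL
are constructed to match the output format shown in the document.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Result strings from the troubleshooting list, matched as substrings of the
# status line.  "[1,110]" is listed before "[1,0]" so the specific match wins.
ERROR_MEANINGS = (
    ("HTTP connection failed [1,110]", "Authentication failed. Check the username and password."),
    ("Receive HTTP response failed [3,212]", "The request to the Auto Update server timed out."),
    ("http error response: 400", "Make sure the cisco-url setting is at its default; if the CCO ID is longer than 32 characters, try a different CCO ID."),
    ("HTTP connection failed [1,0]", "A network issue prevented the download, or there is a potential issue with the download servers."),
)
ATTEMPT_ORDER = ("lastDirectoryReadAttempt", "lastDownloadAttempt", "lastInstallAttempt")
KEY_RE = re.compile(r"^(\w+)\s*=\s*(.*)$")
PKG_RE = re.compile(r"(IPS-sig-S\d+-req-E\d+\.pkg)")


@dataclass
class Attempt:
    timestamp: str
    detail: Optional[str] = None    # "Read directory: ..." / "Download: ..."
    status: Optional[str] = None    # "Success" or "Error: ..."


@dataclass
class AutoUpdateStats:
    attempts: Dict[str, Attempt] = field(default_factory=dict)
    next_attempt: Optional[str] = None


def parse_auto_update_stats(text: str) -> AutoUpdateStats:
    """Extract the Auto Update Statistics block from show statistics host output."""
    stats = AutoUpdateStats()
    lines = iter(text.splitlines())
    for line in lines:                       # skip to the section header
        if line.strip() == "Auto Update Statistics":
            break
    current: Optional[Attempt] = None
    for raw in lines:
        line = raw.strip()
        if not line or "=" not in line:      # blank line or next section ends the block
            break
        if line.startswith("="):             # continuation line of the previous attempt
            value = line[1:].strip()
            if current is not None:
                if value.startswith(("Success", "Error", "status=")):
                    current.status = value
                else:
                    current.detail = value
            continue
        match = KEY_RE.match(line)
        if match is None:
            break
        key, value = match.groups()
        if key == "nextAttempt":
            stats.next_attempt = value
            current = None
        else:
            current = Attempt(timestamp=value)
            stats.attempts[key] = current
    return stats


def explain_failure(stats: AutoUpdateStats) -> Optional[str]:
    """Diagnose the first step that did not report Success, or None if all succeeded."""
    for name in ATTEMPT_ORDER:
        attempt = stats.attempts.get(name)
        if attempt is None or attempt.status in (None, "Success"):
            continue
        for needle, meaning in ERROR_MEANINGS:
            if needle in attempt.status:
                return f"{name}: {meaning}"
        return f"{name}: unrecognised result: {attempt.status}"
    return None


def downloaded_package(stats: AutoUpdateStats) -> Optional[str]:
    """Name of the signature package from the last download attempt, if any."""
    attempt = stats.attempts.get("lastDownloadAttempt")
    if attempt is not None and attempt.detail:
        match = PKG_RE.search(attempt.detail)
        if match:
            return match.group(1)
    return None


# Constructed samples in the format shown in this document (not real captures).
SAMPLE_OK = """\
IPS# show statistics host
Auto Update Statistics
lastDirectoryReadAttempt = 16:55:03 GMT-06:00 Wed Jun 27 2012
= Read directory: http://CCOUser@72.163.7.55//swc/esd/06/273556262/guest/
= Success
lastDownloadAttempt = 16:55:03 GMT-06:00 Wed Jun 27 2012
= Download: http://CCOUser@72.163.7.55//swc/esd/06/273556262/guest/IPS-sig-S654-req-E4.pkg
= Success
nextAttempt = 17:55:00 GMT-06:00 Wed Jun 27 2012
lastInstallAttempt = 16:55:46 GMT-06:00 Wed Jun 27 2012
= Success
<Output truncated>
"""

SAMPLE_FAIL = """\
IPS# show statistics host
Auto Update Statistics
lastDirectoryReadAttempt = 19:31:09 CST Thu Nov 18 2010
= Read directory: https://72.163.4.161//cgi-bin/front.x/ida/locator/locator.pl
= Error: AutoUpdate exception: HTTP connection failed [1,110]
lastDownloadAttempt = 19:08:10 CST Thu Nov 18 2010
lastInstallAttempt = 19:08:44 CST Thu Nov 18 2010
nextAttempt = 19:35:00 CST Thu Nov 18 2010
"""
```

Feed the script the raw text returned by `show statistics host` (for example, captured over SSH); `explain_failure()` returns None for a healthy sensor, and for the failing sample it returns the authentication diagnosis from the list above.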