-
Cisco Guard Configuration Guide (Software Version 5.1)
-
Index
-
Preface
-
Product Overview
-
Initializing the Guard
-
Configuring the Guard
-
Configuring Traffic Diversion
-
Configuring Zones
-
Configuring Zone Filters
-
Configuring Policy Templates and Policies
-
Learning the Zone Traffic Characteristics
-
Protecting Zones
-
Using Interactive Protect Mode
-
Understanding Attack Reports
-
Using Guard Diagnostics Tools
-
Performing Maintenance Tasks
-
Analyzing Guard Mitigation
-
Understanding Zone Traffic Diversion
-
Troubleshooting Diversion
-
Table Of Contents
Importing and Updating the Configuration
Rebooting the Guard and Inactivating Zones
Upgrading the Guard Software Version
Resetting the Configuration to Factory Defaults
Performing Maintenance Tasks
This chapter describes how to perform tasks used for general care and maintenance of the Cisco Guard (Guard) and contains the following sections:
•
Importing and Updating the Configuration
•
•
•
Configuring File Servers
Configuring a network server to which to can export the Guard files or from where import files to the Guard allows you to configure the network server attributes such as the IP address, the communication method, and the login details one time, and then use the name of the network server without specifying the network server attributes in later operations.
After you configure the network server, you must configure the export or the import commands. For example, use the export reports commands to configure the Guard to export attack reports to a network server.
To configure a network server, use one of the following commands in configuration mode:
•
•
Because Secure FTP (SFTP) and Secure Copy (SCP) rely on Secure Shell (SSH) for secure communication, you must configure the SSH key that the Guard uses for SFTP and SCP communication. See the "Configuring the Keys for SFTP and SCP Connections" section for more information on how to configure the key that the Guard uses for secure communication.
Table 13-1 provides the arguments and keywords for the file-server command.
The following example shows how to define an FTP server with the IP address 10.0.0.191:
user@GUARD-conf# file-server CorpFTP-Server "Corp's primary FTP server" ftp 10.0.0.191 /root/ConfigFiles <user> <password>To delete a network server, use the no file-server [file-server-name | *] command in configuration mode.
To display the list of network servers, use the show file-servers command in global or configuration mode.
Exporting the Configuration
You can export the Guard configuration file or a zone configuration file (running-config) to a network server. By exporting the Guard or zone configuration file to a remote server, you can do the following:
•
•
To export the Guard configuration file, use one of the following commands in global mode:
•
•
•
Because SFTP and SCP rely on SSH for secure communication, if you do not configure the key that the Guard uses before you enter the copy command with the sftp or scp option, the Guard prompts you for the password. See the "Configuring the Keys for SFTP and SCP Connections" section for more information on how to configure the key that the Guard uses for secure communication.
Table 13-2 provides the arguments and keywords for the copy running-config ftp command.
Table 13-2 Arguments and Keywords for the copy running-config ftp
Command(Optional) The zone name. If you specify the zone name, the Guard exports the zone configuration file. The default is to export the Guard configuration file.
Exports the complete Guard configuration or the configuration of the specified zone.
ftp
Exports the configuration to a network server using FTP.
sftp
Exports the configuration to a network server using SFTP.
scp
Exports the configuration to a network server using SCP.
server
IP address of the network server. Enter the IP address in dotted-decimal notation (for example, enter 192.168.10.2).
full-file-name
Complete name of the file. If you do not specify a path, the server saves the file in your home directory.
login
Server login name.
The login argument is optional when you define an FTP server. When you do not enter a login name, the FTP server assumes an anonymous login and does not prompt you for a password.
password
(Optional) Password for the remote FTP server. If you do not enter the password, the Guard prompts you for one.
file-server-name
Name of a network server to which to export the configuration file. You must configure the network server using the file-server command.
If you configured the network server using SFTP or SCP, you must configure the SSH key that the Guard uses for SFTP and SCP communication.
See the "Configuring File Servers" section for more information.
destination-file-
nameName of the configuration file on the remote server. The Guard saves the configuration file on the network server using the destination filename in the directory that you defined for the network server by using the file-server command.
The following example shows how to export the Guard configuration file to an FTP server:
user@GUARD# copy running-config ftp 10.0.0.191 run-conf.txt <user> <password>The following example shows how to export the Guard configuration file to a network server:
user@GUARD# copy running-config CorpFTP Configuration-12-11-05Importing and Updating the Configuration
You can import a Guard or zone configuration file from an FTP server and reconfigure the Guard according to the newly transferred file. Import the configuration to do one of the following tasks:
•
•
Zone configuration is a partial Guard configuration. To copy both types of configuration files to the Guard and reconfigure it accordingly, use the copy ftp running-config command.
Note
We recommend that you deactivate all zones before you initiate the import process. The Guard deactivates a zone before importing the zone configuration.
The Guard, by default, ignores older versions of self-protection configuration. We recommend that you do not overwrite the self-protection configuration with an older configuration, because the older configuration may not be compatible with the current version.
To import a Guard configuration file, use one of the following commands in global mode:
•
•
•
Because SFTP and SCP rely on SSH for secure communication, if you do not configure the key that the Guard uses before you enter the copy command with the sftp or scp option, the Guard prompts you for the password. See the "Configuring the Keys for SFTP and SCP Connections" section for more information on how to configure the key that the Guard uses for secure communication.
Table 13-3 provides the arguments for the copy ftp running-config command.
Table 13-3 Arguments for the copy ftp running-config
Commandftp
Imports the configuration from a network server using FTP.
sftp
Imports the configuration from a network server using SFTP.
scp
Imports the configuration from a network server using SCP.
server
IP address of the network server. Enter the IP address in dotted-decimal notation (for example, enter 192.168.10.2).
remote-path
Complete name of the file. If you do not specify a path, the server searches for the file in your home directory.
login
Server login name.
The login argument is optional when you define an FTP server. When you do not enter a login name, the FTP server assumes an anonymous login and does not prompt you for a password.
password
(Optional) Password for the remote FTP server. If you do not enter the password, the Guard prompts you for one.
file-server-name
Name of a network server. You must configure the network server using the file-server command.
If you configured the network server using SFTP or SCP, you must configure the SSH key that the Guard uses for SFTP and SCP communication.
See the "Configuring File Servers" section for more information.
source-file-name
Name of the file to import. The Guard appends the name of the file to the path that you defined for the network server by using the file-server command.
The following example shows how to import the Guard configuration file from an FTP server:
user@GUARD# copy ftp running-config 10.0.0.191 /root/backup/conf/scannet-conf <user> <password>The following example shows how to import the Guard configuration file from a network server:
user@GUARD# copy CorpFTP running-config scannet-confWhen you import a configuration that was exported from an older version, the Guard displays the following message:
WARNING: The configuration file includes a self-protection definition that is incompatible with the current version and will be ignored.Continue? [yes|no]Enter one of the following options:
•
–
–
•
You can abort the import process or import the old self-protection definition as-is.WARNING: The self-protection definitions are incompatible with the current version.Abort? [yes|no]
Caution
To import the older self-protection configuration, enter no.
To abort the import process, enter yes.
Exporting Files Automatically
You can configure the Guard to export automatically the following files to a network server:
•
The Guard exports the packet-dump capture files when the capture buffer size reaches 50 MB or after 10 minutes have elapsed. See the "Exporting Packet-Dump Capture Files Automatically" section for more information.
•
The Guard exports the reports of any one of the zones when an attack on the zone ends. See the "Exporting Attack Reports Automatically" section for more information.
The Guard exports the packet-dump capture files and the attack reports in Extensible Markup Language (XML) format. The software version is accompanied by xsd files that describe the XML schema. You can download the xsd files from the Cisco website (www.cisco.com).
To export files automatically to a network server, perform the following steps:
Step 1
See the "Configuring File Servers" section for more information.
Step 2
export {packet-dump | reports} file-server-nameTable 13-4 provides the arguments and keywords for the export command.
Table 13-4 Arguments and Keywords for the export Command
packet-dump
Exports packet-dump capture files each time the contents of the packet-dump buffer are saved to a local file. The Guard exports the packet-dump capture files in PCAP format, which is compressed and encoded by the gzip (GNU zip) program, with an accompanying file in Extensible Markup Language (XML) that describes the recorded data. See the Capture.xsd file that accompanies the version for a description of the XML schema. See the "Monitoring Network Traffic and Extracting Attack Signatures" section for more information on packet-dump capture files.
reports
Exports attack reports in XML format at the end of an attack. The Guard exports the reports of any one of the zones when an attack on the zone ends. See the ExportedReports.xsd file that accompanies the version for a description of the XML schema. See the "Exporting Attack Reports" section for more information.
file-server-name
The name of the network server on which you can save files. You must configure the network server using the file-server command.
The following example shows how to define an FTP server with the IP address 10.0.0.191, and then to configure the Guard to automatically export reports (in XML) at the end of an attack to that server:
user@GUARD-conf# file-server CorpFTP-Server "Corp's primary FTP server" ftp 10.0.0.191 /root/ConfigFiles <user> <password>user@GUARD-conf# export reports CorpFTP-ServerTo disable the automatic export of files to a network server, use the no form of the command.
Reloading the Guard
You can reload the Guard configuration without rebooting the machine by using the reload command.
For the following changes to take effect, you must reload the Guard:
•
•
•
•
Rebooting the Guard and Inactivating Zones
To reboot the Guard, enter the following command in global mode:
reboot
The default behavior of the Guard is to load all zones in an inactive operation state. Therefore, the Guard does not enable zone protection or the learning process after reboot, regardless of the zone operation state prior to the reboot.
To change the default behavior so that the Guard automatically activates zones that were active prior to the reboot process, enter the following command in configuration mode:
boot reactivate-zones
Caution
Shutting Down the Guard
A clean shutdown enables the Guard to save vital information.
To shut down the Guard, perform the following steps:
Step 1
poweroffStep 2
Step 3
The green power LED turns off.
Caution
Upgrading the Guard Software Version
To upgrade the Guard software version, perform the following steps:
Step 1
See the "Exporting the Configuration" section for more information.
Step 2
•
•
•
Step 3
Copy the software image to a directory that is accessible to FTP, SFTP or SCP.
Step 4
•
•
Because SFTP and SCP rely on SSH for secure communication, if you do not configure the key that the Guard uses before you enter the copy command with the sftp or scp option, the Guard prompts you for the password. See the "Configuring the Keys for SFTP and SCP Connections" section for more information on how to configure the key that the Guard uses for secure communication.
Table 13-5 provides arguments for the copy new-version command.
Step 5
install new-versionWhen you enter the install new-version command, the learning and the protection processes are deactivated.
Caution
Step 6
The following example shows how to copy a new software version file to the Guard, and then to upgrade the software version:
user@GUARD# copy ftp new-version 10.0.0.191 /home/Versions/R3.i386.rpm user <password>FTP in progress...user@GUARD# install new-version
.
.
.
Press Enter to close this CLI session.When you upgrade the software version, the Guard updates the self-protection configuration with a new one. We recommend that you do not overwrite the self-protection configuration with an older configuration, because the older configuration may not be compatible with the current version.
Burning a New Flash Version
You can burn a new flash version only when there is a mismatch between the current Common Firmware Environment (CFE) and the software release. A mismatch condition can occur when you update the Guard software.
When a CFE mismatch is detected, the Guard displays the following message when you enter the install new-version command (X denotes the old flash version and Y denotes the new flash version): "Bad CFE version (X). This version requires version Y."
Caution
To burn a new flash version, perform the following steps:
Step 1
flash-burnIf you try to burn a new flash version when the CFE and the Guard software versions match, the operation fails.
Step 2
reloadYou must enter the reload command after burning a new flash version. The Guard is not fully functional until you enter the reload command.
The following example shows how to burn a new flash version:
user@GUARD-conf# flash-burnPlease note: DON'T PRESS ANY KEY WHILE IN THE PROCESS!. . .Burned firmware successfullySYSTEM IS NOT FULLY OPERATIONAL. Type 'reload' to restart the systemRecovering a Lost Password
The Guard uses the root password to control root access. The root password is encrypted and can be only replaced by a new password.
To recover the root password, perform the following steps:
Step 1
Step 2
Step 3
The Guard displays the following prompt:
Lilo:Step 4
Cisco 1
Note
Step 5
The Guard enters the root prompt.
Step 6
The following example shows how to change the root password:
[root@GUARD root]# passwdChanging password for user root.New password: <new password typed in here>Retype new password: <new password typed in here>passwd: all authentication tokens updated successfully.Step 7
Resetting the Configuration to Factory Defaults
In certain situations, you may want to restore the Guard configuration to the original default factory settings, Resetting the configuration to factory defaults is useful when you want to remove an undesirable configuration in the Guard, if the configuration has become complex, or if you want to move the Guard from one network to another network. You can reset the Guard to the factory defaults and configure it as a new Guard.
We recommend that you back up the Guard configuration by using the copy running-config command before you reset it to the default factory settings. See the "Exporting the Configuration" section.
The inband interface configuration (eth0) is available until you reload the Guard.
Caution
To reset the Guard to the factory defaults settings, use the following command in configuration mode:
clear config all
The configuration change takes effect only after a reset.
The following example shows how to reset the Guard to the factory defaults settings:
user@GUARD-conf# clear config all
