IDS Device Manager


This chapter provides information for installing and getting started with IDS Device Manager version 4.1.

This chapter contains the following sections:

Advisory

Common Criteria Evaluated Configuration

Introducing IDS Device Manager

Getting Started

Advisory

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer, and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute, or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return the enclosed items immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at the following website: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance, contact us by sending email to export@cisco.com.

Common Criteria Evaluated Configuration

Cisco IDS version 4.1 has been evaluated against the Intrusion Detection System Protection Profile, V1.4, February 4, 2002 using the Common Criteria Evaluation and Validation Scheme found at the following site: http://niap.nist.gov/cc-scheme/.

If you intend to use Cisco IDS version 4.1 in the evaluated configuration, you must refer to the Common Criteria notes and guidelines found throughout this document.


Caution The intent of this section is not to fully describe the evaluated configuration or to explain all the steps required to place your sensor in the evaluated configuration. Instead, you should be familiar with the evaluated configuration and know how to place the sensor in that configuration before referring to the notes and guidelines in this section.


Note The evaluated configuration assumes that you have physical access to and control of the sensor.


Introducing IDS Device Manager

IDS Device Manager is a web-based application that allows you to configure and manage your sensor. The web server for IDS Device Manager resides on the sensor. You can access it through Netscape or Internet Explorer web browsers.

The IDS Device Manager user interface consists of a Path Bar, TOC, Options bar, tabs, page, tools, Activity bar, Instructions box, and Object bar.

Tools—found in the upper right corner of each page—has the following options:

Logout—Logs the current user out of IDS Device Manager allowing other users to log in without forcing the login.

If you have unsaved changes, you are notified and given the option to cancel the operation or continue and discard the changes.

Help—Opens the online help in a new window.

NSDB—Opens the Network Security Database in a new window.

About—Displays the IDS Device Manager version and copyright information in a new window.

To configure the sensor, click each of the four tabs (Device, Configuration, Monitoring, and Administration) and work through the configuration of each tab. Menus for each tab appear in the TOC.

New configurations do not take effect until you click Apply to Sensor on the page you are configuring. Click Reset to discard current changes and return settings to their previous state for the panel.

Getting Started

The following sections describe information that you must know before getting started with IDS Device Manager.

System Requirements

Installing IDS Device Manager

Connecting and Logging into IDS Device Manager

IDS Device Manager and Cookies

IDS Device Manager and Certificates

System Requirements

The following web browsers are compatible with IDS Device Manager:

Netscape (version 4.79 or later)

Internet Explorer (version 5.5 Service Pack 2 or later)


Note Although other browsers may work with IDS Device Manager 4.0, we only support the listed browsers.


The web browsers run on the following operating systems:

Windows NT 4.0 Service Pack 6

Windows 2000 Professional and Server

Solaris SPARC version 2.7

Solaris SPARC version 2.8

Installing IDS Device Manager

The IDS Device Manager is part of the version 4.1 sensor. IDS Device Manager is enabled by default to use SSL after you initialize the sensor with the setup command. For the initialization procedure for setting up the sensor to communicate with the IDS Device Manager, refer to the following documents found on Cisco.com:

Quick Start Guide for the Cisco Intrusion Detection System Version 4.1

Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1


Note See the Cisco Intrusion Detection System (IDS) Hardware and Software Version 4.1 Documentation Guide that shipped with your sensor for information on how to obtain Cisco IDS 4.1 documents on Cisco.com.


Connecting and Logging into IDS Device Manager

IDS Device Manager allows a single user to log in at a time.

To connect and log into the IDS Device Manager, follow these steps:


Step 1 Open a web browser and enter the sensor IP address (the IDS Device Manager is already installed on the version 4.1 sensor):

https://sensor_ip_address 

https://10.1.9.201 is the default address, which you change to reflect your network environment when you initialize the sensor. For the procedure for initializing the sensor using the setup command, refer to the following documents found on Cisco.com:

Quick Start Guide for the Cisco Intrusion Detection System Version 4.1

Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1


Note See the Cisco Intrusion Detection System (IDS) Hardware and Software Version 4.1 Documentation Guide that shipped with your sensor for information on how to obtain Cisco IDS 4.1 documents on Cisco.com.


Step 2 Type your username and password at the prompt.


Note The default username and password are both cisco. You were prompted to change the password during sensor initialization.



IDS Device Manager and Cookies

IDS Device Manager uses cookies to track sessions, which provides a consistent view. IDS Device Manager uses only session cookies (temporary), not stored cookies.


Caution IDS Device Manager does not work if your browser does not accept IDS Device Manager cookies.

If accepting cookies is an issue for you, we recommend that you try the following procedures:

Enable only session cookies, but no stored cookies.

Most browsers allow stored and session cookies to be enabled or disabled separately.

Accept only cookies that originate from IDS Device Manager.

Most cookie filtering products allow you to filter cookies by originator.

View the IDS Device Manager cookie to verify that no personal information is stored in the cookie.

IDS Device Manager cookies contain only a randomly generated value that is used by the web server to bind your request to your session.

IDS Device Manager and Certificates

This section contains these topics:

Explaining Certificates

Validating the Certificate Fingerprint for Netscape

Validating the Certificate Fingerprint for Internet Explorer

Explaining Certificates

IDS version 4.1 contains a web server that is running the IDS Device Manager. To provide security, this web server uses an encryption protocol known as Transport Layer Security (TLS), which is closely related to the Secure Sockets Layer (SSL) protocol. When you enter a URL into the web browser that starts with https://ip_address, the web browser responds by using either the TLS or SSL protocol to negotiate an encrypted session with the host.


Caution The web browser initially rejects the certificate presented by IDS Device Manager because it does not trust the certification authority (CA).


Note IDS Device Manager is enabled by default to use TLS/SSL. You can disable it by selecting Device > Sensor Setup > Network and deselecting TLS/SSL. See Configuring Network Settings, page 2-2 for more information.


The process of negotiating an encrypted session in TLS is called "handshaking," because it involves a number of coordinated exchanges between client and server. The server sends its certificate to the client. The client performs the following three-part test on this certificate:

1. Is the issuer identified in the certificate trusted?

Every web browser ships with a list of trusted third-party CAs. If the issuer identified in the certificate is among the list of CAs trusted by your browser, the first test is passed.

2. Is the date within the range of dates during which the certificate is considered valid?

Each certificate contains a Validity field, which is a pair of dates. If the date falls within this range of dates, the second test is passed.

3. Does the common name of the subject identified in the certificate match the URL hostname?

The URL hostname is compared with the subject common name. If they match, the third test is passed.

When you direct your web browser to connect with IDS Device Manager, the certificate that is returned fails the first test because the sensor issues its own certificate (the sensor is its own CA) and the sensor is not already in the list of CAs trusted by your browser.

When you receive an error message from your browser, you have three options:

Disconnect from the site immediately.

Accept the certificate for the remainder of the web browsing session.

Add the issuer identified in the certificate to the list of trusted CAs of the web browser and trust the certificate until it expires.

The most convenient option is to permanently trust the issuer. However, before you add the issuer, use out-of-band methods to examine the fingerprint of the certificate. This prevents you from being victimized by an attacker posing as a sensor. Confirm that the fingerprint of the certificate appearing in your web browser is the same as the one on your sensor.


Caution If you change the organization name or hostname of the sensor, a new certificate is generated the next time the sensor is rebooted. The next time your web browser connects to IDS Device Manager, you will receive the manual override dialog boxes. You must perform the certificate fingerprint validation again for Netscape and Internet Explorer.

Validating the Certificate Fingerprint for Netscape

To use Netscape to validate the certificate fingerprint, follow these steps:


Step 1 Open a web browser and enter the sensor IP address to connect to the IDS Device Manager:

https://sensor_ip_address

The New Site Certificate panel appears.

Step 2 Click Next, and then click More Info.

The View A Certificate panel appears.

Step 3 Connect to the sensor in one of the following ways:

Connect a terminal to the console port of the sensor

Use a keyboard and monitor directly connected to the sensor

Telnet to the sensor

Connect through Secure Shell (SSH)

Step 4 Enter the following command:

# fingerprint[/usr/nr/idsRoot/etc/cert/mytestca.cer]
MD5 fingerprint: 24:7D:10:51:F7:3F:EE:20:2F:8C:91:95:19:A1:E0:6B
SHA-1 fingerprint: 26:DA:FD:BF:EE:52:53:EF:56:64:F0:5C:30:D6:82:30:61:1D:A0:DD

Step 5 Compare the MD5 fingerprint with the value displayed in the View A Certificate panel.

You have validated that the certificate that you are about to accept is authentic.


Caution If the fingerprints do not match, you need to determine why. Make sure you are connected to the correct IP address for the sensor. If you are connected to the correct IP address and the fingerprints do not match, this could indicate that your sensor may have been compromised.

Step 6 Click OK to close the View A Certificate panel.

Step 7 Click Next and click the Accept this certificate forever (until it expires) radio button.

Step 8 Click Next twice, and then click Finish.


Validating the Certificate Fingerprint for Internet Explorer

To use Internet Explorer to validate the certificate fingerprint, follow these steps:


Step 1 Open a web browser and enter the sensor IP address to connect to the IDS Device Manager:

https://sensor_ip_address

The Security Alert panel appears.

Step 2 Click View Certificate.

The Certificate panel appears.

Step 3 Click the Details tab.

Step 4 Scroll down the list to find Thumbprint and select it.

You can see the thumbprint in the text field.


Note Leave the Certificate panel open.


Step 5 Connect to the sensor in one of the following ways:

Connect a terminal to the console port of the sensor

Use a keyboard and monitor directly connected to the sensor

Telnet to the sensor

Connect through SSH

Step 6 Enter the following command:

# fingerprint[/usr/nr/idsRoot/etc/cert/mytestca.cer]
MD5 fingerprint: 24:7D:10:51:F7:3F:EE:20:2F:8C:91:95:19:A1:E0:6B
SHA-1 fingerprint: 26:DA:FD:BF:EE:52:53:EF:56:64:F0:5C:30:D6:82:30:61:1D:A0:DD

Step 7 Compare the SHA-1 fingerprint with the value displayed in the open Certificate thumbprint text field.

You have validated that the certificate that you are about to accept is authentic.


Caution If the fingerprints do not match, you need to determine why. Make sure you are connected to the correct IP address for the sensor. If you are connected to the correct IP address and the fingerprints do not match, this could indicate that your sensor may have been compromised.

Step 8 Click the General tab.

Step 9 Click Install Certificate.

The Certificate Import Wizard appears.

Step 10 Click Next.

The Certificate Store dialog box appears.

Step 11 Select Place all certificates in the following store, and then click Browse.

The Select Certificate Store dialog box appears.

Step 12 Click Trusted Root Certification Authorities, and then click OK.

Step 13 Click Next, and then click Finish.

The Root Certificate Store dialog box appears.

Step 14 Click Yes, and then click OK.

Step 15 Click OK to close the Certificate dialog box.

Step 16 Click Yes to open IDS Device Manager.
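
The fingerprint comparison in the Netscape procedure (MD5) and the Internet Explorer procedure (SHA-1) can be scripted so that separator and case differences do not hide or fake a match. The following Python sketch is an added example, not part of the Cisco documentation; the function names, the spaced lowercase thumbprint format, and the stand-in certificate bytes are assumptions for illustration.

```python
import hashlib
import re

# Sensor console output as printed in the fingerprint step on this page.
SENSOR_OUTPUT = """\
MD5 fingerprint: 24:7D:10:51:F7:3F:EE:20:2F:8C:91:95:19:A1:E0:6B
SHA-1 fingerprint: 26:DA:FD:BF:EE:52:53:EF:56:64:F0:5C:30:D6:82:30:61:1D:A0:DD
"""
ALGOS = {"MD5": ("md5", 32), "SHA-1": ("sha1", 40)}  # hashlib name, hex length


def normalize(fp: str, algo: str) -> str:
    """Strip separators and case so colon, space and bare-hex forms compare equal."""
    hexstr = re.sub(r"[\s:.-]", "", fp).lower()
    if len(hexstr) != ALGOS[algo][1] or re.search(r"[^0-9a-f]", hexstr):
        raise ValueError(f"not a complete {algo} fingerprint: {fp!r}")
    return hexstr


def parse_sensor_output(text: str) -> dict:
    """Extract {'MD5': hex, 'SHA-1': hex} from the sensor's fingerprint output."""
    pairs = re.findall(r"(MD5|SHA-1) fingerprint:\s*([0-9A-Fa-f:]+)", text)
    return {algo: normalize(value, algo) for algo, value in pairs}


def der_fingerprint(der: bytes, algo: str) -> str:
    """A fingerprint is the digest of the certificate's DER bytes, colon-separated."""
    digest = hashlib.new(ALGOS[algo][0], der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_sensor(browser_value: str, algo: str, sensor_text: str) -> bool:
    """True only if the browser's full-length value equals the sensor's value."""
    sensor = parse_sensor_output(sensor_text).get(algo)
    try:
        return sensor is not None and normalize(browser_value, algo) == sensor
    except ValueError:  # a truncated or mistyped value never counts as a match
        return False


if __name__ == "__main__":
    # Constructed browser value: thumbprint typed as spaced lowercase hex.
    ie = "26 da fd bf ee 52 53 ef 56 64 f0 5c 30 d6 82 30 61 1d a0 dd"
    print("IE thumbprint matches sensor:", matches_sensor(ie, "SHA-1", SENSOR_OUTPUT))
    print("Altered value matches:", matches_sensor(ie.replace("26", "27", 1), "SHA-1", SENSOR_OUTPUT))
    print(der_fingerprint(b"constructed stand-in for DER bytes", "SHA-1"))
```

A partial value, such as the first few bytes read aloud over the phone, is rejected rather than treated as a match, which is the failure mode a manual comparison is most prone to.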