IDS Device Manager Sensor Setup



This chapter provides information for setting up the sensor.


Caution You must initialize the sensor before you can use the Device tab to further set up the sensor.

To initialize the sensor for the first time, use the setup command from the CLI. Refer to the following documents found on Cisco.com:

Quick Start Guide for the Cisco Intrusion Detection System Version 4.1

Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1


Note See the Cisco Intrusion Detection System (IDS) Hardware and Software Version 4.1 Documentation Guide that shipped with your sensor for information on how to obtain Cisco IDS 4.1 documents on Cisco.com.


After you have initialized the sensor, you can make any necessary changes from the Device tab.

The following sections describe how to configure system information through the Device tab:

Configuring Network Settings

Adding, Editing, or Deleting Allowed Hosts

Enabling Remote Access

Defining Authorized Keys

Generating a New Host Key

Configuring SSH Known Host Keys

Adding Trusted Hosts Certificates

Generating a Host Certificate

Server Certificate

Setting the Time

Correcting the Time

Adding Users

Configuring Network Settings

After you use the setup command to initialize the sensor, the parameter values appear on the Network Settings page. For the initialization procedure, refer to these documents found on Cisco.com:

Quick Start Guide for the Cisco Intrusion Detection System Version 4.1

Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1


Note See the Cisco Intrusion Detection System (IDS) Hardware and Software Version 4.1 Documentation Guide that shipped with your sensor for information on how to obtain Cisco IDS 4.1 documents on Cisco.com.


If you need to change these parameters, you can do so from the Network Settings page.


Note Only a user with administrator privileges can configure the network settings of the sensor.


To change the communication parameters of a sensor, follow these steps:


Step 1 Select Device > Sensor Setup > Network.

The Network Settings page appears.

Step 2 In the Host Name field, enter the name of the sensor.

The name of the sensor is a case-sensitive character string up to 256 characters. Numbers, "_" and "-" are valid, but spaces are not acceptable.

Step 3 In the IP Address field, enter the IP address of the sensor.

Step 4 In the Netmask field, enter the netmask for the sensor.

Step 5 In the Default Route field, enter the default route IP address for the sensor.

Step 6 Select the Enable TLS/SSL check box to enable TLS/SSL in the web server.

This option is enabled by default.


Note We strongly recommend that you enable TLS/SSL.



Note Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are protocols that enable encrypted communications between a web browser and a web server. When TLS/SSL is enabled, you connect to IDS Device Manager using https://sensor_ip_address. If you disable TLS/SSL, connect to the IDS Device Manager using http://sensor_ip_address:port_number.


Step 7 In the Web Server Port field, enter the TCP port used by the web server (1 to 65535), or select the Use Default Ports check box to use the default port.

The default port for http is 80. The default port for https is 443.


Note If you change the web server port, you must specify the port in the URL address of your browser when you connect to IDS Device Manager. Use the format https://sensor_ip_address:port (for example, https://10.1.9.201:1040).



Note To reset the form, click Reset.


Step 8 Click Apply to Sensor to save and apply your changes.


Note Changing the network settings may disrupt your connection to the sensor and force you to reconnect with the new address.



Adding, Editing, or Deleting Allowed Hosts

You can add a host or network that has permission to access this sensor through the network. You must add the management host, such as IDS MC or IDS Device Manager, and the monitoring host, such as IDS Security Monitor or IDS Event Viewer; otherwise, they cannot communicate with the sensor. You can edit the IP addresses and netmasks of specific hosts and delete hosts from the allowed list.


Note By default, only hosts on the 10.0.0.0 network are permitted access. If you delete the default network and you do not add any hosts to the list, no hosts are permitted.



Caution When adding, editing, or deleting allowed hosts, make sure that you do not delete the IP address used for remote management of the sensor.

To add, edit, or delete allowed hosts, follow these steps:


Step 1 Select Device > Sensor Setup > Allowed Hosts.

The Allowed Hosts page appears.

Step 2 Click Add.

The Adding page appears.

Step 3 In the IP Address field, enter the IP address of the host you are permitting access to the sensor.

Step 4 In the Netmask field, enter the netmask of the network or host you are permitting access to the sensor.


Note To reset the form, click Reset.


Step 5 Click Apply to Sensor to save and apply your changes.

The Allowed Hosts page appears again with the host information you entered.

Step 6 Select the check box next to any host that you want to edit.

The Editing page appears.

Step 7 Edit the IP Address or Netmask field.


Note To reset the form, click Reset.


Step 8 Click Apply to Sensor to save and apply your changes.

The Allowed Hosts page appears again showing the host information you changed.

Step 9 Select the check box next to any host that you want to delete.

Step 10 Click Delete.

The Allowed Hosts page shows that the host you just deleted is no longer in the list.


Caution All future network connections from the host that you deleted will be denied.
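The caution about not removing the management address can be checked before you click Apply to Sensor. The following is an added example, not part of the original guide: it tests a proposed allowed-hosts list against the hosts that must keep access. All addresses are constructed, and the 255.0.0.0 mask for the default 10.0.0.0 network is an assumption.

```python
import ipaddress


def parse_entries(entries):
    """Split (ip, netmask) form entries into valid networks and rejected entries."""
    networks, rejected = [], []
    for ip, mask in entries:
        try:
            # strict=False accepts a host address with a wider mask
            # (10.1.9.50 / 255.255.255.0) and normalises it to 10.1.9.0/24.
            networks.append(ipaddress.IPv4Network(f"{ip}/{mask}", strict=False))
        except ValueError:
            # Malformed address or non-contiguous netmask such as 255.0.255.0.
            rejected.append((ip, mask))
    return networks, rejected


def locked_out(entries, required_hosts):
    """Return the required hosts that no valid allowed-hosts entry covers."""
    networks, _ = parse_entries(entries)
    return [host for host in required_hosts
            if not any(ipaddress.IPv4Address(host) in net for net in networks)]


# Constructed sample data (not from the original page).
REQUIRED = ["10.1.9.50", "192.0.2.10"]   # management host, monitoring host
CURRENT = [("10.0.0.0", "255.0.0.0")]    # default 10.0.0.0 network; mask assumed
PROPOSED = [("10.1.9.50", "255.255.255.255"), ("192.0.2.0", "255.255.255.0")]

if __name__ == "__main__":
    for label, entries in (("current", CURRENT), ("proposed", PROPOSED),
                           ("proposed minus first entry", PROPOSED[1:])):
        print(label, "-> locked out:", locked_out(entries, REQUIRED) or "nobody")
```
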


Enabling Remote Access

You can enable or disable Telnet for remote access to the sensor.


Note Telnet is not a secure access service and therefore is disabled by default. However, SSH is always running on the sensor and it is a secure service.


To enable or disable Telnet, follow these steps:


Step 1 Select Device > Sensor Setup > Remote Access.

The Remote Access page appears.

Step 2 Select the Telnet check box to enable Telnet. Deselect the check box to disable Telnet.


Note To reset the form, click Reset.


Step 3 Click Apply to Sensor to save your changes.


Defining Authorized Keys

Each user who can log in to the sensor has a list of authorized keys compiled from each client the user logs in with. When using SSH to log in to the sensor, you can use RSA authentication rather than passwords.

You can define public keys for a client allowed to use RSA authentication to log in to the local SSH server. These keys are the public keys of all the SSH clients permitted access to the sensor.

Use an RSA key generation tool on the client where the private key is going to reside. Then, display the generated public key as a set of three numbers (Key Modulus Length, Public Exponent, Public Modulus) and enter those numbers in the fields below.


Note You must have operator or administrator privileges to configure SSH authorized keys.


To define public authorized keys, follow these steps:


Step 1 Select Device > Sensor Setup > Authorized Keys.

The SSH Authorized Keys page appears.

Step 2 Click Add.

The Adding page appears.

Step 3 In the ID field, enter a unique ID to identify the key.


Note The ID should be a 1 to 256-character string that uniquely identifies the authorized key. Numbers, "_", and "-" are valid. Spaces are not valid.


Step 4 In the Key Modulus Length field, enter an ASCII decimal integer from 511 to 2048.

The Key Modulus Length is the number of significant bits in the modulus. The strength of an RSA key relies on the size of the modulus. The more bits the modulus has, the stronger the key.

Step 5 In the Public Exponent field, enter an ASCII decimal integer from 3 to 4294967296.

The RSA algorithm uses the Public Exponent to encrypt data.

Step 6 In the Public Modulus field, enter an ASCII decimal integer x such that 2^(key-modulus-length - 1) < x < 2^(key-modulus-length).

The RSA algorithm uses the Public Modulus to encrypt data.


Note To reset the form, click Reset.


Step 7 Click Apply to Sensor to save your changes.

The SSH Authorized Keys page displays your entry.

Step 8 If you need to edit the values in the fields, select the check box next to the key you want to edit and click Edit.

The Editing page appears.

Step 9 Make your changes and click Apply to Sensor.


Generating a New Host Key

The server uses the SSH host key to prove its identity. Clients know they have contacted the correct server when they see a known key.

The sensor generates an SSH host key the first time it starts up. Use the Generate Key page to replace that key with a new key.


Note You must have administrator privilege to generate new host keys.


To generate a new SSH key for the sensor, follow these steps:


Step 1 Select Device > Sensor Setup > Generate Key.

The Generate Key page appears.

Step 2 Click Apply to Sensor to generate a new SSH key.

The following message appears:

The applied change required a system reset. It is recommended that you reboot the system now.

Step 3 Click Ok.

The System Control page appears.

Step 4 Select Reset from the menu and click Apply to Sensor.

A new host key is generated and the old host key is deleted.


Note The new key replaces the existing key, which requires you to update the known hosts tables on remote systems with the new host key so that future connections succeed. You can update the known hosts tables on remote systems from the Known Host Keys page. If the sensor is a master blocking sensor, you must update the known hosts table on the remote sensors that are sending blocks to the master blocking sensor.



Configuring SSH Known Host Keys

You must configure the SSH host public keys of the Network Access Controller (NAC) devices that the sensor manages. You must get each device to report its public key so that you have the information you need to configure the SSH Known Host Keys page. If you cannot obtain the public key in the correct format, use the ssh host-key ipaddress command.

Refer to the Cisco Intrusion Detection System Command Reference Version 4.1 found at Cisco.com for more information on the ssh host-key ipaddress command.


Note See the Cisco Intrusion Detection System (IDS) Hardware and Software Version 4.1 Documentation Guide that shipped with your sensor for information on how to obtain Cisco IDS 4.1 documents on Cisco.com.


To configure known host keys, follow these steps:


Step 1 Select Device > Sensor Setup > Known Host Keys.

The SSH Host Keys page appears.

Step 2 Click Add to add known host keys.

The Adding page appears.

Step 3 In the IP Address field, enter the IP address of the host you are adding keys for.

Step 4 In the Key Modulus Length field, enter an ASCII decimal integer from 511 to 2048.

The Key Modulus Length is the number of significant bits in the modulus. The strength of an RSA key relies on the size of the modulus. The more bits the modulus has, the stronger the key.

Step 5 In the Public Exponent field, enter an ASCII decimal integer from 3 to 4294967296.

The RSA algorithm uses the Public Exponent to encrypt data.

Step 6 In the Public Modulus field, enter an ASCII decimal integer x such that 2^(key-modulus-length - 1) < x < 2^(key-modulus-length).

The RSA algorithm uses the Public Modulus to encrypt data.


Note To reset the form, click Reset.


Step 7 Click Apply to Sensor to save your changes.

The Known Hosts Keys page displays your entry.
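Both the Authorized Keys and Known Host Keys forms take an RSA public key as three decimal numbers. The following is an added example, not part of the original guide: it assumes the key is available as an OpenSSH one-line `ssh-rsa` public key, extracts the three values, and checks them against the ranges stated in Steps 4 to 6. The sample key is a constructed number, not a real RSA key.

```python
import base64
import struct

# Field ranges as stated in Steps 4-6 of the procedures above.
BITS_RANGE = (511, 2048)
EXPONENT_RANGE = (3, 4294967296)


def _read_field(blob, offset):
    """Read one uint32-length-prefixed field from an SSH public key blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def rsa_fields_from_openssh(line):
    """Return (modulus_length, exponent, modulus) for an 'ssh-rsa <base64>' line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    key_type, off = _read_field(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key blob is not RSA")
    e_bytes, off = _read_field(blob, off)
    n_bytes, off = _read_field(blob, off)
    if off != len(blob):
        raise ValueError("unexpected trailing data in key blob")
    modulus = int.from_bytes(n_bytes, "big")
    return modulus.bit_length(), int.from_bytes(e_bytes, "big"), modulus


def check_form_values(bits, exponent, modulus):
    """List the ways the three numbers violate the form's stated ranges."""
    problems = []
    if not BITS_RANGE[0] <= bits <= BITS_RANGE[1]:
        problems.append("Key Modulus Length must be 511 to 2048")
    if not EXPONENT_RANGE[0] <= exponent <= EXPONENT_RANGE[1]:
        problems.append("Public Exponent must be 3 to 4294967296")
    if bits < 1 or not (1 << (bits - 1)) < modulus < (1 << bits):
        problems.append("Public Modulus must satisfy 2^(length-1) < x < 2^length")
    return problems


def _mpint(value):
    """Encode a positive integer as an SSH mpint (extra byte keeps it positive)."""
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw


# Constructed sample: a 1024-bit odd number standing in for a modulus.
# It is NOT a real RSA key; it only exercises the parsing and range checks.
SAMPLE_MODULUS = (1 << 1023) + 0xC15C0 * 2 + 1
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(
    struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint(SAMPLE_MODULUS)
).decode() + " admin@mgmt-host"

if __name__ == "__main__":
    bits, exponent, modulus = rsa_fields_from_openssh(SAMPLE_LINE)
    print("Key Modulus Length:", bits)
    print("Public Exponent:   ", exponent)
    print("Public Modulus:    ", modulus)
    print("Problems:", check_form_values(bits, exponent, modulus) or "none")
```

A key longer than 2048 bits parses correctly but is reported as out of range for the form, so check the result before typing the numbers in.
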


Adding Trusted Hosts Certificates

The Trusted Hosts page lists all trusted host certificates. You can add certificates by entering an IP address. IDS Device Manager retrieves the certificate and displays its fingerprint. If you accept the fingerprint, the certificate is trusted.

To add certificates of trusted hosts, follow these steps:


Step 1 Select Device > Sensor Setup > Trusted Host.

The Trusted Certificates page appears.

Step 2 Click Add to add a trusted host.

The Adding page appears.

Step 3 In the IP Address field, enter the IP address of the host you want to trust.


Note To reset the form, click Reset.


Step 4 Click Apply to Sensor to save your changes.

The host certificate is added to the list.

Step 5 Verify that the fingerprint is correct by comparing the displayed values with a securely obtained value, such as through direct terminal connection or on the console.

Step 6 If you find any discrepancies, delete the host certificate immediately by selecting the check box next to it and clicking Delete.


Generating a Host Certificate

You can generate a new self-signed X.509 certificate for the server. A certificate is generated when the sensor is first started. Use the Generate Host Certificate page to generate a new host certificate.


Caution The sensor's IP address is included in the certificate. If you change the sensor's IP address, you must generate a new certificate.

To generate a new host certificate, follow these steps:


Step 1 Select Device > Sensor Setup > Generate Host Certificate.

The Generate Server Certificate page appears.

Step 2 Click Apply to Sensor to generate a new certificate.

Step 3 Write down the new fingerprint. Later you will need it to verify what is displayed in your web browser when you connect, or when you are adding the sensor as a trusted host.


Server Certificate

The Server Certificate page shows the server's self-signed X.509 certificate fingerprint.

Setting the Time

You can define the time, time zone, and daylight savings time (DST) for the sensor.


Note In the evaluated configuration the sensor must utilize internal resources for time setting and keeping. You cannot use an NTP server. Use the no ntpServers ipAddress ip_address command (available from the service Host submenu) to disable the NTP server and use the clock set command to set the system time. See Common Criteria Evaluated Configuration for more information. See the Cisco Intrusion Detection System Command Reference Version 4.1 for more information on these commands.


To set the time, follow these steps:


Step 1 Select Device > Sensor Setup > Time.

The Time Settings page appears.

Step 2 In the Time field under Time Settings, enter the current time (hh:mm:ss).


Note Time indicates the time on the local host. To see the current time, click Refresh.



Caution If you accidentally specify the incorrect time, stored events will have the wrong time stamp. You must clear the events. See Correcting the Time for more information.

Step 3 In the Date field under Time Settings, enter the current date (mm:dd:yyyy).


Note Date indicates the date on the local host.


Step 4 In the Zone Name field under Standard Timezone, enter the local time zone to be displayed when summer time is not in effect.

The default value is UTC.

Step 5 In the UTC Offset field under Standard Timezone, enter the offset in minutes from UTC (mm).

The default value is 0.

Step 6 If you are using an NTP server to set the sensor's time, enter the NTP server's IP address in the NTP Server Server IP field.

Step 7 In the NTP Server Key field, enter the NTP server's key value.

Step 8 In the NTP Server Key ID field, enter the NTP server's key ID value (1 to 4294967295).


Note If you define an NTP server, the sensor's time is set by the NTP server. The CLI clock set command will produce an error, but time zone and daylight saving time parameters are valid.


Step 9 Select Enabled under Daylight Savings Time to enable daylight savings time.

The default is Off.

Step 10 In the DST Zone Name field, enter the name of the zone (text 1 to 32 characters) to be displayed when summer time is in effect.

Step 11 In the Offset field, enter the number of minutes to add during the summer time (mm).

The default is 60 minutes.

Step 12 In the Start Time field, enter the time (hh:mm) to apply the DST setting.

The default is 02:00.

Step 13 In the Stop Time field, enter the time (hh:mm) to remove the DST setting.

The default is 02:00.

Step 14 Select the Recurring radio button under Daylight Savings Time Duration to indicate that summer time should start and end on the specified days every year.

The default is Off.

Step 15 In the Start Week/Day/Month field under Daylight Savings Time Duration enter the week (1-5, last), day (Sunday-Saturday), and month (January-December) of the year to apply the DST.

The default is 1, Sunday, April.

Step 16 In the End Week/Day/Month field under Daylight Savings Time Duration enter the week (1-5, last), day (Sunday-Saturday), and month (January-December) of the year to remove DST.

The default is last, Sunday, October.

Step 17 Select the Date radio button under Daylight Savings Time Duration to indicate that summer time should start on a specific date.

Step 18 In the Start field enter the month, date, and year (mm:dd:yyyy) to start DST.

Step 19 In the End field enter the month, date, and year (mm:dd:yyyy) to stop DST.


Note To reset the form, click Reset.


Step 20 Click Apply to Sensor to save the settings.


Correcting the Time

If you set the time incorrectly when you first configure the options in the Time page, your stored events will have the incorrect time because they are stamped with the time the event was created.

The event store time stamp is always based on UTC time. If during the original sensor setup, you set the time incorrectly by specifying 8:00 p.m. rather than 8:00 a.m., when you do correct the error, the corrected time will be set backwards. New events might have times older than old events.

For example, if during the initial setup, you configure the sensor as central time with daylight saving time enabled and the local time is 8:04 p.m., the time is displayed as 20:04:37 CDT and has an offset from UTC of -5 hours (01:04:37 UTC, the next day). A week later at 9:00 a.m., you discover the error: the clock shows 21:00:23 CDT. You then change the time to 9:00 a.m. and now the clock shows 09:01:33 CDT. Because the offset from UTC has not changed, it requires that the UTC time now be 14:01:33 UTC, which creates the time stamp problem.

To ensure the integrity of the timestamp on the event records, you must clear the event archive of the older events. Use the clear events command. Refer to the Cisco Intrusion Detection System Command Reference Version 4.1 for more information on the clear events command.


Note You cannot remove individual events.


Adding Users

IDS Device Manager permits only one user to log in at a time. If another user tries to log in, a message says the first user is logged in. If the second user has equal or greater privileges than the first user, he or she can force a login, but this logs out the first user. If the first user is forced out, all unsaved changes are lost. Only a user with higher or equal privileges can force a login.

You can create and remove users from the local sensor. There are four types of users:

Viewers—Can view configuration and events, but cannot modify any configuration data except their user passwords.

Operators—Can view everything and can modify the following options:

Signature tuning (priority, disable or enable)

Assignment of virtual sensor configuration to interface groups

Managed routers

Their user passwords

Administrators—Can view everything and can modify all options that operators can modify in addition to the following:

Sensor addressing configuration

List of hosts allowed to connect as configuring or viewing agents

Assignment of physical sensing interfaces to interface groups

Enable or disable control of physical interfaces and interface groups

Add users and passwords

Service—Only one user with service privileges can exist on a sensor. The service user cannot log in to IDS Device Manager. The service user logs in to a bash shell rather than the CLI.


Note The service role is a special role that allows you to bypass the CLI if needed. Only one service account is allowed. You should only create an account with the service role at the direction of the TAC for troubleshooting purposes.


To add users, follow these steps:


Step 1 Select Device > Sensor Setup > Users.

The Users page appears.

Step 2 Click Add to add a user.

The Adding page appears.

Step 3 In the User Name field, enter the new username (1 to 16 alphanumeric characters long).

Step 4 In the Password field, enter the password associated with that user.

Passwords must be at least eight characters long and be strong, that is, not be a dictionary word.

Step 5 In the Password Again field, enter the password again.

Step 6 Select one of the following roles for the user from the User Role list box:

Viewer

Operator

Administrator

Service


Note To reset the form, click Reset.


Step 7 Click Apply to Sensor to save your changes.