Using Update Files
Using update files involves updating IPS sensor software versions and signature release levels. It encompasses updating both servers and sensors, and it extends to updates that include minor update files, service pack update files, update patch files, and signature update files. Management Center for IPS Sensors (IPS MC) provides a choice of manual and automatic methods for obtaining and updating files on your servers and sensors as newer files become available:
•
Manual download with manual update
•
Automatic download with manual update
•
Automatic download with automatic update
Note
The automatic update feature operates only when you also have the automatic download feature configured to operate.
Cisco Systems periodically releases updates of sensor software versions and signature release levels for all types of its Cisco Intrusion Prevention System sensors, which include sensor appliances, IPS modules, network modules, and IOS IPS devices. Cisco Systems recommends that you check for new releases and perform regular updates of sensor software versions and signature release levels on sensors that you have deployed. This also applies to your IPS MC and Monitoring Center for Security (Security Monitor) servers.
When using IPS MC, you can update the server and any sensors, or group of sensors, that you select. When using Security Monitor, you can use the information contained in this section to update the Security Monitor server but not the sensors; sensors are not (and cannot be) updated through Security Monitor.

Caution 
We strongly discourage updating sensor software versions and signature release levels in a direct session to an individual sensor if you manage that sensor with IPS MC. Instead, you should use the procedures found here to perform updates through the IPS MC. If you have changed the configuration of a sensor, or updated a sensor, outside IPS MC, we recommend that you delete that sensor from your configuration and then add it to your configuration from within IPS MC. Updating sensor software in a direct session to an individual sensor (instead of by performing an update through the IPS MC) results in the rejection of the SSH fingerprint for that sensor because IPS MC is not involved in a session to an individual sensor. For more information on detecting and addressing sensor changes made outside of the IPS MC (out-of-band or OOB changes), see Chapter 7, "Monitoring Sensor Health".

Tip
Check the time on your IPS sensor if you are having trouble updating your IPS sensor software. If the time on the sensor is ahead of the time on the associated certificate, the certificate is rejected, and the sensor software update may fail.
You should understand the numbering system used for sensor software versions and signature release levels. For example:
•
4.1(4)S117—A 4.x sensor appliance or switch module or network module is operating with sensor software version 4.1, service pack 4, signature release level 117.
•
5.0(2)S135.0—A 5.x sensor appliance is operating with sensor software version 5.0, service pack 2, signature release level 135.0.
•
S117—An IOS IPS device is operating with signature release level 117.
You should also understand the sensor and signature update files:
•
Cisco periodically releases updates of sensor software versions and signature release levels for its IPS sensors in the form of update files that are compressed (.zip). IPS MC works with these compressed files directly; you should not extract anything from them.
Update files with the extension of .zip are used by IPS MC to update 4.x sensors and 5.x sensors.
•
There are four types of sensor and signature update files:
–
Major update files—In major update files, used for 5.x devices, "maj" is contained in the filename. You cannot use the automatic update feature to apply major update files.
–
Minor update files—In minor update files, used for 5.x devices, "min" is used in the filename.
–
Service pack update files—In service pack update files, the letters "sp" precede the version number for 4.x devices. When these update files are applied, they change the version number of a sensor. Service pack update files contain executable code; they affect the actual micro-engine software on the sensor. They also contain signature updates.
Service pack update files are not available for IOS IPS devices; instead, you should install Cisco IOS updates as required.
–
Signature update files—Signature update filenames contain the letters "sig" before the version number for 4.x devices. Signature update files contain newly released signatures but not executable code. Signature update files contain signature updates for IOS IPS devices.
Note
The four file types listed above refer only to sensor and signature update file types and are distinct from other update files, such as a patch or upgrade to the IPS MC software.
•
By inspecting the name of an update file, you can identify the device type (sensor appliance or IDSM), type of update (service pack or signature), version number, and signature release level. For example, the file IDS-K9-sp-4.1-4-S91.zip has the following characteristics:
–
IDS-K9—Applies to a sensor appliance.
–
sp—Contains a service pack update. Service pack updates include signature updates.
–
4.1—Applies to sensor software version 4.1.
–
4—Applies to Service Pack 4.
–
S91—Contains signature release level 91.
–
zip—The file is compressed but should not be extracted.
•
Update files are applied in different ways:
–
Service pack update files must be applied individually and sequentially. For 4.x devices, service pack update files can move major and minor version numbers. But for 5.x devices, service pack update files change the service pack number.
–
Signature update files do not need to be applied individually because they are cumulative. That is, a given revision level contains all signatures from previous levels. Signature update files can be applied only to sensors operating with the same version number, or with the same version number plus service pack designation. Signature update files can be applied only to sensors that are not already operating at that file's signature revision level.
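The naming and applicability rules above can be checked before anything is applied. The following is an added example, not code from Cisco or IPS MC: it parses the version strings and the update file name layout shown in this section, then reports which sensors a signature update file is eligible for. It assumes that "sig" files use the same field order as the page's one "sp" example, and it takes the stricter reading that both version number and service pack must match; the second and third file names and all sensor addresses are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Version strings as shown on the page: 4.1(4)S117, 5.0(2)S135.0, S117 (IOS IPS).
VERSION_RE = re.compile(r"(?:(\d+\.\d+)\((\d+)\))?S(\d+(?:\.\d+)?)")
# File name layout taken from the page's example IDS-K9-sp-4.1-4-S91.zip.
# Assumption: "sig" files use the same field order as that "sp" example.
FILE_RE = re.compile(r"(.+)-(sp|sig)-(\d+\.\d+)-(\d+)-S(\d+(?:\.\d+)?)\.zip")


@dataclass(frozen=True)
class SensorVersion:
    software: Optional[str]      # "4.1"; None for an IOS IPS device
    service_pack: Optional[int]  # 4; None for an IOS IPS device
    sig_level: str               # "117"


@dataclass(frozen=True)
class UpdateFile:
    name: str
    device: str        # "IDS-K9" means sensor appliance (from the page)
    kind: str          # "sp" or "sig"
    software: str
    service_pack: int
    sig_level: str


def parse_sensor_version(text):
    """Parse a sensor version string; raise ValueError if it is malformed."""
    m = VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError("unrecognised sensor version: %r" % text)
    software, sp, sig = m.groups()
    return SensorVersion(software, int(sp) if sp is not None else None, sig)


def parse_update_file(name):
    """Return an UpdateFile, or None if the name does not fit the layout."""
    m = FILE_RE.fullmatch(name)
    if m is None:
        return None
    device, kind, software, sp, sig = m.groups()
    return UpdateFile(name, device, kind, software, int(sp), sig)


def sig_update_applies(update, sensor):
    """Return (eligible, reason) for one update file and one sensor."""
    if update.kind != "sig":
        return False, "service pack files are applied individually, in sequence"
    if sensor.software is None:
        return False, "IOS IPS device: file naming not covered by this example"
    # Stricter reading of the page: version AND service pack must match.
    if (sensor.software, sensor.service_pack) != (update.software, update.service_pack):
        return False, "sensor version or service pack differs from the file's"
    if sensor.sig_level == update.sig_level:
        return False, "sensor already operates at this signature level"
    return True, "eligible"


def audit(filenames, sensors):
    """Map each file name to the eligible sensors; None marks a name that
    does not fit the documented layout and should be reviewed by hand."""
    report = {}
    for name in filenames:
        update = parse_update_file(name)
        if update is None:
            report[name] = None
            continue
        report[name] = [
            host for host, version in sensors.items()
            if sig_update_applies(update, parse_sensor_version(version))[0]
        ]
    return report


# Constructed sample data (only the first file name appears on the page).
SAMPLE_FILES = ["IDS-K9-sp-4.1-4-S91.zip", "IDS-K9-sig-4.1-4-S117.zip", "notes-archive.zip"]
SAMPLE_SENSORS = {
    "192.0.2.11": "4.1(4)S91",
    "192.0.2.12": "4.1(4)S117",
    "192.0.2.13": "4.1(3)S80",
}

if __name__ == "__main__":
    for name, hosts in audit(SAMPLE_FILES, SAMPLE_SENSORS).items():
        print(name, "->", "UNRECOGNISED NAME" if hosts is None else hosts)
```

The None entries matter most with the Local Server download option, which fetches every .zip file whether or not it is a valid update file.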
To perform updates, you must have access to the appropriate server:
•
You must have access to the IPS MC server if you want to update IPS MC or a sensor.
•
You must have access to the Security Monitor server if you want to update Security Monitor.
•
If you have installed IPS MC and Security Monitor on the same server, you must have access to that server if you want to update IPS MC, a sensor, or Security Monitor.
Note
After updating sensor software versions and signature release levels, you cannot revert to the previous version or level using the IPS MC.
For information on using Signature Definition Files (SDFs) to update IOS IPS devices, see Using Signature Definition Files (SDFs) in IOS IPS Devices, page 5-127.
This chapter contains the following topics:
•
Determining Sensor Version and Signature Level of the IPS MC Server
•
Determining Your Sensor Software Version
•
About Signature License Management
–
Displaying Signature License Information
–
Updating Signature License Information
–
Setting the General Settings for License Manager
•
Procedures for File Updating
–
Manually Determining the Availability of and Downloading New Signature Files
–
Downloading Update Files Automatically
–
Administering Automatic Application of Update Files
–
Manually Applying Updates
–
Verifying Signature Updates
•
Comparing Signature Versions
Determining Sensor Version and Signature Level of the IPS MC Server
Use this procedure to determine the sensor software version and signature release level that your IPS MC server is operating with. For a Security Monitor server, this procedure is not available, but it is not necessary.
To determine your sensor version and signature level on the IPS MC server, follow these steps:
Step 1
In IPS MC, select Devices.
The Devices page appears.
Step 2
Refer to the last four lines on the Devices page to determine the sensor software version and signature release level that your IPS MC server is operating with. For example, the last four lines may appear as follows:
Latest signature level of IDS 4.x 4.1(4)S117
Latest signature level of IPS 5.x S181.0
Latest signature level of IOS IPS S117
Latest secondary signature level v1.0
The version listings correspond to your IPS MC server; therefore, all four may not appear.
Determining Your Sensor Software Version
Use this procedure to determine the sensor software version that a sensor is operating with.
To determine the software version on a sensor, follow these steps:
Step 1
In IPS MC, select Devices > Sensor.
The Sensor page appears.
Step 2
In the Sensor page, position your mouse over the sensor whose sensor software version you want to determine.
The sensor software version of the sensor appears in the tool tip.
About Signature License Management
Cisco Intrusion Prevention System 5.x sensors require a valid signature subscription license key to be present; without such a key, signature updates cannot be performed. The signature subscription license key is available to you on Cisco.com. It is indexed by the serial number of the 5.x device.
You must have a valid/current service contract to retrieve a license key. If you do not have a valid contract, you can obtain a trial license key (by email only). You can update the signature subscription license key manually or automatically.
Manually, you can update the key by logging in to Cisco.com, supplying the serial number of the device, copying the license key that is supplied to you, and then pasting the key to the device.
Automatic update of the key is available in IPS MC, along with related signature license management tasks: (1) a display of the current license status of the device and (2) an automatic check for a new license on Cisco.com when the installed license is near expiration. During an automatic update, IPS MC connects to Cisco.com and transfers the key to the 5.x device.
Whether you update your keys manually or automatically, you can display signature license information in IPS MC on the License Management page.
This section contains the following topics:
•
Displaying Signature License Information
•
Updating Signature License Information
•
Setting the General Settings for License Manager
Displaying Signature License Information
The License Information page displays signature license information.
Also on the License Information page, you can update signature license information. For more information, see Updating Signature License Information.
To display signature license information, follow these steps:
Step 1
Select Admin > License Management.
Step 2
In the Object Selector, select the 5.x device, or group of 5.x devices, for which you want to display signature license information.
The Object Selector closes, and the Object bar displays the 5.x device that you selected in the Object Selector.
Step 3
In the TOC, select License Information.
The License Information page appears.
The License Manager supports only 5.x devices, but you can hide other devices on the License Information page by selecting the Hide non-supported sensors by License Manager check box. IOS IPS and 4.x devices are not supported.
For the 5.x device or 5.x group that you selected in Step 2, the License Information page displays the following fields:
•
Sensor IP—The IP address of the sensor.
•
Sensor Version—The full identification of the sensor software version and signature release level. For example, 5.0(0)S129.
•
Serial Number—The product serial number for the device that you selected in Step 2.
•
Status—The status of the license for the device that you selected in Step 2. For example, expiredLicense.
•
Expires—Expiration date of the license. For example, Fri Dec 31 18:00:00 CST 2004.
Updating Signature License Information
On the License Information page, you can configure IPS MC to update signature subscription license keys automatically, instead of manually, and to perform additional tasks for you.
You can update one or more keys. Email or HTTPS, depending on the option that you choose, is used to transfer the keys.
You must store the key or keys in a specific directory: For Windows 2000 and 2003 platforms, this directory is CSCOpx\MDC\etc\ids\license.
The file used to store the key or keys must be named according to a specific convention: For Windows 2000 and 2003 platforms, the convention is <ip_address>.email.key.
Also on the License Information page, you can view signature license information. For more information, see Displaying Signature License Information.
To update signature license information, follow these steps:
Step 1
Select Admin > License Management.
Step 2
In the Object Selector, select the 5.x device, or group of 5.x devices, for which you want to update signature license information.
The Object Selector closes, and the Object bar displays the 5.x device that you selected in the Object Selector.
Step 3
In the TOC, select License Information.
Note
The License Manager supports only 5.x devices. You can hide other devices on the License Information page by selecting the Hide non-supported sensors by License Manager check box. IOS IPS and 4.x devices are not supported.
The License Information page appears.
Step 4
Select the check box of each 5.x device for which you want to update license information.
Step 5
Do one of the following:
a.
To obtain updated license information by email, click the Update key(s) via email check box.
Note
You must save the email attached key(s) in the format: <ip_address>.email.key to the directory <CSCOpx>\MDC\etc\ids\license before updating key(s) via email.
b.
To obtain updated license information by Cisco Connection Online (CCO), click the Get new key(s) via CCO check box.
The IPS MC License Manager connects to CCO to obtain new keys and update the 5.x devices that you selected. The process will take some time, depending on the speed of your connection to Cisco.com and the complexity of your network.
Note
Email can be used to put license keys into the special directory by using the first option in this step. However, Get new key(s) via CCO does not use email; it uses HTTPS.
Step 6
To verify that your update was successful, view your signature license information. For more information, see Displaying Signature License Information.
Setting the General Settings for License Manager
You can set general settings for the IPS MC License Manager that apply to all License Manager operations, rather than to specific devices or groups.
To set the general settings for License Manager, follow these steps:
Step 1
Select Admin > License Management.
Step 2
On the License Management page, select General Settings.
The General Settings page appears, displaying the License General Settings box.
Step 3
Choose how you want to handle automatic retrieval of a new signature subscription license key if the license expires during the next 30 days. Either select or deselect the Enable automatic retrieval for new license on CCO (with license expiring within 30 days) check box.
Step 4
Choose how you want to handle automatic retrieval of a signature subscription license key if the license is invalid. Either select or deselect the Enable automatic retrieval for license on CCO (with invalid license) check box.
Step 5
If you selected the check box in Step 4, select a corresponding Retrieval Interval—one day, one week, or one month—from the list box.
Step 6
Click Apply.
If you enabled automatic retrieval in Step 3, the IPS MC License Manager performs automatic retrieval at 12:00 midnight local time every day. (You cannot change the retrieval time.)
If you enabled automatic retrieval in Step 4, the IPS MC License Manager performs automatic retrieval as follows:
•
If you selected one day in the Retrieval Interval list box, the IPS MC License Manager performs automatic retrieval at 2:00 a.m. local time every day. (You cannot change the retrieval time.)
•
If you selected one week in the Retrieval Interval list box, the IPS MC License Manager performs automatic retrieval at 2:00 a.m. local time every Sunday. (You cannot change the retrieval time or day.)
•
If you selected one month in the Retrieval Interval list box, the IPS MC License Manager performs automatic retrieval at 2:00 a.m. local time on the first day of each calendar month. (You cannot change the retrieval time or date.)
Procedures for File Updating
This section details the variety of manual and automatic methods IPS MC provides to determine availability of update files, download the update files, and apply them to your sensors.
This section contains the following topics:
•
Manually Determining the Availability of and Downloading New Signature Files
•
Downloading Update Files Automatically
•
Administering Automatic Application of Update Files
•
Manually Applying Updates
•
Verifying Signature Updates
Manually Determining the Availability of and Downloading New Signature Files
We recommend that you regularly check the Cisco Systems Software Center (Downloads) for updates of sensor software versions and signature release levels.
Tip
You can subscribe to the Cisco IDS Active Update Notification to receive emails informing you of the most recent update files.
Update files are explained in detail earlier in this chapter, Chapter 8, "Using Update Files". Each update file has a readme file associated with it to provide additional details.
To manually determine the availability of, and download, new signature files, follow these steps:
Step 1
If you are not already registered with Cisco.com and authorized for Cisco Secure IDS Strong Crypto software, register with Cisco.com at http://www.cisco.com and log in.
Step 2
Navigate to www.cisco.com > [log in] > Technical Support > Downloads > CiscoWorks Software > VPN/Security Management Solution > Management Center for IDS Sensors > IPS MC Application Files.
Tip
Use this download location for both IPS MC and Security Monitor.
Step 3
Click the name of an update file to download it.
If you are not already authorized to download Cisco Secure IDS Strong Crypto Software, you are prompted to submit an application. The approval process typically takes a few hours.
The Software Download page appears.
Step 4
Download the update file to ~CSCOpx/mdc/etc/ids/updates on the server.
Note
Do not change the name of the update file. Also, do not extract (unzip) or otherwise perform operations on the update file.
Downloading Update Files Automatically
Cisco Systems periodically releases updates of sensor software versions and signature release levels for all types of its Cisco Intrusion Prevention System sensors—sensor appliances, IPS modules, network modules, and IOS IPS devices. Cisco Systems recommends that you check for and perform regular updates of sensor software versions and signature release levels on sensors that you have deployed. This also applies to your IPS MC and Security Monitor servers. Using this procedure, you can download signature updates automatically.
For information on automatically applying signature updates and other update files, see Administering Automatic Application of Update Files.
To download update files automatically, follow these steps:
Step 1
Select Admin > System Configuration.
Step 2
In the TOC, select Auto Download IPS Updates.
The Auto Download IPS Updates page appears.
Step 3
Select the radio button corresponding to the location that you want to download from:
•
Cisco.com
The Cisco.com download option requires that you understand the following information: Normally, for security reasons, your network operation center does not have direct access to the Internet. This means that IPS MC and Security Monitor servers in your NOC cannot connect to Cisco.com unless you use a proxy server. The Automatic Signature Download page allows you to specify the IP address, port, username and password for a proxy server. You must point to a server that provides access to the Internet and to Cisco.com.
Tip
The proxy server sits between the IPS MC and Security Monitor servers and the Internet. HTTP traffic sent between the IPS MC and Security Monitor servers and Cisco.com must pass through it.
•
Local Server
The Local Server download option has a caveat: The Apache server specified as the local server must include the mod_autoindexing module.
Note
If you select the Local Server download option, all files with the extension of .zip are downloaded, even if they are not valid signature update files.
Step 4
Enter the CCO username and CCO password that are to be used as credentials for downloading the signature update file.
Tip
To import the Cisco.com credentials that are associated with your CiscoWorks username, click Import My Ciscoworks CCO Login at the bottom of the page. Doing so retrieves the Cisco.com username, password, and email address from the CiscoWorks database for the logged-in user.
Step 5
If you want to check for available downloads daily, select the Check every day at (HH:mm:ss) check box and enter a time in 24-hour format.
Step 6
Select the radio button corresponding to how you want to configure the server connection: Check and Download or Check only.
Step 7
Review the Last Checked at and Last time downloaded fields to determine when IPS MC last checked for, and when it last downloaded, available downloads.
Step 8
If you want to enable the IPS MC to automatically apply updates to its database, select the Enable auto update MC: checkbox.
Step 9
Complete the Proxy Server area:
a.
If you want to use a proxy server, select the Enable check box and proceed to Step b. Otherwise, skip to Step 9.
b.
In the Address field, enter the IP address of the proxy server.
c.
In the Port field, enter the port that IPS MC uses to connect to the proxy server.
d.
In the User Name field, enter a username that is valid on the proxy server.
e.
In the Password field, enter the password corresponding to the username entered in the previous step.
Step 10
To save your changes, click Apply.
Step 11
To check for available downloads immediately, click Check Now.
Administering Automatic Application of Update Files
IPS MC enables you to automatically apply update files to selected sensors and groups of sensors. There are two levels of automatic file updating:
•
Signature Updates—Automatically applies updated signature files to selected sensors and groups.
•
All Updates—Automatically applies all update files (with the exception of major updates) to selected sensors and groups. These update files may include signature files, patches, service packs, and minor updates.
Note
You cannot use the Auto Apply IPS Update feature if you have not configured automatic downloading. For information on the automatic downloading of signature updates and other update files, see Downloading Update Files Automatically.
To administer the settings for the application of automatic updates, follow these steps:
Step 1
Select Admin > System Configuration.
Step 2
In the TOC, select Auto Apply IPS Updates.
The Auto Apply IPS Updates page appears.
Step 3
Select the checkbox to the left of the group(s) or sensor(s) for which you want to set automatic update settings.
Tip
You can click the Selection tab to view only the groups and sensors you currently have selected.
Step 4
Do one of the following:
a.
To enable automatic signature updates for the selected group(s) or sensor(s), click Apply SigUpdate. (This choice activates the automatic application of signature file updates only.)
b.
To enable all automatic updates (including signatures, patches, service packs, and minor upgrades) for the selected group(s) or sensor(s), click Apply All Other Updates.
Note
Major updates cannot be handled through automatic updates.
c.
To turn off automatic updates for the selected group(s) or sensor(s), click Disable.
Automatic file updates are applied as configured. The status (as Disabled, Enable Sigupdate, or Enable All Updates) of each group or sensor you've changed is updated and displayed to the right of its icon.
Manually Applying Updates
IPS MC enables you to apply signature update files to your sensors either manually or automatically. For information on the automatic updating process, see TBD. You can use this procedure, part of the overall manual update process, to apply updates that were previously downloaded to your server to one or more sensors.
Note
If you don't have automatic updating configured, you should regularly check the Cisco Systems Software Center (Downloads) to determine whether a new signature update file is available. For more information, see Manually Determining the Availability of and Downloading New Signature Files.
Tip
If you have installed IPS MC and Security Monitor on the same host, your Security Monitor server will be updated when you update your IPS MC server.
To manually apply signature update files, follow these steps:
Step 1
In IPS MC, select Configuration > Updates.
Step 2
From the TOC, select Update Network IDS/IPS Signatures > Submit.
The Update Network IDS/IPS Signatures page appears, showing all update files, if any, that have been downloaded to ~CSCOpx/mdc/etc/ids/updates on the server where you have installed IPS MC.
Note
You can select Update Network IDS/IPS Signatures > Pending in the TOC to edit or delete pending signature updates.
Step 3
Select an update file from the Update File list, and then click Apply.
If the update file does not apply to any devices in your IPS MC installation, the Update Summary page appears and states that the update file will be applied to IPS MC only, and not to any devices.
If the update file does apply to at least one device in your IPS MC installation, the Select Sensors to Update page appears. The Select Sensors to Update page displays all the sensors (in any group) that can be updated using the update file you selected, presuming that your server has established communications with them; however, you must select only devices that follow a prescribed update path.
Step 4
Click Next.
The Enter Root Password page appears.
Step 5
Enter the valid root password for each sensor. Enter each password a second time to confirm it.
Step 6
Click Next.
The Update Summary page appears. This page describes the update that is about to be applied.
Step 7
Click Finish.
The sensors you selected, if any, are updated using the update file that you chose earlier. In addition, the server where you installed IPS MC is updated. If you have installed Security Monitor on the server where you have installed IPS MC, this procedure updates the server operations that apply to Security Monitor; more specifically, this procedure supplies Security Monitor with the names of new signatures and an NSDB reference for them; sensors are not (and cannot be) updated through Security Monitor. The update process may take several minutes, depending upon the size and complexity of your network and its traffic. However, the update process is performed by a separate thread, so the Update Network IDS/IPS Signatures page appears again almost immediately.
Step 8
Verify that the update was successful. For more information, see Verifying Signature Updates. The update process may take several minutes, depending upon the size and complexity of your network and its traffic.
Verifying Signature Updates
Use this procedure to verify that your signature update was successful.
To verify a signature update, follow these steps:
Step 1
For a server, see Determining Sensor Version and Signature Level of the IPS MC Server or use the Progress Viewer, an icon for which is available on every page of IPS MC.
Step 2
For a sensor, see Determining Your Sensor Software Version or use the Progress Viewer, an icon for which is available on every page of IPS MC.
Comparing Signature Versions
Beginning with version 2.0 of the IPS MC, you can compare signature versions that are on two different devices.
The following field is found on the Compare Signature Versions page:
•
Signature Version—A valid Cisco IPS signature version. The IPS MC must contain at least one device at the signature level chosen.
To compare signature versions, follow these steps:
Step 1
Select Configuration > Updates.
Step 2
In the TOC, select Compare Signature Versions.
The Compare Signature Versions page appears.
Step 3
Select two signature versions to compare.
Step 4
Click Show Difference.
The Results page appears. The Results page lists signatures that are contained in the first signature version that you selected but not in the second signature version that you selected, and vice versa.
The Signature ID column contains hyperlinks to the NSDB.
Beginning with version 2.2 of the IPS MC, OPACL signatures are listed; they are identified by a Signature ID of 50000. (OPACL signatures are pushed to the sensor by the Incident Control server.) Also beginning with version 2.2, signature "V" aspects for IOS IPS devices are listed. (A signature "V" aspect change indicates that an outbreak prevention service signature update has been applied.)