Installing Management Center for IDS Sensors 1.2 and Monitoring Center for Security 1.2
Bootstrapping an IDS Sensor Running Cisco Intrusion Detection System Version 3.x Software

Table of Contents

Bootstrapping an IDS Sensor Running Cisco Intrusion Detection System Version 3.x Software
Determining When to Bootstrap an IDS 3.x Sensor
Sensor Configuration Worksheet
Bootstrapping an Existing IDS 3.x Sensor
Bootstrapping a New IDS 3.x Sensor
Verifying Network Connectivity for an IDS 3.x Sensor

When you use IDS MC to manage an IDS Sensor running Cisco Intrusion Detection System (IDS) version 3.x software, you might need to bootstrap the sensor so that the CiscoWorks Server can communicate with it. The bootstrapping procedure you must perform depends on whether you are adding a sensor to your network or you are installing a CiscoWorks Server on a network where a sensor is already running.

To connect to a new IDS 3.x sensor and configure its initial settings, you must assemble the sensor and connect the monitor and keyboard or the laplink cable and console. Then, complete the procedure in Bootstrapping a New IDS 3.x Sensor.

Use the following examples to determine whether you must bootstrap an existing IDS 3.x sensor:

  • You are replacing a CiscoWorks Server with a new CiscoWorks Server. In this case, you do not need to bootstrap the sensor as long as the new CiscoWorks Server uses the same communications parameters—such as IP address, Host ID, and Org ID—as the previous CiscoWorks Server.
  • You are adding a new CiscoWorks Server to an existing network, and you want to manage a sensor that is already running on the network. In this case, you must bootstrap the sensor. Refer to Bootstrapping an Existing IDS 3.x Sensor.

The following sections describe the prerequisites for bootstrapping sensors on your network. You must bootstrap a sensor to make sure that IDS MC can communicate with the sensor and has administrative privileges.

Determining When to Bootstrap an IDS 3.x Sensor

You must always bootstrap a new IDS 3.x sensor. If you have an existing sensor on your network, use the nrconns command to verify that communications are established between the CiscoWorks Server and the sensor.


Note   You must have Security Monitor installed on the server to perform this procedure.

To use the nrconns command to verify that communications are established on the sensor, follow these steps:


Step 1   Log in to the sensor as user netrangr.

Step 2   Type more /usr/nr/var/errors.* to scan through the NetRanger error log files.

Step 3   Type nrstatus to display a list of running services.

The following services should be running: loggerd, sapd, postofficed, and fileXferd.

Step 4   Type nrconns to display the connection status for the sensor.

If the CiscoWorks Server has not been configured on the sensor, the output of the nrconns command should indicate communication failure:

<Director_Host_Name>.<Director_Org_Name> Connection 1: <Director_IP_Address> 45000 1 [SynSent] sto:5000 syn NOT rcvd!

If communications are established on the sensor, the nrconns command displays the following:

<Director_Host_Name>.<Director_Org_Name> Connection 1: <Director_IP_Address> 45000 1 [Established]

If the nrconns command indicates communication failure, you must bootstrap the sensor. For more information, see Bootstrapping an Existing IDS 3.x Sensor.
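
The check in Steps 3 and 4 can be scripted against captured command output. The following is an added example, not part of the Cisco procedure: the host names and addresses are constructed, the nrconns line layout follows the two samples above, and the nrstatus check assumes each running service is listed by name, because the page does not show nrstatus output.

```shell
#!/bin/sh
# Constructed samples in the two line layouts shown above.
SAMPLE_FAIL='director1.exampleorg Connection 1: 192.0.2.10 45000 1 [SynSent] sto:5000 syn NOT rcvd!'
SAMPLE_OK='director1.exampleorg Connection 1: 192.0.2.10 45000 1 [Established]'

# classify_nrconns: reads nrconns output on stdin, prints
# "<host>.<org> <director_ip> <state>" per connection line, and returns 0
# only when at least one connection is listed and all are Established.
classify_nrconns() {
    awk '
        / Connection [0-9]+: / {
            state = "Unknown"
            if (match($0, /\[[A-Za-z]+\]/))
                state = substr($0, RSTART + 1, RLENGTH - 2)
            print $1, $4, state
            total++
            if (state != "Established") bad++
        }
        END { exit ((total > 0 && bad == 0) ? 0 : 1) }
    '
}

# bootstrap_needed: prints "yes" when the nrconns output on stdin shows any
# connection that is not Established (or no connection at all), else "no".
bootstrap_needed() {
    if classify_nrconns >/dev/null; then echo no; else echo yes; fi
}

# missing_services: reads nrstatus output on stdin and prints the expected
# services that are absent. Assumption: each running service appears by
# name as a whole word; the real nrstatus layout is not shown on the page.
missing_services() {
    status=$(cat)
    missing=""
    for svc in loggerd sapd postofficed fileXferd; do
        printf '%s\n' "$status" | grep -qw "$svc" || missing="$missing $svc"
    done
    printf '%s\n' "${missing# }"
}

printf '%s\n' "$SAMPLE_FAIL" | classify_nrconns || echo "bootstrap required"
```

On a sensor, pipe the real command output into the functions, for example `nrconns | bootstrap_needed`.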





Sensor Configuration Worksheet

This worksheet contains questions about your IDS 3.x sensor and your network. Write the answer to each question in the corresponding box. Then, as you perform the procedure for the sysconfig-sensor setup command, refer to the values you entered in the worksheet to help you specify the parameters.


Note   The sensor configuration values are case-sensitive.

Menu/Parameter Reference, Question, Answer:

[1] What is the IP address of the sensor?
    Answer:

[2] What is the netmask of the sensor?
    Answer:

[3] What is the hostname of the sensor?
    Answer:

[4] What is the IP address of the default router on the LAN with the sensor?
    Answer:

[5] What are the IP addresses of the hosts and networks (including the CiscoWorks Server) that should have access to the sensor via Telnet, FTP, and TFTP?
    Answer:

[6] What are the values for the following communications parameters?

  • Sensor Host ID—A unique numeric identifier for the sensor. The expected value is a whole number between 1 and 65535.
  • Sensor Organization ID—A unique numeric identifier for a collection of sensors. The expected value is a whole number between 1 and 65535.
  • Sensor Host Name—A logical name associated with the host ID (not the IP hostname). We recommend that you use only lowercase letters.
  • Sensor Organization Name—A logical name associated with the Sensor Organization ID. We recommend that you use only lowercase letters.
  • CiscoWorks Server IP Address—The IP address of your CiscoWorks Server.
  • CiscoWorks Server Host ID—A unique numeric identifier for the CiscoWorks Server. This value must match the value that was specified when CiscoWorks Server was installed.
  • CiscoWorks Server Host Name—A logical name associated with the CiscoWorks Server Host ID. This value must match the value that was specified when CiscoWorks Server was installed.

    Answer:

[7] What is the date/time and time zone for this sensor?
    Answer:

[8] What are the new passwords for users root and netrangr?
    Answer: For security purposes, do not record your passwords in this worksheet.

[9] For IPSec, you must supply the following values:

  • What is the Security Parameter Index (SPI) for default inbound configuration?
  • If you use custom keys, what are the values for the following inbound and outbound configurations?
    • Cipher Key
    • Authentication Key

    Answer:
 


Bootstrapping an Existing IDS 3.x Sensor

If you install a new CiscoWorks Server on an existing network where an IDS 3.x sensor is running, you must bootstrap the sensor. After you complete the bootstrapping task, the CiscoWorks Server can communicate with the sensor.

To bootstrap a sensor that is running on your network, follow these steps:


Step 1   Log in to the sensor as user root.

Step 2   Type sysconfig-sensor at the command prompt.

The following IDS Sensor Initial Configuration Utility menu appears:

IDS Sensor Initial Configuration Utility

Choose a value to configure one of the following parameters:

1-IP Address
2-IP Netmask
3-IP Hostname
4-Default Route
5-Network Access Control
6-Communications Infrastructure
7-System Date, Time and Time Zone
8-Passwords
9-Secure Communications
x-Exit

Step 3   Select 6 - Communications Infrastructure. Then, change the Host ID, Org ID, and IP address for the "Director" to the values of the new CiscoWorks Server. Use the values you entered in the Sensor Configuration Worksheet to help you set the sensor parameters.

For a detailed explanation of the IDS Sensor Initial Configuration Utility menu, refer to the Cisco Secure Intrusion Detection System Sensor Configuration Note (current version).





Bootstrapping a New IDS 3.x Sensor

When you add an IDS version 3.x sensor to your network, you must bootstrap the sensor so that the CiscoWorks Server can communicate with it.

To bootstrap a new sensor, follow these steps:


Step 1   Log in to the sensor as user root.

Step 2   Type sysconfig-sensor at the command prompt.

The following IDS Sensor Initial Configuration Utility menu appears:

IDS Sensor Initial Configuration Utility

Choose a value to configure one of the following parameters:

1-IP Address
2-IP Netmask
3-IP Hostname
4-Default Route
5-Network Access Control
6-Communications Infrastructure
7-System Date, Time and Time Zone
8-Passwords
9-Secure Communications
x-Exit

Step 3   To configure the sensor, select each number and enter the appropriate information. Use the values you entered in the Sensor Configuration Worksheet to help you set the sensor parameters.


Note    You must set each parameter on the IDS Sensor Initial Configuration Utility menu. The sensor has default values defined for some parameters; however, the default values most likely will not work for your environment. Certain parameters must be unique for each sensor, so errors might result if you use the default values for multiple sensors on your network. Therefore, we recommend that you set each parameter to make sure that they are valid for your specific deployment.

Step 4   If you change any parameter that requires a system reboot, the sensor reboots.

For a detailed explanation of the IDS Sensor Initial Configuration Utility menu, refer to the Cisco Secure Intrusion Detection System Sensor Configuration Note (current version).





Verifying Network Connectivity for an IDS 3.x Sensor

Test network connectivity if you cannot reach the sensor from the CiscoWorks Server. You can perform this task at any time to make sure that the sensor is running on the network and that the CiscoWorks Server can communicate with it.

The following task tests network connectivity for a sensor. It confirms that the sensor is connected to the network and is reachable, both so that it can be bootstrapped and so that the CiscoWorks Server that will manage it can reach it.

To test connectivity for a sensor, follow these steps:


Step 1   Open a command prompt.

Step 2   To verify that the CiscoWorks Server can ping the sensor, type ping at the command prompt, followed by a space and then the IP address of the control interface the CiscoWorks Server connects to for command distribution.

If the ping attempt is successful, the CiscoWorks Server receives a response from the IP address that you pinged. Proceed with Step 3. If the ping is unsuccessful, a request timeout message appears. Skip to Step 4.

Step 3   If the ping attempt is successful, try to Telnet from the CiscoWorks Server to another device on your network.

Step 4   If the ping attempt is unsuccessful, perform the following tests:

a. Verify that the sensor is not down.

b. Verify that the sensor and the CiscoWorks Server are physically connected to the network.

c. Verify that an existing security policy is not denying Telnet access to the sensor.

If you cannot confirm connectivity for command distribution, you must bootstrap the sensor to ensure that it has a basic configuration that enables it to receive commands from the CiscoWorks Server.