Chalk Talk November

Quick Look at the Cisco IPS Sensor Initialized, Inline, and Managed

The task of deploying a network IPS (Intrusion Prevention System) device can be quite overwhelming for a network or security professional that hasn't done it before. The first and most important step in deploying a network IPS device is understanding the various modes and which mode applies to the deployment at hand. The following modes are supported on the Cisco IPS sensors:

  • Promiscuous Mode
  • Inline Interface Pair Mode
  • Inline VLAN Pair Mode
  • Inline VLAN Group Mode
  • Selective Inline Analysis Mode

All of these modes are discussed in great detail in the online configuration guides found on Cisco.com. In this article we'll first focus on the most commonly deployed Inline mode, which Is Inline Interface Pair Mode. Figure 1 shows an example at a high level of how an Inline VLAN Pair Mode is commonly deployed around the world today.


Figure 1: Inline VLAN Pair Mode Examples

Initialization

Before administrators/engineers can put the sensor in any mode or even manage it, they first must initialize the sensor. The steps below can also be found in the Cisco IPS Configuration guide on Cisco.com. It is highly recommended that administrators pay special attention to any notes found in the configuration guides in addition to the steps below.

  1. Log into the sensor via CLI (Command Line Interface). The default username and password are "cisco" (without quotations). It's important to note that the sensor will prompt you to change the default password, after which the basic setup begins.
  2. Enter the "setup" command (without quotations). The System Configuration Dialog is displayed.
  3. Specify the hostname, which is case sensitive and supports up to 64 characters (spaces are not supported). The default is sensor.
  4. Specify the IP interface in the form of IP Address/Netmask,Gateway.: X.X.X.X/nn,Y.Y.Y.Y,
  5. Enter "yes" to modify the network access list, and enter the IP address and netmask of the network you want to add to the access list. It's important to include the IP address or addresses that will be accessing the sensor via the IDM (IPS Device Manager), IME (IPS Manager Express), remote network, etc.
  6. DNS server or an HTTP proxy server for Global Correlation to work must be configured. This step can be done later if necessary too.
  7. Enter "yes" to modify the time or "no" so accept the default parameters.
  8. Enter "off", "partial", or "full" to participate in the SensorBase Network Participation followed by "yes" to participate in the SensorBase Network.
  9. Dialogue will scroll through reflecting these changes, at the end followed by the keyword "exit" there are three options [0 - 3], select option "2" to save the configuration.
  10. Select "yes" to reboot the sensor.

The sensor is now initialized and ready for further configuration.

Inline Interface Pair Mode

Now that the sensor is initialized, the sensor is now ready for interface configurations. The following steps were taken from the Cisco IPS Configuration Guide, and summarized for the purposes of this article.

  1. Assuming the administrator is logged into the sensor via CLI, type the "setup" command. The system configuration dialogue is displayed.
  2. Enter "3" to access advanced setup.
  3. Specify the Telnet server status, which is disabled by default.
  4. Specify the TCP port used by the web server, which is by default 443. Without this defined, the IME and IDM gui will not work.
  5. Enter "yes" to modify the interface and virtual sensor configuration and to see the current interface configuration.
  6. At the end of the output there are three options [0-2], select option 1 to edit the interface configuration.
  7. Enter "2" to add inline VLAN pairs and display the list of available interfaces.
  8. Enter "2" to add an inline VLAN pair to GigabitEthernet0/1.
  9. Enter a subinterface number and description.
  10. Enter numbers for VLAN 1 and 2, which in the examples would be VLANs 11 and 12. Press "Enter" to return to the available interfaces menu.
  11. At this point you can either configure another interface or press "Enter" to return to the top-level interface editing menu. Continue this step until the "Edit Interface Configuration" is one of the menu options.
  12. Enter "2" to edit the virtual sensor configuration.
  13. Enter "2" to modify the virtual sensor configuration, vs0. The virtual sensor configuration dialogue will be displayed.
  14. Enter "3" to add inline VLAN pair GigabitEthernet0/1:1
  15. Press "Enter" to return to the top-level virtual sensor menu followed by "Enter" again to return to the top-level interface and virtual sensor configuration menue.
  16. Enter "yes" if you want to modify the default threat prevention settings and "yes" again to disable automatic threat prevention on all virtual sensors.
  17. Press "Enter" to exit the interface and virtual sensor configuration. The configuration dialogue will be displayed again that was modified.
  18. Enter "2" to save the configuration.
  19. Enter "yes" to continue reboot.

The Cisco IPS sensor is now configured for Inline VLAN Pair Mode as the example in Figure 1 shows.

Managed

With the initial setup of the IPS completed above, further configuration, management, and monitoring can be done using the Cisco IPS Manager Express (IME). To download IME, go to the url www.cisco.com/go/ime and follow the instructions to install. After it is installed, complete the following steps:

  1. Launch the IME application and, once in the Home View, click on Devices > Device List and then on Add. The Add Device window is displyed.
  2. In the window, put in the required information in the following fields:
    1. Sensor name
    2. Sensor IP Address
    3. User Name
    4. Password
    5. Web Server Port

      Note: There are options to choose to connect using https or http. If you choose https, the sensor will present you with a certificate which, once you verify and accept, is stored locally for future use during connections to the Sensor. There are also options to pull in most recent events, specify a specific time interval, or exclude some events.
  3. After all the parameters have been entered, click OK. Figure 2 below shows the Add Device window pop-up from IME.


Figure2: Adding IPS Sensors to Cisco IME

Once connected, the Sensor is displayed in the Device list with information related to the Sensor such as Time, Device Name, IP Address, Device Type, Event Status, Sensor Health, Global Correlation Status, version, License Expiration, Load, Memory, CPU and Signature Version. More details can be obtained in the Device Details pane. This altogether provides information at a glance.

To get a detailed presentation of this information, from the Home View, click on Dashboards (Home > Dashboards > Dashboard) as shown in Figure 3 below:


Figure 3: Monitoring IPS Sensors using Cisco IME

The Health Dashboard and the Events Dashboard are pre-populated with Gadgets by default. More Gadgets can be added to either of the dashboards and a customizable dashboard can be added by clicking on Add Dashboard located next to Video Help in the top right of the Dashboard pane.

Conclusion

In this article we briefly discussed the Cisco IPS sensor and one of the most commonly deployed modes of operation. We also discussed a method of managing the sensor once it is deployed. The Cisco IPS sensor is quite versatile and isn't a one size fits all, so it's important to follow the best practices around discovery, design, planning, etc. As a best practice for any product deployment, review the data sheets, design guides, and configuration guides available on Cisco.com.

David Burns joined Cisco in July 2008 as a systems engineer working for a U.S.-based SP Mobility account. He came to Cisco from a large U.S.-based cable company, where he was a senior network and security design engineer. Dave has held various roles prior to joining Cisco during his 10-plus years in the industry, working in SP operations, SP engineering, SP architecture, enterprise IT, and United States military intelligence communications engineering. He is currently the lead systems engineer in a number of areas that include Femtocell, Datacenter, MTSO, and security architectures. He holds various sales and industry and Cisco technical certifications, including CISSP, CCSP, CCDP, and two associate-level certifications. Dave recently passed the CCIE Security written exam, and is currently preparing for the CCIE Security Lab. Dave earned his Bachelor of Science degree in telecommunications engineering technology from Southern Polytechnic State University, Georgia, where he currently serves as a member of the industry advisory board for the Computer & Electrical Engineering Technology School.

Odunayo Adesina, CCIE No. 26695 (Routing and Switching), is a systems engineer with Cisco in the U.S. commercial segment. In this role for over four years, Odunayo has worked with commercial customers in St. Louis, Missouri, to help develop their enterprise network architectures, which are typically a combination of borderless, collaboration, and virtualization solutions. He has more than 11 years of experience in the industry and holds various industry and Cisco certifications, including the CISSP No. 54152, CCSP, CEH, and VSP. He was one of the first few people who were CSS1 certified when the Cisco security certification was first developed. Prior to his role at Cisco, Odunayo worked with a large service provider as a network engineer, implementing and managing security, routing, and switching solutions, and later as security specialist, driving ISO 27001 compliance, developing and enforcing security polices for the enterprise. He also worked with Cisco partners, where he implemented solutions across many industry verticals. Odunayo holds a bachelor of technology degree in electronics and electrical engineering from Ladoke Akintola University of Technology.

CCNP Security IPS 642-627 Official Cert Guide

By David Burns, Odunayo Adesina, Keith Barker

ISBN-10: 1-58714-255-4
ISBN-13: 978-1-58714-255-0

Published: October 25, 2011
US SRP: $55.99

Published by Cisco Press.