Cisco Systems, Inc.
Cisco Intrusion Prevention System
IPS 7.0(4)E4 SERVICE PACK
July 22, 2010

Copyright (C) 2010 Cisco Systems, Inc.
All rights reserved.
Printed in the USA.

Cisco, Cisco Systems, and the Cisco Systems logo are registered trademarks of Cisco Systems, Inc. in the U.S. and certain other countries. All other trademarks mentioned in this document are the property of their registered owners.

========================================================================
Table Of Contents
========================================================================

SERVICE PACK NOTE
7.0(4)E4 SERVICE PACK UPDATE INSTRUCTIONS AND DETAILS
  - MINIMUM REQUIREMENTS
  - FILE LIST
  - SUPPORTED PLATFORMS
  - INSTALLATION USING THE CLI
  - INSTALLATION CAVEATS
  - RESOLVED ISSUES
  - NEW FEATURES
  - RESTRICTIONS
  - CSM UPDATE INSTRUCTIONS
  - CSM, AIM IPS, and NME IPS UPDATE INSTRUCTIONS

========================================================================
SERVICE PACK NOTE

This SERVICE PACK addresses the issues described in the RESOLVED ISSUES section of this document. This service pack is being used as a release vehicle to repair critical sensor failures.

This service pack contains the S500 signature level, but preserves any more recent signature levels installed on your sensor.

========================================================================
7.0(4)E4 SERVICE PACK UPDATE INSTRUCTIONS AND DETAILS

NOTE: You must have a valid maintenance contract per sensor to receive and use software upgrades, including signature updates, from Cisco.com.

MINIMUM REQUIREMENTS

To install the IPS-K9-7.0-4-E4.pkg, IPS-NME-K9-7.0-4-E4.pkg, or IPS-AIM-K9-7.0-4-E4.pkg service pack upgrade file, you must be running IPS version 5.1(6)E3 or later on your sensor.

NOTE: The IPS-AIM-K9-7.0-4-E4.pkg upgrade file can only be used to upgrade AIM IPS sensors. The IPS-NME-K9-7.0-4-E4.pkg upgrade file can only be used to upgrade NME IPS sensors.
For all other supported sensors, use the IPS-K9-7.0-4-E4.pkg upgrade file.

To see what version the sensor is currently running, log in to the CLI and execute the 'show version' command.

For detailed instructions on installing the service pack upgrade file, refer to "Upgrading, Downgrading, and Installing System Images," in Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 7.0, available at this URL:

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_installation_and_configuration_guides_list.html

FILE LIST

The following files are included as part of this release:

Readme
  - IPS-7_0-4-E4_readme.txt

Service Pack Upgrade Files
  - IPS-AIM-K9-7.0-4-E4.pkg
  - IPS-K9-7.0-4-E4.pkg
  - IPS-NME-K9-7.0-4-E4.pkg

7.0(4) System Image Files
  - IPS-4240-K9-sys-1.1-a-7.0-4-E4.img
  - IPS-4255-K9-sys-1.1-a-7.0-4-E4.img
  - IPS-4260-K9-sys-1.1-a-7.0-4-E4.img
  - IPS-4270_20-K9-sys-1.1-a-7.0-4-E4.img
  - IPS-IDSM2-K9-sys-1.1-a-7.0-4-E4.bin.gz
  - IPS-SSM_10-K9-sys-1.1-a-7.0-4-E4.img
  - IPS-SSM_20-K9-sys-1.1-a-7.0-4-E4.img
  - IPS-SSM_40-K9-sys-1.1-a-7.0-4-E4.img
  - IPS-AIM-K9-sys-1.1-a-7.0-4-E4.img
  - IPS-NME-K9-sys-1.1-a-7.0-4-E4.img

7.0(4) Recovery Image Files
  - IPS-K9-r-1.1-a-7.0-4-E4.pkg
  - IPS-AIM-K9-r-1.1-a-7.0-4-E4.pkg
  - IPS-NME-K9-r-1.1-a-7.0-4-E4.pkg

CSM Package Service Pack Upgrade Files
  - IPS-CS-MGR-AIM-K9-7.0-4-E4.zip
  - IPS-CS-MGR-K9-7.0-4-E4.zip
  - IPS-CS-MGR-NME-K9-7.0-4-E4.zip

SUPPORTED PLATFORMS

The following IPS/IDS platforms are supported:
  - IPS 4240 Series Appliance Sensor
  - IPS 4255 Series Appliance Sensor
  - IPS 4260 Series Appliance Sensor
  - IPS 4270 Series Appliance Sensor
  - IDSM2 for Catalyst 6500
  - AIP SSM-10 for ASA 5500
  - AIP SSM-20 for ASA 5500
  - AIP SSM-40 for ASA 5500
  - AIM IPS for ISR Router
  - NME IPS for ISR Router

The following platforms are no longer supported:
  - IDS-4210 Series Appliance Sensor
  - IDS-4215 Series Appliance Sensor
  - IDS-4235 Series Appliance Sensor
  - IDS-4250 Series Appliance Sensor
  - NM-CIDS for Cisco 26xx, 3660, and 37xx Router Families

The following platforms are not yet supported in Cisco IPS 7.0:
  - AIP SSC-5 for ASA 5500 series adaptive security appliances

NOTE: The AIP SSC-5 is currently only supported in Cisco IPS 6.2.

INSTALLATION USING THE CLI

NOTE: You must be logged on to Cisco.com using an account with cryptographic privileges to access the download site, and you must have a SMARTnet maintenance contract number to request software upgrades from Cisco.com.

NOTE: This service pack requires an automatic reboot of the sensor to apply the changes. Inline network traffic will be disrupted during the reboot.

To install the 7.0(4)E4 service pack using the CLI, follow these steps:

1. Download the file IPS-K9-7.0-4-E4.pkg to a local server. AIM IPS requires the platform-specific package IPS-AIM-K9-7.0-4-E4.pkg, and NME IPS requires the platform-specific package IPS-NME-K9-7.0-4-E4.pkg.

2. Log in to the CLI using an account with administrator privileges.

3. Type the following command to enter configuration mode:

   configure terminal

4. Type the following command to upgrade the sensor:

   sensor(config)# upgrade [URL]/IPS-K9-7.0-4-E4.pkg

   where [URL] is a uniform resource locator pointing to where the package is located. For example, to retrieve the update via FTP, type the following (the bracketed fields are placeholders for your own values):

   sensor(config)# upgrade ftp://<username>@<server-ip>//<directory>/IPS-K9-7.0-4-E4.pkg

   The available transport methods are SCP, FTP, HTTP, or HTTPS. Prefer SCP or HTTPS where the server supports them; FTP and HTTP send the login credentials and the package over the network in cleartext.

5. Enter the appropriate password when prompted.

6. To complete the upgrade, type yes when prompted.

7. The sensor reboots to finish applying the changes.

To determine whether the 7.0(4)E4 service pack has successfully been installed on a sensor, log in to the CLI and type 'show version' at the command prompt. The sensor will report the version as 7.0(4)E4, and the Upgrade History should include IPS-K9-7.0-4-E4.pkg.

INSTALLATION CAVEATS

The 7.0(4)E4 service pack cannot be uninstalled.
You must re-image the sensor using a system image file, which causes all configuration settings to be lost.

The install behavior of this service pack is that all executables, libraries, and so forth are replaced, but user configuration is preserved. The reason for this upgrade behavior change is that this service pack contains changes to libraries and drivers.

RESOLVED ISSUES

The following known issues have been resolved in the 7.0(4)E4 service pack release. Release notes can be viewed in Bug Navigator at the following URL:

http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl

Identifier   Headline
----------   -------------------------------------------------------------
CSCta45869   Enhance SMB-A Engine Functionality
CSCta96144   sensorApp terminates with core in updateTime (version 7.x)
CSCtb19915   Possible Reassembly Problem with SMB-Advanced Engine
CSCtb39179   SensorApp fails in TcpRootNode::expireNow()
CSCtg73897   SendAckLimiter: repair ReportInterval issue and improve stats collection
CSCtf04660   IPS: crash in Anomaly Detection getLearnedKnowledgeBase
CSCtg22175   fast retransmit ACK swaps mac address for multicast traffic
CSCtf78755   Too many event action filters corrupt rules0.xml and causes failure
CSCsy93579   SensorApp becomes memory critical over time.
CSCtg86008   Error message after running "show tech-support" or "cidDump"
CSCsz19556   7280.0 does not reliably alert
CSCth34460   Unhandled signal 8 results in application exit without core
CSCtd91982   Crash mainAPP aborted parsing CT name and idapi parameters
CSCtg17572   SMB-Advanced engine: some signatures do not fire correctly
CSCtg38568   IPS 4270 with 10Gig cards will not pass jumbo frames.
CSCtc25895   sensorApp processing (memory) failure under extreme traffic loads
CSCtc89228   F1 Control Plane error message on SSM
CSCth21612   SMB-Advanced engine: opcode parameter ignored
CSCtd67026   SSL/TLS Vulnerable to a Memory Exhaustion DOS Attack
CSCth53517   SMBAdvanced: UUID zero does not validate successful BIND
CSCtb58224   No mgmt communications after clearing and reconfiguring host config

NEW FEATURES

Version 7.0(4) has an enhancement that provides RADIUS AAA support. You can configure the IPS to use remote RADIUS servers to manage user accounts. This feature simplifies the operation of large IPS deployments.

For detailed information about the RADIUS feature and how to configure it from the CLI, refer to "Setting Up the Sensor," found in Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 7.0, available at this URL:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_setup.html

For IDM, refer to "Setting Up the Sensor," in Installing and Using Cisco Intrusion Prevention System Device Manager 7.0, available at this URL:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_setup.html

RESTRICTIONS

TACACS+ authentication is not supported in this version.

CSM UPDATE INSTRUCTIONS

To apply the 7.0(4)E4 service pack to sensor(s) using CSM 3.x, follow these steps:

1. Download the service pack ZIP file, IPS-CS-MGR-K9-7.0-4-E4.zip, to the /MDC/ips/updates directory.

2. Launch the IPS Update Wizard from Tools-->Apply IPS Update. Select Sensor Updates from the drop-down menu, and select the IPS-CS-MGR-K9-7.0-4-E4.zip file.

3. Click Next to go to the next screen.

4. Select the device(s) to apply the service pack to, then click Finish.

5. Create a deployment job and deploy to the sensor(s) using Deployment Manager. Deployment Manager can be launched from Tools-->Deployment Manager. Click Deploy in the popup and follow the instructions.
CSM, AIM IPS, and NME IPS UPDATE INSTRUCTIONS

AIM IPS and NME IPS require the following platform-specific packages: IPS-CS-MGR-AIM-K9-7.0-4-E4.zip for AIM IPS and IPS-CS-MGR-NME-K9-7.0-4-E4.zip for NME IPS. To update AIM IPS and NME IPS from CSM, select IPS-CS-MGR-K9-7.0-4-E4.zip in the Update File list box and click Next. The AIM IPS and NME IPS platform-specific upgrade packages do not appear in the list; however, CSM automatically applies the correct platform package to them.

=========================================================================
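The following is an added example, not part of this readme and not Cisco code. It scripts the two checks the CLI procedure above asks the operator to make by eye: before the upgrade, that the sensor runs 5.1(6)E3 or later (MINIMUM REQUIREMENTS) and that the package chosen matches the platform (AIM IPS, NME IPS, or everything else); after the reboot, that 'show version' reports 7.0(4)E4 and lists the package in its Upgrade History. It works on the text of 'show version' pasted from the sensor CLI. The field names it looks for ('Version', 'Platform:', 'Upgrade History:') are assumptions about the output format, and both sample outputs below are constructed, not captured from a real sensor.

```python
"""Pre-flight and post-reboot checks for the IPS 7.0(4)E4 service pack upgrade.

Added example; not part of the Cisco readme and not Cisco code. Operates on the
text of 'show version'. The two sample outputs are CONSTRUCTED for illustration;
the field names ('Version', 'Platform:', 'Upgrade History:') are assumed.
"""
import re
from typing import NamedTuple, Optional

# An IPS version string looks like 5.1(6)E3: major.minor(service pack)E<engine level>.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\((\d+)\)E(\d+)\b")
PLATFORM_RE = re.compile(r"^Platform:\s*(\S+)", re.MULTILINE)


class IpsVersion(NamedTuple):
    major: int
    minor: int
    sp: int       # service-pack number, the part in parentheses
    engine: int   # signature-engine level, the number after 'E'

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}({self.sp})E{self.engine}"


MIN_VERSION = IpsVersion(5, 1, 6, 3)     # readme: "5.1(6)E3 or later"
TARGET_VERSION = IpsVersion(7, 0, 4, 4)  # what 'show version' must report afterwards


def parse_version(text: str) -> Optional[IpsVersion]:
    """Return the first IPS version string found in text, or None."""
    m = VERSION_RE.search(text)
    return IpsVersion(*(int(g) for g in m.groups())) if m else None


def meets_minimum(current: IpsVersion) -> bool:
    """Field order (major, minor, sp, engine) makes tuple comparison correct:
    5.0(7)E9 is older than 5.1(6)E3 even though its engine level is higher."""
    return current >= MIN_VERSION


def platform_from_show_version(text: str) -> str:
    m = PLATFORM_RE.search(text)
    return m.group(1) if m else ""


def package_for_platform(platform: str) -> str:
    """The readme's rule: AIM IPS and NME IPS get their own packages, all others IPS-K9."""
    p = platform.upper()
    if "AIM" in p:
        return "IPS-AIM-K9-7.0-4-E4.pkg"
    if "NME" in p:
        return "IPS-NME-K9-7.0-4-E4.pkg"
    return "IPS-K9-7.0-4-E4.pkg"


def upgrade_command(show_version: str, url_base: str) -> str:
    """Build the 'upgrade' line for configure terminal mode (url_base is caller-supplied).
    Refuses to build it if the running version is below the readme's minimum."""
    current = parse_version(show_version)
    if current is None or not meets_minimum(current):
        raise ValueError(f"sensor runs {current}, needs {MIN_VERSION} or later")
    pkg = package_for_platform(platform_from_show_version(show_version))
    return f"upgrade {url_base.rstrip('/')}/{pkg}"


def verify_installed(show_version: str) -> bool:
    """Post-reboot check: version is 7.0(4)E4 and the package is in Upgrade History.
    The history entry is matched without its .pkg suffix so either spelling counts."""
    pkg = package_for_platform(platform_from_show_version(show_version))
    history = show_version.split("Upgrade History", 1)[-1]
    return parse_version(show_version) == TARGET_VERSION and pkg[:-len(".pkg")] in history


# Constructed, abridged 'show version' output from a 4240 before the upgrade.
SHOW_VERSION_BEFORE = """\
Application Partition:

Cisco Intrusion Prevention System, Version 6.2(2)E3

Signature Definition:
    Signature Update    S500.0   2010-07-09
Platform:               IPS-4240-K9
Sensor up-time is 12 days.

Upgrade History:

  IPS-K9-6.2-2-E3   09:15:02 UTC Tue Feb 2 2010
"""

# Constructed output after the reboot: new version line plus a new history entry.
SHOW_VERSION_AFTER = (SHOW_VERSION_BEFORE.replace("6.2(2)E3", "7.0(4)E4")
                      + "* IPS-K9-7.0-4-E4   16:55:51 UTC Thu Jul 22 2010\n")


if __name__ == "__main__":
    print(upgrade_command(SHOW_VERSION_BEFORE, "scp://<username>@<server-ip>//<directory>"))
    print("upgrade verified:", verify_installed(SHOW_VERSION_AFTER))
```

Run it against the real 'show version' text of each sensor before and after the maintenance window; the ValueError on an under-version sensor is the point at which you stop and upgrade to at least 5.1(6)E3 first instead of pushing the package.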