Cisco Systems, Inc.
Cisco Intrusion Prevention System
IPS 7.1(3)E4 SERVICE PACK

Copyright (C) 2012 Cisco Systems, Inc. All rights reserved.
Printed in the USA.

Cisco, Cisco Systems, and the Cisco Systems logo are registered trademarks of
Cisco Systems, Inc. in the U.S. and certain other countries. All other
trademarks mentioned in this document are the property of their registered
owners.

========================================================================
Table Of Contents
========================================================================

SERVICE PACK NOTE

7.1(3)E4 SERVICE PACK UPDATE INSTRUCTIONS AND DETAILS
- MINIMUM REQUIREMENTS
- FILE LIST
- SUPPORTED PLATFORMS
- INSTALLATION USING THE CLI
- INSTALLATION CAVEATS
- RESOLVED ISSUES
- RELEVANT ISSUES NOT RESOLVED
- NEW FEATURES
- RESTRICTIONS

========================================================================
SERVICE PACK NOTE

This service pack addresses the issues described in the RESOLVED ISSUES
section of this document. It is being used as a release vehicle to repair
critical sensor failures, and also to add the functionality described in the
NEW FEATURES section of this document.

This service pack contains the S605 signature level, but preserves any more
recent signature level installed on your sensor.

This service pack introduces 7 new IPS platforms:
- ASA 5512-X IPS SSP
- ASA 5515-X IPS SSP
- ASA 5525-X IPS SSP
- ASA 5545-X IPS SSP
- ASA 5555-X IPS SSP
- IPS 4345
- IPS 4360

========================================================================
7.1(3)E4 SERVICE PACK UPDATE INSTRUCTIONS AND DETAILS

NOTE: You must have a valid maintenance contract per sensor to receive and
use software upgrades, including signature updates, from Cisco.com.
MINIMUM REQUIREMENTS

To install the IPS-SSP_10-K9-7.1-3-E4.pkg, IPS-SSP_20-K9-7.1-3-E4.pkg,
IPS-SSP_40-K9-7.1-3-E4.pkg, or IPS-SSP_60-K9-7.1-3-E4.pkg service pack
version upgrade file on SSP platforms, you must be running IPS version
7.1(1)E4 or later on your sensor.

To install the IPS-4270_20-K9-7.1-3-E4.pkg service pack version upgrade file
on the 4270 platform, you must be running IPS version 6.0(6) or later on
your sensor.

The ASA 5512-X IPS SSP, ASA 5515-X IPS SSP, ASA 5525-X IPS SSP, ASA 5545-X
IPS SSP, ASA 5555-X IPS SSP, IPS 4345 and IPS 4360 come pre-loaded with
7.1(3)E4 or a later version, and do not require upgrading to 7.1(3)E4.
These platforms can be re-imaged to 7.1(3)E4 using the System Image or
Recovery Image files.

To see what version the sensor is currently running, log in to the CLI and
execute the 'show version' command.

For detailed instructions on installing the service pack upgrade file, refer
to "Upgrading, Downgrading, and Installing System Images," in Cisco
Intrusion Prevention System CLI Configuration Guide for IPS 7.1, available
at this URL:
http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/cli/cliguide71.html

FILE LIST

The following files are included as part of this release:

Readme:
- IPS-7-1-3-E4.readme.txt

Service Pack Upgrade Files:
- IPS-SSP_10-K9-7.1-3-E4.pkg
- IPS-SSP_20-K9-7.1-3-E4.pkg
- IPS-SSP_40-K9-7.1-3-E4.pkg
- IPS-SSP_60-K9-7.1-3-E4.pkg
- IPS-4270_20-K9-7.1-3-E4.pkg

System Image Files:
- IPS-SSP_10-K9-sys-1.1-a-7.1-3-E4.img
- IPS-SSP_20-K9-sys-1.1-a-7.1-3-E4.img
- IPS-SSP_40-K9-sys-1.1-a-7.1-3-E4.img
- IPS-SSP_60-K9-sys-1.1-a-7.1-3-E4.img
- IPS-SSP_5512-K9-sys-1.1-a-7.1-3-E4.aip
- IPS-SSP_5515-K9-sys-1.1-a-7.1-3-E4.aip
- IPS-SSP_5525-K9-sys-1.1-a-7.1-3-E4.aip
- IPS-SSP_5545-K9-sys-1.1-a-7.1-3-E4.aip
- IPS-SSP_5555-K9-sys-1.1-a-7.1-3-E4.aip
- IPS-4270_20-K9-sys-1.1-a-7.1-3-E4.img
- IPS-4345-K9-sys-1.1-a-7.1-3-E4.img
- IPS-4360-K9-sys-1.1-a-7.1-3-E4.img

Recovery Image Files:
- IPS-SSP_10-K9-r-1.1-a-7.1-3-E4.pkg
- IPS-SSP_20-K9-r-1.1-a-7.1-3-E4.pkg
- IPS-SSP_40-K9-r-1.1-a-7.1-3-E4.pkg
- IPS-SSP_60-K9-r-1.1-a-7.1-3-E4.pkg
- IPS-SSP_5512-K9-r-1.1-a-7.1-3-E4.pkg
- IPS-SSP_5515-K9-r-1.1-a-7.1-3-E4.pkg
- IPS-SSP_5525-K9-r-1.1-a-7.1-3-E4.pkg
- IPS-SSP_5545-K9-r-1.1-a-7.1-3-E4.pkg
- IPS-SSP_5555-K9-r-1.1-a-7.1-3-E4.pkg
- IPS-4270_20-K9-r-1.1-a-7.1-3-E4.pkg
- IPS-4345-K9-r-1.1-a-7.1-3-E4.pkg
- IPS-4360-K9-r-1.1-a-7.1-3-E4.pkg

SUPPORTED PLATFORMS

Cisco IPS 7.1(3)E4 is supported on the following platforms:
- ASA 5585-X IPS SSP-10
- ASA 5585-X IPS SSP-20
- ASA 5585-X IPS SSP-40
- ASA 5585-X IPS SSP-60
- ASA 5512-X IPS SSP
- ASA 5515-X IPS SSP
- ASA 5525-X IPS SSP
- ASA 5545-X IPS SSP
- ASA 5555-X IPS SSP
- IPS 4270-20
- IPS 4345
- IPS 4360

INSTALLATION USING THE CLI

NOTE: You must be logged on to Cisco.com using an account with cryptographic
privileges to access the download site, and you must have a SMARTnet
maintenance contract number to request software upgrades from Cisco.com.

NOTE: This service pack requires an automatic reboot of the sensor to apply
the changes. Inline network traffic will be disrupted during the reboot.

To install the 7.1(3)E4 service pack using the CLI, follow these steps:

1. Download the file IPS-SSP_10-K9-7.1-3-E4.pkg to a local server.
   Note: Each supported IPS platform requires its own platform-specific
   package, as listed above.

2. Log in to the CLI using an account with administrator privileges.

3. Type the following command to enter configuration mode:

   configure terminal

4. Type the following command to upgrade the sensor:

   sensor(config)# upgrade [URL]/IPS-SSP_10-K9-7.1-3-E4.pkg

   where [URL] is a uniform resource locator pointing to where the package
   is located. For example, to retrieve the update via SCP, type the
   following:

   sensor(config)# upgrade scp://@///IPS-SSP_10-K9-7.1-3-E4.pkg

   The available transport methods are SCP, FTP, HTTP, or HTTPS.

5. Enter the appropriate password when prompted.

6. To complete the upgrade, type yes when prompted.

7.
   The sensor reboots to finish applying the changes.

To determine whether the 7.1(3)E4 service pack has been successfully
installed on a sensor, log in to the CLI and type 'show version' at the
command prompt. The sensor will report the version as 7.1(3)E4, and the
Upgrade History should include IPS-SSP_10-K9-7.1-3-E4.pkg.

INSTALLATION CAVEATS

The 7.1(3)E4 service pack cannot be uninstalled. To revert, you must
re-image the sensor using a system image file, which causes all
configuration settings to be lost.

When this service pack is installed, all executables, libraries, and so
forth are replaced, but user configuration is preserved.

The ASA 5512-X IPS SSP, ASA 5515-X IPS SSP, ASA 5525-X IPS SSP, ASA 5545-X
IPS SSP, ASA 5555-X IPS SSP, IPS 4345 and IPS 4360 come pre-loaded with
7.1(3)E4 or a later version, and do not require upgrading to 7.1(3)E4.
These platforms can be re-imaged to 7.1(3)E4 using the System Image or
Recovery Image files.

For the IPS 4270-20, an upgrade to the 7.1(3)E4 service pack is not allowed
if the sensor license was generated for 6.0.x or earlier versions. The
upgrade fails and you receive the following error message:

   Currently installed License is not valid in 7.1(3). Install a license
   that is applicable for 'IPS versions 6.1 and above'

To obtain a new license for the IPS 4270-20, follow these steps:

1. Log in to Cisco.com.
2. Go to http://www.cisco.com/go/license.
3. Under Licenses Not Requiring a PAK, click Demo and Evaluation licenses.
4. Under Security Products/Cisco Services for IPS service license (Version
   6.1 and later), click All IPS Hardware Platforms.
5. Fill in the required fields. Your license key will be sent to the email
   address you specified.
6. You must have the correct IPS device serial number and product
   identifier (PID), because the license key only functions on the device
   with that serial number.

RESOLVED ISSUES

The following known issues have been resolved in the 7.1(3)E4 service pack
release.
Release notes can be viewed in Bug Navigator at the following URL:
http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl

Identifier   Headline
----------   -------------------------------------------------------------
CSCtl04402   failure in decode params during web server control transaction
CSCte50759   sensorApp aborts during signature update
CSCtq05123   treapi error 606 during string-xl or string-tcp signature configuration
CSCtg38568   IPS 4270 with 10Gig cards will not pass jumbo frames.
CSCts70493   show health reports 'Failed Applications Green' when sensorApp has cored
CSCtn81330   hangup on vi session will use 100% cpu
CSCti08564   IPS TCP normalizer reorders packets but sends them with OoO timestamps
CSCtn84402   SensorApp not processing packets when eventstore is locked during query
CSCti43137   IPS AAA PAM module sends incorrect NAS IP in radius packet
CSCts40849   sensorApp core in atomic-ip-advanced inspector
CSCti57119   IPS packet capture creates multiple files that are not removable
CSCtj86988   mainApp hangs in AuthenticationMgr
CSCti79423   IPS: IP Reputation Update brings down sensorApp on IDSM-2
CSCtq71035   Inline interface pair stops packet forwarding after rebooting
CSCts98784   IPS SSP collaborationApp core
CSCts40616   IPS SSP sensorApp core due to buffer overflow errors
CSCtg50681   Sensor Upgrade failure.
             "ExecUpgradeSoftware: < > already installed"
CSCtg73897   SendAckLimiter: repair ReportInterval issue and improve stats collection
CSCti70744   IPS sensor unable to copy current-config
CSCtj04994   IDS: service aaa creates local user accounts with invalid characters
CSCtj51386   sensor out of storage space due to global-correlation log
CSCtn11478   IDS - ATOMIC.ARP engine creates phantom duplicate signatures upon edit
CSCto62559   RADIUS sends an empty calling-station-id for HTTP/HTTPS authentication
CSCto77871   Sensor health status for missed packets is incorrect
CSCtq00491   Sensor health for signature updates is incorrect
CSCtq95375   radius module should handle multiple cisco-av-pair responses
CSCts21378   normalizer signature 1330.12 drops legit reset packet and keeps tracking
CSCts58648   Old SMB engine should not be allowed to run
CSCts70337   IPS SSP crash in sensor app(AlarmDBProcessor::lookupRootNode hashtable)
CSCsv26568   IPS SNMP InterfaceGroup OID does not show correct Virtual Sensor
CSCta43555   Network Security Level not functioning
CSCtf02842   ntp daemon may lose synchronization with server
CSCtg22175   fast retransmit ACK swaps mac address for multicast traffic
CSCtg22575   Unexpected Behavior using Exact-Match-Offset In Atomic ip
CSCto97367   Incorrect behaviour while changing cisco password
CSCtn56839   IPS interface can be configured as promisc and VLAN-pair at same time
CSCtj93001   Invalid card type error logged in by sensor for SSP-IPS40
CSCtj31566   SSH TCP port forwarding is enabled - x86 Only
CSCsk85023   Need a way to disable weak ciphers for HTTPS access to the sensor.
CSCsu08529   Enh: IPS Add SNMP support for a subset of Health Statistics
CSCti49271   inline IPS stops traffic after reset in redundant environment (e1000)
CSCto51204   authentication attemptLimit leaks file handles and hangs mainApp for x86

RELEVANT ISSUES NOT RESOLVED

Identifier   Headline
----------   -------------------------------------------------------------
CSCtt10189   LSI insufficient resource error not throttled in main.log - Spyker
CSCtt43148   Unable to configure IPS from IDM {Error- Unauthorized component Edit}
CSCtu85641   Custom sigs- string-xl-icmp/string-icmp engine not working for icmp-type
CSCts72622   Cleared CLI ID's not being cleaned up
CSCtu75883   Deny-Attacker-ServicePair InLine does not show denied attackers
CSCtw56890   IDM documentation is missing reference to permit-packet-logging av pair
CSCtu05099   Visual indication of progress required when editing sig actions
CSCto77478   telnet/ssh connection to CLI may close during "sh ev al"
CSCtr46541   3401.0 alert not firing for some packet sizes
CSCtr75697   sensorApp stopped after extended duration packet display of IPSec pkts
CSCtw45784   Inconsistent behaviour seen for deny action of sig 1204-0
CSCtt02648   TCP Normalizer 1330 sigs fire with replayed traffic

NEW FEATURES

The following new features are added as part of the 7.1(3)E4 service pack
release.

1. RADIUS AAA support

   You can configure the IPS to use remote RADIUS servers to manage user
   accounts. This feature simplifies the operation of large IPS
   deployments. For detailed information about the RADIUS feature and how
   to configure it from the CLI, refer to "Setting Up the Sensor" in Cisco
   Intrusion Prevention System CLI Configuration Guide for IPS 7.1,
   available at this URL:
   http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/cli/cliguide71.html

2. SNMP Health Monitoring

   The IPS sensor can be configured to send trap-related information for
   various health metrics.
   To receive sensor health information through SNMP, you must have sensor
   health metrics enabled. For detailed information about the new SNMP
   health monitoring traps and how to configure them from the CLI, refer to
   "Configuring SNMP" in Cisco Intrusion Prevention System CLI
   Configuration Guide for IPS 7.1, available at this URL:
   http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/cli/cliguide71.html

3. Packet Command Restriction

   This feature prevents users from arbitrarily executing packet
   capture/display/iplog commands. The restriction can be enforced for
   RADIUS users using a cisco av-pair (permit-packet-logging=true/false) on
   the RADIUS server, and in the CLI for local users. By default, there is
   no restriction on these commands. Only users with the 'Administrator'
   role can change the settings of the packet command restriction feature.

4. CLI Timeout

   To improve the security of the IPS sensor, a new feature has been added
   to time out the CLI if the session is inactive for longer than the
   configured value.

RESTRICTIONS

TACACS+ authentication is not supported in this version.

The CLI Timeout feature applies only to sessions established via
SSH/Telnet/Console. 'Service' account logins are not affected.

=========================================================================
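The MINIMUM REQUIREMENTS and INSTALLATION USING THE CLI sections above describe a pre-flight rule (which package applies to which platform, and the version each platform must already run) and a post-reboot check ('show version' reports 7.1(3)E4 and the Upgrade History lists the package). The script below is an added example that applies both rules to saved 'show version' output; it is not Cisco tooling. It assumes the output contains a "Version X.Y(Z)En" line, a "Platform:" line and an "Upgrade History:" block, and the platform strings (for example ASA5585-SSP-IPS10) and sample outputs are constructed for the example.

```python
"""Pre-flight and post-upgrade checks for the IPS 7.1(3)E4 service pack.

Added example, not Cisco tooling. It assumes 'show version' output carries
a 'Version X.Y(Z)En' line, a 'Platform:' line and an 'Upgrade History:'
block; platform strings and sample outputs below are constructed.
"""
import re

SP_VERSION = "7.1(3)E4"

# Upgrade package and minimum running version per platform family, taken
# from the FILE LIST and MINIMUM REQUIREMENTS sections of the readme.
PACKAGES = {
    "SSP_10": ("IPS-SSP_10-K9-7.1-3-E4.pkg", "7.1(1)E4"),
    "SSP_20": ("IPS-SSP_20-K9-7.1-3-E4.pkg", "7.1(1)E4"),
    "SSP_40": ("IPS-SSP_40-K9-7.1-3-E4.pkg", "7.1(1)E4"),
    "SSP_60": ("IPS-SSP_60-K9-7.1-3-E4.pkg", "7.1(1)E4"),
    "4270_20": ("IPS-4270_20-K9-7.1-3-E4.pkg", "6.0(6)"),
}
# Platforms that ship with 7.1(3)E4 or later: no upgrade package exists,
# only system/recovery images for re-imaging.
PRELOADED = ("5512", "5515", "5525", "5545", "5555", "4345", "4360")

VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)\)(?:E(\d+))?")


def parse_version(text):
    """'7.1(3)E4' -> (7, 1, 3, 4); '6.0(6)' -> (6, 0, 6, 0). Tuples compare in order."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no IPS version in %r" % text)
    major, minor, sp, e_level = m.groups()
    return (int(major), int(minor), int(sp), int(e_level or 0))


def parse_show_version(output):
    """Extract the version string, Platform field and Upgrade History packages."""
    info = {"version": None, "platform": None, "history": []}
    in_history = False
    for line in output.splitlines():
        if info["version"] is None and "Version" in line and VERSION_RE.search(line):
            info["version"] = VERSION_RE.search(line).group(0)
        elif line.startswith("Platform:"):
            info["platform"] = line.split(":", 1)[1].strip()
        elif line.startswith("Upgrade History"):
            in_history = True
        elif in_history and line.strip():
            info["history"].append(line.split()[0])  # first token is the package name
    return info


def platform_family(platform):
    """Map the Platform field to a package family (assumed naming, e.g. ASA5585-SSP-IPS10)."""
    m = re.search(r"IPS(10|20|40|60)\b", platform)
    if m:
        return "SSP_" + m.group(1)
    if "4270" in platform:
        return "4270_20"
    if any(model in platform for model in PRELOADED):
        return "preloaded"
    return None


def plan_upgrade(output):
    """Apply the MINIMUM REQUIREMENTS rules to one sensor's 'show version' output."""
    info = parse_show_version(output)
    current = parse_version(info["version"])
    family = platform_family(info["platform"] or "")
    if family == "preloaded":
        return {"action": "re-image-only", "package": None}
    if family not in PACKAGES:
        return {"action": "unknown-platform", "package": None}
    package, minimum = PACKAGES[family]
    if current >= parse_version(SP_VERSION):
        return {"action": "already-installed", "package": package}
    if current < parse_version(minimum):
        return {"action": "below-minimum", "package": package, "minimum": minimum}
    return {"action": "upgrade", "package": package}


def verify_installed(output):
    """Post-reboot check: version reports 7.1(3)E4 and Upgrade History lists the package."""
    info = parse_show_version(output)
    return (info["version"] is not None
            and parse_version(info["version"]) == parse_version(SP_VERSION)
            and any("7.1-3-E4" in pkg for pkg in info["history"]))


# Constructed sample outputs (not real sensor captures).
SAMPLE_SSP10_BEFORE = """\
Cisco Intrusion Prevention System, Version 7.1(2)E4
Platform:               ASA5585-SSP-IPS10
Upgrade History:
  IPS-SSP_10-K9-7.1-2-E4.pkg   12:00:00 UTC Mon Jan 2 2012
"""
SAMPLE_SSP10_AFTER = """\
Cisco Intrusion Prevention System, Version 7.1(3)E4
Platform:               ASA5585-SSP-IPS10
Upgrade History:
  IPS-SSP_10-K9-7.1-2-E4.pkg   12:00:00 UTC Mon Jan 2 2012
  IPS-SSP_10-K9-7.1-3-E4.pkg   09:30:00 UTC Tue Jan 3 2012
"""
SAMPLE_4270_OLD = """\
Cisco Intrusion Prevention System, Version 6.0(5)E3
Platform:               IPS-4270-20
Upgrade History:
"""
SAMPLE_5515 = """\
Cisco Intrusion Prevention System, Version 7.1(3)E4
Platform:               ASA5515-IPS
Upgrade History:
"""

if __name__ == "__main__":
    for name, sample in [("SSP-10", SAMPLE_SSP10_BEFORE), ("4270", SAMPLE_4270_OLD), ("5515", SAMPLE_5515)]:
        print(name, plan_upgrade(sample))
    print("SSP-10 after upgrade verified:", verify_installed(SAMPLE_SSP10_AFTER))
```

Run it over the output of 'show version' captured from each sensor before scheduling the upgrade window: "below-minimum" sensors need an intermediate upgrade first, "re-image-only" platforms have no package to push, and the same script confirms success after the reboot.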