This document provides an overview of the Cisco Intrusion Prevention System (IPS) Automatic Update feature and its operation.
The IPS Automatic Update feature was introduced in IPS version 6.1 and provides administrators with an easy way to update IPS signatures on a regularly scheduled interval.
Cisco recommends that you have knowledge of these topics:
Signature updates require a valid Cisco Services for IPS subscription and license key. Go to http://www.cisco.com/go/license and click IPS Signature Subscription Service in order to apply for a license key.
A Cisco.com (CCO) user account that is associated with an active Cisco Services for IPS subscription.
The information in this document is based on these hardware and software versions:
Cisco IPS Versions 6.1 and later
Specific features for Cisco IPS Versions 7.2(1), 7.3(1), and later
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
The command and control interface of the IPS requires direct access to the Internet using HTTPS (TCP 443) and HTTP (TCP 80).
Network Address Translation (NAT) and Access Control Lists (ACLs) on edge devices such as routers and firewalls need to be configured in order to permit the IPS connectivity to the Internet.
Exclude the command and control interface IP address from all content filters and network traffic shapers.
The Automatic Update feature supports proxy servers in the 7.2(1) FIPS/CC certified release. All other 6.x and 7.x software releases do not support Automatic Update through a proxy server at this time. The 7.2(1) release includes a number of changes to the default Secure Shell (SSH) and HTTPS settings. Refer to Release Notes for Cisco Intrusion Prevention System 7.2(1)E4 before you upgrade to 7.2(1).
Warning: In Cisco IPS Version 7.0(8)E4, the default value for the Cisco server IP address is changed from 220.127.116.11 to 18.104.22.168 in the Auto Update URL configuration. If your sensor is configured for automatic updates, you might need to update the firewall rules in order to allow the sensor to connect to the new IP address. For Cisco IPS Versions 7.2 and later, the hardcoded automatic update server IP address is replaced with a named Fully Qualified Domain Name (FQDN) and Domain Name System (DNS) lookup. Refer to the Configuration section of this document for additional information.
Some signature updates require the regular expression tables to be recompiled during which time the IPS can go into software bypass mode. For inline sensors with bypass mode set to Auto, the Analysis Engine is bypassed allowing traffic to flow through the inline interfaces and inline VLAN pairs without inspection. If bypass mode is set to Off, the inline sensor stops passing traffic while the update is applied.
Signature Auto Update Process
IPS authenticates to the auto update server at 22.214.171.124 using HTTPS (TCP 443).
IPS sends a client manifest to the auto update server, which includes the platform ID and an encrypted shared secret that the server uses to verify authenticity of the Cisco IPS sensor.
Once authenticated, the update server responds with a server manifest that contains a list of download file options associated with the platform ID. The data contained here includes information related to update version, download location, and supported file transfer protocols. Based on this data, the IPS auto update logic determines if any of the download options are valid and then selects the best update package for download. In preparation for the download, the server provides the IPS with a set of keys to be used to decrypt the update file.
The IPS establishes a new connection to the download server identified in the server manifest. The download server IP address varies, which is dependent on the location. The IPS uses the file transfer protocol defined in the file download data URL learned in the server manifest (currently uses HTTP (TCP 80)).
The IPS uses the previously downloaded keys to decrypt the update package and then applies the signature files to the sensor.
Basic Signature Auto-Update Configuration
The Automatic Update feature can be configured from IPS Device Manager (IDM) or IPS Manager Express (IME). Complete these steps:
From IDM/IME, choose Configuration > Sensor Management > Auto/Cisco.com Update.
Choose the Enable Signature and Engine Updates from Cisco.com check box on the right-hand pane, and click on the blue Cisco.com Server Settings title in order to drop down the configuration pane.
Enter the CCO username and password. Here is an example URL for Cisco IPS Versions 7.0(8) and 7.1(6):
Note: Do not change the Cisco.com URL. It should not need to be changed from its default setting. The // is intentional and not a typographical error. In Cisco IPS Versions 7.2(1), 7.3(1), and later, the sensor queries the DNS server that is defined in the sensor network configuration in order to resolve the www.cisco.com URL to an Internet routable IP address.
Configure a start time and frequency in order to schedule the signature update. It is recommended to set the start time to a random time that is not on the top of the hour. In this example, the time is set to 23:15:00. The frequency can be configured to support hourly or daily update attempts. Click Apply in order to apply configuration changes.
Signature Automatic Update Enhancements
Many improvements to the Automatic Update feature are included in Cisco IPS Versions 7.2(1) and later. Additional security improvements are also added to Cisco IPS Versions 7.3(2) and later. Refer to the configuration options described in this section for additional information.
Update Now Feature
Cisco IPS Version 7.2(1) introduced a new capability to the IPS GUIs and the CLI that allows administrators to initiate a signature Automatic Update immediately, which bypasses the need to wait for the scheduled time to occur.
In order to bypass the automatic update schedule and update immediately, navigate to the IDM/IME and choose Configuration > Sensor Management > Auto/Cisco.com Update. As long as the Automatic Update is correctly configured and applied, you can click the Update Now button in the upper right-hand corner of the screen in order to trigger an update attempt.
You can also enter the autoupdatenow command into the sensor CLI in order to trigger an update attempt. Here is an example:
SSP-60# autoupdatenow Warning: Executing this command will perform an auto-upgrade on the sensor immediately. Before executing this command, you must have a valid license to apply the Signature AutoUpdates and auto-upgrade settings configured.After executing this command please disable user-server/cisco-server inside 'auto-upgrade' settings, if you don't want scheduled auto-updates Continue? : yes Automatic Update for the sensor has been executed.Use 'show statistics host' command to check the result of auto-update.Please disable user-server/cisco-server in auto-upgrade settings, if you don't want scheduled auto-updates
Automatic Update via Internet Proxy
In order to trigger an automatic update via internet proxy, navigate to the IDM/IME and choose Configuration > Sensor Setup > Network. Enter the DNS and (optionally) the HTTP Proxy Server IP address and port:
Validate Trusted Root Certificates
Cisco IPS Version 7.3(2) introduced the ability for the IPS to validate the root certificate chain of the updater server when updates are downloaded. With this feature enabled, the IPS validates whether the root certificate in the certificate chain is signed by a trusted root CA. For example, the TLS root certificates that are obtained in the signature update process from the Cisco server and global correlation server are validated. This feature is currently disabled by default in Cisco IPS Version 7.3(2); however, it might be enabled by default in a future release. Refer to the IPS Read Me file for more information.
View the Local Trusted Certificate Store
In order to view the current list of installed trusted root certificates in IPS Versions 7.3(2) and later, navigate to Configuration > Sensor Management > Certificates > Trusted Root Certificates:
Enable Strict TLS Server Certificate Validation
Complete these steps in order to enable the Strict TLS Server Validation feature:
Navigate to Configuration > Sensor Setup > Network.
Expand the HTTP, FTP, Telnet, SSH, CLI & Other Options drop down menu.
Check the Enable Strict TLS Server Validation check box.
Click Apply in order to apply the configuration to the sensor.
Add/Update Root Certificates to the Local Trusted Certificate Store
As certificates expire on the updater servers, Cisco reserves the right to use a root certificate chain other than GeoTrust and Thawte. If the updated certificate does not exist in the current IPS software image, then the updated root certificate chain can be manually installed into the local trusted certificate store of the sensor. The DER-encoded certificates can be positioned on a file server and retrieved by the sensor via SCP or HTTPS. The next example uses SCP in order to demonstrate the certificate installation/update process.
From the IDM/IME, navigate to Configuration > Sensor Management > SSH > Known Host RSA Keys.
Click Add and enter the IP address of the SCP server.
Click Retrieve Host Key in order to have the sensor automatically retrieve the public key from the server.
Click OK twice and then Apply in order to apply the configuration to the sensor.
Note: A warning appears if the key size presented by the SCP server is smaller than 2,048 bits.
Click Yes in order to add the key to the known hosts table or No in order to return to the Add Known Host RSA Key screen.
Navigate to Configuration > Sensor Management > Trusted Root Certificates.
Click Add/Update in order to add a new DER-encoded certificate file from the SCP server. Ensure that the certificate file is prepositioned on the server and available for remote retrieval via SSH.
Select SCP as the protocol and enter the URL, username, and password.
Click OK in order to begin the certificate file transfer and installation.
Click Yes in order to add the certificate to the IPS local trusted root store and then OK in order to exit.
From the IDM/IME, choose Configuration > Sensor Management > Auto/Cisco.com Update. Expand the Auto Update info section in order to review the status of the last download attempt.Click Refresh in order to refresh the Auto Update info data.
In order to verify the status of the Automatic Update process via the CLI, enter the show statistics host command:
IPS# show statistics host <Output truncated> Auto Update Statistics lastDirectoryReadAttempt = 16:55:03 GMT-06:00 Wed Jun 27 2012 = Read directory: http://CCOUser@126.96.36.199//swc/esd/06/273556262/guest/ = Success lastDownloadAttempt = 16:55:03 GMT-06:00 Wed Jun 27 2012 = Download: http://CCOUser@188.8.131.52//swc/esd/06/273556262/guest/ IPS-sig-S654-req-E4.pkg = Success nextAttempt = 17:55:00 GMT-06:00 Wed Jun 27 2012 lastInstallAttempt = 16:55:46 GMT-06:00 Wed Jun 27 2012 = Success <Output truncated>
From the IDM/IME, refer to the Licensing gadget on the Home dashboard in order to view the License Status and currently installed signature version. The same information can be obtained via the CLI with the show version command.
SSP-60# show version Application Partition:
Cisco Intrusion Prevention System, Version 7.3(2)E4
Host: Realm Keys key1.0 Signature Definition: Signature Update S805.0 2014-06-03 Threat Profile Version 7 OS Version: 184.108.40.206 Platform: ASA5585-SSP-IPS60 Serial Number: JAF1527CPNK Licensed, expires: 21-Jun-2014 UTC Sensor up-time is 39 days. Using 46548M out of 48259M bytes of available memory (96% usage) system is using 32.4M out of 160.0M bytes of available disk space (20% usage) application-data is using 86.6M out of 377.5M bytes of available disk space (24% usage) boot is using 63.4M out of 70.5M bytes of available disk space (95% usage) application-log is using 494.0M out of 513.0M bytes of available disk space (96% usage)
* IPS-sig-S802-req-E4 16:07:23 UTC Thu May 29 2014 IPS-sig-S805-req-E4.pkg 16:18:51 UTC Mon Jun 09 2014
Recovery Partition Version 1.1 - 7.3(2)E4
Host Certificate Valid from: 15-Jul-2013 to 16-Jul-2015
After correct configuration of Auto Signature Update, complete these steps in order to isolate and correct commonly encountered issues:
For all IPS appliances and modules except for the AIM and IDSM, ensure that the command and control interface is connected to the local network, assigned a valid IP address/subnet mask/gateway, and has IP reachability to the Internet. For the AIM and IDSM modules, the virtual command and control interface are utilized as defined in the configuration. In order to confirm the operational status of the interface from the CLI, enter this show command:
IPS# show interfaces <Output truncated> MAC statistics from interface Management0/0 Interface function = Command-control interface Description = Media Type = TX Default Vlan = 0 Link Status = Up <--- <Output truncated>
In order to validate whether the CCO user account has necessary privileges to download signature update packages, open a web browser and log in to Cisco.com with this same CCO account. Once authenticated, manually download the latest IPS signature package. The inability to manually download the package is likely due to the lack of association of the user account to a valid Cisco Services for IPS subscription. In addition, access to security software on CCO is restricted to authorized users who have accepted the annual encryption/export agreement. Failure to approve this agreement has been known to prevent signature downloads from IDM/IME/CSM. In order to verify whether this agreement has been accepted, open a browser and log in to Cisco.com with the same CCO account. Once authenticated, attempt to manually download a Cisco IOS? software package with the K9 feature set.
Check if there is a proxy in place for Internet bound traffic (all versions except 7.2(1) and later). If the traffic from the command and control port goes through this proxy, the Auto Update feature does not work. Reconfigure the network so that the command and control port traffic is not filtered through a proxy and test again.
For sensors that run Versions 7.2 or 7.3 software, ensure that one or more DNS servers are configured. This is required so that the sensor is able to resolve the www.cisco.com updater FQDN to an Internet-routable IP address.
Check if there are any content filtering or traffic shaping applications or appliances in the path to the Internet. If present, configure an exclusion in order to allow the IP address of the command and control interface to access the Internet without restriction.
If ICMP traffic is permitted towards the Internet, open the CLI of the IPS sensor and try to ping a public IP address.
This test can be used to verify if the necessary routing and NAT rules (if used) are configured correctly. If the ICMP test succeeds yet Auto Updates continue to fail, ensure that network devices such as routers and firewalls along the path permit the HTTPS and HTTP sessions from the IPS command and control interface IP. For example, if the command and control IP address is 10.1.1.1, a simple ACL entry on an ASA firewall can look like this example:
access-list INSIDE-TO-INTERNET extended permit tcp host 10.1.1.1 any eq www access-list INSIDE-TO-INTERNET extended permit tcp host 10.1.1.1 any eq https
The CCO username should not contain any special characters, for example, @ . Refer to Cisco bug ID CSCsq30139 for more information.
When signature auto-update failures occur, use the next table in order to match the associated HTTP error codes.
IPS# show statistics host Auto Update Statistics lastDirectoryReadAttempt = 19:31:09 CST Thu Nov 18 2010 = Read directory: https://220.127.116.11//cgi-bin/front.x/ida/locator/locator.pl = Error: AutoUpdate exception: HTTP connection failed [1,110] <-- lastDownloadAttempt = 19:08:10 CST Thu Nov 18 2010 lastInstallAttempt = 19:08:44 CST Thu Nov 18 2010 nextAttempt = 19:35:00 CST Thu Nov 18 2010