Cisco Intrusion Prevention System Device Manager Configuration Guide for IPS 7.2

The IDM User Interface

The IDM is a web-based, Java Web Start application that enables you to configure and manage your sensor. The web server for the IDM resides on the sensor. You can access it through Internet Explorer or Firefox web browsers.

The IDM user interface consists of the File, View, and Help menus. There are Home, Configuration, and Monitoring buttons. The Configuration, and Monitoring buttons open menus in the left-hand TOC pane with the configuration pane on the right. The following four buttons appear next to the Home, Configuration, and Monitoring buttons:

• Back—Takes you to the pane you were previously on.
• Forward—Takes you forward to the next pane you have been on.
• Refresh—Loads the current configuration from the sensor.

• Help—Opens the online help in a new window. The IDM contains hover-over help in addition to online help.

The navigation bar is a docking frame, which you can float or hide if you need more work space. To restore the navigation bar, click View > Navigation . To configure the sensor, choose Configuration and go through the menus in the left-hand pane. The IDM contains a Startup Wizard to aid you in configuring your sensor after you have initialized it. You can change setup settings by using the Startup Wizard. To configure monitoring, click Monitoring and go through the menus in the left-hand pane.

New configurations do not take effect until you click Apply on the pane you are configuring. Click Reset to discard current changes and return settings to their previous state for that pane.

IDM Home Window

The Home pane displays the most important information about a sensor, such as device information, licensing information, sensor health, and interface status. The IDM continuously sends control transactions to retrieve sensor status information at different snapshots and builds the corresponding graphs in the Home pane.

The Home pane provides information about the state of the sensor according to the gadgets that you choose to display. Each gadget displays the local host time. The gadgets contain the following information:

• Sensor Information—Displays specific device information.
• Sensor Health—Displays information about the overall health of the sensor and network.
• Licensing—Displays information about the status of the license key, signature updates, and signature engine updates. The timestamp on the graph is the sensor local time at each snapshot.
• Interface Status—Displays the details about the management and sensing interfaces.
• Global Correlation Reports—Displays the alerts and the denied packets resulting from reputation data.
• Global Correlation Health—Displays the configuration status of global correlation and network participation.
• Network Security—Displays alert counts and average and maximum threat and risk ratings. The timestamp on the graph is the sensor local time at each snapshot.
• Top Applications—Displays the top ten Layer 4 protocols the sensor has discovered.
• CPU, Memory, & Load—Displays the sensor load, CPU, memory, and disk usage for the sensor.

By default, the IDM displays the Sensor Information, Sensor Health, Licensing, Interface Status, Top Applications, and CPU, Memory, & Load gadgets in the Home pane.

To display the available sensor gadgets, click Add Gadgets . You can drag and drop the gadgets on to a tab to display more sensor information. To create another tab in the Home pane to display more information, click Add Dashboard . Use the icons in the top-right corner to collapse, configure the display, or close the gadget.

The IDM constantly retrieves status information to keep the Home pane updated. By default the window is refreshed every 10 seconds. To refresh the pane manually, click File > Refresh .

For More Information

For more information on configuring dashboards and gadgets, see Chapter2, “Configuring Dashboards”

Supported User Role

The following user roles are supported:

• Administrator

• Operator
• Viewer

Logging In

The IDM is a web-based, Java Web Start application that enables you to configure and manage your sensor. The web server for the IDM resides on the sensor. You can access it through Internet Explorer or Firefox web browsers.

Note The IDM is already installed on the sensor.

To log in to the IDM, follow these steps:

Note The default IP address is 192.168.1.2/24,192.168.1.1, which you change to reflect your network environment when you initialize the sensor. When you change the web server port, you must specify the port in the URL address of your browser when you connect to the IDM in the format https://sensor_ip_address:port (for example, https://192.0.2.1:1040).

Step 2 Click Yes to accept the security certificate. The Cisco IPS Device Manager Version window appears.

Step 3 To launch the IDM, click Run IDM . The JAVA loading message box appears, and then the Warning - Security dialog box appears.

Step 4 To verify the security certificate, check the Always trust content from this publisher check box, and click Yes . The JAVA Web Start progress dialog box appears, and then the IDM on ip_address dialog box appears.

Step 5 To create a shortcut for the IDM, click Yes . The Cisco IDM Launcher dialog box appears.

Note You must have JRE 1.5 (JAVA 5) installed to create shortcuts for the IDM. If you have JRE 1.6 (JAVA 6) installed, the shortcut is created automatically.

Step 6 To authenticate the IDM, enter your username and password, and click OK . Both the default username and password are cisco . You were prompted to change the password during sensor initialization. The IDM begins to load. If you change panes from Home to Configuration or Monitoring before the IDM has completed initialization, a Status dialog box appears with the following message:

The main window of the IDM appears.

Note If you created a shortcut, you can launch the IDM by double-clicking the IDM shortcut icon. You can also close the The Cisco IPS Device Manager Version window. After you launch the IDM, it is not necessary for this window to remain open.

For More Information

• For more information on how the IDM uses cookies, see IDM and Cookies.
• For more information on how the IDM uses certificates, see IDM and Certificates.

IDM and Cookies

The IDM uses cookies to track sessions, which provide a consistent view. The IDM uses only session cookies (temporary), not stored cookies. Because the cookies are not stored locally, there is no conflict with your browser cookie policy. The cookies are handled by the IDM Java Start application rather than the browser.

IDM and Certificates

The Cisco IPS contains a web server that is running the IDM. Management stations connect to this web server. Blocking forwarding sensors also connect to the web server of the master blocking sensor. To provide security, this web server uses an encryption protocol known as TLS, which is closely related to SSL protocol. When you enter a URL into the web browser that starts with https:// ip_address , the web browser responds by using either TLS or SSL protocol to negotiate an encrypted session with the host.

Note The IDM is enabled by default to use TLS and SSL.We highly recommend that you use TLS and SSL.

The process of negotiating an encrypted session in TLS is called “handshaking,” because it involves a number of coordinated exchanges between client and server. The server sends its certificate to the client. The client performs the following three-part test on this certificate:

1. Is the issuer identified in the certificate trusted?

Every web browser ships with a list of trusted third-party CAs. If the issuer identified in the certificate is among the list of CAs trusted by your browser, the first test is passed.

2. Is the date within the range of dates during which the certificate is considered valid?

Each certificate contains a Validity field, which is a pair of dates. If the date falls within this range of dates, the second test is passed.

3. Does the common name of the subject identified in the certificate match the URL hostname?

The URL hostname is compared with the subject common name. If they match, the third test is passed.

When you direct your web browser to connect with the IDM, the certificate that is returned fails because the sensor issues its own certificate (the sensor is its own CA) and the sensor is not already in the list of CAs trusted by your browser.

When you receive an error message from your browser, you have three options:

• Disconnect from the site immediately.
• Accept the certificate for the remainder of the web browsing session.
• Add the issuer identified in the certificate to the list of trusted CAs of the web browser and trust the certificate until it expires.

The most convenient option is to permanently trust the issuer. However, before you add the issuer, use out-of-band methods to examine the fingerprint of the certificate. This prevents you from being victimized by an attacker posing as a sensor. Confirm that the fingerprint of the certificate appearing in your web browser is the same as the one on your sensor.

Understanding Licensing

Although the sensor functions without the license key, you must have a license key to obtain signature updates and use the global correlation features. To obtain a license key, you must have the following:

• Cisco Service for IPS service contract—Contact your reseller, Cisco service or product sales to purchase a contract.

• Your IPS device serial number—To find the IPS device serial number in the IDM, choose Configuration > Sensor Management > Licensing , or in the CLI use the show version command.

• Valid Cisco.com username and password.

Trial license keys are also available. If you cannot get your sensor licensed because of problems with your contract, you can obtain a 60-day trial license that supports signature updates that require licensing.

You can obtain a license key from the Cisco.com licensing server, which is then delivered to the sensor. Or, you can update the license key from a license key provided in a local file. Go to http://www.cisco.com/go/license and click IPS Signature Subscription Service to apply for a license key.

You can view the status of the license key in these places:

• The IDM Home window Licensing section on the Health tab
• The IDM Licensing pane ( Configuration > Licensing )
• License Notice at CLI login

Whenever you start the IDM or the CLI, you are informed of your license status—whether you have a trial, invalid, or expired license key. With no license key, an invalid license key, or an expired license key, you can continue to use the IDM and the CLI, but you cannot download signature updates.

If you already have a valid license on the sensor, you can click Download on the License pane to download a copy of your license key to the computer that the IDM is running on and save it to a local file. You can then replace a lost or corrupted license, or reinstall your license after you have reimaged the sensor.

For More Information

For more information on global correlation, see Chapter11, “Configuring Global Correlation”

Service Programs for IPS Products

You must have a Cisco Services for IPS service contract for any IPS product so that you can download a license key and obtain the latest IPS signature updates. If you have a direct relationship with Cisco Systems, contact your account manager or service account manager to purchase the Cisco Services for IPS service contract. If you do not have a direct relationship with Cisco Systems, you can purchase the service account from a one-tier or two-tier partner.

When you purchase the following IPS products you must also purchase a Cisco Services for IPS service contract:

• IPS 4345
• IPS 4345-DC
• IPS 4360
• IPS 4510
• IPS 4520
• IPS 4520-XL

When you purchase an ASA 5500 series adaptive security appliance product that does not contain IPS, you must purchase a SMARTnet contract.

Note SMARTnet provides operating system updates, access to Cisco.com, access to TAC, and hardware replacement NBD on site.

When you purchase an ASA 5500 series adaptive security appliance product that ships with an IPS module installed, or if you purchase one to add to your ASA 5500 series adaptive security appliance product, you must purchase the Cisco Services for IPS service contract.

Note Cisco Services for IPS provides IPS signature updates, operating system updates, access to Cisco.com, access to TAC, and hardware replacement NBD on site.

For example, if you purchase an ASA 5585-X and then later want to add IPS and purchase an ASA-IPS10-K9, you must now purchase the Cisco Services for IPS service contract. After you have the Cisco Services for IPS service contract, you must also have your product serial number to apply for the license key.

For More Information

For information on obtaining and installing the sensor license key, see Obtaining and Installing the License Key.

Licensing Pane Field Definitions

Note You must be administrator to view license information in the Licensing pane and to install the sensor license key.

The following fields are found in the Licensing pane:

• Current License—Provides the status of the current license:

– License Status—Displays the current license status of the sensor.

– Expiration Date—Displays the date when the license key expires (or has expired). If the key is invalid, no date is displayed.

– Serial Number—Displays the serial number of the sensor.

– Product ID—Displays the product ID of your sensor.

• Update License—Specifies from where to obtain the new license key:

– Cisco.com—Contacts the license server at Cisco.com for a license key.

– License File—Specifies that a license file be used.

– Local File Path—Indicates where the local file is that contains the license key.

Obtaining and Installing the License Key

Note In addition to a valid Cisco.com username and password, you must also have a Cisco Services for IPS service contract before you can apply for a license key.

To obtain and install the license key, follow these steps:

Step 2 Choose Configuration > Sensor Management > Licensing .

Step 3 The Licensing pane displays the status of the current license. If you have already installed your license, you can click Download to save it if needed.

Step 4 Obtain a license key by doing one of the following:

• Click the Cisco.com radio button to obtain the license from Cisco.com. The IDM contacts the license server on Cisco.com and sends the server the serial number to obtain the license key. This is the default method. Go to Step 5.
• Click the License File radio button to use a license file. To use this option, you must apply for a license key at this URL: www.cisco.com/go/license . The license key is sent to you in e-mail and you save it to a drive that the IDM can access. This option is useful if your computer cannot access Cisco.com. Go to Step 7.

Step 5 Click Update License , and in the Licensing dialog box, click Yes to continue. The Status dialog box informs you that the sensor is trying to connect to Cisco.com. An Information dialog box confirms that the license key has been updated.

Step 6 Click OK .

Step 7 Log in to Cisco.com .

Step 8 Go to www.cisco.com/go/license .

Step 9 Fill in the required fields. Your license key will be sent to the e-mail address you specified.

Step 10 Save the license key to a hard-disk drive or a network drive that the client running the IDM can access.

Step 11 Log in to the IDM.

Step 12 Choose Configuration > Sensor Management > Licensing .

Step 13 Under Update License, click the License File radio button.

Step 14 In the Local File Path field, specify the path to the license file or click Browse Local to browse to the file.

Step 15 Browse to the license file and click Open .

Step 16 Click Update License .