Obtaining Software
Download this chapter
Obtaining SoftwareObtaining Software
 Feedback

Table Of Contents

Obtaining Software

Obtaining Cisco IPS Software

IPS Software Versioning

IPS Software Image Naming Conventions

5.x Software Release Examples

Upgrading Cisco IPS Software to 5.0

Obtaining a License Key From Cisco.com

Overview

Service Programs for IPS Products

Installing the License Key

Using IDM

Using the CLI

Cisco Security Center

Accessing IPS Documentation


Obtaining Software

This chapter provides information on obtaining Cisco IPS software for the sensor. It contains the following sections:

Obtaining Cisco IPS Software

IPS Software Versioning

Upgrading Cisco IPS Software to 5.0

Obtaining a License Key From Cisco.com

Cisco Security Center

Accessing IPS Documentation

Obtaining Cisco IPS Software

You can find major and minor updates, service packs, signature and signature engine updates, system and recovery files, firmware upgrades, and Readmes on the Download Software site on Cisco.com. Signature updates are posted to Cisco.com approximately every week, more often if needed. Service packs are posted to Cisco.com in a release train format, a new release every three months. Major and minor updates are also posted periodically. Check Cisco.com regularly for the latest IPS software.

You must have an account with cryptographic access before you can download software. You set this account up the first time you download IPS software from the Download Software site.

Note You must be logged in to Cisco.com to download software. You must have an active IPS maintenance contract and a Cisco.com password to download software. You must have a sensor license to apply signature updates.

Downloading Cisco IPS Software

To download software on Cisco.com, follow these steps:

Step 1 Log in to Cisco.com.

Step 2 From the Support drop-down menu, choose Download Software.

Step 3 Under Select a Software Product Category, choose Security Software.

Step 4 Choose Intrusion Prevention System (IPS).

Step 5 Enter your username and password.

Step 6 In the Download Software window, choose IPS Appliances > Cisco Intrusion Prevention System and then click the version you want to download.

Note You must have an IPS subscription service license to download software.

Step 7 Click the type of software file you need. The available files appear in a list in the right side of the window. You can sort by file name, file size, memory, and release date. And you can access the Release Notes and other product documentation.

Step 8 Click the file you want to download. The file details appear.

Step 9 Verify that it is the correct file, and click Download.

Step 10 Click Agree to accept the software download rules. The File Download dialog box appears. The first time you download a file from Cisco.com, you must fill in the Encryption Software Export Distribution Authorization form before you can download the software.

a. Fill out the form and click Submit. The Cisco Systems Inc. Encryption Software Usage Handling and Distribution Policy appears.

b. Read the policy and click I Accept. The Encryption Software Export/Distribution Form appears.

If you previously filled out the Encryption Software Export Distribution Authorization form, and read and accepted the Cisco Systems Inc. Encryption Software Usage Handling and Distribution Policy, these forms are not displayed again.

Step 11 Open the file or save it to your computer.

Step 12 Follow the instructions in the Readme or the Release Notes to install the update.

IPS Software Versioning

This section describes how to interpret IPS software versioning. It contains the following topics:

IPS Software Image Naming Conventions

5.x Software Release Examples

IPS Software Image Naming Conventions

When you download IPS software images from Cisco.com, you should understand the versioning scheme so that you know which files are base files, which are cumulative, and which are incremental.

Note You can determine which software version is installed on your sensor by using the show version command.

Figure 12-1 illustrates what each part of the IPS software file represents:

Figure 12-1 IPS Software File Name

A major version upgrade contains new functionality or an architectural change in the product. For example, the IPS 5.0 base version release includes everything since the previous major release (the minor version features, service pack fixes, and signature updates) plus any new changes. Major upgrade 5.0(1) requires 4.1.

Note The 5.0(1) major upgrade is only used to upgrade 4.1 sensors to 5.0(1). If you are reinstalling 5.0(1) on a sensor that already has 5.0(1) installed, use the system image or recovery procedures rather than the major upgrade.

A minor version upgrade is incremental to the major version. Minor version upgrades are also base versions for service packs. The first minor version upgrade for 5.0 is 5.1(1). Minor version upgrades are released for minor enhancements to the product. Minor version upgrades contain all previous minor features, service pack fixes, and signature updates since the last major version, and the new minor features being released. The minor upgrade requires the major version.

Service packs are cumulative following a base version release (minor or major). Service packs are used for the release of defect fixes with no new enhancements. Service packs contain all service pack fixes since the last base version (minor or major) and the new defect fixes being released. Service packs require the minor version.

Signature updates are cumulative and increment by one with each new release (for example, S145, S146, S147). Signature updates include every signature since the initial signature release (S1) in addition to the new signatures being released. Signature updates require the minimum version listed in the filename.

To install the most recent signature update, you must have the most recent minor version. Service packs are dependent on the most recent minor version, which is dependent on the most recent major version.

Note For a table listing the types of files with examples of filenames and corresponding software releases, see 5.x Software Release Examples.

In addition there are system image files for the IDS-4215, IPS-4240, IPS-4255, NM-CIDS, IDSM-2, ASA-SSM-10, and ASA-SSM-20, recovery partition files for all sensors, and a maintenance partition file for the IDSM-2:

System image files (IDS-4215, IPS-4240, IPS-4255 NM-CIDS, IDSM-2, ASA-SSM-10, and ASA-SSM-20)—Full IPS application and recovery image used for reimaging an entire sensor.

Recovery partition image file—A recovery partition image file is a partition on the sensor that contains a full IPS application image to be used for recovery.

Maintenance partition image file (IDSM-2 only)—A maintenance partition image file is used to reimage the maintenance partition of the IDSM-2. Maintenance partition files are released when new major or minor versions of the maintenance partition are released. Maintenance partition image files are not released for service packs to the maintenance partition. A service pack may be released to address defects identified in existing maintenance partition images, but new maintenance partition images are not produced for subsequently released service packs.

Note The maintenance partition image file does not contain a signature designator.

5.x Software Release Examples

Table 12-1 lists platform-independent IDS 5.x software release examples. Refer to the readmes that accompany the software files for detailed instructions on how to install the files. For instructions on how to access these files on Cisco.com, see Obtaining Cisco IPS Software.

Table 12-1 Platform-Independent Release Examples 

Release
Target Frequency
Identifier
Supported Platform
Example File Name

Signature update1

Weekly

sig

All

IPS-sig-S70-minreq-5.0-1.pkg

Service pack2

Semi-annually
or as needed

sp

All

IPS-K9-sp-5.0-2.pkg

Minor version3

Annually

min

All

IPS-K9-min-5.1-1.pkg

Major version4

Annually

maj

All

IPS-K9-maj-5.0-1.pkg

Patch release5

As needed

patch

All

IPS-K9-patch-5.0-1pl.pkg

Recovery package 6

Annually or as needed

r

All

IPS-K9-r-1.1-a-5.0-1.pkg

1 Signature updates include the latest cumulative IPS signatures.

2 Service packs include defect fixes.

3 Minor versions include new features and/or functionality (for example, signature engines).

4 Major versions include new functionality or new architecture.

5 Patch releases are for interim fixes.

6 The r 1.1 can be revised to r 1.2 if it is necessary to release a new recovery package that contains the same underlying application image. If there are defect fixes for the installer, for example, the underlying application version may still be 5.0(1), but the recovery partition image will be r 1.2.


Table 12-2 describes platform-dependent release examples.

Table 12-2 Platform-Dependent Release Examples 

Release
Target Frequency
Identifier
Supported Platform
Example File Name

System image1

Annually

sys

All

IPS-4240-K9-sys-1.1-a-5.0-1.img

Maintenance partition image2

Annually

mp

IDSM-2 only

c6svc-mp.2-1-2.bin.gz

Recovery and upgrade CD

Annually or as needed

cd

All appliances with a CD-ROM drive

1 The system image includes the combined recovery and application image used to reimage an entire sensor.

2 The maintenance partition image includes the full image for the maintenance partition. The file is platform specific. If you have to recover the IDSM-2 from the maintenance partition, the application partition reflects the applicable 5.0 version after the recovery operation has been completed.


Upgrading Cisco IPS Software to 5.0

Note You cannot upgrade the IDSM (WS-X6381) to Cisco IDS 5.0. You must replace your IDSM (WS-X6381) with IDSM-2 (WS-SVC-IDSM2-K9), which supports version 5.0.

Pay attention to the following when upgrading to IPS 5.0:

The minimum required version for upgrading to 5.0 is 4.1(1). The upgrade from Cisco 4.1 to 5.0 is available as a download from Cisco.com. For the procedure for accessing Downloads on Cisco.com, see Obtaining Cisco IPS Software.

After downloading the 5.0 upgrade file, refer to the accompanying Readme for the procedure for installing the 5.0 upgrade file using the upgrade command. Or refer to Upgrading the Sensor.

If you configured Auto Update for your sensor, copy the 5.0 upgrade file to the directory on the server that your sensor polls for updates. For more information on Auto Update, see Configuring Auto Update.

If you install an upgrade on your sensor and the sensor is unusable after it reboots, you must reimage your sensor. Upgrading a sensor from any Cisco IDS version before 4.1 also requires you to use the recover command or the recovery/upgrade CD.

You can reimage your sensor in the following ways:

For IDS appliances with a CD-ROM drive, use the recovery/upgrade CD. For the procedure, refer to Using the Recovery/Upgrade CD.

For all sensors, use the recover command. For the procedure, refer to Recovering the Application Partition.

For the IDS-4215, IPS-4240, and IPS 4255, use the ROMMON to restore the system image. For the procedures, refer to Installing the IDS-4215 System Image, and Installing the IPS-4240 and IPS-4255 System Image.

For NM-CIDS, use the bootloader. For the procedure, refer to Installing the NM-CIDS System Image.

For IDSM-2, reimage the application partition from the maintenance partition. For the procedure, refer to Installing the IDSM-2 System Image.

For AIP-SSM, reimage from ASA using the hw-module module 1 recover configure/boot command. For the procedure, refer to Installing the AIP-SSM System Image.

Caution When you install the system image for your sensor, all accounts are removed and the default account and password are reset to cisco.

Obtaining a License Key From Cisco.com

This section describes how to obtain a license key from Cisco.com and how to install it using the CLI or IDM. This section contains the following topics:

Overview

Service Programs for IPS Products

Installing the License Key

Overview

Although the sensor functions without the license key, you must have a license key to obtain signature updates. To obtain a license key, you must have a Cisco Service for IPS service contract. Contact your reseller, Cisco service or product sales to purchase a contract. For more information, see Service Programs for IPS Products.

Trial license keys are also available. If you cannot get your sensor licensed because of problems with your contract, you can obtain a 60-day trial license that supports signature updates that require licensing.

You can obtain a license key from the Cisco.com licensing server, which is then delivered to the sensor. Or, you can update the license key from a license key provided in a local file. Go to http://www.cisco.com/go/license and click IPS Signature Subscription Service to apply for a license key. For the procedure, see Installing the License Key.

You must know your IPS device serial number to obtain a license key. To find the IPS device serial number in IDM, choose Configuration > Licensing, or in the CLI use the show version command.

You can view the status of the license key on the Licensing pane in IDM. Whenever you start IDM, you are informed of your license status—whether you have a trial, invalid, or expired license key. With no license key, an invalid license key, or an expired license key, you can continue to use IDM but you cannot download signature updates.

When you enter the CLI, you are informed of your license status. For example, you receive the following message if there is no license installed: 

***LICENSE NOTICE***

There is no license key installed on the system.

The system will continue to operate with the currently installed

signature set. A valid license must be obtained in order to apply

signature updates. Please go to http://www.cisco.com/go/license

to obtain a new license or install a license.

You will continue to see this message until you install a license key.

Service Programs for IPS Products

You must have a Cisco Services for IPS service contract for any IPS product so that you can download a license key and obtain the latest IPS signature updates. If you have a direct relationship with Cisco Systems, contact your account manager or service account manager to purchase the Cisco Services for IPS service contract. If you do not have a direct relationship with Cisco Systems, you can purchase the service account from a one-tier or two-tier partner.

When you purchase the following IPS products you must also purchase a Cisco Services for IPS service contract:

IDS-4215

IPS-4240

IPS-4255

IPS-4260

IDSM-2

NM-CIDS

For ASA 5500 series adaptive security appliance products, if you purchased one of the following ASA 5500 series adaptive security appliance products that do not contain IPS, you must purchase a SMARTnet contract:

Note SMARTnet provides operating system updates, access to Cisco.com, access to TAC, and hardware replacement NBD on site.

ASA5510-K8

ASA5510-DC-K8

ASA5510-SEC-BUN-K9

ASA5520-K8

ASA5520-DC-K8

ASA5520-BUN-K9

ASA5540-K8

ASA5540-DC-K8

ASA5540-BUN-K9

If you purchased one of the following ASA 5500 series adaptive security appliance products that ships with the AIP-SSM installed or if you purchased AIP-SSM to add to your ASA 5500 series adaptive security appliance product, you must purchase the Cisco Services for IPS service contract:

Note Cisco Services for IPS provides IPS signature updates, operating system updates, access to Cisco.com, access to TAC, and hardware replacement NBD on site.

ASA5510-AIP10-K9

ASA5520-AIP10-K9

ASA5520-AIP20-K9

ASA5540-AIP20-K9

ASA-SSM-AIP-10-K9

ASA-SSM-AIP-20-K9

For example, if you purchased an ASA-5510 and then later wanted to add IPS and purchased an ASA-SSM-AIP-10-K9, you must now purchase the Cisco Services for IPS service contract.

After you have the Cisco Services for IPS service contract, you must also have your product serial number to apply for the license key. For the procedure, see Installing the License Key.

Caution If you ever send your product for RMA, the serial number will change. You must then get a new license key for the new serial number.

Installing the License Key

This section describes how to install the license using IDM or the CLI. It contains the following topics:

Using IDM

Using the CLI

Using IDM

To obtain and install the license key, follow these steps:

Step 1 Log in to IDM using an account with administrator privileges.

Step 2 Choose Configuration > Licensing.

The Licensing pane displays the status of the current license. If you have already installed your license, you can click Download to save it if needed.

Step 3 Obtain a license key by doing one of the following:

Check the Cisco Connection Online check box to obtain the license from Cisco.com.

IDM contacts the license server on Cisco.com and sends the server the serial number to obtain the license key. This is the default method. Go to Step 4.

Check the License File check box to use a license file.

To use this option, you must apply for a license key at www.cisco.com/go/license.

The license key is sent to you in e-mail and you save it to a drive that IDM can access. This option is useful if your computer cannot access Cisco.com. Go to Step 7.

Step 4 Click Update License.

The Licensing dialog box appears.

Step 5 Click Yes to continue.

The Status dialog box informs you that the sensor is trying to connect to Cisco.com. An Information dialog box confirms that the license key has been updated.

Step 6 Click OK.

Step 7 Go to www.cisco.com/go/license.

Step 8 Fill in the required fields.

Caution You must have the correct IPS device serial number because the license key only functions on the device with that number.

Your license key will be sent to the e-mail address you specified.

Step 9 Save the license key to a hard-disk drive or a network drive that the client running IDM can access.

Step 10 Log in to IDM.

Step 11 Choose Configuration > Licensing.

Step 12 Under Update License, check the Update From: License File check box.

Step 13 In the Local File Path field, specify the path to the license file or click Browse Local to browse to the file.

The Select License File Path dialog box appears.

Step 14 Browse to the license file and click Open.

Step 15 Click Update License.

Using the CLI

Use the copy source-url license_file_name license-key command to copy the license file to your sensor.

The following options apply:

source-url—The location of the source file to be copied. It can be a URL or keyword.

destination-url—The location of the destination file to be copied. It can be a URL or a keyword.

license-key—The subscription license file.

license_file_name—The name of the license file you receive.

Note You cannot install an older license key over a newer license key.

The exact format of the source and destination URLs varies according to the file. Here are the valid types:

ftp:—Source or destination URL for an FTP network server. The syntax for this prefix is:

ftp:[//[username@] location]/relativeDirectory]/filename

ftp:[//[username@]location]//absoluteDirectory]/filename

scp:—Source or destination URL for the SCP network server. The syntax for this prefix is:

scp:[//[username@] location]/relativeDirectory]/filename

scp:[//[username@] location]//absoluteDirectory]/filename

http:—Source URL for the web server. The syntax for this prefix is:

http:[[/[username@]location]/directory]/filename

https:—Source URL for the web server. The syntax for this prefix is:

https:[[/[username@]location]/directory]/filename

Note If you use FTP or SCP, you are prompted for a password.

Note If you use SCP, the remote host must be on the SSH known hosts list. For the procedure, see Defining Known Host Keys.

Note If you use HTTPS, the remote host must be a TLS trusted host. For the procedure, see Adding Trusted Hosts.

To install the license key, follow these steps:

Step 1 Apply for the license key at www.cisco.com/go/license.

Note You must have a Cisco Services for IPS service contract before you can apply for a license key. For more information, see Service Programs for IPS Products.

Step 2 Fill in the required fields.

Note You must have the correct IPS device serial number because the license key only functions on the device with that number.

Your Cisco IPS Signature Subscription Service license key will be sent by e-mail to the e-mail address you specified.

Step 3 Save the license key to a system that has a web server, FTP server, or SCP server.

Step 4 Log in to the CLI using an account with administrator privileges.

Step 5 Copy the license key to the sensor: 

sensor# copy scp://user@10.89.147.3://tftpboot/dev.lic license-key

Password: *******

Step 6 Verify the sensor is licensed: 

sensor# show version

Application Partition:

Cisco Intrusion Prevention System, Version 5.0(1)S149.0

OS Version 2.4.26-IDS-smp-bigphys

Platform: IPS-4255-K9

Serial Number: JAB0815R0JS

Licensed, expires: 19-Dec-2005 UTC

Sensor up-time is 2 days.

Using 706699264 out of 3974291456 bytes of available memory (17% usage)

system is using 17.3M out of 29.0M bytes of available disk space (59% usage)

application-data is using 36.5M out of 166.8M bytes of available disk space (23% usage)

boot is using 39.4M out of 68.6M bytes of available disk space (61% usage)

MainApp          2005_Feb_18_03.00   (Release)   2005-02-18T03:13:47-0600   Running   

AnalysisEngine   2005_Feb_15_03.00   (QATest)    2005-02-15T12:59:35-0600   Running   

CLI              2005_Feb_18_03.00   (Release)   2005-02-18T03:13:47-0600       

Upgrade History:

	IDS-K9-maj-5.0-1-   14:16:00 UTC Thu Mar 04 2004

Recovery Partition Version 1.1 - 5.0(1)S149

sensor#

Step 7 Copy your license key from a sensor to a server to keep a backup copy of the license: 

sensor# copy license-key scp://user@10.89.147.3://tftpboot/dev.lic 

Password: *******

sensor#

Cisco Security Center

The Cisco Security Intelligence Operations site on Cisco.com provides intelligence reports about current vulnerabilities and security threats. It also has reports on other security topics that help you protect your network and deploy your security systems to reduce organizational risk.

You should be aware of the most recent security threats so that you can most effectively secure and manage your network. Cisco Security Intelligence Operations contains the top ten intelligence reports listed by date, severity, urgency, and whether there is a new signature available to deal with the threat.

Cisco Security Intelligence Operations contains a Security News section that lists security articles of interest. There are related security tools and links.

You can access Cisco Security Intelligence Operations at this URL:

http://tools.cisco.com/security/center/home.x

Cisco Security Intelligence Operations is also a repository of information for individual signatures, including signature ID, type, structure, and description.

You can search for security alerts and signatures at this URL:

http://tools.cisco.com/security/center/search.x

Accessing IPS Documentation

You can find IPS documentation at this URL:

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/tsd_products_support_series_home.html

Or to access IPS documentation from Cisco.com, follow these steps:

Step 1 Log in to Cisco.com.

Step 2 Click Support.

Step 3 Under Support at the bottom of the page, click Documentation.

Step 4 Choose Products > Security > Intrusion Prevention System (IPS) > IPS Appliances > Cisco IPS 4200 Series Sensors. The Cisco IPS 4200 Series Sensors page appears. All of the most up-to-date IPS documentation is on this page.

Note Although you will see references to other IPS documentation sites on Cisco.com, this is the site with the most complete and up-to-date IPS documentation.

Step 5 Click one of the following categories to access Cisco IPS documentation:

Download Software—Takes you to the Download Software site.

Note You must be logged into Cisco.com to access the software download site.

Release and General Information—Contains documentation roadmaps and release notes.

Reference Guides—Contains command references and technical references.

Design—Contains design guide and design tech notes.

Install and Upgrade—Contains hardware installation and regulatory guides.

Configure—Contains configuration guides for IPS CLI, IDM, and IME.

Troubleshoot and Alerts—Contains TAC tech notes and field notices.