Saturday, October 3, 2015

Initializing and Troubleshooting Cisco 4200 IPS Sensor

The Cisco 4200 series IPS version 7.0 is still valid and included (as of this writing) in the CCNP Security SITCS exam blueprint. Studying for this exam gave me good insight into how an IPS sensor works and its best practices.
To initialize the Cisco IPS sensor, you must first gain management access through one of the following methods:

* Console port: Requires the use of the RS-232 cable provided with the sensor and a terminal emulation program such as HyperTerminal, PuTTY, and so on. As discussed in the previous section, for console access when an IPS module is involved, the session command is the equivalent of console access.

* Secure Shell (SSH): Requires an IP address that has been assigned to the command and control interface through the CLI setup command and uses a supported SSH client. The SSH server in the sensor is enabled by default.

* Telnet: Requires an IP address that has been assigned to the command and control interface through the CLI setup command. You must enable this IP address to allow Telnet access. Telnet is disabled by default.

* HTTPS: Requires an IP address that has been assigned to the command and control interface through the CLI setup command and uses a supported web browser. HTTPS is enabled by default but can be disabled.

Note: Sensor initialization can only be done through the console connection; after the network settings are configured, SSH and Telnet are available.

After you have access, initialization can begin. The setup command begins the sensor initialization process and initiates an interactive dialogue. The interactive dialogue includes the following initialization tasks:

* Assign the sensor a host name.

* Assign an IP address and a subnet mask to the command and control interface.

Note: If the IP address of the sensor is changed later, you can regenerate the certificate (self-signed X.509) of the sensor.

* Assign a default route.

* Add and remove access control list (ACL) entries that specify which hosts are allowed to connect to the sensor.

* Configure a Domain Name System (DNS) and HTTP proxy server for use with global event correlation.

* Configure the date and time.

* Configure the level of participation of this sensor in the Cisco SensorBase.

* Enable or disable the Telnet server.

* Specify the web server port.

* Configure the sensor interfaces and virtual sensors.

* Configure threat prevention.

sensor# setup

    --- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Current Configuration:

service host
network-settings
host-ip 10.1.1.1/24,10.1.1.2
host-name sensor
telnet-option enabled
access-list 10.1.1.0/24
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 443
exit
service event-action-rules rules0
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit

Current time: Thu Sep  3 13:44:48 2015

Setup Configuration last modified: Thu Sep 03 13:35:20 2015

Continue with configuration dialog?[yes]: yes
Enter host name[sensor]: IPS
Enter IP interface[10.1.1.1/24,10.1.1.2]:
Enter telnet-server status[enabled]:
Enter web-server port[443]: 8080
Modify current access list?[no]: no
Modify system clock settings?[no]: yes
  Use NTP?[no]: no
  Modify summer time settings?[no]: no
  Modify system timezone?[no]: yes
    Timezone[UTC]: SGT
    UTC Offset[0]: 8
Modify interface/virtual sensor configuration?[no]: no
Modify default threat prevention settings?[no]: no

The following configuration was entered.

service host
network-settings
host-ip 10.1.1.1/24,10.1.1.2
host-name IPS
telnet-option enabled
access-list 10.1.1.0/24
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 8
standard-time-zone-name SGT
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 8080
exit
service event-action-rules rules0
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit
[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.

Enter your selection[2]:

Troubleshooting the initial configuration of the Cisco IPS sensor often starts with a common issue: the inaccessibility of the management interface of the sensor. Network issues or misconfigured sensor network settings often prevent accessing the sensor CLI through Telnet (if enabled), SSH, or HTTPS. To troubleshoot these issues, you must be connected to the sensor itself through its serial console (or using the session command if an IPS module).

Ping and traceroute are common tools when troubleshooting from a workstation to verify network connectivity. These same tools can be used from the sensor, in addition to the show interfaces command or the setup command, to verify network settings. Follow these steps to troubleshoot sensor management:

Step 1: Log in to the sensor CLI through a console or using the session command.

Step 2: Use the show interfaces command to verify that the sensor management interface is enabled.

sensor# show interfaces
Interface Statistics
   Total Packets Received = 0
   Total Bytes Received = 0
   Missed Packet Percentage = 0
   Current Bypass Mode = Auto_on
MAC statistics from interface Management0/0
   Interface function = Command-control interface
   Description =
   Media Type = TX
   Default Vlan = 0
   Link Status = Up
   Link Speed = Auto_1000
   Link Duplex = Auto_Full
   Total Packets Received = 375
   Total Bytes Received = 0
   Total Multicast Packets Received = 0
   Total Receive Errors = 0
   Total Receive FIFO Overruns = 0
   Total Packets Transmitted = 75
   Total Bytes Transmitted = 0
   Total Transmit Errors = 0
   Total Transmit FIFO Overruns = 0
MAC statistics from interface GigabitEthernet0/0
   Interface function = Sensing interface
   Description =
   Media Type = TX
   Default Vlan = 0
   Inline Mode = Unpaired
   Pair Status = N/A
   Hardware Bypass Capable = No
   Hardware Bypass Paired = N/A
   Link Status = Up
   Link Speed = Auto_
   Link Duplex = Auto_
   Missed Packet Percentage = 0
   Total Packets Received = 0
   Total Bytes Received = 0
   Total Multicast Packets Received = 0
   Total Broadcast Packets Received = 0
   Total Jumbo Packets Received = 0
   Total Undersize Packets Received = 0
   Total Receive Errors = 0
   Total Receive FIFO Overruns = 0
   Total Packets Transmitted = 0
   Total Bytes Transmitted = 0
   Total Multicast Packets Transmitted = 0
   Total Broadcast Packets Transmitted = 0
   Total Jumbo Packets Transmitted = 0
   Total Undersize Packets Transmitted = 0
   Total Transmit Errors = 0
   Total Transmit FIFO Overruns = 0
MAC statistics from interface GigabitEthernet0/1
   Interface function = Sensing interface
   Description =
   Media Type = TX
   Default Vlan = 0
   Inline Mode = Unpaired
   Pair Status = N/A
   Hardware Bypass Capable = No
   Hardware Bypass Paired = N/A
   Link Status = Up
   Link Speed = Auto_
   Link Duplex = Auto_
   Missed Packet Percentage = 0
   Total Packets Received = 0
   Total Bytes Received = 0
   Total Multicast Packets Received = 0
   Total Broadcast Packets Received = 0
   Total Jumbo Packets Received = 0
   Total Undersize Packets Received = 0
   Total Receive Errors = 0
   Total Receive FIFO Overruns = 0
   Total Packets Transmitted = 0
   Total Bytes Transmitted = 0
   Total Multicast Packets Transmitted = 0
   Total Broadcast Packets Transmitted = 0
   Total Jumbo Packets Transmitted = 0
   Total Undersize Packets Transmitted = 0
   Total Transmit Errors = 0
   Total Transmit FIFO Overruns = 0

Step 3: Use the setup command to make sure that the sensor IP address is unique.

sensor# setup

    --- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Current Configuration:

service host
network-settings
host-ip 10.1.1.1/24,10.1.1.2
host-name sensor
telnet-option enabled
access-list 10.1.1.0/24
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 443
exit
service event-action-rules rules0
overrides
override-item-status Enabled
risk-rating-range 90-100
exit
exit

Current time: Fri Sep  4 15:45:35 2015

Setup Configuration last modified: Fri Sep 04 15:39:32 2015

Continue with configuration dialog?[yes]:

Step 4: Use the show interfaces command to make sure that the management port is connected to an active network connection.

Step 5: Use the setup command to make sure that the IP address of the workstation that is trying to connect to the sensor is permitted in the ACL of the sensor.

Step 6: Make sure that the network configuration allows the workstation to connect to the sensor.
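Steps 2 and 4 both come down to reading the show interfaces output for the command-and-control interface. The checker below is an added example written for this post (it is not code from the post or from Cisco): it parses the block layout shown in the capture above, finds the management interface by its "Interface function" field rather than by name, and reports whether the link is up and whether the port has actually received and transmitted frames. The sample text is constructed to match the capture, and the function names are my own.

```python
"""Parse 'show interfaces' output from a Cisco IPS sensor and check the
command-and-control (management) interface.

Added example for this post, not code from the post or from Cisco. The field
names and block layout follow the 'show interfaces' capture shown above; the
sample text below is constructed to match it, and the function names are mine.
"""
import re

# Constructed sample: the management block from the post's capture, plus one
# sensing interface, trimmed to the fields this checker reads.
SAMPLE_SHOW_INTERFACES = """\
Interface Statistics
   Total Packets Received = 0
   Missed Packet Percentage = 0
   Current Bypass Mode = Auto_on
MAC statistics from interface Management0/0
   Interface function = Command-control interface
   Description =
   Media Type = TX
   Default Vlan = 0
   Link Status = Up
   Link Speed = Auto_1000
   Link Duplex = Auto_Full
   Total Packets Received = 375
   Total Bytes Received = 0
   Total Receive Errors = 0
   Total Packets Transmitted = 75
   Total Transmit Errors = 0
MAC statistics from interface GigabitEthernet0/0
   Interface function = Sensing interface
   Link Status = Up
   Total Packets Received = 0
   Total Packets Transmitted = 0
"""

# Constructed failure case: link down and no traffic on the management port.
SAMPLE_MGMT_DOWN = SAMPLE_SHOW_INTERFACES.replace(
    "Link Status = Up\n   Link Speed", "Link Status = Down\n   Link Speed"
).replace("Received = 375", "Received = 0").replace("Transmitted = 75", "Transmitted = 0")

HEADER = re.compile(r"^MAC statistics from interface (\S+)\s*$")
FIELD = re.compile(r"^\s+([^=]+?)\s*=\s*(.*?)\s*$")


def parse_show_interfaces(text):
    """Return {interface_name: {field_name: value}} for every MAC statistics block.

    Lines before the first 'MAC statistics' header (the global counters) are
    ignored; a field with no value, such as 'Description =', is kept as ''.
    """
    interfaces = {}
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = interfaces.setdefault(m.group(1), {})
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return interfaces


def management_interface(interfaces):
    """Locate the command-and-control interface by its function field rather
    than by name, since the name differs between appliances and modules."""
    for name, fields in interfaces.items():
        if fields.get("Interface function", "").lower().startswith("command-control"):
            return name, fields
    return None, None


def check_management(interfaces):
    """Findings for steps 2 and 4 of the procedure; an empty list means the
    management port is up and is both receiving and transmitting frames."""
    findings = []
    name, fields = management_interface(interfaces)
    if fields is None:
        return ["no command-control interface in 'show interfaces' output"]
    if fields.get("Link Status") != "Up":
        findings.append(f"{name}: Link Status is {fields.get('Link Status', 'unknown')!r}; "
                        "check the cable and the switch port (step 4)")
    rx = int(fields.get("Total Packets Received", 0))
    tx = int(fields.get("Total Packets Transmitted", 0))
    if rx == 0:
        findings.append(f"{name}: no frames received; the port may sit on a VLAN or "
                        "segment with no traffic, or the link is not really active")
    if tx == 0:
        findings.append(f"{name}: no frames transmitted; the sensor has not tried to talk "
                        "(check host-ip and the default gateway with setup, step 3)")
    errors = int(fields.get("Total Receive Errors", 0)) + int(fields.get("Total Transmit Errors", 0))
    if errors:
        findings.append(f"{name}: {errors} receive/transmit errors; suspect a duplex or cabling mismatch")
    return findings


if __name__ == "__main__":
    for label, sample in (("healthy", SAMPLE_SHOW_INTERFACES), ("down", SAMPLE_MGMT_DOWN)):
        print(label, check_management(parse_show_interfaces(sample)) or "OK")
```

Paste the real show interfaces output in place of the constructed sample; the parser only depends on the "MAC statistics from interface" headers and the "name = value" lines, so extra counters are simply carried along.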

The ping and traceroute commands are tools that can be used to diagnose basic network connectivity. The sensor always sends ping and traceroute requests over its management interface. The sensor uses a User Datagram Protocol (UDP)-based traceroute algorithm, so a host that answers ping can still show nothing but asterisks in the trace output when it, or a device in the path, drops the UDP probes or withholds the ICMP replies the trace depends on; in that case the ping result is the better indicator of basic reachability.

sensor# ping 10.1.1.2
PING 10.1.1.2 (10.1.1.2): 56 data bytes
64 bytes from 10.1.1.2: icmp_seq=0 ttl=128 time=74.3 ms
64 bytes from 10.1.1.2: icmp_seq=1 ttl=128 time=1.0 ms
64 bytes from 10.1.1.2: icmp_seq=2 ttl=128 time=1.0 ms
64 bytes from 10.1.1.2: icmp_seq=3 ttl=128 time=1.0 ms

--- 10.1.1.2 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 1.0/19.3/74.3 ms

sensor# trace ?
<A.B.C.D>     Address of system to trace route to.
sensor# trace 10.1.1.2
traceroute to 10.1.1.2 (10.1.1.2), 4 hops max, 40 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *

A common reason for the management interface not coming up automatically is that a duplicate IP address has been detected on the network. Use the setup or more current-config commands to make sure that the IP address of the sensor is unique, and correct it if necessary.

sensor# more ?
backup-config      Display the saved backup system configuration.
current-config     Display the current system configuration.
sensor# more current-config
! ------------------------------
! Current configuration last modified Fri Sep 04 15:39:32 2015
! ------------------------------
! Version 6.0(6)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S399.0   2009-05-06
!     Virus Update        V1.4     2007-03-02
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 10.1.1.1/24,10.1.1.2
telnet-option enabled
access-list 10.1.1.0/24
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service analysis-engine
exit

As discussed earlier, it's important to permit the client or workstation IP address(es) that you are using to access the sensor. This can be verified on the sensor using the show settings network-settings command. If the host or network IP address isn't defined in this access-list, you won't be able to access the sensor.

sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# show ?
history      Display commands entered in current menu.
settings     Display configuration contents for the current and children
             sub-modes.
sensor(config-hos)# show settings
   network-settings
   -----------------------------------------------
      host-ip: 10.1.1.1/24,10.1.1.2 default: 192.168.1.2/24,192.168.1.1
      host-name: sensor <defaulted>
      telnet-option: enabled default: disabled
      access-list (min: 0, max: 512, current: 1)
      -----------------------------------------------
         network-address: 10.1.1.0/24

         -----------------------------------------------
      -----------------------------------------------
      ftp-timeout: 300 seconds <defaulted>
      login-banner-text:  <defaulted>
   -----------------------------------------------
   time-zone-settings
   -----------------------------------------------
      offset: 0 minutes <defaulted>
      standard-time-zone-name: UTC <defaulted>
   -----------------------------------------------
   ntp-option
   -----------------------------------------------
      disabled
      -----------------------------------------------
      -----------------------------------------------
   -----------------------------------------------
   summertime-option
   -----------------------------------------------
      disabled
      -----------------------------------------------
      -----------------------------------------------
   -----------------------------------------------
   auto-upgrade-option
   -----------------------------------------------
      disabled
      -----------------------------------------------
      -----------------------------------------------
   -----------------------------------------------
   crypto
   -----------------------------------------------
      key (min: 0, max: 10, current: 2)
      -----------------------------------------------
         <protected entry>
         name: realm-cisco.pub <defaulted>
         type
         -----------------------------------------------
            rsa-pubkey
            -----------------------------------------------
               length: 2048 <defaulted>
               exponent: 65537 <defaulted>
               modulus: 244421899893577470838748553352326288435999689341985596486301
994738784115193250391117266894019475454915539040765802039333061189129250830
085940304031186014499632568812428068058089581614196337399623060624990057049
103055901539559350860600086797768080736401860634357232523755752931263045580
687043018638056211443743928906945667092207499582739028476161059151575200840
514024367308318977822469964934598367010389389888297490802884118543730076293
589703535912161993319470931302986888300125472155726463496235394688386410649
153139478068529040823519551321727313809996538303971613015327071522004656710
78281289241976924173320339117043 <defaulted>
            -----------------------------------------------
         -----------------------------------------------
         <protected entry>
         name: realm-trend.pub <defaulted>
         type
         -----------------------------------------------
            rsa-pubkey
            -----------------------------------------------
               length: 2048 <defaulted>
               exponent: 65537 <defaulted>
               modulus: 217655614225730213141598553514187230316250933807770536966381728952706057093
255106548981819071374567214826052703006066720836660660380267930439066724143
390626495479300550101618179584637287052936465692146572612651375969203545215
856442216029442035208044042129754019708951199037567696011338536732967664528
979577797349198405658704521451482006336695073134640004430849159462643470699
947608668822814014830063399534204647069509052443439525363706527255224510771
122235801811504605447832514984814327059910100698443685257548784136694276397
529508017679990530923523245629558008672420329791409598422432844439158222313
84237991008381919 <defaulted>
            -----------------------------------------------
         -----------------------------------------------
      -----------------------------------------------
   -----------------------------------------------
   password-recovery: allowed <defaulted>
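The access-list check above, together with steps 3, 5 and 6 of the troubleshooting procedure, can be worked through offline once you have the network-settings lines in front of you. The script below is an added example written for this post (not code from the post or from Cisco): it reads the host-ip and access-list lines in the form shown by setup and more current-config, then reports whether the default gateway is on the sensor's subnet, whether a given workstation address is covered by the access-list, and whether that workstation would collide with the sensor's own address. The sample block is constructed to match the post's values, the second access-list entry is invented for the example, and the function names are my own.

```python
"""Check a Cisco IPS 'service host' network-settings block for the conditions
that block management access.

Added example for this post, not code from the post or from Cisco. It reads
the host-ip and access-list lines exactly as they appear in the setup and
'more current-config' output, and answers offline the questions behind steps
3, 5 and 6 and the access-list paragraph: is the default gateway on the
sensor's subnet, is the workstation address permitted, and would the
workstation collide with the sensor's own address. The sample block and the
second access-list entry are constructed; the function names are mine.
"""
import ipaddress

# Constructed sample matching the post's values, with one extra host entry.
SAMPLE_HOST_CONFIG = """\
service host
network-settings
host-ip 10.1.1.1/24,10.1.1.2
host-name sensor
telnet-option enabled
access-list 10.1.1.0/24
access-list 192.0.2.10/32
ftp-timeout 300
no login-banner-text
exit
exit
"""


def parse_network_settings(text):
    """Return (sensor_interface, gateway, permitted_networks, telnet_enabled).

    host-ip is '<address>/<prefix>,<gateway>'; each access-list line holds one
    host or network in CIDR form.
    """
    iface = gateway = None
    permitted = []
    telnet = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("host-ip "):
            addr, gw = line.split(None, 1)[1].split(",", 1)
            iface = ipaddress.ip_interface(addr.strip())
            gateway = ipaddress.ip_address(gw.strip())
        elif line.startswith("access-list "):
            permitted.append(ipaddress.ip_network(line.split(None, 1)[1].strip(), strict=False))
        elif line.startswith("telnet-option "):
            telnet = line.split(None, 1)[1].strip() == "enabled"
    if iface is None or gateway is None:
        raise ValueError("no host-ip line in the network-settings block")
    return iface, gateway, permitted, telnet


def check_management_access(text, workstation):
    """Return {'blocking': [...], 'notes': [...]}; an empty 'blocking' list
    means nothing in the sensor's own network settings stops this workstation."""
    iface, gateway, permitted, telnet = parse_network_settings(text)
    ws = ipaddress.ip_address(workstation)
    blocking, notes = [], []
    if gateway not in iface.network:
        blocking.append(f"default gateway {gateway} is not inside the sensor subnet {iface.network}")
    if ws == iface.ip:
        blocking.append(f"workstation {ws} duplicates the sensor address; the management "
                        "interface will not come up cleanly")
    if not any(ws in net for net in permitted):
        blocking.append(f"workstation {ws} is not covered by the access-list "
                        f"{[str(n) for n in permitted]}")
    if ws not in iface.network:
        notes.append(f"workstation {ws} is off-subnet, so the path through {gateway} must work")
    if telnet:
        notes.append("telnet-option is enabled: cleartext management is reachable from every "
                     "permitted address; prefer SSH/HTTPS and disable Telnet once initialized")
    return {"blocking": blocking, "notes": notes}


if __name__ == "__main__":
    for ws in ("10.1.1.50", "10.1.2.7", "10.1.1.1", "192.0.2.10"):
        print(ws, check_management_access(SAMPLE_HOST_CONFIG, ws))
```

A workstation that lands in the "blocking" list for the access-list reason is exactly the case the paragraph above describes: the sensor is reachable on the wire but refuses the session, and the fix is an access-list entry added through setup or the service host sub-mode rather than anything on the network.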
