Home » Cisco Manuals » Networking » Cisco IPS-4255-K9 » Manual Viewer

Cisco IPS-4255-K9 Installation Guide - Page 374

Advanced Inspection and Prevention Security Services Module. The IPS plug-in module in the Cisco - rfc

UPC - 746320951096

Add to My Manuals
Save this manual to your list of manuals

Page 374 highlights

Glossary AIP SSM Advanced Inspection and Prevention Security Services Module. The IPS plug-in module in the Cisco ASA 5500 series adaptive security appliance. AIP-SSM is an IPS services module that monitors and performs real-time analysis of network traffic by looking for anomalies and misuse based on an extensive, embedded signature library. When AIP-SSM detects unauthorized activity, it can terminate the specific connection, permanently block the attacking host, log the incident, and send an alert to the device manager. See also adaptive security appliance. Alarm Channel The IPS software module that processes all signature events generated by the inspectors. Its primary function is to generate alerts for each event it receives. alert Specifically, an IPS event type; it is written to the Event Store as an evidsAlert. In general, an alert is an IPS message that indicates a network exploit in progress or a potential security problem occurrence. Also known as an alarm. Analysis Engine The IPS software module that handles sensor configuration. It maps the interfaces and also the signature and alarm channel policy to the configured interfaces. It performs packet analysis and alert detection. The Analysis Engine functionality is provided by the SensorApp process. anomaly detection AD. The sensor component that creates a baseline of normal network traffic and then uses this baseline to detect worm-infected hosts. API Application Programming Interface. The means by which an application program talks to communications software. Standardized APIs allow application programs to be developed independently of the underlying method of communication. Computer application programs run a set of standard software interrupts, calls, and data formats to initiate contact with other devices (for example, network services, mainframe communications programs, or other program-to-program communications). Typically, APIs make it easier for software developers to create links that an application needs to communicate with the operating system or with the network. application Any program (process) designed to run in the Cisco IPS environment. application image Full IPS image stored on a permanent storage device used for operating the sensor. application instance A specific application running on a specific piece of hardware in the IPS environment. An application instance is addressable by its name and the IP address of its host computer. application partition The bootable disk or compact-flash partition that contains the IPS software image. ARC Attack Response Controller. Formerly known as Network Access Controller (NAC). A component of the IPS. A software module that provides block and unblock functionality where applicable. architecture The overall structure of a computer or communication system. The architecture influences the capabilities and limitations of the system. ARP Address Resolution Protocol. Internet protocol used to map an IP address to a MAC address. Defined in RFC 826. ASDM Adaptive Security Device Manager. A web-based application that lets you configure and manage your adaptive security device. ASN.1 Abstract Syntax Notation 1. Standard for data presentation. GL-2 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 OL-18504-01

Section	Page
Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0	1
Preface	13
Contents	13
Audience	13
Comply with Local and National Electrical Codes	13
Organization	15
Conventions	15
Related Documentation	16
Obtaining Documentation and Submitting a Service Request	17
Introducing the Sensor	19
How the Sensor Functions	19
Capturing Network Traffic	19
Your Network Topology	21
Correctly Deploying the Sensor	21
Tuning the IPS	21
Sensor Interfaces	22
Understanding Sensor Interfaces	22
Command and Control Interface	23
Sensing Interfaces	24
Interface Support	24
TCP Reset Interfaces	27
Interface Restrictions	28
Interface Modes	30
Promiscuous Mode	30
IPv6, Switches, and Lack of VACL Capture	31
Inline Interface Pair Mode	32
Inline VLAN Pair Mode	33
VLAN Group Mode	33
Deploying VLAN Groups	34
Supported Sensors	35
IPS Appliances	36
Introducing the IPS Appliance	36
Appliance Restrictions	37
Connecting an Appliance to a Terminal Server	37
IPS Modules	38
Introducing the AIM IPS	38
Introducing the AIP SSM	40
Introducing the IDSM2	42
Introducing the NME IPS	43
Time Sources and the Sensor	44
The Sensor and Time Sources	44
Synchronizing IPS Module System Clocks with the Parent Device System Clock	46
Verifying the Sensor is Synchronized with the NTP Server	46
Correcting the Time on the Sensor	47
Installation Preparation	47
Site and Safety Guidelines	48
Site Guidelines	48
Rack Configuration Guidelines	48
Electrical Safety Guidelines	49
Power Supply Guidelines	50
Working in an ESD Environment	50
Cable Pinouts	51
10/100BaseT and 10/100/1000BaseT Connectors	52
Console Port (RJ-45)	53
RJ-45 to DB-9 or DB-25	54
Installing the IPS 4240 and the IPS 4255	55
Introducing the IPS 4240 and the IPS 4255	55
Front and Back Panel Features	56
Specifications	58
Connecting the IPS 4240 to a Cisco 7200 Series Router	59
Accessories	59
Important Safety Instructions	59
Rack Mounting	60
Installing the IPS 4240 and the IPS 4255	61
Installing the IPS 4240-DC	64
Installing the IPS 4260	69
Introducing the IPS 4260	69
Supported Interface Cards	70
Hardware Bypass	72
4GE Bypass Interface Card	72
Hardware Bypass Configuration Restrictions	73
Hardware Bypass and Link Changes and Drops	74
Front and Back Panel Features	74
Specifications	77
Accessories	77
Important Safety Instructions	78
Rack Mounting	78
Installing the IPS 4260 in a 4-Post Rack	78
Installing the IPS 4260 in a 2-Post Rack	81
Installing the IPS 4260	83
Removing and Replacing the Chassis Cover	86
Installing and Removing Interface Cards	88
Installing and Removing the Power Supply	90
Installing the IPS 4270-20	93
Introducing the IPS 4270-20	94
Supported Interface Cards	95
Hardware Bypass	97
4GE Bypass Interface Card	97
Hardware Bypass Configuration Restrictions	98
Hardware Bypass and Link Changes and Drops	99
Front and Back Panel Features	99
Diagnostic Panel	103
Internal Components	105
Specifications	106
Accessories	107
Installing the Rail System Kit	107
Understanding the Rail System Kit	107
Rail System Kit Contents	108
Space and Airflow Requirements	108
Installing the IPS 4270-20 in the Rack	109
Extending the IPS 4270-20 from the Rack	117
Installing the Cable Management Arm	120
Converting the Cable Management Arm	123
Installing the IPS 4270-20	127
Removing and Replacing the Chassis Cover	130
Accessing the Diagnostic Panel	133
Installing and Removing Interface Cards	133
Installing and Removing the Power Supply	136
Installing and Removing Fans	141
Troubleshooting Loose Connections	143
Installing the AIM IPS	145
Specifications	145
Before Installing the AIM IPS	146
Software and Hardware Requirements	146
Interoperability With Other IPS Modules	147
Restrictions	147
Hardware Interfaces	148
Installation and Removal Instructions	149
Verifying Installation	150
Installing the AIP SSM	151
Specifications	151
Memory Specifications	152
Hardware and Software Requirements	152
Indicators	152
Installation and Removal Instructions	153
Installing the AIP SSM	153
Verifying the Status of the AIP SSM	154
Removing the AIP SSM	155
Installing the IDSM2	157
Specifications	157
Software and Hardware Requirements	158
Minimum Supported the IDSM2 Configurations	158
Using the TCP Reset Interface	159
Front Panel Features	159
Installation and Removal Instructions	160
Required Tools	160
Slot Assignments	161
Installing the IDSM2	161
Verifying Installation	165
Removing the IDSM2	166
Enabling Full Memory Tests	168
Catalyst Software	168
Cisco IOS Software	169
Resetting the IDSM2	169
Catalyst Software	169
Cisco IOS Software	170
Powering the IDSM2 Up and Down	171
Catalyst Software	171
Cisco IOS Software	172
Installing the NME IPS	173
Specifications	173
Before Installing the NME IPS	174
Software and Hardware Requirements	174
Interoperability With Other IPS Modules	175
Restrictions	175
Hardware Interfaces	176
Installation and Removal Instructions	177
Verifying Installation	178
Logging In to the Sensor	179
Supported User Roles	179
Logging In to the Appliance	180
Connecting an Appliance to a Terminal Server	181
Logging In to the AIM IPS	182
The AIM IPS and the session Command	182
Sessioning In to the AIM IPS	183
Logging In to AIP SSM	184
Logging In to the IDSM2	186
Logging In to the NME IPS	187
The NME IPS and the session Command	187
Sessioning In to the NME IPS	188
Logging In to the Sensor	189
Initializing the Sensor	191
Understanding Initialization	191
Simplified Setup Mode	191
System Configuration Dialog	192
Basic Sensor Setup	194
Advanced Setup	197
Advanced Setup for the Appliance	198
Advanced Setup for the AIM IPS	203
Advanced Setup for the AIP SSM	206
Advanced Setup for the IDSM2	210
Advanced Setup for the NME IPS	215
Verifying Initialization	218
Obtaining Software	221
Obtaining Cisco IPS Software	221
IPS Software Versioning	222
Software Release Examples	226
Upgrading Cisco IPS Software to 7.0	227
Accessing IPS Documentation	229
Cisco Security Intelligence Operations	229
Obtaining a License Key From Cisco.com	230
Understanding Licensing	230
Service Programs for IPS Products	231
Obtaining and Installing the License Key Using IDM or IME	231
Obtaining and Installing the License Key Using the CLI	233
Upgrading, Downgrading, and Installing System Images	237
Upgrades, Downgrades, and System Images	237
Supported FTP and HTTP/HTTPS Servers	238
Upgrading the Sensor	238
IPS 7.0 Upgrade Files	238
upgrade Command and Options	239
Using the upgrade Command	240
Upgrading the Recovery Partition	241
Configuring Automatic Upgrades	242
Automatic Upgrades	242
auto-upgrade Command and Options	243
Using the auto-upgrade Command	244
Automatic Upgrade Examples	246
Downgrading the Sensor	247
Recovering the Application Partition	248
Application Partition	248
Using the recover Command	248
Installing System Images	249
Understanding ROMMON	250
Supported TFTP Servers	250
Connecting an Appliance to a Terminal Server	250
Installing the IPS 4240 and IPS 4255 System Images	251
Installing the IPS 4260 System Image	254
Installing the IPS 4270-20 System Image	256
Installing the AIM IPS System Image	259
Installing the AIP SSM System Image	261
Reimaging the AIP SSM	262
Reimaging the AIP SSM Using the recover configure/boot Command	262
Installing the IDSM2 System Image	264
Understanding the IDSM2 System Image	264
Installing the IDSM2 System Image for Catalyst Software	264
Installing the IDSM2 System Image for Cisco IOS Software	265
Configuring the IDSM2 Maintenance Partition for Catalyst Software	267
Configuring the IDSM2 Maintenance Partition for Cisco IOS Software	271
Upgrading the IDSM2 Maintenance Partition for Catalyst Software	274
Upgrading the IDSM2 Maintenance Partition for Cisco IOS Software	275
Installing the NME IPS System Image	276
Troubleshooting	279
Bug Toolkit	279
Preventive Maintenance	280
Understanding Preventive Maintenance	280
Creating and Using a Backup Configuration File	281
Backing Up and Restoring the Configuration File Using a Remote Server	281
Creating the Service Account	283
Disaster Recovery	284
Recovering the Password	285
Understanding Password Recovery	286
Recovering the Appliance Password	286
Using the GRUB Menu	286
Using ROMMON	287
Recovering the AIM IPS Password	288
Recovering the AIP SSM Password	288
Recovering the IDSM2 Password	291
Recovering the NME IPS Password	291
Disabling Password Recovery	292
Verifying the State of Password Recovery	293
Troubleshooting Password Recovery	293
Time and the Sensor	294
Time Sources and the Sensor	294
Synchronizing IPS Module Clocks with Parent Device Clocks	295
Verifying the Sensor is Synchronized with the NTP Server	295
Correcting Time on the Sensor	296
Advantages and Restrictions of Virtualization	296
Supported MIBs	297
When to Disable Anomaly Detection	298
Troubleshooting Global Correlation	298
Analysis Engine Not Responding	299
Troubleshooting External Product Interfaces	300
External Product Interfaces Issues	300
External Product Interfaces Troubleshooting Tips	301
Troubleshooting the Appliance	301
Hardware Bypass and Link Changes and Drops	302
Troubleshooting Loose Connections	302
Analysis Engine is Busy	303
Connecting the IPS 4240 to a Cisco 7200 Series Router	303
Communication Problems	304
Cannot Access the Sensor CLI Through Telnet or SSH	304
Correcting a Misconfigured Access List	306
Duplicate IP Address Shuts Interface Down	307
SensorApp and Alerting	308
SensorApp Not Running	308
Physical Connectivity, SPAN, or VACL Port Issue	310
Unable to See Alerts	311
Sensor Not Seeing Packets	313
Cleaning Up a Corrupted SensorApp Configuration	315
Blocking	315
Troubleshooting Blocking	316
Verifying ARC is Running	316
Verifying ARC Connections are Active	317
Device Access Issues	319
Verifying the Interfaces and Directions on the Network Device	321
Enabling SSH Connections to the Network Device	321
Blocking Not Occurring for a Signature	322
Verifying the Master Blocking Sensor Configuration	323
Logging	324
Understanding Debug Logging	324
Enabling Debug Logging	325
Zone Names	328
Directing cidLog Messages to SysLog	329
TCP Reset Not Occurring for a Signature	330
Software Upgrades	331
Upgrading and Analysis Engine	332
Which Updates to Apply and Their Prerequisites	332
Issues With Automatic Update	333
Updating a Sensor with the Update Stored on the Sensor	333
Troubleshooting IDM	334
Cannot Launch IDM - Loading Java Applet Failed	334
Cannot Launch IDM-Analysis Engine Busy	335
IDM, Remote Manager, or Sensing Interfaces Cannot Access Sensor	335
Signatures Not Producing Alerts	336
Troubleshooting IME	337
Time Synchronization on IME and the Sensor	337
Not Supported Error Message	337
Troubleshooting the IDSM2	337
Diagnosing IDSM2 Problems	338
Minimum Supported IDSM2 Configurations	339
Switch Commands for Troubleshooting	339
Status LED Off	340
Status LED On But the IDSM2 Does Not Come Online	341
Cannot Communicate With the IDSM2 Command and Control Port	342
Using the TCP Reset Interface	344
Connecting a Serial Cable to the IDSM2	344
Troubleshooting the AIP SSM	344
Health and Status Information	345
The AIP SSM and the Data Plane	347
AIM SSP and the Normalizer Engine	347
Troubleshooting the AIM IPS and the NME IPS	347
Interoperability With Other IPS Network Modules	347
Gathering Information	348
Health and Network Security Information	348
Tech Support Information	349
Understanding the show tech-support Command	349
Displaying Tech Support Information	349
Tech Support Command Output	350
Version Information	352
Understanding the show version Command	352
Displaying Version Information	352
Statistics Information	354
Understanding the show statistics Command	355
Displaying Statistics	355
Interfaces Information	365
Understanding the show interfaces Command	365
Interfaces Command Output	365
Events Information	366
Sensor Events	366
Understanding the show events Command	367
Displaying Events	367
Clearing Events	370
cidDump Script	370
Uploading and Accessing Files on the Cisco FTP Site	371
Glossary	373

Match case Limit results 1 per page

Glossary

GL-2

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

OL-18504-01

AIP SSM

Advanced Inspection and Prevention Security Services Module. The IPS plug-in module in the Cisco

ASA 5500 series adaptive security appliance. AIP-SSM is an IPS services module that monitors and

performs real-time analysis of network traffic by looking for anomalies and misuse based on an

extensive, embedded signature library. When AIP-SSM detects unauthorized activity, it can terminate

the specific connection, permanently block the attacking host, log the incident, and send an alert to the

device manager. See also adaptive security appliance.

Alarm Channel

The IPS software module that processes all signature events generated by the inspectors. Its primary

function is to generate alerts for each event it receives.

alert

Specifically, an IPS event type; it is written to the Event Store as an evidsAlert. In general, an alert is

an IPS message that indicates a network exploit in progress or a potential security problem occurrence.

Also known as an alarm.

Analysis Engine

The IPS software module that handles sensor configuration. It maps the interfaces and also the

signature and alarm channel policy to the configured interfaces. It performs packet analysis and alert

detection. The Analysis Engine functionality is provided by the SensorApp process.

anomaly detection

AD. The sensor component that creates a baseline of normal network traffic and then uses this baseline

to detect worm-infected hosts.

API

Application Programming Interface. The means by which an application program talks to

communications software. Standardized APIs allow application programs to be developed

independently of the underlying method of communication. Computer application programs run a set

of standard software interrupts, calls, and data formats to initiate contact with other devices (for

example, network services, mainframe communications programs, or other program-to-program

communications). Typically, APIs make it easier for software developers to create links that an

application needs to communicate with the operating system or with the network.

application

Any program (process) designed to run in the Cisco IPS environment.

application image

Full IPS image stored on a permanent storage device used for operating the sensor.

application instance

A specific application running on a specific piece of hardware in the IPS environment. An application

instance is addressable by its name and the IP address of its host computer.

application partition

The bootable disk or compact-flash partition that contains the IPS software image.

ARC

Attack Response Controller. Formerly known as Network Access Controller (NAC). A component of

the IPS. A software module that provides block and unblock functionality where applicable.

architecture

The overall structure of a computer or communication system. The architecture influences the

capabilities and limitations of the system.

ARP

Address Resolution Protocol. Internet protocol used to map an IP address to a MAC address. Defined

in RFC 826.

ASDM

Adaptive Security Device Manager. A web-based application that lets you configure and manage your

adaptive security device.

ASN.1

Abstract Syntax Notation 1. Standard for data presentation.