Cisco IPS 7.1 Installation guide

Americas Headquarters

Cisco Systems, Inc.

170 West Tasman Drive

San Jose, CA 95134-1706

USA

http://www.cisco.com

Tel: 408 526-4000

800 553-NETS (6387)

Fax: 408 527-0883

Cisco Intrusion Prevention System

Appliance and Module Installation Guide

for IPS 7.1

Text Part Number: OL-24002-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL

STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT

WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT

SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE

OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant

to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial

environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause

harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required

to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant

to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates,

uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.

However, there is no guarantee that interference will not occur in a particular installation. If the equipment causes interference to radio or television reception, which can be

determined by turning the equipment off and on, users are encouraged to try to correct the interference by using one or more of the following measures:

• Reorient or relocate the receiving antenna.

• Increase the separation between the equipment and receiver.

• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.

• Consult the dealer or an experienced radio/TV technician for help.

Modifications to this product not authorized by Cisco could void the FCC approval and negate your authority to operate the product.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH

ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT

LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF

DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,

WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO

OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this

URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership

relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the

document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

iii

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

OL-24002-01

CONTENTS

About This Guide

xv

Contents

xv

Audience

xv

Organization

xvi

Conventions

xvi

Related Documentation

xvii

Where to Find Safety and Warning Information

xvii

Obtaining Documentation, Using the Cisco Bug Search Tool, and Submitting a Service Request

xviii

CHAPTER

1

Introducing the Sensor

1-1

Contents

1-1

How the Sensor Functions

1-1

Capturing Network Traffic

1-1

Your Network Topology

1-3

Correctly Deploying the Sensor

1-3

Tuning the IPS

1-3

Sensor Interfaces

1-4

Understanding Sensor Interfaces

1-4

Command and Control Interface

1-5

Sensing Interfaces

1-6

Interface Support

1-6

TCP Reset Interfaces

1-11

Interface Restrictions

1-12

Interface Modes

1-14

Promiscuous Mode

1-14

IPv6, Switches, and Lack of VACL Capture

1-15

Inline Interface Pair Mode

1-16

Inline VLAN Pair Mode

1-16

VLAN Group Mode

1-17

Deploying VLAN Groups

1-18

Supported Sensors

1-18

IPS Appliances

1-20

Introducing the IPS Appliance

1-20

Appliance Restrictions

1-21

Contents

iv

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

OL-24002-01

Connecting an Appliance to a Terminal Server

1-22

Time Sources and the Sensor

1-22

The Sensor and Time Sources

1-23

Synchronizing IPS Module System Clocks with the Parent Device System Clock

1-23

Verifying the Sensor is Synchronized with the NTP Server

1-23

Correcting the Time on the Sensor

1-24

CHAPTER

2

Preparing the Appliance for Installation

2-1

Installation Preparation

2-1

Safety Recommendations

2-2

Safety Guidelines

2-2

Electricity Safety Guidelines

2-2

Preventing Electrostatic Discharge Damage

2-3

Working in an ESD Environment

2-4

General Site Requirements

2-5

Site Environment

2-5

Preventive Site Configuration

2-5

Power Supply Considerations

2-6

Configuring Equipment Racks

2-6

CHAPTER

3

Installing the IPS 4240 and IPS 4255

3-1

Contents

3-1

Installation Notes and Caveats

3-1

Product Overview

3-2

Front and Back Panel Features

3-3

Specifications

3-4

Connecting the IPS 4240 to a Cisco 7200 Series Router

3-5

Accessories

3-5

Rack Mounting

3-6

Installing the IPS 4240 and IPS 4255

3-7

Installing the IPS 4240-DC

3-10

CHAPTER

4

Installing the IPS 4260

4-1

Contents

4-1

Installation Notes and Caveats

4-1

Product Overview

4-2

Supported Interface Cards

4-3

Contents

v

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

OL-24002-01

Hardware Bypass

4-4

4GE Bypass Interface Card

4-5

Hardware Bypass Configuration Restrictions

4-5

Hardware Bypass and Link Changes and Drops

4-6

Front and Back Panel Features

4-7

Specifications

4-9

Accessories

4-10

Rack Mounting

4-10

Installing the IPS 4260 in a 4-Post Rack

4-11

Installing the IPS 4260 in a 2-Post Rack

4-14

Installing the IPS 4260

4-16

Removing and Replacing the Chassis Cover

4-19

Installing and Removing Interface Cards

4-21

Installing and Removing the Power Supply

4-23

CHAPTER

5

Installing the IPS 4270-20

5-1

Contents

5-1

Installation Notes and Caveats

5-1

Product Overview

5-2

Supported Interface Cards

5-4

Hardware Bypass

5-5

4GE Bypass Interface Card

5-6

Hardware Bypass Configuration Restrictions

5-6

Hardware Bypass and Link Changes and Drops

5-7

Front and Back Panel Features

5-8

Diagnostic Panel

5-14

Specifications

5-15

Accessories

5-16

Installing the Rail System Kit

5-16

Understanding the Rail System Kit

5-16

Rail System Kit Contents

5-17

Space and Airflow Requirements

5-17

Installing the IPS 4270-20 in the Rack

5-18

Extending the IPS 4270-20 from the Rack

5-26

Installing the Cable Management Arm

5-28

Converting the Cable Management Arm

5-32

Installing the IPS 4270-20

5-35

Contents

vi

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

OL-24002-01

Removing and Replacing the Chassis Cover

5-39

Accessing the Diagnostic Panel

5-42

Installing and Removing Interface Cards

5-43

Installing and Removing the Power Supply

5-45

Installing and Removing Fans

5-50

Troubleshooting Loose Connections

5-52

CHAPTER

6

Installing the IPS 4345 and IPS 4360

6-1

Contents

6-1

Installation Notes and Caveats

6-1

Product Overview

6-2

Specifications

6-2

Accessories

6-4

Front and Back Panel Features

6-5

Rack Mount Installation

6-9

Rack-Mounting Guidelines

6-9

Installing the IPS 4345 in a Rack

6-10

Mounting the IPS 4345 and IPS 4360 in a Rack with the Slide Rail Mounting System

6-11

Installing the Appliance on the Network

6-12

Removing and Installing the Power Supply

6-15

AC Power Supply in V01 and V02 Chassis

6-15

Understanding the Power Supplies

6-16

Removing and Installing the AC Power Supply

6-18

Installing DC Input Power

6-21

Removing and Installing the DC Power Supply

6-26

CHAPTER

7

Installing the IPS 4510 and IPS 4520

7-1

Contents

7-1

Installation Notes and Caveats

7-1

Product Overview

7-2

Chassis Features

7-3

Specifications

7-9

Accessories

7-10

Memory Configurations

7-11

Power Supply Module Requirements

7-11

Supported SFP/SFP+ Modules

7-11

Installing the IPS 4510 and IPS 4520

7-12

Contents

vii

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

OL-24002-01

Removing and Installing the Core IPS SSP

7-15

Removing and Installing the Power Supply Module

7-17

Removing and Installing the Fan Module

7-19

Installing the Slide Rail Kit Hardware

7-20

Installing and Removing the Slide Rail Kit

7-21

Package Contents

7-22

Installing the Chassis in the Rack

7-22

Removing the Chassis from the Rack

7-28

Rack-Mounting the Chassis Using the Fixed Rack Mount

7-30

Installing the Cable Management Brackets

7-33

Troubleshooting Loose Connections

7-34

IPS 4500 Series Sensors and the SwitchApp

7-35

CHAPTER

8

Installing and Removing the ASA 5500 AIP SSM

8-1

Contents

8-1

Installation Notes and Caveats

8-1

Product Overview

8-2

Specifications

8-4

Memory Specifications

8-4

Hardware and Software Requirements

8-4

Indicators

8-5

Installation and Removal Instructions

8-5

Installing the ASA 5500 AIP SSM

8-5

Verifying the Status of the ASA 5500 AIP SSM

8-7

Removing the ASA 5500 AIP SSM

8-7

CHAPTER

9

Installing and Removing the ASA 5585-X IPS SSP

9-1

Contents

9-1

Installation Notes and Caveats

9-1

Introducing the ASA 5585-X IPS SSP

9-2

Specifications

9-3

Hardware and Software Requirements

9-4

Front Panel Features

9-4

Memory Requirements

9-8

SFP/SFP+ Modules

9-9

Installing the ASA 5585-X IPS SSP

9-9

Contents

viii

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

OL-24002-01

Installing SFP/SFP+ Modules

9-11

Verifying the Status of the ASA 5585-X IPS SSP

9-12

Removing and Replacing the ASA 5585-X IPS SSP

9-13

APPENDIX

A

Logging In to the Sensor

A-1

Contents

A-1

Supported User Roles

A-1

Logging In to the Appliance

A-2

Connecting an Appliance to a Terminal Server

A-3

Logging In to the ASA 5500 AIP SSP

A-4

Logging In to the ASA 5500-X IPS SSP

A-5

Logging In to the ASA 5585-X IPS SSP

A-6

Logging In to the Sensor

A-7

APPENDIX

B

Initializing the Sensor

B-1

Contents

B-1

Understanding Initialization

B-1

Simplified Setup Mode

B-2

System Configuration Dialog

B-2

Basic Sensor Setup

B-4

Advanced Setup

B-7

Advanced Setup for the Appliance

B-7

Advanced Setup for the ASA 5500 AIP SSM

B-13

Advanced Setup for the ASA 5500-X IPS SSP

B-17

Advanced Setup for the ASA 5585-X IPS SSP

B-21

Verifying Initialization

B-25

APPENDIX

C

Obtaining Software

C-1

Contents

C-1

Obtaining Cisco IPS Software

C-1

IPS 7.1 Files

C-2

IPS Software Versioning

C-3

IPS Software Release Examples

C-6

Accessing IPS Documentation

C-7

Cisco Security Intelligence Operations

C-8

Obtaining a License Key From Cisco.com

C-8

Contents

ix

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

OL-24002-01

Understanding Licensing

C-9

Service Programs for IPS Products

C-9

Obtaining and Installing the License Key Using the IDM or the IME

C-10

Obtaining and Installing the License Key Using the CLI

C-11

Obtaining a License for the IPS 4270-20

C-14

Licensing the ASA 5500-X IPS SSP

C-15

Uninstalling the License Key

C-15

APPENDIX

D

Upgrading, Downgrading, and Installing System Images

D-1

Contents

D-1

System Image Notes and Caveats

D-1

Upgrades, Downgrades, and System Images

D-2

Supported FTP and HTTP/HTTPS Servers

D-3

Upgrading the Sensor

D-3

IPS 7.1 Upgrade Files

D-3

Upgrade Notes and Caveats

D-4

Manually Upgrading the Sensor

D-4

Upgrading the Recovery Partition

D-6

Configuring Automatic Upgrades

D-7

Understanding Automatic Upgrades

D-8

Automatically Upgrading the Sensor

D-8

Downgrading the Sensor

D-11

Recovering the Application Partition

D-12

Installing System Images

D-13

ROMMON

D-13

TFTP Servers

D-14

Connecting an Appliance to a Terminal Server

D-14

Installing the IPS 4270-20 System Image

D-15

Installing the IPS 4345 and IPS 4360 System Images

D-17

Installing the IPS 4510 and IPS 4520 System Image

D-20

Installing the ASA 5500-X IPS SSP System Image

D-23

Installing the ASA 5585-X IPS SSP System Image

D-24

Installing the ASA 5585-X IPS SSP System Image Using the hw-module Command

D-25

Installing the ASA 5585-X IPS SSP System Image Using ROMMON

D-27

APPENDIX

E

Troubleshooting

E-1

Contents

E-1

Cisco Bug Search

E-2

Contents

x

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

OL-24002-01

Preventive Maintenance

E-2

Understanding Preventive Maintenance

E-2

Creating and Using a Backup Configuration File

E-3

Backing Up and Restoring the Configuration File Using a Remote Server

E-3

Creating the Service Account

E-5

Disaster Recovery

E-6

Recovering the Password

E-7

Understanding Password Recovery

E-8

Recovering the Password for the Appliance

E-8

Using the GRUB Menu

E-8

Using ROMMON

E-9

Recovering the ASA 5500-X IPS SSP Password

E-10

Recovering the ASA 5585-X IPS SSP Password

E-12

Disabling Password Recovery

E-13

Verifying the State of Password Recovery

E-14

Troubleshooting Password Recovery

E-15

Time Sources and the Sensor

E-15

Time Sources and the Sensor

E-15

Synchronizing IPS Module Clocks with Parent Device Clocks

E-16

Verifying the Sensor is Synchronized with the NTP Server

E-16

Correcting Time on the Sensor

E-17

Advantages and Restrictions of Virtualization

E-17

Supported MIBs

E-18

When to Disable Anomaly Detection

E-19

Troubleshooting Global Correlation

E-19

Analysis Engine Not Responding

E-20

Troubleshooting RADIUS Authentication

E-21

Troubleshooting External Product Interfaces

E-21

External Product Interfaces Issues

E-21

External Product Interfaces Troubleshooting Tips

E-22

Troubleshooting the Appliance

E-22

The Appliance and Jumbo Packet Frame Size

E-23

Hardware Bypass and Link Changes and Drops

E-23

Troubleshooting Loose Connections

E-24

Analysis Engine is Busy

E-24

Communication Problems

E-25

Cannot Access the Sensor CLI Through Telnet or SSH

E-25

Correcting a Misconfigured Access List

E-27

Contents

xi

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

OL-24002-01

Duplicate IP Address Shuts Interface Down

E-28

The SensorApp and Alerting

E-29

The SensorApp Is Not Running

E-29

Physical Connectivity, SPAN, or VACL Port Issue

E-31

Unable to See Alerts

E-32

Sensor Not Seeing Packets

E-34

Cleaning Up a Corrupted SensorApp Configuration

E-35

Blocking

E-36

Troubleshooting Blocking

E-36

Verifying ARC is Running

E-37

Verifying ARC Connections are Active

E-38

Device Access Issues

E-40

Verifying the Interfaces and Directions on the Network Device

E-41

Blocking Not Occurring for a Signature

E-42

Verifying the Master Blocking Sensor Configuration

E-43

Logging

E-45

Enabling Debug Logging

E-45

Zone Names

E-49

Directing cidLog Messages to SysLog

E-50

TCP Reset Not Occurring for a Signature

E-51

Software Upgrades

E-52

Upgrading and Analysis Engine

E-52

Which Updates to Apply and Their Prerequisites

E-53

Issues With Automatic Update

E-53

Updating a Sensor with the Update Stored on the Sensor

E-54

Troubleshooting the IDM

E-55

Cannot Launch IDM - Loading Java Applet Failed

E-55

Cannot Launch the IDM-the Analysis Engine Busy

E-56

The IDM, Remote Manager, or Sensing Interfaces Cannot Access the Sensor

E-56

Signatures Not Producing Alerts

E-57

Troubleshooting the IME

E-58

Time Synchronization on the IME and the Sensor

E-58

Not Supported Error Message

E-58

Installation Error

E-59

Troubleshooting the ASA 5500 AIP SSM

E-59

Health and Status Information

E-59

Failover Scenarios

E-61

The ASA 5500 AIP SSM and the Normalizer Engine

E-62

The ASA 5500 AIP SSM and the Data Plane

E-63

Contents

xii

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

OL-24002-01

The ASA 5500 AIP SSM and Jumbo Packet Frame Size

E-63

The ASA 5500 AIP SSM and Jumbo Packets

E-64

TCP Reset Differences Between IPS Appliances and ASA IPS Modules

E-64

IPS Reloading Messages

E-64

Troubleshooting the ASA 5500-X IPS SSP

E-65

Failover Scenarios

E-65

Health and Status Information

E-66

The ASA 5500-X IPS SSP and the Normalizer Engine

E-74

The ASA 5500-X IPS SSP and Memory Usage

E-75

The ASA 5500-X IPS SSP and Jumbo Packet Frame Size

E-75

The ASA 5500-X IPS SSP and Jumbo Packets

E-75

TCP Reset Differences Between IPS Appliances and ASA IPS Modules

E-76

IPS Reloading Messages

E-76

Troubleshooting the ASA 5585-X IPS SSP

E-76

Failover Scenarios

E-77

Traffic Flow Stopped on IPS Switchports

E-78

Health and Status Information

E-78

The ASA 5585-X IPS SSP and the Normalizer Engine

E-81

The ASA 5585-X IPS SSP and Jumbo Packet Frame Size

E-82

The ASA 5585-X IPS SSP and Jumbo Packets

E-82

IPS Reloading Messages

E-83

Gathering Information

E-83

Health and Network Security Information

E-84

Tech Support Information

E-84

Understanding the show tech-support Command

E-85

Displaying Tech Support Information

E-85

Tech Support Command Output

E-86

Version Information

E-89

Understanding the show version Command

E-89

Displaying Version Information

E-89

Statistics Information

E-91

Understanding the show statistics Command

E-92

Displaying Statistics

E-92

Interfaces Information

E-104

Understanding the show interfaces Command

E-104

Interfaces Command Output

E-104

Events Information

E-105

Sensor Events

E-105

Understanding the show events Command

E-105

Contents

xiii

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

OL-24002-01

Displaying Events

E-106

Clearing Events

E-108

cidDump Script

E-109

Uploading and Accessing Files on the Cisco FTP Site

E-109

APPENDIX

F

Cable Pinouts

F-1

Contents

F-1

10/100BaseT and 10/100/1000BaseT Connectors

F-1

Console Port (RJ-45)

F-2

RJ-45 to DB-9 or DB-25

F-3

G

LOSSARY

I

NDEX

Contents

xiv

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

OL-24002-01

-xv

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

OL-24002-01

About This Guide

Published: March 31, 2010

Revised: November 9, 2013, OL-24002-01

Contents

This guide describes how to install appliances and modules that support Cisco IPS 7.1. It includes a

glossary that contains expanded acronyms and pertinent IPS terms. It is part of the documentation set

for Cisco Intrusion Prevention System 7.1. Use this guide in conjunction with the documents listed in

Cisco IPS 7.1 Installation guide

Related papers

Other documents