Cisco Systems IPS 7.1, Home Security System IPS 7.1 User manual

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Cisco Intrusion Prevention System CLI
Configuration Guide for IPS 7.1
Text Part Number: OL-19892-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this
URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the
document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Cisco Intrusion Prevention System CLI Configuration Guide for IPS 7.1
© 2011-2013 Cisco Systems, Inc. All rights reserved.
iii
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1
OL-19891-01
CONTENTS
Preface xxxi
Contents xxxi
Audience xxxi
Organization xxxii
Conventions xxxiii
Related Documentation xxxiv
Obtaining Documentation, Using the Cisco Bug Search Tool, and Submitting a Service Request xxxv
CHAPTER 1 Getting Started 1-1
Introducing the IME 1-1
Advisory 1-2
Participating in the SensorBase Network 1-2
IME Home Pane 1-3
System Requirements 1-4
IME Demo Mode 1-7
Installing the IME and Migrating Data In to the IME 1-8
Creating and Changing the IME Password 1-9
Recovering the IME Password 1-10
Configuring General Options 1-11
Configuring the Data Archive 1-12
Configuring Email Setup 1-14
Configuring Email Notification 1-15
Configuring Reports 1-17
Installation Error 1-20
CHAPTER 2 Configuring Device Lists 2-1
Device List Pane 2-1
Device List Pane Field Definitions 2-2
Add and Edit Device List Dialog Boxes Field Definitions 2-3
Adding, Editing, and Deleting Devices 2-4
Starting, Stopping, and Displaying Device, Event, Health, and Global Correlation Connection Status 2-5
Using Tools for Devices 2-6
CHAPTER 3 Configuring Dashboards 3-1
Understanding Dashboards 3-1
Adding and Deleting Dashboards 3-1
IME Gadgets 3-2
Sensor Information Gadget 3-2
Sensor Health Gadget 3-3
Licensing Gadget 3-5
Interface Status Gadget 3-5
Global Correlation Reports Gadget 3-6
Global Correlation Health Gadget 3-7
Network Security Gadget 3-8
Top Applications Gadget 3-9
Memory & Load Gadget 3-10
RSS Feed Gadget 3-11
Top Attackers Gadget 3-11
Top Victims Gadget 3-12
Top Signatures Gadget 3-13
Attacks Over Time Gadget 3-13
Working With a Single Event for Individual Top Attacker and Victim IP Addresses 3-14
Working With a Single Event for a Top Signature 3-15
Configuring Filters 3-16
Manage Filter Rules Dialog Box Field Definitions 3-18
Add and Edit Filter Dialog Boxes Field Definitions 3-19
CHAPTER 4 Configuring RSS Feeds 4-1
Understanding RSS Feeds 4-1
Configuring RSS Feeds 4-1
CHAPTER 5 Using the Startup Wizard 5-1
Startup Wizard Introduction Window 5-1
Setting up the Sensor 5-2
Sensor Setup Window 5-2
Add and Edit ACL Entry Dialog Boxes 5-3
Configure Summertime Dialog Box 5-4
Configuring Sensor Settings 5-4
Configuring Interfaces 5-7
Interface Summary Window 5-7
Restore Defaults to an Interface Dialog Box 5-8
Traffic Inspection Mode Window 5-8
Interface Selection Window 5-9
Inline Interface Pair Window 5-9
Inline VLAN Pairs Window 5-9
Add and Edit Inline VLAN Pair Entry Dialog Boxes 5-10
Configuring Inline VLAN Pairs 5-10
Configuring Virtual Sensors 5-11
Virtual Sensors Window 5-11
Add Virtual Sensor Dialog Box 5-12
Adding a Virtual Sensor 5-13
Applying Signature Threat Profiles 5-14
Configuring Auto Update 5-16
CHAPTER 6 Setting Up the Sensor 6-1
Understanding Sensor Setup 6-1
Configuring Network Settings 6-1
Network Pane 6-2
Network Pane Field Definitions 6-2
Configuring Network Settings 6-3
Configuring Allowed Hosts/Networks 6-5
Allowed Hosts/Networks Pane 6-5
Allowed Hosts/Network Pane and Add and Edit Allowed Host Dialog Boxes Field Definitions 6-6
Configuring Allowed Hosts and Networks 6-6
Configuring Time 6-7
Time Pane 6-7
Time Pane Field Definitions 6-7
Configure Summertime Dialog Box Field Definitions 6-8
Configuring Time on the Sensor 6-9
Time Sources and the Sensor 6-10
Synchronizing IPS Module System Clocks with Parent Device System Clocks 6-11
Verifying the Sensor is Synchronized with the NTP Server 6-11
Correcting Time on the Sensor 6-12
Configuring NTP 6-12
Configuring a Cisco Router to be an NTP Server 6-13
Configuring the Sensor to Use an NTP Time Source 6-14
Manually Setting the System Clock 6-15
Clearing Events 6-16
Configuring Authentication 6-16
Understanding User Roles 6-17
Understanding the Service Account 6-18
The Service Account and RADIUS Authentication 6-18
RADIUS Authentication Functionality and Limitations 6-19
Authentication Pane 6-19
Authentication Pane Field Definitions 6-20
Add and Edit User Dialog Boxes Field Definitions 6-22
Adding, Editing, Deleting Users, and Creating Accounts 6-22
Locking User Accounts 6-25
Unlocking User Accounts 6-26
CHAPTER 7 Configuring Interfaces 7-1
Sensor Interfaces 7-1
Understanding Interfaces 7-1
Command and Control Interface 7-2
Sensing Interfaces 7-3
Interface Support 7-4
TCP Reset Interfaces 7-8
Understanding Alternate TCP Reset Interfaces 7-8
Designating the Alternate TCP Reset Interface 7-9
Hardware Bypass Mode 7-9
Hardware Bypass Card 7-10
Hardware Bypass Configuration Restrictions 7-10
Interface Configuration Restrictions 7-11
Understanding Interface Modes 7-13
Promiscuous Mode 7-14
IPv6, Switches, and Lack of VACL Capture 7-14
Inline Interface Mode 7-15
Inline VLAN Pair Mode 7-16
VLAN Groups Mode 7-17
Interface Configuration Summary 7-18
Configuring Interfaces 7-18
Interfaces Pane 7-18
Interfaces Pane Field Definitions 7-19
Enabling and Disabling Interfaces 7-20
Edit Interface Dialog Box Field Definitions 7-20
Editing Interfaces 7-21
Configuring Inline Interface Pairs 7-22
Interface Pairs Pane 7-22
Interface Pairs Pane Field Definitions 7-22
Add and Edit Interface Pair Dialog Boxes Field Definitions 7-22
Configuring Inline Interface Pairs 7-23
Configuring Inline VLAN Pairs 7-23
VLAN Pairs Pane 7-23
VLAN Pairs Pane Field Definitions 7-24
Add and Edit VLAN Pair Dialog Boxes Field Definitions 7-24
Configuring Inline VLAN Pairs 7-25
Configuring VLAN Groups 7-25
VLAN Groups Pane 7-26
Deploying VLAN Groups 7-26
VLAN Groups Pane Field Definitions 7-27
Add and Edit VLAN Group Dialog Boxes Field Definitions 7-27
Configuring VLAN Groups 7-27
Configuring Bypass Mode 7-28
Bypass Pane 7-28
Bypass Pane Field Definitions 7-29
Adaptive Security Appliance, ASA 5500 AIP SSM, and Bypass Mode 7-30
Configuring Traffic Flow Notifications 7-30
Configuring CDP Mode 7-31
CHAPTER 8 Configuring Policies 8-1
Understanding Security Policies 8-1
IPS Policies Components 8-1
Understanding Analysis Engine 8-2
Understanding the Virtual Sensor 8-2
Advantages and Restrictions of Virtualization 8-3
Inline TCP Session Tracking Mode 8-3
Understanding Normalizer Mode 8-4
Understanding HTTP Advanced Decoding 8-4
Understanding Event Action Overrides 8-5
Calculating the Risk Rating 8-5
Understanding Threat Rating 8-6
Event Action Summarization 8-7
Event Action Aggregation 8-7
Configuring IPS Policies 8-8
IPS Policies Pane 8-8
IPS Policies Pane Field Definitions 8-9
Add and Edit Virtual Sensor Dialog Boxes Field Definitions 8-10
Add and Edit Event Action Override Dialog Boxes Field Definitions 8-12
Adding, Editing, and Deleting Virtual Sensors 8-13
The ASA 5500 AIP SSM, ASA 5500-X IPS SSP, ASA 5585-X IPS SSP, and Virtual Sensors 8-15
Understanding the ASA IPS Modules and Virtual Sensors 8-15
Configuration Sequence for the ASA IPS Modules 8-15
Creating Virtual Sensors on the ASA 5585-X IPS SSP and ASA IPS Modules 8-16
Assigning Virtual Sensors to Adaptive Security Appliance Contexts 8-18
Configuring Event Action Filters 8-20
Understanding Event Action Filters 8-20
Event Action Filters Tab 8-21
Event Action Filters Tab Field Definitions 8-21
Add and Edit Event Action Filter Dialog Boxes Field Definitions 8-22
Adding, Editing, Deleting, Enabling, Disabling, and Moving Event Action Filters 8-23
Configuring IPv4 Target Value Rating 8-25
IPv4 Target Value Rating Tab 8-26
IPv4 Target Value Rating Tab Field Definitions 8-26
Add and Edit Target Value Rating Dialog Boxes Field Definitions 8-26
Adding, Editing, and Deleting IPv4 Target Value Ratings 8-26
Configuring IPv6 Target Value Rating 8-27
IPv6 Target Value Rating Tab 8-27
IPv6 Target Value Rating Tab Field Definitions 8-27
Add and Edit Target Value Rating Dialog Boxes Field Definitions 8-28
Adding, Editing, and Deleting IPv6 Target Value Ratings 8-28
Configuring OS Identifications 8-29
Understanding Passive OS Fingerprinting 8-30
Configuring Passive OS Fingerprinting 8-31
OS Identifications Tab 8-31
OS Identifications Tab Field Definitions 8-32
Add and Edit Configured OS Map Dialog Boxes Field Definitions 8-32
Adding, Editing, Deleting, and Moving Configured OS Maps 8-33
Configuring Event Variables 8-34
Event Variables Tab 8-34
Event Variables Tab Field Definitions 8-35
Add and Edit Event Variable Dialog Boxes Field Definitions 8-35
Adding, Editing, and Deleting Event Variables 8-36
Configuring Risk Category 8-37
Risk Category Tab 8-37
Risk Category Tab Field Definitions 8-38
Add and Edit Risk Level Dialog Boxes Field Definitions 8-38
Adding, Editing, and Deleting Risk Categories 8-38
Configuring Threat Category 8-39
Configuring General Settings 8-40
General Tab 8-40
General Tab Field Definitions 8-41
Configuring the General Settings 8-41
CHAPTER 9 Configuring Shared Policies and Group Policies 9-1
Configuring Shared Policies 9-1
Understanding Shared Policies 9-1
Add Policy Field Definitions 9-2
Adding and Deleting Shared Policies 9-3
Deploying Shared Policies 9-3
Configuring Policy Groups 9-4
CHAPTER 10 Defining Signatures 10-1
Understanding Security Policies 10-1
Understanding Signatures 10-1
Event Actions 10-2
Signature Engines 10-4
Configuring Signature Definition Policies 10-7
Signature Definitions Pane 10-7
Signature Definitions Pane Field Definitions 10-8
Add and Clone Policy Dialog Boxes Field Definitions 10-8
Adding, Cloning, and Deleting Signature Policies 10-8
sig0 Pane 10-9
MySDN 10-10
Configuring Signatures 10-11
Sig0 Pane Field Definitions 10-11
Add, Clone, and Edit Signatures Dialog Boxes Field Definitions 10-12
Edit Actions Dialog Box Field Definitions 10-14
Enabling, Disabling, and Retiring Signatures 10-17
Adding Signatures 10-17
Cloning Signatures 10-19
Tuning Signatures 10-20
Assigning Actions to Signatures 10-21
Configuring Alert Frequency 10-23
Example Meta Engine Signature 10-25
Example Atomic IP Advanced Engine Signature 10-28
Example String XL TCP Match Offset Signature 10-30
Example String XL TCP Engine Minimum Match Length Signature 10-33
Configuring Signature Variables 10-36
Signature Variables Tab 10-36
Signature Variables Field Definitions 10-36
Adding, Editing, and Deleting Signature Variables 10-37
Configuring Miscellaneous Settings 10-38
Miscellaneous Tab 10-38
Miscellaneous Tab Field Definitions 10-39
Configuring Application Policy Signatures 10-40
Understanding AIC Signatures 10-40
AIC Engine and Sensor Performance 10-41
AIC Request Method Signatures 10-42
AIC MIME Define Content Type Signatures 10-43
AIC Transfer Encoding Signatures 10-46
AIC FTP Commands Signatures 10-46
Configuring Application Policy 10-47
Tuning an AIC Signature 10-48
Configuring IP Fragment Reassembly Signatures 10-49
Understanding IP Fragment Reassembly Signatures 10-49
IP Fragment Reassembly Signatures and Configurable Parameters 10-50
Configuring the IP Fragment Reassembly Mode 10-51
Tuning an IP Fragment Reassembly Signature 10-51
Configuring TCP Stream Reassembly Signatures 10-52
Understanding TCP Stream Reassembly Signatures 10-52
TCP Stream Reassembly Signatures and Configurable Parameters 10-53
Configuring the TCP Stream Reassembly Mode 10-58
Tuning a TCP Stream Reassembly Signature 10-59
Configuring IP Logging 10-60
CHAPTER 11 Using the Custom Signature Wizard 11-1
Understanding the Custom Signature Wizard 11-1
Using a Signature Engine 11-1
Signature Engines Not Supported for the Custom Signature Wizard 11-2
Not Using a Signature Engine 11-4
Creating Custom Signatures 11-4
Custom Signature Wizard Field Definitions 11-9
Welcome Window 11-10
Protocol Type Window 11-10
Signature Identification Window 11-11
Service MSRPC Engine Parameters Window 11-11
ICMP Traffic Type Window 11-12
Inspect Data Window 11-12
UDP Traffic Type Window 11-12
UDP Sweep Type Window 11-12
TCP Traffic Type Window 11-12
Service Type Window 11-13
TCP Sweep Type Window 11-13
Atomic IP Engine Parameters Window 11-13
Example Atomic IP Advanced Engine Signature 11-14
Service HTTP Engine Parameters Window 11-16
Example Service HTTP Engine Signature 11-17
Service RPC Engine Parameters Window 11-19
State Engine Parameters Window 11-20
String ICMP Engine Parameters Window 11-21
String TCP Engine Parameters Window 11-21
Example String TCP Engine Signature 11-22
String UDP Engine Parameters Window 11-24
Sweep Engine Parameters Window 11-24
Alert Response Window 11-26
Alert Behavior Window 11-26
Event Count and Interval Window 11-26
Alert Summarization Window 11-27
Alert Dynamic Response Fire All Window 11-27
Alert Dynamic Response Fire Once Window 11-28
Alert Dynamic Response Summary Window 11-28
Global Summarization Window 11-29
CHAPTER 12 Configuring Event Action Rules 12-1
Understanding Security Policies 12-1
Event Action Rules Components 12-2
Understanding Event Action Rules 12-2
Calculating the Risk Rating 12-2
Understanding Threat Rating 12-4
Understanding Event Action Overrides 12-4
Understanding Event Action Filters 12-4
Event Action Summarization 12-5
Event Action Aggregation 12-5
Signature Event Action Processor 12-6
Event Actions 12-8
Configuring Event Action Rules Policies 12-11
Event Action Rules Pane 12-11
Event Action Rules Pane Field Definitions 12-12
Add and Clone Policy Dialog Boxes Field Definitions 12-12
Adding, Cloning, and Deleting Event Action Rules Policies 12-12
rules0 Pane 12-13
Configuring Event Action Overrides 12-13
Event Action Overrides Tab 12-13
Event Action Overrides Tab Field Definitions 12-13
Add and Edit Event Action Override Dialog Boxes Field Definitions 12-13
Adding, Editing, Deleting, Enabling, and Disabling Event Action Overrides 12-14
Configuring Event Action Filters 12-15
Event Action Filters Tab 12-15
Event Action Filters Tab Field Definitions 12-15
Add and Edit Event Action Filter Dialog Boxes Field Definitions 12-16
Adding, Editing, Deleting, Enabling, Disabling, and Moving Event Action Filters 12-17
Configuring IPv4 Target Value Rating 12-19
IPv4 Target Value Rating Tab 12-20
IPv4 Target Value Rating Tab Field Definitions 12-20
Add and Edit Target Value Rating Dialog Boxes Field Definitions 12-20
Adding, Editing, and Deleting IPv4 Target Value Ratings 12-20
Configuring IPv6 Target Value Rating 12-21
IPv6 Target Value Rating Tab 12-21
IPv6 Target Value Rating Tab Field Definitions 12-21
Add and Edit IPv6 Target Value Rating Dialog Boxes Field Definitions 12-22
Adding, Editing, and Deleting IPv6 Target Value Ratings 12-22
Configuring OS Identifications 12-23
OS Identifications Tab 12-23
Understanding Passive OS Fingerprinting 12-24
Configuring Passive OS Fingerprinting 12-25
OS Identifications Tab Field Definitions 12-25
Add and Edit Configured OS Map Dialog Boxes Field Definitions 12-26
Adding, Editing, Deleting, and Moving Configured OS Maps 12-27
Configuring Event Variables 12-28
Event Variables Tab 12-28
Event Variables Tab Field Definitions 12-29
Add and Edit Event Variable Dialog Boxes Field Definitions 12-29
Adding, Editing, and Deleting Event Variables 12-29
Configuring Risk Category 12-31
Risk Category Tab 12-31
Risk Category Tab Field Definitions 12-31
Add and Edit Risk Level Dialog Boxes Field Definitions 12-31
Adding, Editing, and Deleting Risk Categories 12-32
Configuring Threat Category 12-32
Configuring General Settings 12-33
General Tab 12-33
General Tab Field Definitions 12-34
Configuring the General Settings 12-34
CHAPTER 13 Configuring Anomaly Detection 13-1
Understanding Security Policies 13-1
Anomaly Detection Components 13-2
Understanding Anomaly Detection 13-2
Worms 13-2
Anomaly Detection Modes 13-3
Enabling Anomaly Detection 13-4
Anomaly Detection Zones 13-5
Anomaly Detection Configuration Sequence 13-5
Anomaly Detection Signatures 13-7
Configuring Anomaly Detections Policies 13-9
Anomaly Detections Pane 13-9
Anomaly Detections Pane Field Definitions 13-9
Add and Clone Policy Dialog Boxes Field Definitions 13-9
Adding, Cloning, and Deleting Anomaly Detection Policies 13-10
ad0 Pane 13-10
Configuring Operation Settings 13-11
Operation Settings Tab 13-11
Operating Settings Tab Field Definitions 13-11
Configuring Anomaly Detection Operation Settings 13-11
Configuring Learning Accept Mode 13-12
Learning Accept Mode Tab 13-12
The KB and Histograms 13-12
Learning Accept Mode Tab Field Definitions 13-14
Add and Edit Start Time Dialog Boxes Field Definitions 13-14
Configuring Learning Accept Mode 13-14
Configuring the Internal Zone 13-15
Internal Zone Tab 13-15
General Tab 13-16
TCP Protocol Tab 13-16
Add and Edit Destination Port Dialog Boxes Field Definitions 13-17
Add and Edit Histogram Dialog Boxes Field Definitions 13-17
UDP Protocol Tab 13-17
Other Protocols Tab 13-18
Add and Edit Protocol Number Dialog Boxes Field Definitions 13-18
Configuring the Internal Zone 13-19
Configuring the Illegal Zone 13-22
Illegal Zone Tab 13-22
General Tab 13-23
TCP Protocol Tab 13-23
Add and Edit Destination Port Dialog Boxes Field Definitions 13-23
Add and Edit Histogram Dialog Boxes Field Definitions 13-24
UDP Protocol Tab 13-24
Other Protocols Tab 13-25
Add and Edit Protocol Number Dialog Boxes Field Definitions 13-25
Configuring the Illegal Zone 13-25
Configuring the External Zone 13-29
External Zone Tab 13-29
TCP Protocol Tab 13-29
Add and Edit Destination Port Dialog Boxes Field Definitions 13-30
Add and Edit Histogram Dialog Boxes Field Definitions 13-30
UDP Protocol Tab 13-31
Other Protocols Tab 13-31
Add and Edit Protocol Number Dialog Boxes Field Definitions 13-32
Configuring the External Zone 13-32
Disabling Anomaly Detection 13-35
CHAPTER 14 Configuring Global Correlation 14-1
Understanding Global Correlation 14-1
Participating in the SensorBase Network 14-2
Understanding Reputation 14-2
Understanding Network Participation 14-3
Understanding Efficacy 14-4
Reputation and Risk Rating 14-5
Global Correlation Features and Goals 14-5
Global Correlation Requirements 14-6
Understanding Global Correlation Sensor Health Metrics 14-7
Configuring Global Correlation Inspection and Reputation Filtering 14-7
Inspection/Reputation Pane 14-8
Inspection/Reputation Pane Field Definitions 14-9
Configuring Global Correlation Inspection and Reputation Filtering 14-9
Configuring Network Participation 14-10
Network Participation Pane 14-10
Network Participation Pane Field Definitions 14-10
Configuring Network Participation 14-11
Troubleshooting Global Correlation 14-11
Disabling Global Correlation 14-12
CHAPTER 15 Configuring SSH and Certificates 15-1
Understanding SSH 15-1
Configuring Authorized RSA Keys 15-2
Authorized RSA Keys Pane 15-2
Authorized RSA Keys Pane Field Definitions 15-2
Add and Edit Authorized RSA Key Dialog Boxes Field Definitions 15-3
Defining Authorized RSA Keys 15-3
Configuring Authorized RSA1 Keys 15-4
Authorized RSA1 Keys Pane 15-4
Authorized RSA1 Keys Pane Field Definitions 15-4
Add and Edit Authorized RSA1 Key Dialog Boxes Field Definitions 15-5
Defining Authorized RSA1 Keys 15-5
Configuring Known Host RSA Keys 15-6
Known Host RSA Keys Pane 15-6
Known Host RSA Keys Pane Field Definitions 15-7
Add and Edit Known Host RSA Key Dialog Boxes Field Definitions 15-7
Defining Known RSA Host Keys 15-7
Configuring Known Host RSA1 Keys 15-8
Known Host RSA1 Keys Pane 15-8
Known Host RSA1 Keys Pane Field Definitions 15-9
Add and Edit Known Host RSA1 Key Dialog Boxes Field Definitions 15-9
Defining Known Host RSA1 Keys 15-9
Generating the Sensor Key 15-10
Understanding Certificates 15-11
Configuring Trusted Hosts 15-12
Trusted Hosts Pane 15-13
Trusted Hosts Pane Field Definitions 15-13
Add Trusted Host Dialog Box Field Definitions 15-13
Adding Trusted Hosts 15-13
Adding Trusted Root Certificates 15-14
Trusted Root Certificates Pane 15-14
Trusted Root Certificates Field Definitions 15-15
Add and Update Trusted Root Certificates Dialog Box Field Definitions 15-15
Adding and Updating Trusted Root Certificates 15-15
Generating the Server Certificate 15-16
CHAPTER 16 Configuring Attack Response Controller for Blocking and Rate Limiting 16-1
ARC Components 16-1
Understanding Blocking 16-2
Understanding Rate Limiting 16-4
Understanding Service Policies for Rate Limiting 16-5
Before Configuring the ARC 16-5
Supported Devices 16-5
Configuring Blocking Properties 16-7
Blocking Properties Pane 16-7
Understanding Blocking Properties 16-7
Blocking Properties Pane Field Definitions 16-8
Configuring Blocking Properties 16-9
Add and Edit Never Block Address Dialog Boxes Field Definitions 16-10
Adding, Editing, and Deleting IP Addresses Never to be Blocked 16-11
Configuring Device Login Profiles 16-11
Device Login Profiles Pane 16-12
Device Login Profiles Pane Field Definitions 16-12
Add and Edit Device Login Profile Dialog Boxes Field Definitions 16-12
Configuring Device Login Profiles 16-13
Configuring Blocking Devices 16-14
Blocking Device Pane 16-14
Blocking Devices Pane Field Definitions 16-14
Add and Edit Blocking Device Dialog Boxes Field Definitions 16-15
Adding, Editing, and Deleting Blocking and Rate Limiting Devices 16-15
Configuring Router Blocking Device Interfaces 16-17
Router Blocking Device Interfaces Pane 16-17
Understanding Router Blocking Device Interfaces 16-17
How the Sensor Manages Devices 16-18
Router Blocking Device Interfaces Pane Field Definitions 16-19
Add and Edit Router Blocking Device Interface Dialog Boxes Field Definitions 16-19
Configuring the Router Blocking and Rate Limiting Device Interfaces 16-20
Configuring Cat 6K Blocking Device Interfaces 16-21
Cat 6K Blocking Device Interfaces Pane 16-21
Understanding Cat 6K Blocking Device Interfaces 16-21
Cat 6K Blocking Device Interfaces Pane Field Definitions 16-22
Add and Edit Cat 6K Blocking Device Interface Dialog Boxes Field Definitions 16-22
Configuring Cat 6K Blocking Device Interfaces 16-23
Configuring the Master Blocking Sensor 16-24
Master Blocking Sensor Pane 16-24
Understanding the Master Blocking Sensor 16-24
Master Blocking Sensor Pane Field Definitions 16-25
Add and Edit Master Blocking Sensor Dialog Boxes Field Definitions 16-25
Configuring the Master Blocking Sensor 16-25
CHAPTER 17 Configuring SNMP 17-1
Understanding SNMP 17-1
Configuring General Configuration 17-2
General Configuration Pane 17-2
General Configuration Pane Field Definitions 17-2
Configuring General Parameters 17-3
Configuring SNMP Traps 17-3
Traps Configuration Pane 17-4
Traps Configuration Pane Field Definitions 17-4
Add and Edit SNMP Trap Destination Dialog Boxes Field Definitions 17-5
Configuring SNMP Traps 17-5
Supported MIBs 17-6
CHAPTER 18 Managing Time-Based Actions 18-1
Configuring and Monitoring Denied Attackers 18-1
Denied Attackers Pane 18-1
Denied Attackers Pane Field Definitions 18-2
Monitoring the Denied Attackers List and Adding Denied Attackers 18-2
Configuring Host Blocks 18-3
Host Blocks Pane 18-3
Host Block Pane Field Definitions 18-3
Add Host Block Dialog Box Field Definitions 18-4
Adding, Deleting, and Managing Host Blocks 18-4
Configuring Network Blocks 18-5
Network Blocks Pane 18-6
Network Blocks Pane Field Definitions 18-6
Add Network Block Dialog Box Field Definitions 18-6
Adding, Deleting, and Managing Network Blocks 18-6
Configuring Rate Limits 18-7
Rate Limits Pane 18-7
Rate Limits Pane Field Definitions 18-8
Add Rate Limit Dialog Box Field Definitions 18-8
Adding, Deleting, and Managing Rate Limiting 18-9
Configuring IP Logging 18-10
Understanding IP Logging 18-10
IP Logging Pane 18-11
IP Logging Pane Field Definitions 18-11
Add and Edit IP Logging Dialog Boxes Field Definitions 18-11
Configuring IP Logging 18-12
CHAPTER 19 Configuring External Product Interfaces 19-1
Understanding External Product Interfaces 19-1
Understanding CSA MC 19-1
External Product Interface Issues 19-3
Configuring the CSA MC to Support IPS Interfaces 19-3
Configuring External Product Interfaces 19-4
External Product Interfaces Pane 19-4
External Product Interfaces Pane Field Definitions 19-5
Add and Edit External Product Interface Dialog Boxes Field Definitions 19-6
Add and Edit Posture ACL Dialog Boxes Field Definitions 19-7
Adding, Editing, and Deleting External Product Interfaces and Posture ACLs 19-7
Troubleshooting External Product Interfaces 19-10
CHAPTER 20 Managing the Sensor 20-1
Configuring Passwords 20-1
Passwords Pane 20-1
Passwords Pane Field Definitions 20-2
Configuring Password Requirements 20-2
Configuring Packet Logging 20-3
Recovering the Password 20-4
Understanding Password Recovery 20-4
Recovering the Appliance Password 20-5
Using the GRUB Menu 20-5
Using ROMMON 20-6
Recovering the ASA 5500 AIP SSM Password 20-7
Recovering the ASA 5500-X IPS SSP Password 20-9
Recovering the ASA 5585-X IPS SSP Password 20-11
Disabling Password Recovery 20-13
Troubleshooting Password Recovery 20-14
Verifying the State of Password Recovery 20-14
Configuring Licensing 20-14
Licensing Pane 20-15
Understanding Licensing 20-15
Service Programs for IPS Products 20-16
Licensing Pane Field Definitions 20-16
Obtaining and Installing the License Key 20-17
Obtaining a New License Key for the IPS 4270-20 20-18
Licensing the ASA 5500-X IPS SSP 20-18
Uninstalling the License Key 20-19
Configuring Sensor Health 20-20
Configuring IP Logging Variables 20-21
Configuring Automatic Update 20-22
Auto/Cisco.com Update Pane 20-22
Supported FTP and HTTP Servers 20-23
UNIX-Style Directory Listings 20-23
Signature Updates and Installation Time 20-23
Auto/Cisco.com Update Pane Field Definitions 20-24
Configuring Auto Update 20-25
Manually Updating the Sensor 20-26
Update Sensor Pane 20-26
Update Sensor Pane Field Definitions 20-27
Updating the Sensor 20-27
Restoring Defaults 20-29
Rebooting the Sensor 20-29
Shutting Down the Sensor 20-30
CHAPTER 21 Monitoring the Sensor 21-1
Monitoring Events 21-1
Events Pane 21-1
Events Pane Field Definitions 21-2
Event Viewer Pane Field Definitions 21-3
Configuring Event Display 21-3
Clearing Event Store 21-4
Displaying Inspection Load Statistics 21-4
Displaying Interface Statistics 21-5
Monitoring Anomaly Detection KBs 21-7
Anomaly Detection Pane 21-7
Understanding KBs 21-8
Anomaly Detection Pane Field Definitions 21-8
Showing Thresholds 21-9
Threshold for KB_Name Window 21-9
Thresholds for KB_Name Window Field Definitions 21-10
Monitoring the KB Thresholds 21-10
Comparing KBs 21-11
Compare Knowledge Base Dialog Box 21-11
Differences between knowledge bases KB_Name and KB_Name Window 21-11
Difference Thresholds between knowledge bases KB_Name and KB_Name Window 21-11
Comparing KBs 21-12
Saving the Current KB 21-12
Save Knowledge Base Dialog Box 21-13
Loading a KB 21-13
Saving a KB 21-13
Deleting a KB 21-14
Renaming a KB 21-14
Downloading a KB 21-15
Uploading a KB 21-15
Configuring OS Identifications 21-16
Configuring Learned Operating Systems 21-16
Configuring Imported Operating Systems 21-17
Clearing Flow States 21-18
Clear Flow States Pane 21-18
Clear Flow States Pane Field Definitions 21-19