Sensor Installation

Once you decide on the proper placement and deployment strategy, you can then begin to install and configure the sensors. Before you can use Cisco Secure Policy Manager (CSPM) to configure your sensors, though, you must first connect to the sensors and establish basic network connectivity. Once the sensors have a basic configuration, CSPM can be used to configure and manage all sensors in your CIDS infrastructure. This section discusses the management access methods (used to connect initially to the sensor), prepping the sensors for network access (bootstrapping), and configuring the sensors for communication with CSPM.

Once the sensor is properly configured, it can be added as a sensor node in CSPM. After adding the sensor to the NTT tree, you can use CSPM to configure and manage your network sensor appliance.

Connecting to Your Network Sensor Appliance

Once the sensor is installed and powered on, you must gain management access to the sensor. This section describes the methods you can use to connect to your sensor, as well as the default user account you’ll use for initial configuration. Three access methods can be used to initially connect to and manage your network sensors. The three access methods include the following:

  • Console access using a RS-232 cable

  • Telnet to the default initial IP addresses

  • Directly with a keyboard and a monitor

    Note

    When an IDS 4200 is first plugged into a power source, it powers on momentarily, and then powers off. The Network Interface Controller link lights remain lit as long as a valid link exists. You must press the power switch to boot the system into operation.

When a connection is made, you must then log into the sensor using the preconfigured user account.

Console Access

You can connect to the sensors via their console port. You can use the dual serial communication cable (PN 72-1847-01), included with the sensor, to attach a computer to the console port of the sensor. Once the cable is connected, you can then launch a terminal emulation application, such as Hyperterminal. Table 25-1 lists the terminal settings that must be used for console access.

Table 25-1: Terminal Settings

    Terminal Parameters    Terminal Settings
    Bits Per Second        9,600
    Data Bits              8
    Parity                 None
    Stop Bits              1
    Flow Control           Hardware or RTS/CTS

Note

Cisco recommends using the dual serial communication cable (PN 72-1847-01, included in the accessory kit) rather than a keyboard and monitor because some keyboards and monitors are incompatible with the sensors.

Accessing the Sensor via Telnet

The network sensor appliances come preconfigured with a default IP address of 10.1.9.201. You can use this address to telnet directly to the network sensor, as long as your computer or network has a route-to-host address of 10.1.9.201. If the sensor is installed at a remote location, you probably won’t be able to use this option until the default IP address is changed to an address that’s routable on your network.

Direct Access with a Keyboard and Monitor

All the 4200 series sensors have both a keyboard and a monitor port located on the back panel. Because the sensor is running the Solaris operating system (OS), you can simply add a keyboard and a monitor, and then begin working on the sensor. Of course, this requires that you also have physical access to the sensor. Some monitors and keyboards are incompatible with the sensors. Cisco provides a list of supported keyboards and monitors in its installation notes. The Cisco Intrusion Detection System Sensor Installation and Safety Note has a section devoted to supported monitors and keyboards.

User Accounts

Two user accounts are created on the sensors. These two user accounts are used to access the OS and the IDS software located on the sensors. The pre-configured default user accounts are root and netrangr. The root account is typically used for OS functions and tasks, while the netrangr user account is used to administer the CIDS software installed on the host. Table 25-2 shows the common commands used to manage the sensors and the corresponding user account, which must be used to issue the command successfully. Because the sensors run the Solaris OS, these commands are case-sensitive.

Table 25-2: Solaris and CIDS User Accounts and Commands

    Command                            Description                                                     Log in As
    idsstart                           Starts the sensor.                                              netrangr
    idsstop                            Stops the sensor.                                               netrangr
    idsconns                           Displays the state of the current communications connection.    netrangr
    idsvers                            Displays software version information.                          netrangr
    idsstatus                          Displays status of Cisco IDS daemons/services.                  netrangr
    ping                               Verifies IP connectivity.                                       netrangr
    snoop -d <sensing interface name>  Displays traffic seen by the monitoring interface.              root
    verifySensor                       Displays detailed information about the system.                 root
    shutdown -y -i 0                   Shuts down the sensor.                                          root
    traceroute                         Traces network traffic to a destination.                        root

The root Account

The root account is a Solaris OS user account. This account is used to log in to and perform system-level functions on the sensor. You must be logged in with this account to run the sysconfig-sensor script, which is discussed in more detail in the section “Sensor Bootstrap.” The root user must also be used to perform system-level functions on the Solaris OS. Common Solaris commands, such as snoop, can be used when logged in as root. The password used for the root account is attack. The first time you use this account, you’re prompted to change the password. Changing the default password for this account is highly recommended.

Note

The snoop command is a common Unix command that configures the OS to display all the network traffic received on a particular network interface. You can use the snoop command to verify the NIC is configured and is receiving network traffic.

The netrangr Account

The netrangr account is used for administering the IDS system on the sensor. The password for this account is attack. The first time you use this account, you’re prompted to change the password. Changing the default password for this account is highly recommended.

Sensor Bootstrap

When a new sensor is installed on the network, it lacks any specific configuration information. In its default state, the sensor has no way of communicating on the network or with any management platform. Before a sensor can be operational, it must first be bootstrapped. Bootstrapping a sensor consists of building a basic configuration, which allows the sensor to communicate with remote hosts.

If you’re using CSPM to configure and manage your CIDS, you’re required to reboot the sensor when PostOffice parameters are changed. For example, if you add a new CSPM platform and you want to manage an existing sensor with the new CSPM server, you rebootstrap the sensor. If you upgrade an existing CSPM with another, yet retain all the settings from the older CSPM platform, you won’t have to rebootstrap the sensor.

The IDS Device Manager isn’t affected by the PostOffice parameters configured on the sensor. The IDS Device Manager connects to and configures the sensor via an IP address and a web interface, so it isn’t affected by changes in the PostOffice protocol.

To bootstrap a sensor, you must log in to the sensor using the root user account. Stored on each sensor is a configuration script named sysconfig-sensor, which provides a menu-driven system that enables you to create a basic configuration on the sensor.

Before running the sysconfig-sensor script, you need to collect and record the relevant information needed to configure the sensor. Table 25-3 is a worksheet that lists the information you should collect and record before running the sysconfig-sensor script.

Table 25-3: Bootstrap Information

    Menu Item Number   Information needed for bootstrap
    1                  What is the IP address of the sensor?
    2                  What is the netmask to be used by the sensor?
    3                  What is the sensor's host name?
    4                  What is the IP address of the sensor's default gateway?
    5                  What are the IP addresses and/or network range addresses that will be permitted to access the sensor via Telnet, FTP, and TFTP? You must specify the IP addresses of hosts that will be allowed to configure and manage the sensor.
    6                  What are the values for the following PostOffice communications parameters?
                       Sensor Host ID—A unique numeric identifier for the sensor. The expected value is a whole number between 1 and 65,535.
                       Sensor Organization ID—A unique numeric identifier for a collection of sensors. The expected value is a whole number between 1 and 65,535.
                       Sensor Host Name—A logical name associated with the host ID (not the IP host name). Cisco recommends you use only lowercase letters.
                       Sensor Organization Name—A logical name associated with the Sensor Organization ID. Cisco recommends you use only lowercase letters.
                       CSPM IP Address—The IP address of your CSPM server.
                       CSPM Host ID—A unique numeric identifier for the CSPM host. This value must match the value specified when CSPM was installed.
                       CSPM Host Name—A logical name associated with the CSPM Host ID. This value must match the value specified when CSPM was installed.
    7                  What is the current date, time, and time zone for this sensor?
    8                  What should the passwords be for both the root and netrangr accounts?
    9                  For IPSec, you must supply the following values:
                       What is the security parameter index (SPI) for the default inbound configuration?
                       If you use custom keys, what are the values for the following inbound and outbound configurations?
                       Cipher key
                       Authentication key

Performing a Sensor Bootstrap in 12 Easy Steps

The following 12 steps are required to bootstrap a sensor:

  • Step 1 Log in to the sensor using the user name root and the password attack. You’ll be prompted to change the password if this is the first time you’ve used this account. If you don’t know how to log in to the sensor, see the previous section, “Connecting to Your Network Sensor.”

  • Step 2 At the command prompt, type sysconfig-sensor. When this command is issued, a menu will appear. The following is an example of the menu you’ll see on your screen.

    Cisco IDS Sensor Initial Configuration Utility
    
    Select Options 1 through 6 to initially configure the Sensor.
    
     1 - IP Address
     2 - IP Netmask
     3 - IP Host Name
     4 - Default Route
     5 - Access Control List
     6 - Communications Infrastructure
     7 - Date/Time and Time Zone
     8 - Passwords
     9 - Secure Communications
    10 - Display
    11 - IDS Device Manager
     x - Exit
    
    Selection:

  • Step 3 Type 1 to enter the IP Address screen:

    IP Address

    Enter the TCP/IP address the Sensor uses. The new value won’t be activated until you restart the Sensor. Write down the new address. You’ll need to update the information on the Access Control List menu (Option 5 on the main menu).

    WARNING: If you do not update the IP address on the Access Control List menu, you will not be able to log in once the Sensor has rebooted with the new address:
    Current address:10.1.9.201
    New address:

    This screen enables you to configure the new IP address. The existing default IP address is 10.1.9.201. The new IP address won’t be activated until the sensor is restarted.

    Note

    You must enter this IP address in the list of allowed hosts in the Access Control List screen (Option 5, discussed in a later step).

  • Step 4 Type 2 to enter the IP Netmask screen:

    IP Netmask
    Enter the TCP/IP netmask that the Sensor uses. The new value will not be activated until you restart the Sensor.
    
    Current address:
    Current netmask:255.255.255.0
    
    New netmask:

    The default netmask is 255.255.255.0. Enter the new netmask to be used by this sensor. The new netmask won’t be activated until you restart the sensor.

  • Step 5 Type 3 to access the IP Host Name screen:

    IP Host Name
    
    Enter a new host name for the Sensor. The new value will not be activated until you restart the Sensor.
    
    Current name: sensor
    New name: 

    Enter the new hostname to be used by this sensor, such as sensor1.

  • Step 6 Type 4 to enter the Default Route screen. This is the address of the router that services the local subnet. All nonlocal traffic will be sent to this address.

    Default Route
    
    Enter the default route for the TCP/IP traffic coming from the Sensor. The default route is the IP address of the primary router attached to the same LAN as the Sensor. The new value will not be activated until you restart the Sensor.
    
    Current default route:
    New default route:

    The current default address is 10.1.9.1. Enter the new default gateway address.

  • Step 7 Type 5 to enter the Access Control List screen. Listed here are the IP network and host addresses that should have telnet, TFTP, and FTP access to this sensor. The IP address of the CSPM and the local sensor must be listed here to allow communications between the two hosts.

    Access Control List
    
    You can modify the list of IP addresses and networks that are allowed to log into the Sensor. A TCP wrapper application enforces this list. If a host with an IP address that is not in this list attempts to log into the Sensor, the TCP connection will automatically be closed. 
    
    WARNING: If you have changed the IP address of the Sensor, list the host addresses from which you log in remotely.
    
    This list must contain only host IP addresses and not host names. The Sensor by default does not use ANY type of name service (for example, DNS, NIS, NIS+). List the network addresses with just the network portion of the address: 192.9.200.
    
    Current list:
    
      10.
    
    Enter an address to add to the list. If the address entered is already in the list, it will be deleted from it.
    
    IP address:

    As you can see, by default, any host with an IP address that starts with 10. is allowed to communicate with this sensor. To delete the 10. entry, simply type 10. again and it will be removed from the list. To enter an address range, simply type the network portion of the IP address and nothing more, and then press ENTER. For example, to allow all hosts in the 192.168.10.0 /24 network, type 192.168.10. and press ENTER.

    Note

    You should limit the number of hosts that have access to your sensors. The more hosts allowed to communicate with your sensor, the greater the potential for an intruder to use those systems to attack your IDS sensors. The IP address of the director platform must be entered.

  • Step 8 Type 6 to enter the Communications Infrastructure screen.

    Note

    The communication settings must be configured properly. If a host ID, organization ID, or any other ID is entered incorrectly, the sensor will be unable to communicate with the rest of the CIDS infrastructure.

    Communications Infrastructure
    
    To create the configuration files necessary to enable communication between the Sensor and the IDS Manager, enter the following values:
    
      * Sensor Host ID
      * Sensor Organization ID
      * Sensor Host Name
      * Sensor Organization Name
      * Sensor IP Address
    
      * IDS Manager Host ID
      * IDS Manager Organization ID
      * IDS Manager Host Name
      * IDS Manager Organization Name
      * IDS Manager IP Address
    
    Do you want to continue (y/n)?

    Type y to enter the PostOffice communications information. Table 25-2 lists these parameters with the acceptable values for each. You must specify this sensor’s host and organization information. The Host ID must be unique; the organization ID, however, must be the same as the one configured on the other CIDS sensors and infrastructure.

  • Step 9 Type 7 to enter the Date/Time and Time Zone screen.

    Date/Time and Time Zone
    
    1 - Synchronize Date/Time with Another Host
    2 - Set Date/Time
    3 - Change Time Zone
    x - Exit
    
    Selection:

    Choose the method you want to use to set the date, time, and time zone information.

  • Step 10 Type 8 to enter the Password screen.

    Select the account whose password you want to change.
    
    1 - netrangr
    2 - root
    x - Exit
    
    Selection:

    Change the passwords for both the netrangr and the root user accounts.

  • Step 11 Type 10 to view the Display screen.

    Display
    
    Display Mode: VGA/Terminal
    
    1 - Toggle Display Mode
    x - Exit
    
    Selection:

    Within the Display screen, you can toggle between VGA/Terminal mode and Terminal mode. In VGA/Terminal mode, you can connect to the sensor via a console cable or by using a monitor and a keyboard. In this mode, boot messages are only sent to the VGA port.

    Terminal mode limits the sensor’s display to a terminal connected to the console port, while disabling the VGA port. If you choose Terminal mode, the VGA port won’t provide any access to the system. In Terminal mode, boot messages are sent to the terminal, not to the VGA port.

  • Step 12 Type 11 to view the IDS Device Manager screen.

    IDS Device Manager
    
    Current Mode: Enabled
    
    1 - Disable
    x - Exit
    
    Selection:

    Because you’re using IDS Device Manager, this option should be enabled. By default, it is enabled.
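The following is an added example, not part of the original text or any Cisco software: it checks a Table 25-3 worksheet before the bootstrap is performed and models the Access Control List behaviour described in Step 7 (entering an address toggles it, a trailing dot matches a network prefix). The worksheet keys, function names and sample addresses are assumptions made for this example.

```python
# Added example (not Cisco's code): a pre-bootstrap check of the Table 25-3
# worksheet plus a model of the Option 5 Access Control List semantics.
# Key names and function names are assumptions made for this example.
import ipaddress

def acl_toggle(acl, entry):
    """Option 5: entering an address adds it; entering it again removes it."""
    return [e for e in acl if e != entry] if entry in acl else acl + [entry]

def acl_permits(acl, client_ip):
    """Host entries match exactly; an entry ending in '.' matches the network
    prefix on an octet boundary ('10.' matches 10.1.9.5 but not 100.1.9.5)."""
    for entry in acl:
        if entry.endswith("."):
            if client_ip.startswith(entry):
                return True
        elif client_ip == entry:
            return True
    return False

def check_worksheet(ws):
    """Return the problems found in a worksheet dict (empty list means OK)."""
    problems = []
    sensor = ipaddress.ip_interface(f"{ws['ip']}/{ws['netmask']}")
    if ipaddress.ip_address(ws["gateway"]) not in sensor.network:
        problems.append("default gateway is not on the sensor's subnet")
    for key in ("sensor_host_id", "org_id", "cspm_host_id"):
        if not 1 <= ws[key] <= 65535:
            problems.append(f"{key} must be a whole number from 1 to 65535")
    for key in ("sensor_host_name", "org_name", "cspm_host_name"):
        if ws[key] != ws[key].lower():
            problems.append(f"{key} contains uppercase letters")
    # Step 3/7 warning: the sensor's new address, the CSPM server and every
    # admin host must be permitted, or the console is the only way back in.
    hosts = [("sensor", ws["ip"]), ("cspm", ws["cspm_ip"])]
    hosts += [("admin", a) for a in ws["admin_hosts"]]
    for label, ip in hosts:
        if not acl_permits(ws["acl"], ip):
            problems.append(f"{label} host {ip} is not permitted by the ACL")
    if "10." in ws["acl"]:
        problems.append("factory entry '10.' still permits every 10.x.x.x host")
    return problems

# Constructed worksheet: sensor moved off the factory 10.1.9.201 address; the
# ACL has had '10.' toggled off and the sensor subnet and CSPM host added.
SAMPLE = {
    "ip": "192.168.10.201", "netmask": "255.255.255.0", "gateway": "192.168.10.1",
    "sensor_host_id": 2, "org_id": 100, "sensor_host_name": "sensor1",
    "org_name": "cisco", "cspm_ip": "192.168.20.5", "cspm_host_id": 1,
    "cspm_host_name": "cspm1", "admin_hosts": ["192.168.20.7"],
    "acl": acl_toggle(acl_toggle(acl_toggle(["10."], "10."), "192.168.10."),
                      "192.168.20.5"),
}
```

Running check_worksheet(SAMPLE) reports that the administrator's host 192.168.20.7 was never added to the list, which is exactly the lockout the Step 3 warning describes.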