Cisco IDS Software v4.0
IDS software v4.0 and later changed the way the administrator manages the IDS sensor. With this release, Cisco switched the underlying operating system from Solaris 8 to Red Hat Linux 8. Additionally, IDS 4.0 provides an "IOS-like" command line interface for configuring the IDS sensor appliance. Like IOS, the command line interface of the IDS 4.0 software is broken down into submenus that the administrator must use to configure the various features of the IDS sensor.
The default administrative account username/password combination for Cisco IDS software 4.0 and later is cisco/cisco. Cisco's developers recognized the weakness of this combination and require that the default password for the cisco account be changed upon first login. Once the default password has been changed, the user is logged in and the command line shell is started.
In order to have the proper time and date stamp placed on your log files, and for the various security certificates to work properly when they are time-based, we must configure the sensor with the correct time and then maintain that time. The following steps, shown in Figure 5.4, accomplish this:
sensor# clock set 20:32:00 September 27 2003
sensor# config t
sensor(config)# service host
// This is where we enter the time parameters mode
sensor(config-Host)# timeParams
// We must set the offset from UTC in minutes
sensor(config-Host-tim)# offset -480
// Now we specify the standard time zone
sensor(config-Host-tim)# standardTimeZone PST
// We enter the summer time parameter configuration mode
sensor(config-Host-tim)# summerTimeParams
// Now we specify that the summer time parameters recur each year
sensor(config-Host-tim-sum)# active-selection recurringParams
// Enter the summer time recurring parameter mode
sensor(config-Host-tim-sum)# recurringParams
// Now specify the summer time zone name
sensor(config-Host-tim-sum-rec)# summerTimeZoneName PST
sensor(config-Host-tim-sum-rec)# exit
sensor(config-Host-tim-sum)# exit
sensor(config-Host-tim)# exit
sensor(config-Host)# exit
Apply Changes:?[yes]: yes
Warning: The node must be rebooted for the changes to go into effect.
Continue with reboot? [yes]:
Figure 5.4: Configuring the Sensor's Time
The next step is to configure the Secure Shell server on the IDS sensor. Figure 5.5 shows how this is done. We use the ssh generate-key command from the top-level prompt. Once the key has been generated, the sensor must be rebooted. After the sensor reboots, it can be accessed directly through SSH.
Ciscoids-1 login: cisco
password:
last login: Thu Sept 25 15:58:25 on ttyS0
****NOTICE***
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer, and use.
Delivery of Cisco cryptographic products does not imply third-party
authority to import, export, distribute or use encryption. Importers,
exporters, distributors, and users are responsible for their compliance
with U.S. laws and regulations. If you are unable to comply with U.S. and
local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found
at: http://www.Cisco.com/ww1/export/crypto
Ciscoids-1# ssh generate-key
MD5: 05:2D:b1:E1:06:AE:40:C5:3D:DD:01:EE:34:92:CC:20
Bubble Babble: xires-rifs-vonuz-pubue-sapet-sauron-rings-lords-fatyn-gelin-
opera
Warning: The node must be rebooted for the changes to go into effect.
Continue with reboot? [yes]:
Figure 5.5: SSH Key Generation and Reboot
Once the sensor has finished rebooting, the next step is to configure the allowed hosts that can connect to the SSH server on the sensor. This is accomplished as follows:
Log in to the sensor using the cisco account.
Enter configuration mode using the configure terminal command at the CLI prompt.
Enter the host service sub-menu using the service host command.
Select the network parameters sub-menu using the networkParams command.
Using the accessList command, enter the IP address and netmask of the hosts or subnets that will be allowed access to the IDS sensor through the network interface. The format of this command is: accessList ipAddress <address> netmask <netmask>
Once all of the IP addresses or address ranges have been entered into the access list, use the show settings command to verify them. This is shown in Figure 5.6.
sensor(config)# service host
sensor(config-Host)# networkParams
sensor(config-Host-net)# accessList ipAddress 10.16.17.0 netmask 255.255.255.0
sensor(config-Host-net)# show settings
networkParams
———————————————————————-
ipAddress: 10.1.9.201
netmask: 255.255.255.0 default: 255.255.255.0
defaultGateway: 10.1.9.1
hostname: sensor
TelnetOption: disabled default: disabled
accessList (min: 0, max: 512, current: 2)
———————————————————————-
ipAddress: 10.0.0.0
netmask: 255.0.0.0 default: 255.255.255.255
———————————————————————-
ipAddress: 10.16.17.0
netmask: 255.255.255.0 default: 255.255.255.255
———————————————————————-
———————————————————————-
———————————————————————-
sensor(config-Host-net)#
Figure 5.6: Access-List Configuration on IDS Sensor
Exit the networkParams sub-menu and return to the host service menu. Upon exiting the host service sub-menu, the IDS will request confirmation that the changes be applied to the sensor. Press Enter to select the default response of Yes. Otherwise, type No and press Enter.
Exit the host service sub-menu and the configuration menu.
Once the access list has been configured, the IDS sensor can be accessed using Secure Shell over the network. Note that the access list in Figure 5.6 still contains a 10.0.0.0/255.0.0.0 entry: every host in that /8 may open a management session to the sensor. The list should be limited to the specific hosts or subnets that actually administer the sensor, and TelnetOption should remain disabled so that management traffic is never sent in cleartext.
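The accessList entries are evaluated as address/netmask pairs, so a single wide mask silently admits far more than the intended management stations. The following Python script, added here as an example and not part of the original text or of Cisco's software, parses the networkParams portion of the show settings output in Figure 5.6 (embedded below as constructed sample input), checks whether given management hosts are permitted, and flags entries wider than a /24 as well as an enabled TelnetOption. The management host addresses passed to it are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample input: the networkParams section of "show settings"
# as it appears in Figure 5.6 (the interface entry plus two accessList entries).
SHOW_SETTINGS = """\
networkParams
-----------------------------------------------------------------------
ipAddress: 10.1.9.201
netmask: 255.255.255.0 default: 255.255.255.0
defaultGateway: 10.1.9.1
hostname: sensor
TelnetOption: disabled default: disabled
accessList (min: 0, max: 512, current: 2)
-----------------------------------------------------------------------
ipAddress: 10.0.0.0
netmask: 255.0.0.0 default: 255.255.255.255
-----------------------------------------------------------------------
ipAddress: 10.16.17.0
netmask: 255.255.255.0 default: 255.255.255.255
-----------------------------------------------------------------------
"""

# One accessList entry: an ipAddress line followed by a netmask line.
ENTRY_RE = re.compile(r"ipAddress:\s*(\S+)\s+netmask:\s*(\S+)")


def parse_access_list(text):
    """Return the accessList entries as ip_network objects.

    Only text after the 'accessList' header is scanned, so the sensor's own
    interface address above it is not mistaken for an allowed host.
    """
    _, _, body = text.partition("accessList")
    return [ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            for ip, mask in ENTRY_RE.findall(body)]


def telnet_enabled(text):
    """True if the TelnetOption line reports 'enabled'."""
    m = re.search(r"TelnetOption:\s*(\w+)", text)
    return m is not None and m.group(1).lower() == "enabled"


def is_allowed(nets, host):
    """Would the sensor accept a management connection from this address?"""
    return any(ipaddress.ip_address(host) in n for n in nets)


def overly_broad(nets, max_prefix=24):
    """Entries that admit more than a /max_prefix, e.g. a whole /8."""
    return [n for n in nets if n.prefixlen < max_prefix]


def audit(text, mgmt_hosts, max_prefix=24):
    """Collect findings: cleartext Telnet enabled, access-list entries wider
    than intended, and management hosts that are not actually permitted."""
    nets = parse_access_list(text)
    findings = []
    if telnet_enabled(text):
        findings.append("TelnetOption is enabled; management traffic would be cleartext")
    for n in overly_broad(nets, max_prefix):
        findings.append(f"access-list entry {n} is wider than /{max_prefix}")
    for h in mgmt_hosts:
        if not is_allowed(nets, h):
            findings.append(f"management host {h} is not in the access list; "
                            "SSH from it will be refused")
    return findings


if __name__ == "__main__":
    # Assumed management stations for the example: one inside the /24 entry,
    # one that is not covered by any entry.
    for finding in audit(SHOW_SETTINGS, ["10.16.17.5", "192.168.1.10"]):
        print(finding)
```

Run against the Figure 5.6 output, the script reports the 10.0.0.0/8 entry as wider than a /24 and the uncovered management station; a host such as 10.200.1.1, which nobody intended to administer the sensor, is nevertheless reported as allowed because of the /8.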
The sensor needs to connect to hosts that act as SSH servers for software upgrades, signature updates, and file copying, as well as to other hosts such as Cisco routers, PIX Firewalls, and Catalyst switches. In order to facilitate that communication, the SSH host keys of the hosts that the sensor will communicate with must be added to the known_hosts list. The following steps can be used to add hosts to this list:
Log in to the sensor using the cisco account.
Enter configuration mode using the configure terminal command from the CLI prompt.
Use the ssh host-key command to enter the IP address of the host whose SSH host key will be added to the known_hosts list. This is shown in Figure 5.7.
Ciscoids-1(config)# ssh host-key 192.168.50.14
MD5: 05:2D:b1:E1:06:AE:40:C5:3D:DD:01:EE:34:92:CC:20
Bubble Babble: xires-rifs-vonuz-pubue-sapet-sauron-rings-lords-fatyn-gelin-opera
Would you like to add this to the known hosts table for this host?[yes]
Ciscoids-1(config)#
Figure 5.7: Adding the SSH Host Key to the Known Hosts List
When asked if the key of the host should be added to the known hosts table, press Enter to select the default response of Yes. Otherwise, type No and press Enter. Before accepting, compare the MD5 fingerprint displayed with one obtained from the remote host's administrator through a trusted channel; this first exchange is the only point at which a substituted host key can be detected, because later connections simply trust whatever is stored in the list.
To verify the SSH keys in the known hosts list on the sensor, use the service sshKnownHosts command at the top-level configure prompt.
Use the show settings command to list the hosts in the known hosts list, as shown in Figure 5.8.
sensor# config t
sensor(config)# service sshKnownHosts
sensor(config-SshKnownHosts)# show settings
rsa1Keys (min: 0, max: 500, current: 1)
-----------------------------------------------
id: 192.168.50.3
exponent: 35
length: 1024
modulus:
16508318659201744987257493934049916934023534822357915597860524173
8075615412030757209625612325747411882803771482511468683235829969888641604222
4132981902416287493190437220610204921172702794243732481684970354838327952077
2060730597444996382750101204023809139442273626501927211475878502549484330223
6884372899127817
-----------------------------------------------
-----------------------------------------------
sensor(config-SshKnownHosts)#
Figure 5.8: Displaying the SSH Known Hosts List
Exit the service sshKnownHosts sub-menu and return to the top-level configure menu.
Exit configure mode.
When we need to remove an entry, we use the no rsa1Keys command with the id of the host to be removed:
sensor(config-SshKnownHosts)# no rsa1Keys id 192.168.0.20
The host 192.168.0.20 is removed from the SSH known hosts list. To verify the removal, we can use the command:
sensor(config-SshKnownHosts)# show settings
rsa1Keys (min: 0, max: 500, current: 0)
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
sensor(config-SshKnownHosts)#
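The rsa1Keys entries shown by show settings expose the raw public key (exponent and modulus) of each trusted host, which means the stored keys can be audited offline against fingerprints collected out-of-band rather than trusted because they were once accepted at the prompt. The Python script below is an added example, not code from the original text or from Cisco. It parses the rsa1Keys output of Figure 5.8 (embedded as constructed sample input), recomputes the MD5 fingerprint of each key, and checks the advertised length and exponent. It assumes the sensor prints SSH-1 fingerprints in the OpenSSH format (MD5 over the big-endian bytes of the modulus followed by the bytes of the exponent, no length prefixes); the comparison fingerprint passed to check_key is an assumed value for the example, and the script is not meant to reproduce the sample fingerprints printed in Figures 5.5 and 5.7, which belong to other keys.

```python
import hashlib
import re

# Constructed sample input: the rsa1Keys section of "show settings" as shown
# in Figure 5.8 (exponent, bit length and decimal modulus of one stored host key).
KNOWN_HOSTS = """\
rsa1Keys (min: 0, max: 500, current: 1)
-----------------------------------------------
id: 192.168.50.3
exponent: 35
length: 1024
modulus:
16508318659201744987257493934049916934023534822357915597860524173
8075615412030757209625612325747411882803771482511468683235829969888641604222
4132981902416287493190437220610204921172702794243732481684970354838327952077
2060730597444996382750101204023809139442273626501927211475878502549484330223
6884372899127817
-----------------------------------------------
"""

# One entry: id, exponent, length, then a modulus that may span several lines
# and is terminated by the next separator line.
KEY_RE = re.compile(
    r"id:\s*(\S+)\s+exponent:\s*(\d+)\s+length:\s*(\d+)\s+modulus:\s*([\d\s]+?)\s*-{5,}"
)


def parse_rsa1_keys(text):
    """Parse every rsa1Keys entry into a dict with an integer modulus."""
    keys = []
    for host, e, length, mod in KEY_RE.findall(text):
        keys.append({
            "id": host,
            "exponent": int(e),
            "length": int(length),
            "modulus": int(re.sub(r"\s+", "", mod)),
        })
    return keys


def rsa1_fingerprint(modulus, exponent):
    """MD5 fingerprint of an SSH-1 RSA key in OpenSSH's format (assumed to be
    what the sensor displays): the digest of the big-endian modulus bytes
    followed by the exponent bytes, with no length prefixes (unlike SSH-2 blobs)."""
    n_bytes = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    e_bytes = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    digest = hashlib.md5(n_bytes + e_bytes).digest()
    return ":".join(f"{b:02x}" for b in digest)


def check_key(entry, expected_fingerprint=None):
    """Return (fingerprint, problems) for one stored host key.

    Verifies that the advertised length matches the modulus, that the public
    exponent is odd, and, when a fingerprint obtained out-of-band is given,
    that the stored key really is the one the remote administrator reported.
    """
    problems = []
    bits = entry["modulus"].bit_length()
    if bits != entry["length"]:
        problems.append(f"{entry['id']}: modulus is {bits} bits, entry claims {entry['length']}")
    if entry["exponent"] % 2 == 0:
        problems.append(f"{entry['id']}: even exponent is not a valid RSA public exponent")
    fp = rsa1_fingerprint(entry["modulus"], entry["exponent"])
    if expected_fingerprint is not None and fp != expected_fingerprint.lower():
        problems.append(f"{entry['id']}: fingerprint mismatch; stored key is not the one "
                        "the host's administrator reported")
    return fp, problems


if __name__ == "__main__":
    for entry in parse_rsa1_keys(KNOWN_HOSTS):
        fp, problems = check_key(entry)
        print(entry["id"], fp, problems or "ok")
```

The exponent 35 in the figure is the conventional SSH-1 public exponent, so the Figure 5.8 entry passes the structural checks; a substituted key would normally keep the same exponent and length and be caught only by the fingerprint comparison, which is why the out-of-band fingerprint is the check that matters.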