Configuring the Cisco IDSM Sensor

Before we attempt to configure the IDSM v1 sensor, we need to verify that we have the correct hardware and software for the IDSM to function. The following are required:

  • Catalyst OS 6.1(1) or later

  • PFC for the VACL feature

  • Supervisor 1A or 2

  • MSFC or MSFC2 (optional)


To configure the IDSM-1, you treat the IDSM sensor much like any other blade in the switch. You can reach the blade through a Telnet session to the switch or through the module's own management port. Once the IDSM is configured, it can be reached directly by Telnet instead of telnetting to the switch and then using the session command; keep in mind that Telnet is cleartext, so restrict that access to the management VLAN. To begin, we first Telnet to the switch and use the show module command to see where the IDSM sensor sits in the chassis and to verify that the module is powered up and enabled. In Figure 6.2, the module has just been powered up and is coming online.

Start Figure
switch>(enable) 2003 Jul 13 03:30:25 PDT -07:00 %SYS-3-SUP_OSBOOTSTATUS:Starting IDSM Diagnostics
switch>(enable) 2003 Jul 13 03:31:05 PDT -07:00 %SYS-3-SUP_OSBOOTSTATUS:IDSM diagnostics completed successfully.
2003 Jul 13 03:31:14 PDT -07:00 %SYS-5-MOD_OK:Module 4 is online
2003 Jul 13 03:31:14 PDT -07:00 %SYS-3-MOD_PORTINTFINSYNC:Port Interface in sync for Module 4
2003 Jul 13 03:31:14 PDT -07:00 %PAGP-5-PORTFROMSTP:Port 4/1 left bridge port 4/1
2003 Jul 13 03:31:15 PDT -07:00 %DTP-5-TRUNKPORTON:Port 4/1 has become dot1q trunk
2003 Jul 13 03:31:15 PDT -07:00 %PAGP-5-PORTTOSTP:Port 4/2 joined bridge port 4/2
2003 Jul 13 03:31:15 PDT -07:00 %PAGP-5-PORTTOSTP:Port 4/1 joined bridge port 4/1
End Figure

Figure 6.2: The IDSM Sensor Initializing and Coming Online from Bootup

If the module had still needed to be powered up, you would first use show module to find the module number and then use the set module power up command (set module power up 4 for our module) to turn the module on. In Figure 6.3, we see the output of show module.

Start Figure
switch>(enable) show module
Mod Slot Ports Module-Type               Model               Sub Status
--- ---- ----- ------------------------- ------------------- --- ------
1   1    2     1000BaseX Supervisor      WS-X6K-SUP2-2GE     yes ok
15  1    1     Multilayer Switch Feature WS-F6K-MSFC2        no  ok
2   2    48    10/100BaseTX Ethernet     WS-X6348-RJ-45      no  ok
3   3    16    1000BaseX Ethernet        WS-X6516-GBIC       no  ok
4   4    2     Intrusion Detection Syste WS-X6381-IDS        no  ok
::: output truncated for brevity :::
End Figure

Figure 6.3: The show module Command Results

Note

If the status of the module reads "other," then the IDSM sensor is not online yet.

In this example, module 4 is our IDSM sensor and its status is listed as "ok": it has power and is enabled. Now we can connect to the module with the set-based (CatOS) session command:

switch>(enable) session 4

The session command starts a process that behaves like a Telnet session and gives us access to the IDSM sensor module. We then have to log into the IDSM sensor, which requires a user ID and password. Since this is a new configuration, the default user ID of ciscoids and the default password of attack are used. Change both as soon as the initial login succeeds: these defaults are published, and the command and control port is reachable from the management VLAN.

The Cisco IDSM sensor has three command modes to work with. The following list shows us the three modes and what we can do in each mode:

  • Exec This mode lets the administrator run commands such as reboot, setup, show, and shutdown on the IDSM sensor.

  • Configuration This mode lets the administrator change the password, assign Telnet access, upgrade IDSM signatures, and add or remove service packs.

  • Diagnostic This mode is where the administrator upgrades the sensor, uses network commands such as ping, checks communication with the nrconn command, and views various reports.

To start configuring the IDSM sensor, we will use the command setup. This will walk us through all the parameters that the IDSM sensor needs in order to have its initial configuration completed. In Figure 6.4, we see the various parameters we will be prompted to configure for the IDSM sensor.

Figure 6.4: Using the IDSM setup Command for Initial Configuration

This is the same setup dialog we read about and used in earlier chapters of this book for the traditional Cisco IDS sensor appliances. We configure an IP address, subnet mask, and default gateway for the sensor; then a host name, a host ID, the PostOffice protocol port, and the organization name and ID. We then need to configure the Director information, because the IDSM-1 sensor cannot be managed from its own command line; it requires the Director.


Note

IDSM software version 4 introduces a CLI for managing the IDSM sensor. That software cannot run on the original IDSM version 1 hardware, so for the current Cisco certification exam there is no way to manage the IDSM sensor from the command line.

In Table 6.1, we see the list of parameters and the value each needs in order to be configured.

Table 6.1: Listing of Cisco IDSM Sensor Setup Parameters

Cisco IDSM Setup Parameter       Value                          Description of Parameter
-------------------------------  -----------------------------  ------------------------------------
IDSM Virtual Terminal UserID     default is ciscoids            IDSM session user ID
IDSM Virtual Terminal Password   default is attack              IDSM session password
Sensor IP Address                IP address                     IP address of the sensor
Sensor Subnet Mask               Subnet mask                    Subnet mask of the sensor
Sensor Default Gateway           Default gateway                Default gateway for the sensor
Sensor Host Name                                                Name of the sensor
Sensor Host ID                   <1–65535>                      Numeric ID of the sensor
Sensor Host PostOffice Port      <1–65535>, default is 45000    PostOffice protocol port to use
Sensor Organization Name                                        ID of a group of Cisco IDS devices
Director IP Address                                             IP address of the Director device
Director Host Name                                              Name of the Director device
Director Host PostOffice Port    <1–65535>, default is 45000    PostOffice protocol port to use
Director Heart Beat Interval     <1–65535>, default is 5        System heartbeat to monitor routes
Director Organization Name                                      Name of the Director organization (case sensitive)
Director Organization ID         <1–65535>                      ID of the Director organization


Note

For the Director and sensor name, you can have up to 255 characters. They are case-sensitive and spaces are invalid. The "_" and "-" are acceptable to use.

Once all the information is entered, it must be saved to the IDSM sensor. In Figure 6.5, we see the final screen before the information is applied and saved, along with the warning that a reboot is required. The new PostOffice settings do not take effect until that reboot, so plan for the sensor to be offline briefly.

Figure 6.5: Final Configuration of IDSM Sensor before Application and Save

Note

The 4.0 IDSM sensor code for the version 2 module does not use the PostOffice protocol. Instead, it uses the Remote Data Exchange Protocol (RDEP).


Once the initial configuration of the IDSM is completed, there are some concepts we need to understand when working with the IDSM. One of these is the VLAN access control list (VACL), an ACL applied to a VLAN. To configure a VACL, we take the following steps:

  1. Create a VACL that captures the interesting traffic.

  2. Commit the VACL to memory.

  3. Map the VACL to the VLANs.

  4. Assign the sensor monitoring port as a VACL capture port.

VACLs are one of two methods for capturing traffic for analysis on the switch. The second is to use SPAN to mirror VLANs to the monitoring port. The VACL offers a much more granular capture than SPAN. A critical point to remember is that VACLs have the same implicit deny at the end that other ACLs have: all traffic that does not match an entry in the VACL will be dropped, not merely left uncaptured. A capture VACL therefore needs a final permit entry for the traffic you want forwarded but not copied to the sensor.

To get the IDSM doing something useful, such as examining traffic, we need to perform a series of tasks. The first is to initialize the IDSM, which includes configuring the PostOffice parameters with the setup command. We just completed that task, so we move on to the second step: assigning the command and control port to the VLAN that allows communication with the Director. This is done with the set vlan command on the switch. It is helpful to have two Telnet sessions open: one to configure the IDSM module and one to configure the switch itself. We then configure the 6500 switch to capture traffic for the IDS using SPAN sessions, VACLs, or MLS IP capture, depending on the configuration of the switch.

The set vlan command is used as follows to assign the command and control port to a VLAN:

set vlan <vlan_num> <mod_num>/<src_port>

The vlan_num parameter is the number of the VLAN we want to place the port into. The mod_num parameter is the slot number of the module that holds the port, and src_port is the actual port to be placed in the VLAN. For our module, the command looks like this:

switch>(enable) set vlan 1 4/2

This places port 4/2 (module 4, port 2), the command and control port, into VLAN 1. This assumes the Director is on VLAN 1. If the Director is on a different VLAN, routing must be enabled between VLAN 1 and the VLAN the Director is on.
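The switch-side sequence described above, pulled together as an added worked example that is not from the original page: the command and control port goes into the Director's VLAN, then a capture VACL is built with the four steps listed earlier, then the SPAN alternative is shown. The IDSM ports 4/1 (monitoring) and 4/2 (command and control) are the ones from Figures 6.2 and 6.3; the management VLAN 1, the monitored server VLAN 10 with subnet 10.1.10.0/24, and the ACL name IDSACL are assumptions. The lines beginning with # are annotations, not CatOS input. The example goes one step beyond the text by adding the show commands a practitioner would use to verify each step.

```text
# Switch-side configuration for the IDSM-1 in slot 4 (CatOS).
# Assumed: VLAN 1 is the management VLAN holding the Director,
# VLAN 10 is the monitored server VLAN (10.1.10.0/24), and the
# capture ACL is named IDSACL. Ports 4/1 (monitoring) and 4/2
# (command and control) are the IDSM ports shown in Figure 6.3.

# Command and control port into the Director's VLAN, then verify.
switch>(enable) set vlan 1 4/2
switch>(enable) show port 4/2

# Step 1: build the capture VACL. Entries carrying the capture keyword
# are forwarded normally AND copied to the capture port. The final
# "permit ip any any" without capture is required: a VACL ends with an
# implicit deny, so without it every other packet on VLAN 10 would be
# dropped, not just left uncaptured.
switch>(enable) set security acl ip IDSACL permit ip any 10.1.10.0 0.0.0.255 capture
switch>(enable) set security acl ip IDSACL permit ip 10.1.10.0 0.0.0.255 any capture
switch>(enable) set security acl ip IDSACL permit ip any any

# Step 2: commit the ACL from the edit buffer to NVRAM.
switch>(enable) commit security acl IDSACL

# Step 3: map the ACL to the VLAN whose traffic we want to inspect.
switch>(enable) set security acl map IDSACL 10

# Step 4: make the IDSM monitoring port the VACL capture port. Port 4/1
# came up as a dot1q trunk in Figure 6.2, so it can receive frames from
# any VLAN mapped to a capture ACL.
switch>(enable) set security acl capture-ports 4/1

# Verify what was committed and where it is applied.
switch>(enable) show security acl info IDSACL
switch>(enable) show security acl map IDSACL
switch>(enable) show security acl capture-ports

# Alternative to steps 1-4: mirror the whole VLAN with SPAN instead.
# Coarser than a VACL (every frame on VLAN 10 in both directions), but
# no ACL is involved, so no implicit deny applies.
switch>(enable) set span 10 4/1 both
switch>(enable) show span
```

Use either the VACL or the SPAN session for a given VLAN, not both, or the sensor will see duplicate frames. If show security acl info shows the ACL but show security acl map does not list VLAN 10, the commit step was skipped; the map and capture-ports settings only act on committed ACLs.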