Upgrading a Sensor from 3.1 to 4.0

Upgrading a Sensor from 3.1 to 4.0

Upgrading your IDS sensor to version 4.0 from 3.1 is very similar to re-imaging the sensor using the Cisco IDS 4.0(1) Upgrade/Recovery CD. There are a few considerations before upgrading that need to be addressed. If your IDS sensor is model IDS-4235 or IDS-4250, you must upgrade the BIOS before you can install version 4.0 on either platform. The other consideration is that if your IDS sensors are models IDS-4220-E or IDS-4230-FE, you must swap the interface cables on the two ports. The PCI card that is normally used for sniffing on the IDS-4220-E and the IDS-4230-FE does not support monitoring of dot1q trunk packets or the tracking of alarm 993, Dropped Packet. The performance of the PCI card is also lower than the integrated NIC. If you do not swap the cables on the IDS-4220-E or IDS-4230-FE, there is a chance you will not be able to connect to your appliance over the network.

Prior to upgrading, make sure you record the configuration information before reinitializing the sensor using the run Diagnostics command.

Upgrading a Sensor BIOS

To upgrade the Bios on the IDS4235 or IDS4250, follow these steps:


 Note

You have to use a directly connected keyboard and monitor for this procedure. A console connection will not work.

  1. Copy the file Bios_A04.exe from the Cisco IDS 4.0(1) Upgrade/Recovery CD located off of the root in /BIOS to a temp folder on your Windows workstation. If you do not have the CD, you can download it from Cisco.com.

  2. Insert a 1.44MB floppy diskette into your workstation.

  3. Execute the BIOS update file. Double-click BIOS_A04.exe. This creates the BIOS update diskette.

  4. Take the new BIOS diskette and insert it into your IDS-4235 or IDS-4250.

  5. Boot the sensor from the BIOS diskette and follow the instructions displayed. Do not reboot or power off until this process has completed.

  6. With the upgrade finished, remove the diskette and reboot the sensor.

Initializing a Version 4.0 Sensor

Once you have met all the necessary requirements for older sensor models, you need to initialize the sensor. If the sensor is a newer model, no additional considerations need to be made.

To initialize a sensor with software version 4.0, follow these steps.

  1. Power up the appliance.

  2. Insert the Cisco IDS 4.0(1) Upgrade/Recovery CD.

  3. When the boot menu appears, type either a k to use a directly connected keyboard and monitor, or type s to use a serial connection while installing the image. It will take several minutes for the files to copy to the sensor.

  4. Log on to the sensor. The default username and password for version 4.0 are the same: cisco. You will be prompted to change the password on the first login.

  5. At the prompt, type setup to initialize the sensor. The System Configuration Dialog screen, shown next, is displayed. Press the Spacebar to continue.

    ---System Configuration Dialog---
     
    At any point you may enter a question mark '?' for help.
    Use ctrl-c to abort configuration dialog at any prompt.
    Default Settings are in square brackets '[]'.
     
    Current Configuration:
     
    networkParams
    ipAddress
    netmask
    defaultGateway
    hostname
    telnetOption
    accessList 10.0.0.0 255.0.0.0
    exit
    timeParams
    summerTimeParams
    active-selection
    exit
    exit
    service webServer
    general
    ports
    exit
    exit

  6. You are prompted whether to continue with the configuration dialog. Type yes or press Enter. Any default answers are in the square "[]" brackets.

  7. Type the host name of the sensor.

  8. Type the IP address.

  9. Type the IP netmask.

  10. Type the default gateway.

  11. Enter the Telnet server status. The server is disabled by default

  12. Enter the Web server port, which is 443 by default.

  13. Save the configuration by typing yes or no to reconfigure.

  14. Do not reboot at this point. Type no when asked to continue with the reboot.

  15. Enter configuration terminal mode. Type configure terminal.

  16. Enter host configuration mode. Type service host.

  17. Enter network parameters configuration mode. Type networkParams.

  18. To show the current settings, type show settings. The expected output should be similar to the following:

    networkParams
    -----------------------------------------------
    ipAddress: 10.0.0.8
    netmask: 255.255.255.0 default: 255.255.255.0
    defaultGateway: 10.0.0.10
    hostname: sensor1
    telnetOption: disabled default: disabled
    accessList (min: 0, max: 512, current: 1)
    -----------------------------------------------
    ipAddress: 10.0.0.0
    netmask: 255.0.0.0 default: 255.255.255.255

  19. Remove the 10. network from having complete access. The command syntax is as follows:

    no accessList ipAddress 10.0.0.0 netmask 255.0.0.0

  20. Enter the IP addresses of hosts or networks that will have access to the sensor. If you can afford to do it, only specify individual host addresses that will have access. Do not give entire networks access unless absolutely necessary.

    The syntax for a single host is as follows:

    accessList ipAddress 10.0.0.4

    The syntax for an entire network is as follows:

    accessList ipAddress 10.0.0.0 netmask 255.255.255.0

    Repeat the command as necessary depending on the number hosts or networks being added.

  21. Exit the parameters configuration mode. Type exit.

  22. Set the System clock settings. Type timeParams. When done, exit back to configure terminal mode.

  23. Type yes to apply settings. Type no to keep the system from rebooting, then exit configure terminal mode. Type exit.

  24. Set the clock. Type clock set hh:mm month day year.

  25. At this point, you need to generate the X.509 by typing tls generate key. Record the results. You will need to verify the authenticity of the certificate when you connect via a Web browser.

  26. Reboot the sensor. Type reset, then yes.

  27. Once you have rebooted, you will need to upgrade to the latest signature updates and set the interfaces.

Start Sidebar
Configuring & Implementing: Switching Interfaces for Multicast Traffic

Multicast Media Access Control (MAC) traffic is becoming more prominent on enterprise networks. More employees have a need for, or want to have access to, television feeds, stock tickers, broadcast news, and radio. In order to monitor this type of traffic on the 4220-E or 4230-FE sensors, the sniffing ports need to be changed. Follow these five simple steps:

  1. Log in to the sensor as root.

  2. Change directories to the /usr/nr/etc/ directory.

  3. Open the packetd.conf file for editing.

  4. Change the NameOfPacketDevice token to /dev/iprb0.

  5. Save and exit.

  6. Type mv /etc/hostname.iprb0 /etc/hostname.spwr0 to reconfigure the spwr interface for command and control.

  7. Swap the network cables between the two interfaces, iprb0 and spwr0.

  8. Reboot the sensor for changes to take place.