Upgrading the Sensor

Cisco Systems periodically releases updates of sensor software and signature versions. It is highly recommended that you regularly install the updates of signature versions as well as sensor software in order to ensure the value of the IDS sensor in the overall security architecture. Without regular updates, the IDS sensor will become no more than a pretty decoration in the rack since it will not be able to sense current threats to your network.

Updating Sensor Software (IDS 3.1)

Upgrading the IDS sensor software version 3.0 or 3.1 can be done by downloading the service pack from the Cisco Web site and applying it to the IDS sensor. The following procedure can be used to update IDS sensor software versions 3.0 or 3.1.

  1. From the Cisco.com Web site (www.Cisco.com/cgi-bin/tablebuild.pl/ids3-app) download the self-extracting binary file.

  2. On the target sensor, copy the binary file to the /tmp directory.

  3. Log into the sensor as root.

  4. Change the directory to the /tmp directory.

  5. Change the binary file's attributes so it is an executable:

    sensor# chmod +x IDSk9-sp-3.1-4-S50.bin

  6. Type the following to execute the binary file with the -I option.

    sensor# ./IDSk9-sp-3.0-1-S4.bin -I

  7. When the installation is complete, review the file /usr/nr/sp-update/output.log for the status of this service pack.

Upgrading from 3.1 to 4.x

Upgrading the IDS sensor appliance from IDS software versions 3.0 or 3.1 to version 4.0 or later requires the installation of the 4.0 software from the install CD. Before upgrading from 3.1 to 4.0, the configuration information of the IDS sensor must be saved. The easiest way to do so is through the IDS Device Manager (IDM). Use the following procedure to save the configuration information of the IDS sensor before upgrading.

  1. From the IDM browser, select Administration | Diagnostics. The diagnostics panel will display.

  2. Click Run Diagnostics.

  3. Click View Results. The diagnostics results are displayed in a report.

To save the results of the diagnostics, select Menu | Save As in the browser.

With the configuration information saved, the sensor can be upgraded. The following procedure can be used to upgrade a sensor from IDS sensor software version 3.1 to version 4.0 or later.

  1. Power on the sensor.

  2. Insert the IDS 4.0(1) or 4.0(2) Upgrade/Recovery CD into the CD-ROM drive.

    On the IDS console, the following message will be displayed:

    IDS-4220/4230 customers:

    Sniffing and Command-and-Control interfaces have been swapped in
    CIDS 4.0. Reference the 4.0 software documentation before
    proceeding.

    IDS-4235/4250 customers:

    BIOS version "A04" or later is required to run CIDS 4.0 on your
    appliance. Reference the 4.0 software documentation before
    proceeding.

    - To recover the Cisco IDS 4.0 Application using a local
    keyboard/monitor, type: k . (WARNING: ALL DATA ON DISK 1
    WILL BE LOST)
    - To recover the Cisco IDS 4.0 Application using a serial
    connection, type: s, or just press ENTER.

If the upgrade is being done with the console redirected to a serial port, press S. Otherwise, press K if the upgrade is being done with a keyboard and monitor connected directly to the sensor. After selecting either S or K, the upgrade will continue without requiring user intervention.

Once the upgrade is complete, the sensor will eject the CD from the CD-ROM drive and reboot automatically. When the sensor has completed rebooting, log into the sensor using the Cisco account with the default password of Cisco and continue with the initial configuration of the device as discussed earlier in the book.


Note

When upgrading an IDS-4220-E or IDS-4230-FE appliance, the command and control interface cable must be swapped with the monitoring interface cable before the software upgrade. IDS software version 4.0 switches the interfaces by making the former command and control interface into the sniffing interface. If the cables are not switched on the IDS-4220-E or IDS-4230-FE, it will not be possible to connect to the appliance through the network.

The reason for the interface switch is that the PCI-based card that was used as the sniffing interface in the IDS-4220-E and the IDS-4230-FE does not support the monitoring of the 802.1q tagged VLAN trunk packets or the tracking of the 993 Dropped Packet Alarm. Also, the performance of the PCI-based card is lower compared to the onboard NIC. For more information, see: www.Cisco.com/en/US/products/sw/secursw/ps2113/products_installation_and_configuration_guide_chapter09186a008014a23a.html#533236

Updating Sensor Software (IDS 4.0)

The IDS sensor software version 4.0 and later uses a different method for updating the sensor. Since the 4.0 series software is based on Red Hat Linux, all sensor service packs are released as RPM packages. In addition, the 4.0 series software supports one of two methods for uploading service packs: ftp or Secure Copy Protocol (scp). To use scp, the host key of the system that the IDS will connect to in order to upload the service pack must be installed in the sensor's known_hosts table. The following procedure can be used to update a sensor to the latest service pack.

  1. Go to the Cisco Connection Online (CCO) Web site URL (www.Cisco.com/kobayashi/sw-center/Ciscosecure/ids/crypto/). The choice of software service packs depends on which model IDS sensor is being updated. Select the link for the appropriate sensor model. As of this writing, there are two links: one for the 4210/4235/4250 model sensors and one for the IDS 4215 sensor.

  2. Select the appropriate service pack (for the purposes of this example, the latest service pack is: IDS-K9-min-4.1-1-S47.rpm.pkg).

  3. Download the service pack.

The update can be completed using either the command line interface or the IDM.

Updating Sensor Software (IDS 4.0) from the Command Line

The IDS sensor software upgrade command can be accessed from the configuration mode of the command line interface. To upgrade the IDS sensor using a service pack, do the following:

  1. Log into the IDS sensor using the administrative account Cisco.

  2. Enter configuration mode.

  3. Use the upgrade command to upload and apply the service pack. The supported protocols for the upgrade command include ftp and scp. The location of the service pack is given in a URL format as follows: protocol://username@IP Address/directory/service pack name. For example, to upgrade an IDS 4.1 sensor to the S47 service pack on host 10.16.17.205 using scp and the account name Cisco, use the following URL: scp://Cisco@10.16.17.205/IDS-K9-min-4.1-1-S47.rpm.pkg.

    sensor# config t
    sensor(config)# upgrade scp://Cisco@10.16.17.205/upgrades/IDS-K9-min-4.1-1-S47.rpm.pkg

    Password:
    Warning: Executing this command will apply a minor version upgrade
    to the application partition. The system may be rebooted to
    complete the upgrade.
    Continue with upgrade? : yes
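
The URL format used by the upgrade command, as an added example that is not from the book or from Cisco: a POSIX shell function an administrator could run on a workstation to check a URL before entering it on the sensor. The function name check_upgrade_url and its return codes are hypothetical.

```sh
#!/bin/sh
# Added example (not from the book or Cisco): check an upgrade URL of the form
# protocol://username@host/directory/package before typing it on the sensor.
# check_upgrade_url and its return codes are hypothetical.

check_upgrade_url() {
    url=$1
    case $url in
        *://*) ;;
        *) echo "error: no protocol:// prefix"; return 2 ;;
    esac
    proto=${url%%://*}
    rest=${url#*://}
    case $proto in
        scp) note="scp: server host key must already be in the sensor's known_hosts table" ;;
        ftp) note="ftp: account password and package cross the network unencrypted" ;;
        *) echo "error: '$proto' is not ftp or scp"; return 2 ;;
    esac
    case $rest in
        *@*/*) ;;
        *) echo "error: expected username@host/path"; return 3 ;;
    esac
    user=${rest%%@*}
    hostpath=${rest#*@}
    host=${hostpath%%/*}
    path=${hostpath#*/}
    pkg=${path##*/}
    case $path in
        */*) dir=${path%/*} ;;
        *) dir=. ;;
    esac
    # The sensor prompts for the password; keep it out of the URL.
    case $user in
        ""|*/*) echo "error: missing username"; return 3 ;;
        *:*) echo "error: password embedded in URL"; return 4 ;;
    esac
    [ -n "$host" ] || { echo "error: missing host"; return 3; }
    # The text says 4.x service packs ship as RPM packages (.rpm.pkg).
    case $pkg in
        *.rpm.pkg) ;;
        *) echo "error: '$pkg' is not a .rpm.pkg service pack"; return 5 ;;
    esac
    echo "protocol=$proto user=$user host=$host directory=$dir package=$pkg"
    echo "note: $note"
}

# Constructed sample: the URL from the text's example session.
check_upgrade_url "scp://Cisco@10.16.17.205/upgrades/IDS-K9-min-4.1-1-S47.rpm.pkg"
```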

Updating Sensor Software (IDS 4.0) with IDM

The sensor software can be manually updated using IDM. Use the following procedure to update the sensor software through the IDM:

  1. Select Administration | Update in the IDM window.

  2. This displays the Update Settings panel in the IDM, as shown in Figure 5.23.

  3. Enter the URL of the update service pack.

  4. Enter the password of the account to access the host where the update service pack can be found.

  5. Click Apply to Sensor.

  6. The update will be downloaded to the sensor and applied.

    Figure 5.23: The IDM Update Settings Panel

In addition to manual updates, IDS 4.0 software supports autoupdating of sensor software and signature packs. The configuration of the autoupdate feature can be done either through the command line or with the IDM.

Updating Sensor Software (IDS 4.0) from the Command Line

To configure autoupdate of the sensor software using the command line interface, use the following procedure:

  1. Log into the IDS sensor using the administrative account Cisco and enter configuration mode:

    sensor# configure terminal

  2. Enter the Host service mode using the service host command.

    sensor(config)# service host
    sensor(config-Host)# optionalAutoUpgrade
    sensor(config-Host-opt)# autoUpgradeParams

  3. Enter the IP address of the update host using the ipAddress command and then select the protocol to use for copying the update packs to the sensor (either scp or ftp).

    sensor(config-Host-opt-aut)# ipAddress 10.16.17.205
    sensor(config-Host-opt-aut)# fileCopyProtocol scp

  4. Specify the account name to use to access the update host, as well as the account password necessary to access the update host.

    sensor(config-Host-opt-aut)# username netrangr
    sensor(config-Host-opt-aut)# password attack

  5. Specify the directory where the updates can be found. This directory must be relative to either the ftp home directory (if the FTP protocol is used) or the home directory of the account specified.

    sensor(config-Host-opt-aut)# directory updates
    sensor(config-Host-opt-aut)# schedule

  6. Select whether the updates will be either based on a calendar schedule or a frequency schedule. A calendar schedule specifies the time and day you will download the updates. The frequency update stipulates that the sensor will check for updates every X number of hours regardless of what day it is.

Updating Sensor Software (IDS 4.0) Using the IDM

The Cisco IDM provides a clean and easy way to update the sensor software. In order to start filling out the parameters, choose Configuration | Autoupdate. The screen shown in Figure 5.24 should appear.

Figure 5.24: The IDS Autoupdate Screen Shot

Note

The sensor cannot automatically download updates from Cisco's Web site. They need to be downloaded and moved to a local server.
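
Because the sensor pulls its updates from a directory on a local server, that directory deserves some care. The following is an added example, not from the book or from Cisco: a POSIX shell function for the update host that stages a downloaded service pack into the autoupdate directory. The function name stage_update, its return codes, and the permission policy are assumptions.

```sh
#!/bin/sh
# Added example (not from the book or Cisco): stage a downloaded service pack
# into the directory the sensor's autoupdate account reads from.
# Assumptions: run on the local update server; 4.x packs end in .rpm.pkg, as
# in the text's IDS-K9-min-4.1-1-S47.rpm.pkg. stage_update is hypothetical.

stage_update() {
    src=$1
    dest=$2
    name=${src##*/}

    [ -f "$src" ] || { echo "error: $src is not a regular file"; return 2; }
    [ -d "$dest" ] || { echo "error: $dest is not a directory"; return 2; }

    # Only RPM-based 4.x service packs belong in the update directory.
    case $name in
        *.rpm.pkg) ;;
        *) echo "error: $name is not a .rpm.pkg service pack"; return 3 ;;
    esac

    # The sensor fetches and applies packages from this directory, so refuse
    # a directory that group or other users can write to.
    if [ -n "$(find "$dest" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "error: $dest is group- or world-writable"
        return 4
    fi

    # Copy the package and make it read-only for everyone but the owner.
    cp "$src" "$dest/$name" && chmod 644 "$dest/$name" || return 5
    echo "staged $dest/$name"
}
```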

Upgrading Cisco IDS Software from Version 4.0 to 4.1

At the time of this writing, the latest major version of Cisco's IDS sensor software was 4.1. The only way to upgrade to this version of the IDS sensor software was with the Upgrade/Recovery CD for version 4.1, using the same procedure utilized in updating from version 3.0 or 3.1 to IDS sensor software version 4.0.


Note

The IDS-4210 sensor must be upgraded to 512MB of memory to meet the requirements of software version 4.1. This requires an additional 256MB of memory that can be purchased from Cisco. Customers with a current SmartNET contract can request the memory upgrade at no charge.


Note

The IDSM (WS-X6381) cannot be upgraded to Cisco IDS 4.1. The IDSM (WS-X6381) must be replaced with WS-SVC-IDSM2-K9, which supports version 4.x software.