
Lesson 5

Configuring the Sensor

© 2005 Cisco Systems, Inc. All rights reserved. IPS v5.0—5-1


Configuring Allowed Hosts



Configuring Allowed Hosts

[Screenshot callouts: Configuration, Sensor Setup, Allowed Hosts, Add]


Configuring Allowed Hosts (Cont.)

[Screenshot callouts: IP Address, Network Mask]


Configuring Allowed Hosts (Cont.)

[Screenshot callouts: Edit, Delete, Apply, Reset]


Setting the Time



Time Considerations

• The sensor must have a reliable time source so that events display correct time stamps. Otherwise, you cannot correctly analyze the logs after an attack.
• For sensor appliances, you can set the time in the following ways:
– Manually
– By using NTP (recommended)


Configuring Time Settings

[Screenshot callouts: Configuration, Sensor Setup, Time, Standard Time Zone, Summertime, NTP Server, Apply, Reset, Apply Time to Sensor]


Configuring the Time Settings (Cont.)

[Screenshot callouts: Summer Zone Name, Offset, Start Time, End Time, Summertime Duration]


Configuring User Accounts


User Accounts

• Users access a sensor by logging in to a user account.
• Multiple user accounts can be created on a sensor.
• Each user account is associated with a role that determines the user’s privileges.
• The following roles can be assigned to an account:
– Administrator
– Operator
– Viewer
– Service


The Service Account

• This is a special account that enables root access.
• The sensor allows only one service account.
• It is not created by default.
• It should be created for troubleshooting.

Caution: Do not make modifications to the sensor through the service account except under the direction of TAC.

Creating User Accounts

[Screenshot callouts: Configuration, Sensor Setup, Users, Add, Username, User Role, Password, Confirm Password]


Creating User Accounts (Cont.)

[Screenshot callouts: Role, Status, Edit, Delete, Apply, Reset]


Configuring the Interfaces



Sensor Interface Overview

• There is only one command and control interface per sensor.
• You can configure up to eight monitoring interfaces, depending on the type of sensor.
• All monitoring interfaces use the same configuration.
• Multiple monitoring interfaces enable the following:
– Simultaneous protection of multiple network subnets
– Inline sensing mode


Sensor Interface Overview (Cont.)

[Diagram labels: Packets, Monitoring Interface (two), Copies of Packets, 4215 sensor, Command and Control Interface]


Sensor Interface Overview (Cont.)

[Diagram labels: Monitoring Interface (two), 4215 Sensor, Command and Control Interface, Packets]


Enabling the Interfaces

[Screenshot callouts: Configuration, Interface Configuration, Interfaces, Select All, Edit, Enable, Disable, Apply, Reset]


Editing the Interfaces

[Screenshot callouts: Description, Enabled, Duplex, Speed, Select Interface, Use Alternate TCP Reset Interface]


Creating Interface Pairs

[Screenshot callouts: Configuration, Interface Configuration, Interface Pairs, Add]


Creating Interface Pairs (Cont.)

[Screenshot callouts: Interface Pair Name, Select two interfaces, Description]


Creating Interface Pairs (Cont.)

[Screenshot callouts: Select All, Edit, Delete, Apply, Reset]


Assigning Interfaces to the Virtual Sensor

[Screenshot callouts: Configuration, Analysis Engine, Virtual Sensor, Edit]


Assigning Interfaces to the Virtual Sensor (Cont.)

[Screenshot callouts: Assigned Interfaces (or Pairs), Available Interfaces (or Pairs), Add, Remove]


Configuring Traffic Flow Notification

[Screenshot callouts: Configuration, Interface Configuration, Traffic Flow Notifications, Missed Packets Threshold, Notification Interval, Interface Idle Threshold, Apply, Reset]


Configuring Software Bypass


Software Bypass

The software bypass feature ensures that packets continue to flow through the sensor even if the sensor hangs or an application crashes. Here are some major characteristics of software bypass:
• It applies only to inline paired interfaces.
• It causes traffic inspection to cease without impacting network traffic.
• It can be used for the following purposes:
– Troubleshooting
– To ensure that traffic continues to flow during sensor upgrades
– As a failover mechanism
• It can be configured to automatically start and stop.

Configuring Software Bypass Modes

[Screenshot callouts: Configuration, Interface Configuration, Bypass]
• You.

[Screenshot callouts: Bypass Mode, Apply, Reset]


Summary



Summary

• You can use the IDM to edit the settings configured via the setup command’s interactive prompts.
• You can use the IDM to define the time, time zone, and daylight saving time for the sensor.
• You can use the IDM to create and remove users from the sensor.
• Users access a sensor by logging in to user accounts that you create on the sensor.
• User accounts have roles that determine the user’s privileges on the sensor.
• Use the service account only under the direction of TAC for troubleshooting.

Summary (Cont.)

• All sensors have only one command and control interface.
• Several sensor models can have multiple monitoring interfaces.
• All monitoring interfaces use the same configuration.
• For the sensor to monitor your networks, you must enable the monitoring interfaces and assign them to the default virtual sensor.
• For a sensor to operate in inline mode, you must configure two monitoring interfaces as a pair.
• You can configure the sensor to monitor the flow of packets across an interface and send a notification if the flow changes.
• The software bypass feature ensures that packets continue to flow through the sensor even if the Analysis Engine ceases to function.

Lab Exercise



Lab Visual Objective

[Lab topology diagram. Devices: Web/FTP, RBB, prP, prQ, sensorP, sensorQ, rP, rQ, RTS, Student PC (10.0.P.12 and 10.0.Q.12). Networks: 172.26.26.0, 172.30.P.0, 172.30.Q.0, 172.16.P.0, 172.16.Q.0, 10.0.P.0, 10.0.Q.0.]
