© 2005 Cisco Systems, Inc. All rights reserved. IPS v5.011-1 Lesson 11 Maintaining the Sensor.

Transcript:

Lesson 11 Maintaining the Sensor

Upgrading and Recovering the Sensor Image

Sensor Image Types
There are three types of sensor images:
– Application image
– System image
– Recovery image

Upgrading the Sensor
– You can use the upgrade command to apply image upgrades, service packs, and signature updates to your sensor.
– The upgrade command upgrades the sensor's application and recovery images.
– You can use the upgrade command to upgrade from software version 4.x to version 5.0.
– To upgrade from 4.x to 5.0, the sensor must already be running IDS 4.1(1) or higher.
– Using the upgrade command to apply the IPS 5.0 major upgrade file retains your configuration, including signature settings.
– The IPS 5.0 major upgrade file is the same for all sensor appliances and contains the major upgrade identifier maj.
Example: IPS-K9-maj S149.rpm.pkg

upgrade Command
sensor(config)#upgrade source-url
Upgrades the sensor image via an FTP or SCP server.
sensor(config)#upgrade 1-S149.rpm.pkg
Upgrades the application and recovery image to IPS software version 5.0(1).

Full System Reimage
– A full system reimage is a means of upgrading or recovering both the application image and the recovery image.
– The method of performing a full system reimage varies among sensor platforms.
– To perform a full system reimage, you must use the system image file specific to your sensor platform.
– You lose all your configuration settings when you perform a full system reimage.

Full System Reimage: 4210, 4235, and 4250
You can perform a full system reimage of the following sensors by using the CIDS 5.0(1) Recovery CD:
– 4210
– 4235
– 4250
Complete the following steps to perform a full system reimage:
1. Connect to the sensor with a keyboard and monitor or a serial connection.
2. Place the CD in the sensor.
3. Boot the sensor from the CD.
4. Follow the instructions to reimage the sensor.

Full System Reimage: 4215, 4240, and 4255
You can use ROMMON, a boot utility on the sensor, to transfer system images onto the following sensors:
– 4215
– 4240
– 4255
IPS 5.0 system image files contain the sys identifier.
Example: IPS-4240-K9-sys-1.1-a img

Using ROMMON for Full System Reimage
Complete the following steps to perform a full system reimage over the network:
1. Place the system image file for your sensor platform on a TFTP server.
2. Verify that you can access the TFTP server from the network connected to your sensor Ethernet port.
3. Reboot the sensor.
4. Escape the boot sequence.
5. Change the interface port number if necessary.
6. Specify the IP address of the sensor.
7. Specify the IP address of the TFTP server.
8. Specify the IP address of the sensor default gateway.
9. Specify the path and filename on the TFTP server.
10. Begin the TFTP download.

Recovering the Sensor Appliance Image
You can use either of the following methods to recover your sensor appliance's application image, both of which retain your network settings:
– Use the recover command.
– Select the recovery image from the boot menu during bootup.

recover Command
sensor(config)# recover application-partition
Performs an application reimage on the sensor.

sensor(config)# recover application-partition
Warning: Executing this command will stop all applications and re-image the node to version 5.0(1)S149. All configuration changes except for network settings will be reset to default.
Continue with recovery?:yes
Request Succeeded
sensor(config)#

Booting the Recovery Image
You can use the boot menu to perform an application reimage on the following sensors:
Cisco IPS Recovery

The Recovery Image File
– You can upgrade the recovery image on your sensor with the most recent version so that it is ready if you need to recover the application image.
– Recovery images are only generated for major and minor software releases, not for service packs or signature updates.
– The recovery image file can be recognized by the r identifier in its name.
Example: IPS-K9-r-1.1-a pkg
– You can use the IPS 5.0 recovery image file to upgrade the recovery image of all sensor platforms, including the NM-CIDS.
– The recovery image can be applied to the sensor by using the upgrade command.

Service Pack and Signature Updates

Software Updates Overview
– IPS software updates provide the latest signature and intrusion prevention improvements.
– New IPS signatures are released as signature updates.
– IPS improvements are released as service packs.
– The most recent update can be uninstalled to return the IPS software to the previous version.

Software Update Guidelines
The following are guidelines for installing IPS software updates:
– Obtain a license for downloading signature updates.
– Obtain a Cisco.com password for accessing the Software Center.
– Check Cisco.com regularly for the latest service packs and signature updates.
– Read the release notes to verify that the sensor meets the requirements.
– Download updates to an FTP, SCP, HTTP, or HTTPS server for application to your sensor.

Sensor Licensing
[IDM screen: Configuration, Licensing; labels shown: Cisco Connection Online, License File, Update License]

Service Pack Files
Filename format: IPS-K9-type-w.x-y.pkg
– type: update type
– w: major version level
– x: minor version level
– y: service pack level
– .pkg: extension
Example: IPS-K9-sp pkg

Signature Update Files
Filename format: IPS-sig-Sx-minreq-w.x-y.pkg
– sig: update type
– Sx: signature update version
– minreq: minimum requirement designator
– w: major version level
– x: minor version level
– y: service pack level
– .pkg: extension
Example: IPS-sig-S150-minreq pkg
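
A pre-flight check for the service pack and signature update naming schemes above, added here as an example and not taken from the Cisco course material: it parses a filename strictly, then tests it against the sensor's running version before the file is staged for the upgrade command. The function names, the apply policy and the sample filenames are assumptions constructed for this illustration.

```python
import re
from typing import NamedTuple, Optional, Tuple

# The two naming schemes described on the slides:
#   IPS-K9-<type>-<w>.<x>-<y>.pkg        w=major, x=minor, y=service pack level
#   IPS-sig-S<n>-minreq-<w>.<x>-<y>.pkg  n=signature update version
_K9 = re.compile(r"IPS-K9-([a-z]+)-(\d+)\.(\d+)-(\d+)\.pkg")
_SIG = re.compile(r"IPS-sig-S(\d+)-minreq-(\d+)\.(\d+)-(\d+)\.pkg")


class Update(NamedTuple):
    kind: str                      # "sig", or the type field such as "sp"
    version: Tuple[int, int, int]  # (major, minor, service pack level)
    sig_level: Optional[int]       # signature update version, sig files only


def parse_update(filename: str) -> Optional[Update]:
    """Return the parsed fields, or None if the name fits neither scheme.

    fullmatch() rejects path components, double extensions and trailing junk.
    """
    m = _SIG.fullmatch(filename)
    if m:
        n, w, x, y = map(int, m.groups())
        return Update("sig", (w, x, y), n)
    m = _K9.fullmatch(filename)
    if m:
        w, x, y = map(int, m.groups()[1:])
        return Update(m.group(1), (w, x, y), None)
    return None


def may_apply(update: Update, sensor_version: Tuple[int, int, int],
              sensor_sig: int) -> bool:
    """Pre-flight policy (an assumption of this example, not Cisco's logic)."""
    if update.kind == "sig":
        # Sensor must be at or above the minimum requirement, and the
        # signature level must move forward.
        return sensor_version >= update.version and update.sig_level > sensor_sig
    if update.kind == "sp":
        # Same major.minor release, higher service pack level.
        return (update.version[:2] == sensor_version[:2]
                and update.version[2] > sensor_version[2])
    return False  # other update types are left for manual review


# Constructed filenames that follow the schemes; not real release names.
SAMPLES = ["IPS-sig-S200-minreq-5.1-2.pkg", "IPS-K9-sp-5.1-3.pkg",
           "../IPS-sig-S200-minreq-5.1-2.pkg", "IPS-K9-sp-5.1-3.pkg.exe"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(name, "->", parse_update(name))
```

A name that parses only confirms the file is the expected kind and level; it says nothing about the file's integrity, which still has to be checked against the vendor's published checksum.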

Applying Updates to the Sensor
[IDM screen: Configuration, Update Sensor; options shown: "Update is located on a remote server" (URL, Username, Password) and "Update is located on this client" (Local File Path, Browse Local)]

Configuring Automatic Updates
[IDM screen: Configuration, Auto Update; labels shown: Enable Auto Update, Remote Server Settings, Schedule, Hourly, Daily, Apply]

Resetting, Powering Down, and Restoring the Default Configuration

Restoring the Default Configuration
[IDM screen: Configuration, Restore Defaults]

Rebooting
[IDM screen: Configuration, Reboot Sensor]

Shutting Down
[IDM screen: Configuration, Shut Down Sensor]

Summary

Summary
– You can use the CLI upgrade command to apply the IPS 5.0 major upgrade file and retain your configuration.
– You can upgrade or recover the sensor image by applying a platform-specific system image.
– You can use transfer to transfer a system image over the network and install it on your sensor.
– You can use the recovery image to recover the sensor's application image in case it becomes corrupted.
– You must have a license to download signature updates.

Summary (Cont.)
– You can manually apply service pack and signature updates or have them applied automatically.
– You must download an update to an FTP or SCP server for it to be automatically applied.
– You can use the IDM to restore the default configuration to your sensor.
– You can use the IDM to reboot or shut down your sensor.

Lab Exercise

Lab Visual Objective
[Lab topology diagram: Web/FTP server, RBB, and pods P and Q, each with a sensor (sensorP, sensorQ), a Student PC (10.0.P.12, 10.0.Q.12) and RTS]