© 2005 Cisco Systems, Inc. All rights reserved. IPS v5.0 Lesson 14: Installing and Maintaining the IDSM-2


Introduction

IDSM-2
- Performance: 500 Mbps
- Size: 1 RU/slot
- Processor: Dual 1.13 GHz
- Operating system: Linux

IDSM-2 Key Features
- Brings switching and security into a single chassis
- Supports inline and promiscuous-mode operations
- Provides an effective platform across all Catalyst 6500 chassis
- Uses the same code as the Cisco IPS network appliances

IDSM-2 Differences Between Promiscuous and Inline Mode
The following IDSM-2 features vary, depending on your selection of inline or promiscuous mode:
- How the IDSM-2 obtains the traffic it inspects
- Number of VLANs supported
- Potential effects on the network
- Supported Catalyst switches
- Supported software
- Supported signature actions

Ports, Traffic, and Time

IDSM-2 Ports
- The IDSM-2 has the following logical ports:
  - Port 1: TCP resets (for promiscuous mode only)
  - Port 2: Command and control
  - Ports 7 and 8: Sensing
- Ports 7 and 8 can be configured as a port pair to support inline IPS.

IDSM-2 Traffic Flow: Promiscuous
[Figure labels: Source Traffic; Destination Traffic; Cisco Catalyst 6500; Switch Backplane; Copied VACL or SPAN Traffic or RSPAN Traffic to IDSM-2 Monitor Ports; IDSM-2 Alarms and Configuration Through IDSM-2 Command and Control Port; Management Console]

IDSM-2 Traffic Flow: Inline
[Figure labels: Source Traffic; Destination Traffic; Cisco Catalyst 6500; VLAN traffic flows through IDSM-2; IDSM-2 alarms and configuration through IDSM-2 command and control port; Management Console]

Time and the IDSM-2
You can use one of the following two methods to ensure accurate time on the IDSM-2:
- Allow the IDSM-2 to automatically synchronize its clock with the switch's time.
- Configure the IDSM-2 to get its time from an NTP time synchronization source.

Installation and Configuration Tasks

Installation and Configuration Tasks
- Task 1: Install the IDSM-2 in the switch.
- Task 2: Initialize the IDSM-2.
- Task 3: Configure the switch for command and control access to the IDSM-2.
- Task 4: Configure the interfaces.

Task 1: Installing the IDSM-2 in the Switch
- Step 1: Read the Regulatory Compliance and Safety Information for the Intrusion Detection System Appliances and Modules and take the necessary safety precautions.
- Step 2: Choose a slot for the module.
- Step 3: Loosen the installation screws that secure the filler plate to the desired slot.
- Step 4: Remove the filler plate.
- Step 5: Hold the module with one hand and place your other hand under the module carrier to support it.
- Step 6: Align the notch on the sides of the module carrier with the groove in the slot.
- Step 7: Insert the IDSM-2 into the slot until the notches on both ejector levers engage the chassis sides.
- Step 8: Fully seat the module in the backplane connector.
- Step 9: Tighten the installation screws.

Task 2: Initializing the IDSM-2
- Step 1: Access the IDSM-2 using the switch session command.
- Step 2: Log in at the IDSM-2 login prompt with the username cisco and the default password cisco.
- Step 3: Execute the setup command to enter the configuration dialog.
- Step 4: Enter the network communication parameters.
- Step 5: Reset the IDSM-2.

Task 3: Configuring the Switch for Command and Control Access to the IDSM-2
- Step 1: Log in to the switch.
- Step 2: Enter privileged mode.
- Step 3: Assign the command and control port to the correct VLAN.

Task 4: Configuring the Interfaces
- Step 1: Log in to the switch.
- Step 2: Enter privileged mode.
- Step 3: Set the native VLAN for the IDSM-2 sensing ports, 7 and 8.
- Step 4: Clear all VLANs from each IDSM-2 sensing port except the native VLAN on each port.
- Step 5: Enable BPDU spanning tree filtering on the IDSM-2 sensing ports.
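
Added example (not part of the Cisco slides): a Python helper that builds the switch commands for Task 4, Steps 3 through 5, including the "every VLAN except the native one" range that Step 4 requires. The Catalyst OS command syntax (set vlan, clear trunk, set spantree bpdu-filter), the 1-4094 VLAN range, slot 9, and VLANs 651 and 652 are assumptions chosen for illustration.

```python
# Added example: CatOS command syntax and the 1-4094 VLAN range are assumptions,
# not taken from the slides. Slot and VLAN numbers used below are constructed.
VLAN_MIN, VLAN_MAX = 1, 4094
SENSING_PORTS = (7, 8)  # IDSM-2 sensing ports, per the lesson


def _span(lo, hi):
    """Format an inclusive VLAN range, collapsing single-VLAN ranges."""
    return str(lo) if lo == hi else f"{lo}-{hi}"


def vlans_to_clear(native):
    """Return the VLAN list covering every VLAN except the native one."""
    if not VLAN_MIN <= native <= VLAN_MAX:
        raise ValueError(f"native VLAN {native} outside {VLAN_MIN}-{VLAN_MAX}")
    parts = []
    if native > VLAN_MIN:                 # nothing below VLAN 1 to clear
        parts.append(_span(VLAN_MIN, native - 1))
    if native < VLAN_MAX:                 # nothing above VLAN 4094 to clear
        parts.append(_span(native + 1, VLAN_MAX))
    return ",".join(parts)


def task4_commands(slot, native_vlans):
    """Build the Task 4 command list for the IDSM-2 in `slot`.

    native_vlans maps each sensing port number (7 and 8) to its native VLAN.
    """
    if set(native_vlans) != set(SENSING_PORTS):
        raise ValueError("a native VLAN is required for ports 7 and 8")
    cmds = []
    for port in SENSING_PORTS:            # Step 3: set the native VLAN
        cmds.append(f"set vlan {native_vlans[port]} {slot}/{port}")
    for port in SENSING_PORTS:            # Step 4: clear all other VLANs
        cleared = vlans_to_clear(native_vlans[port])
        cmds.append(f"clear trunk {slot}/{port} {cleared}")
    # Step 5: BPDU spanning tree filtering on both sensing ports
    cmds.append(f"set spantree bpdu-filter {slot}/7-8 enable")
    return cmds


if __name__ == "__main__":
    for line in task4_commands(9, {7: 651, 8: 652}):
        print(line)
```

Review the generated lines against the switch's own command reference before entering them in privileged mode.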

Configuring the IDSM-2 for Inline Operation
- Step 1: Configure ports 7 and 8 as a port pair.
- Step 2: Assign the port pair to the default virtual sensor.

Verify IDSM-2 Status

IDSM-2 Status LED
IDSM-2 status LED colors and their descriptions:
- Green: IDSM-2 is operational.
- Amber: IDSM-2 is disabled, running a boot and self-diagnostic sequence, or shut down.
- Red: Diagnostics other than an individual port test failed.
- Off: IDSM-2 power is off.

show module Command

switch> show module [mod]
- Displays module status and information

cat6k>show module
Mod Slot Ports Module-Type Model Sub Status
BaseX Supervisor WS-X6K-SUP2-2GE yes ok
Multilayer Switch Feature WS-F6K-MSFC2 no ok
BaseX Ethernet WS-X6408-GBIC no ok
/100BaseTX Ethernet WS-X6548-RJ-45 no ok
Intrusion Detection Syste WS-SVC-IDSM-2 yes ok
Switch Fabric Module 2 WS-X6500-SFM2 no ok
Intrusion Detection Syste WS-SVC-IDSM-2 yes ok
Intrusion Detection Syste WS-SVC-IDSM-2 yes ok

- Displays the status of all modules in the switch.
- Three IDSM-2s are installed, one in slot 4, one in slot 6, and one in slot 7.
- The ok state indicates that the IDSM-2s are online.
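
Added example (not part of the Cisco slides): a Python check that reads show module output and reports which IDSM-2 modules are online, using the lesson's rule that the ok state means the module is online. The sample output is constructed; its Mod, Slot, and Ports values and the faulty row are made up for illustration.

```python
import re

# Constructed sample in the column layout of the slide's `show module` output.
# Mod/Slot/Ports values and the "faulty" row are made up for illustration.
SAMPLE = """\
Mod Slot Ports Module-Type               Model               Sub Status
--- ---- ----- ------------------------- ------------------- --- --------
1   1    2     1000BaseX Supervisor      WS-X6K-SUP2-2GE     yes ok
3   3    48    10/100BaseTX Ethernet     WS-X6548-RJ-45      no  ok
4   4    8     Intrusion Detection Syste WS-SVC-IDSM-2       yes ok
6   6    8     Intrusion Detection Syste WS-SVC-IDSM-2       yes faulty
7   7    8     Intrusion Detection Syste WS-SVC-IDSM-2       yes ok
"""

IDSM2_MODEL = "WS-SVC-IDSM-2"  # model string shown on the slide

# Mod, Slot, Ports, Module-Type (free text), Model, Sub, Status
ROW = re.compile(
    r"^(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s+(WS-\S+)\s+(yes|no)\s+(\S+)$"
)


def parse_modules(text):
    """Return one dict per module row; header and ruler lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        mod, slot, ports, mtype, model, sub, status = m.groups()
        rows.append({"mod": int(mod), "slot": int(slot), "ports": int(ports),
                     "type": mtype, "model": model, "sub": sub == "yes",
                     "status": status})
    return rows


def idsm2_health(text):
    """Return (online_slots, problems); problems maps slot -> reported status."""
    online, problems = [], {}
    for row in parse_modules(text):
        if row["model"] != IDSM2_MODEL:
            continue
        if row["status"] == "ok":       # "ok" means the IDSM-2 is online
            online.append(row["slot"])
        else:
            problems[row["slot"]] = row["status"]
    return online, problems


if __name__ == "__main__":
    print(idsm2_health(SAMPLE))
```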

Upgrade and Recovery

Upgrading the IDSM-2
- You can use the upgrade command to apply image upgrades, service packs, and signature updates to your IDSM-2.
- You can use the upgrade command to upgrade from software version 4.x to 5.0.
- To upgrade from 4.x to 5.0, the IDSM-2 must already be running IDS 4.1(1) or higher.
- Using the upgrade command to apply the IPS 5.0 major upgrade file retains your configuration, including signature settings.
- The IPS 5.0 major upgrade file contains the major upgrade identifier maj. Example: IPS-K9-maj S149.rpm.pkg

Recovering the Application Image
[Figure labels: Application Partition; Maintenance Partition; WS-SVC-IDSM2-K9-sys-1.1-a bin.gz]

Reimaging the Maintenance Partition
[Figure labels: Application Partition; Maintenance Partition]

Summary

Summary
- The IDSM-2 is a line card for the Cisco Catalyst 6500 Series switches.
- The IDSM-2 runs the same code as the Cisco IPS sensor appliances.
- The IDSM-2 supports both inline and promiscuous-mode operations.
- Sensor initialization tasks specific to the IDSM-2 include the following:
  - Assigning the command and control port to the proper VLAN
  - (For promiscuous-mode operations only) Configuring the switch to capture traffic for intrusion detection analysis

Summary (Cont.)
- The IDSM-2 must obtain its time setting from one of the following:
  - The host switch
  - An NTP server
- If the IDSM-2 obtains its time setting from the host switch, it is important to set the time zone and summertime settings on both the switch and the IDSM-2 to ensure that the GMT time settings are correct.

Summary (Cont.)
- You can use the CLI upgrade command to apply the IPS 5.0 major upgrade file to the IDSM-2 and retain your configuration.
- The IDSM-2 has an application partition and a maintenance partition.
- You can recover the application partition image by booting to the maintenance partition and using the upgrade command to install the IDSM-2 system image.
- When you install the system image, you lose all your configuration settings.