© 2005 Cisco Systems, Inc. All rights reserved. IPS v Lesson 5 Configuring the Sensor

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Configuring Allowed Hosts

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Configuring Allowed Hosts Sensor Setup Allowed Hosts Add Configuration

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Configuring Allowed Hosts (Cont.) IP Address Network Mask

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Configuring Allowed Hosts (Cont.) Delete ResetApply Edit

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Setting the Time

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Time Considerations The sensor must have a reliable time source so that events display correct time stamps. Otherwise, you cannot correctly analyze the logs after an attack. For sensor appliances, you can set the time in the following ways: –Manually –By using NTP (recommended)

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Configuring Time Settings Apply Standard Time Zone Sensor Setup Summertime NTP Server Apply Time to Sensor Configuration Reset Time

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Configuring the Time Settings (Cont.) Summertime Duration End Time Start Time Offset Summer Zone Name

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Configuring User Accounts

© 2005 Cisco Systems, Inc. All rights reserved. IPS v User Accounts Users access a sensor by logging in to a user account. Multiple user accounts can be created on a sensor. Each user account is associated with a role that determines the users privileges. The following roles can be assigned to an account: –Administrator –Operator –Viewer –Service

© 2005 Cisco Systems, Inc. All rights reserved. IPS v The Service Account This is a special account that enables root access. Sensor allows only one service account. It is not created by default. It should be created for troubleshooting. !Caution! Do not make modifications to the Sensor through the service account except under the direction of TAC.

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Creating User Accounts Sensor Setup Configuration Users Add Username User Role Password Confirm Password

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Creating User Accounts (Cont.) Edit Apply Reset Delete Status Role

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Configuring the Interfaces

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Sensor Interface Overview There is only one command and control interface per sensor. You can configure up to eight monitoring interfaces, depending on the type of sensor. All monitoring interfaces use the same configuration. Multiple monitoring interfaces enable the following: –Simultaneous protection of multiple network subnets –Inline sensing mode

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Sensor Interface Overview (Cont.) 4215 sensor Packets Copies of Packets Command and Control Interface Monitoring Interface

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Sensor Interface Overview (Cont.) 4215 Sensor Packets Command and Control Interface Monitoring Interface

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Enabling the Interfaces Configuration Interface Configuration InterfacesEnable Select All Apply Reset Disable Edit

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Editing the Interfaces Select Interface Description Enabled Duplex Speed Use Alternate TCP Reset Interface

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Creating Interface Pairs Interface Configuration Interface Pairs Configuration Add

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Creating Interface Pairs (Cont.) Interface Pair Name Select two interfaces Description

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Creating Interface Pairs (Cont.) Select All Apply Reset Edit Delete

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Assigning Interfaces to the Virtual Sensor Edit Virtual Sensor Analysis Engine Configuration

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Assigning Interfaces to the Virtual Sensor (Cont.) Assigned Interfaces (or Pairs) Add Remove Available Interfaces (or Pairs)

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Configuring Traffic Flow Notification Configuration Interface Configuration Traffic Flow Notifications Interface Idle Threshold Notification Interval Missed Packets Threshold Reset Apply

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Configuring Software Bypass

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Software Bypass The software bypass feature ensures that packets continue to flow through the sensor even if the sensor hangs or an application crashes. Here are some major characteristics of software bypass: It applies only to inline paired interfaces. It causes traffic inspection to cease without impacting network traffic. It can be used for the following purposes: –Troubleshooting –To ensure that traffic continues to flow during sensor upgrades –As a failover mechanism It can be configured to automatically start and stop.

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Configuring Software Bypass Modes You. Configuration Interface Configuration Bypass Bypass Mode ApplyReset

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Summary

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Summary You can use the IDM to edit the settings configured via the setup commands interactive prompts. You can use the IDM to define the time, time zone, and daylight saving time for the sensor. You can use the IDM to create and remove users from the sensor. Users access a sensor by logging in to user accounts that you create on the sensor. User accounts have roles that determine the users privileges on the sensor. Use the service account only under the direction of TAC for troubleshooting.

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Summary (Cont.) All sensors have only one command and control interface. Several sensor models can have multiple monitoring interfaces. All monitoring interfaces use the same configuration. For the sensor to monitor your networks you must enable the monitoring interfaces and assign them to the default virtual sensor. For a sensor to operate in inline mode, you must configure two monitoring interfaces as a pair. You can configure the sensor to monitor the flow of packets across an interface and send a notification if the flow changes. The software bypass feature ensures that packets continue to flow through the sensor even if the Analysis Engine ceases to function.

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Lab Exercise

© 2005 Cisco Systems, Inc. All rights reserved. IPS v Q.0 Lab Visual Objective Q Web FTP RBB Q P.0.4 sensorQ Student PC 10.0.Q.12 RTS sensorP Student PC 10.0.P.12 RTS P.0 rPrQ prQ prP 10.0.P.0