Exercise - Cisco Intrusion Detection System (IDS) Appliance Initial Configuration


Lab 1 Exercise—Cisco Intrusion Detection System (IDS) Appliance Initial Configuration

Objectives

In this lab exercise you will complete the following tasks:

• Check the version of the software loaded on the IDS appliance.
• Assign IP network settings to the IDS appliance.
• Define the lists of hosts that are allowed to access the IDS appliance.
• Define the time zone information and set the clock of the IDS appliance.
• Check the configuration of the IDS appliance.

Required Resources

These are the resources and equipment required to complete this exercise:

• Internet access
• A PC or workstation with Internet Explorer, version 5.0 or greater
• Username and password to gain access to a remote equipment pod

Note  The username will be of the form PXX-nnnnn, where XX is the number of the equipment pod you will be using, and nnnnn is the Event Number for your lab session. The password will be a short nonsense word. For example, the login information for a pod 9 session could be something like: P09-341959 and a password of imjgk.

Passwords

Use the following passwords for this lab:

• Lab Gear password: Your instructor will provide it.
• IDS appliance username/password: The default account name and password are cisco.
• PC client: The username is Administrator and the password is cisco.
• VNC password: When you connect to the PC, use a password of cisco at the VNC screen.

Copyright © 2003, Cisco Systems, Inc. IDS 4.0 Roadshow Lab 1

Visual Objective

Figure-1 displays the lab topology you will use to complete this lab exercise:

Figure-1: Lab Network Topology

Accessing the Remote Lab Equipment

On your local PC or workstation, start up Internet Explorer and enter the following URL to access the LabGear pods: http://www.labgear.net. You will reach a login screen like that shown in Figure-2:

Figure-2: LabGear login Page

Enter the User Name and password that should have been provided to you by your instructor and click the Log in button.

After a Successful Login

After you have entered the correct user name and password, you will be presented with a display like that shown below in Figure-3:

Figure-3: LabGear screen after a successful login

Connecting to Devices in the Pod

Some devices have Console or Desktop labels associated with them. The presence of this type of label means that you can access the device. Console devices (like the IDS appliance, for example) do not have a graphic display, but Desktop devices (like the Windows 2000 PC) do. In Figure-4, the Console label for the IDS appliance is circled in yellow and the Desktop label used to connect to a PC Client is circled in violet.

Figure-4: Desktops and Consoles

Connecting to Console (Non-Graphic) Devices

Figure-5: Example Console Window

Clicking on Console for a particular device will bring up a console window from which you can control a device just as if you were sitting right in front of it. You may have to press Enter a few times before the prompt appears. Figure-5 shows a typical device console window. The title bar says P01 – IDS. This indicates that we’re on pod 1 and connected to the console of the IDS appliance in that pod. Along the bottom of the console window are buttons that allow you to:

• Connect to a device
• Disconnect from a device
• Open scratch pads
• Save console buffer contents to scratch pads
• Send a “break” to the device

Connecting to Desktop (Graphic) Devices

The procedure for connecting to the Desktop devices has an extra step: you must first authenticate at the VNC (Virtual Network Console) screen. Figure-6 shows the VNC login screen:

Figure-6: VNC Login Screen

Enter the password cisco and click OK or hit Enter. If you have entered the correct password you will be given access to the desktop for that particular device.
Figure-7 shows an example desktop for a Windows 2000 client:

Figure-7: Example Windows 2000 Desktop Screen

If You Get Stuck!

Rarely, a device’s console will not respond to your keystrokes (usually this happens if you have left the console idle for an extended period of time). You can clear the console line to regain access to a device by performing the following procedure.

Along the top of your pod display screen is a menu bar with a number of buttons as shown below in Figure-8. To clear a console line or power on/off a device, first click on the Device Management button (circled in yellow).

Figure-8: Accessing the Device Management window

Clicking on the Device Management button will bring up a Device Control window shown below in Figure-9:

Figure-9: Device Control window

From the Device Control window you can control device power, clear console lines, and check general device status. Click on a device’s name (such as IDS circled in pink above) and then the right side of the window will tell you the various functions you can perform on that device. For the IDS appliance in this example, you can apply or remove power and also clear the console line (to free up a hung console session) by clicking on the Clear Console Line button.

Task 1—Access the IDS Appliance in the Remote Lab Environment

Access the remote lab environment via a web browser and an Internet connection. You will log in to the lab pod environment and access the IDS appliance console.

Step 1  Access your lab pod using the Internet Explorer web browser. If you need help, review the Accessing the Remote Lab Equipment section of this lab guide (Figure-2).

Step 2  Access the IDS appliance console by clicking on the green oval labeled Console (near center of the figure below). If you need help, review the After a Successful Login section of this lab guide (Figure-3).

Step 3  With the IDS appliance console window as the active window, press Enter on your keyboard to begin the console session. You should see the sensor login: prompt. If you need help, review the Connecting to Devices in the Pod section of this lab guide (Figure-4).

Note  If you don’t get a prompt on the IDS appliance console after pressing Enter a few times, you may need to clear the console line by accessing the controls available via the Device Management button at the top of the web page. Read the If You Get Stuck! section of this lab guide (Figures 8 & 9).

Figure-10: The Remote Lab Pod

Task 2—Log in to the IDS Appliance, Check the Software Version, and Clear the Current Configuration

You should have a console session into the IDS appliance. Log in to the IDS appliance, check the version of the software loaded on the IDS appliance, and then be sure you are starting the lab with an unconfigured IDS appliance by erasing any existing configuration:

Step 1  Log in to the IDS appliance with a username of cisco and a password of cisco. If this password doesn’t work, you may be accessing an IDS appliance that was configured in another lab or is not in the proper state to begin your lab. Contact your instructor in this case.

Step 2  Since this IDS appliance has not been configured yet and this is the first login to the appliance, you will be immediately prompted to change the password. Change the password from the default of cisco to a new password of emmapeel. (Note that this is not an ideal password, but for the purposes of this series of labs it satisfies the minimum requirements and is easy to type.)

    login: cisco
    Password: cisco
    You are required to change your password immediately (password aged)
    Changing password for cisco
    (current) UNIX password: cisco
    New password: emmapeel
    Retype new password: emmapeel
    sensor#

Step 3  Check the software loaded on the IDS appliance with the show version command:

    sensor# show version
    Application Partition:
    Cisco Systems Intrusion Detection Sensor, Version 4.0(1)S37
    OS Version 2.4.18-5smpbigphys
    Platform: IDS-4210
    Sensor up-time is 14:53.
    Using 257572864 out of 261312512 bytes of available memory (98% usage)
    Using 579M out of 17G bytes of available disk space (4% usage)

    MainApp            2003_Jan_23_02.00 (Release) 2003-01-23T02:00:25-0600 Running
    AnalysisEngine     2003_Jan_23_02.00 (Release) 2003-01-23T02:00:25-0600 Running
    Authentication     2003_Jan_23_02.00 (Release) 2003-01-23T02:00:25-0600 Running
    Logger             2003_Jan_23_02.00 (Release) 2003-01-23T02:00:25-0600 Running
    NetworkAccess      2003_Jan_23_02.00 (Release) 2003-01-23T02:00:25-0600 Running
    TransactionSource  2003_Jan_23_02.00 (Release) 2003-01-23T02:00:25-0600 Running
    WebServer          2003_Jan_23_02.00 (Release) 2003-01-23T02:00:25-0600 Running
    CLI                2003_Jan_17_18.33 (Release) 2003-01-17T18:33:18-0600

    Upgrade History:
    IDS-K9-maj-4.0-1-S36 20:08:14 UTC Tue Jun 10 2003
    Recovery Partition Version 1.1 - 4.0(1)S37

Step 4  Check the user accounts configured on the IDS appliance with the show user command. (You may see additional users besides cisco if the IDS appliance has been previously configured):

    sensor# show user
        CLI ID   User    Privilege
    *   1325     cisco   administrator
    sensor#

Step 5  Erase the currently running configuration with the erase current-config command:

    sensor# erase ?
    backup-config     Delete the backup-configuration file
    current-config    Delete the current-configuration file
    sensor# erase current-config
    Warning: Removing the current-config file will result in all configuration being reset to default, including system information such as IP address. User accounts will not be erased. They must be removed manually using the "no username" command.
    Continue? : yes
    sensor#

Step 6  Reboot the IDS appliance with the reset command. After a short while you should be back to the sensor login: prompt. (You may need to press Enter to get the prompt):

    sensor# reset ?
    powerdown    Shutdown the applications and power off if possible.
    sensor# reset
    Warning: Executing this command will stop all applications and reboot the node.
    Continue with reset? : yes
    Broadcast message from root (Mon Jun 16 22:08:39 2003):
    A system reboot has been requested. The reboot may not start for 90 seconds.
    Request Suceeded.
    sensor#
    Broadcast message from root (Mon Jun 16 22:08:44 2003):
    The system is going down for reboot NOW!
    ATV0E0Q1X3S8=8S0=1
    sensor login:

Task 3—Initially Configure the IDS Appliance Using the setup Command

This task involves using the setup command to assign basic configuration information to the IDS appliance. Performing this initial configuration will allow the IDS appliance to be accessed via a web browser for further configuration using the IDS Device Manager graphical tool.

Note  The IDS appliance can be configured totally through its Command Line Interface (CLI), but after this initial lab the web-based Device Manager application is used.

Use the setup command to configure the IDS appliance with the following information:

    IDS Appliance Options/Parameters     Lab Settings
    IP Address                           10.0.0.1
    IP Netmask                           255.255.255.0 (the default)
    IP HostName                          sensor (the default)
    Default Route                        10.0.0.254
    Host to be allowed network access    10.0.0.11 (the PC in your pod)

Step 1  If you are not currently logged in to the sensor, do so now by entering the following:

    Sensor login: cisco
    Password: emmapeel

Step 2  Enter the setup command. The command first displays the current configuration. You are then asked if you want to continue with the configuration dialog. Enter yes and then follow the prompts to enter the configuration information given above. There will be additional configurations performed after this initial step, so do not reboot the IDS appliance at the end of setup:

    sensor# setup

    --- System Configuration Dialog ---

    At any point you may enter a question mark '?' for help.
    User ctrl-c to abort configuration dialog at any prompt.
    Default settings are in square brackets '[]'.

    Current Configuration:

    service host
    networkParams
    hostname sensor
    ipAddress 10.1.9.201
    netmask 255.255.255.0
    defaultGateway 10.1.9.1
    telnetOption disabled
    exit
    exit
    !
    service webServer
    general
    ports 443
    exit
    exit

    Current time: Mon Jun 16 22:16:41 2003
    Setup Configuration last modified: Mon Jun 16 22:12:27 2003

    Continue with configuration dialog?[yes]:
    Enter host name[sensor]:
    Enter IP address[10.1.9.201]: 10.0.0.1
    Enter netmask[255.255.255.0]:
    Enter default gateway[10.1.9.1]: 10.0.0.254
    Enter telnet-server status[disabled]:
    Enter web-server port[443]:

    The following configuration was entered.

    service host
    networkParams
    hostname sensor
    ipAddress 10.0.0.1
    netmask 255.255.255.0
    defaultGateway 10.0.0.254
    telnetOption disabled
    exit
    exit
    !
    service webServer
    general
    ports 443
    exit
    exit

    Use this configuration?[yes]:
    Configuration Saved.
    Warning: The node must be rebooted for the changes to go into effect.
    Continue with reboot? [yes]: no
    Warning: The changes will not go into effect until the node is rebooted. Please use the reset command to complete the configuration.

Note  The default is for the IDS appliance web server to be available via secure HTTP at the default HTTPS port of 443. This will allow the further configuration of the IDS appliance via the Device Manager web tool.

Step 3  Next, define the lists of hosts or networks that will be allowed to access the IDS appliance via the network. For this lab, we will allow access from only a single host: the PC in your pod, using IP address 10.0.0.11.

Note  The command names often have a mixture of upper and lower case (e.g., networkParams), but are not actually case sensitive. That is, networkParams could be entered as networkparams or NETWORKPARAMS.

    sensor#
    sensor# configure terminal
    sensor(config)# service host
    sensor(config-Host)# ?
    exit                   Exit service configuration mode
    networkParams          Network configuration parameters
    no                     Remove an entry or selection setting
    optionalAutoUpgrade    Optional AutoUpgrade configuration
    show                   Display system settings and/or history information
    timeParams             Time configuration parameters
    sensor(config-Host)# networkParams
    sensor(config-Host-net)# show settings
    networkParams
    -----------------------------------------------
       ipAddress: 10.0.0.1
       netmask: 255.255.255.0 default: 255.255.255.0
       defaultGateway: 10.0.0.254
       hostname: sensor
       telnetOption: disabled default: disabled
       accessList (min: 0, max: 512, current: 1)
       -----------------------------------------------
          ipAddress: 10.0.0.0
          netmask: 255.0.0.0 default: 255.255.255.255
          -----------------------------------------------
       -----------------------------------------------
    -----------------------------------------------

Note  The default access list entry for network 10.0.0.0/255.0.0.0 should be removed.
This access list allows ALL hosts on the 10 network to access the sensor.

    sensor(config-Host-net)# no accesslist ipaddress 10.0.0.0 netmask 255.0.0.0
    sensor(config-Host-net)# accesslist ipaddress 10.0.0.11
    sensor(config-Host-net)# exit
    sensor(config-Host)#

Step 4  Configure the time zone, Daylight Savings Time, and set the clock. (Do not reboot at the end of this step):

Note  This example uses Pacific Standard Time and Pacific Daylight Savings Time. You can use whatever time information you prefer.

    sensor(config-Host)# timeParams
    sensor(config-Host-tim)# offset -480
    sensor(config-Host-tim)# standardTimeZoneName PST
    sensor(config-Host-tim)# summertimeparams
    sensor(config-Host-tim-sum)# active-selection recurringparams
    sensor(config-Host-tim-sum)# recurringparams
    sensor(config-Host-tim-sum-rec)# summertimezonename PDT
    sensor(config-Host-tim-sum-rec)# exit
    sensor(config-Host-tim-sum)# exit
    sensor(config-Host-tim)# exit
    sensor(config-Host)# exit
    Apply Changes:?[yes]:
    Warning: The node must be rebooted for the changes to go into effect.
    Continue with reboot? [yes]: no
    Warning: The changes will not go into effect until the node is rebooted. Please use the reset command to complete the configuration.
    sensor(config)# exit

Step 5  Reboot the IDS appliance:

    sensor# reset
    Warning: Executing this command will stop all applications and reboot the node.
    Continue with reset? : yes
    Broadcast message from root (Tue Jun 17 00:24:28 2003):
    A system reboot has been requested. The reboot may not start for 90 seconds.
    Request Suceeded.
    sensor#
    Broadcast message from root (Tue Jun 17 00:24:29 2003):
    The system is going down for reboot NOW!
    ATV0E0Q1X3S8=8S0=1

Step 6  After the IDS appliance has rebooted, log in, set the clock, and examine the configuration:

    sensor login:
    sensor login: cisco
    Password:
    Last login: Mon Jun 16 15:16:03 on ttyS0
    ***NOTICE***
    This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto
    If you require further assistance please contact us by sending email to export@cisco.com.
    sensor#
    sensor# clock set 07:22 June 17 2003
    sensor# show clock
    *07:22:04 PDT Tue Jun 17 2003
    sensor# more current-config
    ! ------------------------------
    service Authentication
    general
    attemptLimit 0
    methods
    method Local
    exit
    exit
    exit
    ! ------------------------------
    service Host
    networkParams
    ipAddress 10.0.0.1
    netmask 255.255.255.0
    defaultGateway 10.0.0.254
    hostname sensor
    telnetOption disabled
    accessList ipAddress 10.0.0.11 netmask 255.255.255.255
    exit
    optionalAutoUpgrade
    active-selection none
    exit
    timeParams
    offset -480
    standardTimeZoneName PST
    summerTimeParams
    active-selection recurringParams
    recurringParams
    summerTimeZoneName PDT
    startSummerTime
    exit
    endSummerTime
    exit
    exit
    exit
    exit
    exit
    ! ------------------------------
    service Logger
    masterControl
    enable-debug false
    exit
    zoneControl zoneName Cid
    severity debug
    exit
    zoneControl zoneName AuthenticationApp
    severity warning
    exit
    zoneControl zoneName Cli
    severity warning
    exit
    zoneControl zoneName ctlTransSource
    severity warning
    exit
    zoneControl zoneName IdapiCtlTrans
    severity warning
    exit
    zoneControl zoneName IdsEventStore
    severity warning
    exit
    zoneControl zoneName MpInstaller
    severity warning
    exit
    zoneControl zoneName tls
    severity warning
    exit
    exit
    ! ------------------------------
    service NetworkAccess
    general
    allow-sensor-shun false
    shun-enable true
    exit
    exit
    ! ------------------------------
    service SshKnownHosts
    exit
    ! ------------------------------
    service TrustedCertificates
    exit
    ! ------------------------------
    service WebServer
    general
    ports 443
    exit
    exit
    sensor#

Note  The default is for the IDS appliance web server to be available via secure HTTP at the default HTTPS port of 443. This will allow the further configuration of the IDS appliance via the Device Manager web tool.

You have successfully completed this Lab when the summary configuration matches the information you were instructed to enter, and the new configuration information saved correctly.
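
An added example, not part of the original lab guide: a Python check that reads `more current-config` text and reports accessList entries wider than a single host (such as the default 10.0.0.0/255.0.0.0 entry removed in Task 3), together with the telnetOption and web-server port settings. The sample configurations are constructed from the lab's output, and the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample modelled on the lab's `more current-config` output, with the
# default accessList entry (10.0.0.0/255.0.0.0) still present.
DEFAULT_CONFIG = """
service Host
networkParams
ipAddress 10.0.0.1
netmask 255.255.255.0
defaultGateway 10.0.0.254
hostname sensor
telnetOption disabled
accessList ipAddress 10.0.0.0 netmask 255.0.0.0
exit
exit
service WebServer
general
ports 443
exit
exit
"""
# The same configuration after Step 3 of Task 3 (single management host).
HARDENED_CONFIG = DEFAULT_CONFIG.replace(
    "accessList ipAddress 10.0.0.0 netmask 255.0.0.0",
    "accessList ipAddress 10.0.0.11 netmask 255.255.255.255")

# Keywords are matched case-insensitively, as the lab notes the CLI accepts them.
ACL_RE = re.compile(r"accesslist\s+ipaddress\s+(\S+)(?:\s+netmask\s+(\S+))?", re.I)


def parse_access_list(config_text):
    """Return every accessList entry as an IPv4Network."""
    nets = []
    for addr, mask in ACL_RE.findall(config_text):
        # An omitted netmask means one host (default 255.255.255.255 in the lab).
        mask = mask or "255.255.255.255"
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def setting(config_text, key):
    """Return the first value following a configuration keyword, or None."""
    match = re.search(rf"\b{re.escape(key)}\s+(\S+)", config_text, re.I)
    return match.group(1) if match else None


def audit(config_text, allowed_hosts):
    """List deviations from the lab's intended management-access settings."""
    allowed = [ipaddress.ip_address(h) for h in allowed_hosts]
    nets = parse_access_list(config_text)
    findings = []
    for net in nets:
        if net.num_addresses > 1:
            findings.append(f"accessList {net} admits {net.num_addresses} addresses")
        elif net.network_address not in allowed:
            findings.append(f"accessList host {net.network_address} is not approved")
    for host in allowed:
        if not any(host in net for net in nets):
            findings.append(f"approved host {host} has no accessList entry")
    if (setting(config_text, "telnetOption") or "").lower() != "disabled":
        findings.append("telnetOption is not disabled")
    if setting(config_text, "ports") != "443":
        findings.append("web server is not on the lab's HTTPS port 443")
    return findings


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg, ["10.0.0.11"]) or "OK")
```

The parser works on whitespace-separated tokens, so it accepts the configuration one item per line or pasted as a single flattened line.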

Date posted: 23/10/2015, 18:05
