CCNP Security IPS 642-627 Quick Reference: Installation of a Typical Sensor

Date: Jun 13, 2011 By Gary Halleen. Sample Chapter is provided courtesy of Cisco Press.
Gary Halleen outlines the installation of a typical Cisco IPS sensor.

Command-Line Interface

The command-line interface (CLI) of a Cisco IPS sensor is much like an IOS router, but with fewer commands and different modes. You can access the CLI using

  • Telnet (disabled by default)
  • Secure Shell (SSH)
  • Serial interface

The default username is cisco, with a default password of cisco. You are prompted to change these upon the first login.

The CLI can be used to

  • Initialize the sensor
  • Configure
  • Administer
  • Troubleshoot
  • Monitor

Two modes of the CLI differ from a router:

  • Service mode: Used to edit a service. You enter it using the command service service-name.
  • Multi-instance service mode: Some of the services are multi-instance services to support virtualization. To enter this mode, use the command service service-name logical-instance-name.

Initializing the Sensor

The setup command at the CLI walks you through initialization. You can do the following:

  • Assign a hostname to the sensor. This is case sensitive. It defaults to sensor.
  • Assign an IP address to the command and control interface. The default is 10.1.9.201/24.
  • Assign a default gateway. The default is 10.1.9.1.
  • Enable or disable the Telnet server. Telnet is disabled by default.
  • Specify the web server port. The default is 443.
  • Create network access control lists (ACL) that can access the sensor for management.
  • Configure the date and time.
  • Configure the sensor interfaces.
  • Configure virtual sensors. This enables the configuration of promiscuous and inline interface pairs.
  • Configure threat prevention. An event action override denies high-risk network traffic with a risk rating of 90 to 100. This option lets you disable this feature.

Common CLI Configuration Tasks

Here are some common commands available for use at the CLI:

  • ping
  • trace
  • banner login
  • show version
  • copy /erase source-url destination-url (The erase option erases the destination file before copying.)
  • copy current-config backup-config
  • copy /erase backup-config current-config
  • more keyword (Displays configs.)
  • show settings
  • show events

Using Cisco IPS Device Manager

The Cisco IPS Device Manager (IDM), shown in Figure 2-1, is a superb web-based graphical user interface (GUI) for managing a single IPS device. To maintain security, the IDM and the client engage in Transport Layer Security (TLS) and Secure Sockets Layer (SSL). The server uses a trusted host certificate to verify the identity of the management workstation. The client uses a server certificate to ensure the identity of the IPS device.

Figure 2-1 Cisco IDM

The Cisco IPS Sensor Software Version 7.0 uses Security Device Event Exchange (SDEE) for communication, but it still relies on Remote Data Exchange Protocol (RDEP2) to communicate configuration and IP log information.

SDEE is an IPS communications protocol developed by Cisco. Through SDEE, IPS Sensor Software Version 7.0 provides an application programming interface (API) for the sensor itself. SDEE is an enhancement to the earlier RDEP.
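The chapter describes the sensor publishing its alerts over SDEE and, under threat prevention, a default event action override that denies traffic with a risk rating of 90 to 100. As an added example (not from the chapter, Cisco, or the IDM code), the Python below consumes a small SDEE-style alert feed and reports which events fall into that deny band. The element and attribute names (evIdsAlert, originator/hostId, signature, riskRatingValue, participants/attacker/target) are modelled on the published SDEE/CIDEE alert layout, but the namespace URIs, signature IDs and the XML itself are constructed placeholders, not a capture from a real sensor.

```python
"""Minimal SDEE-style alert consumer with a risk-rating triage (added example).

Assumptions (not stated in the chapter): element/attribute names follow the
SDEE/CIDEE alert layout as commonly documented; the namespace URIs and the
sample feed below are constructed for illustration only.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Placeholder namespace URIs (the real SDEE/CIDEE ones are not quoted in the chapter).
SD = "urn:example:sdee"
CID = "urn:example:cidee"
NS = {"sd": SD, "cid": CID}

# Risk-rating band the chapter says the default event action override denies.
DENY_RR_MIN, DENY_RR_MAX = 90, 100

# Constructed sample feed: one low-risk alert, one in the deny band, one with
# no risk rating at all (an edge case a consumer must not silently drop).
SAMPLE_SDEE = f"""<?xml version="1.0"?>
<env:Envelope xmlns:env="urn:example:env" xmlns:sd="{SD}" xmlns:cid="{CID}">
  <env:Body>
    <sd:events>
      <sd:evIdsAlert eventId="1001" severity="low">
        <sd:originator><sd:hostId>sensor</sd:hostId></sd:originator>
        <sd:signature id="9001" description="constructed-low-risk-signature"/>
        <cid:riskRatingValue>35</cid:riskRatingValue>
        <sd:participants>
          <sd:attacker><sd:addr>192.0.2.10</sd:addr></sd:attacker>
          <sd:target><sd:addr>198.51.100.5</sd:addr></sd:target>
        </sd:participants>
      </sd:evIdsAlert>
      <sd:evIdsAlert eventId="1002" severity="high">
        <sd:originator><sd:hostId>sensor</sd:hostId></sd:originator>
        <sd:signature id="9002" description="constructed-high-risk-signature"/>
        <cid:riskRatingValue>95</cid:riskRatingValue>
        <sd:participants>
          <sd:attacker><sd:addr>192.0.2.11</sd:addr></sd:attacker>
          <sd:target><sd:addr>198.51.100.6</sd:addr></sd:target>
        </sd:participants>
      </sd:evIdsAlert>
      <sd:evIdsAlert eventId="1003" severity="medium">
        <sd:originator><sd:hostId>sensor</sd:hostId></sd:originator>
        <sd:signature id="9003" description="constructed-unrated-signature"/>
        <sd:participants>
          <sd:attacker><sd:addr>192.0.2.12</sd:addr></sd:attacker>
          <sd:target><sd:addr>198.51.100.7</sd:addr></sd:target>
        </sd:participants>
      </sd:evIdsAlert>
    </sd:events>
  </env:Body>
</env:Envelope>
"""


@dataclass
class Alert:
    event_id: str
    severity: str
    sensor: str
    sig_id: str
    description: str
    risk_rating: Optional[int]   # None when the feed carries no riskRatingValue
    attacker: str
    target: str


def _text(elem: ET.Element, path: str) -> str:
    """Return stripped text of the first child matching a namespaced path, or ''."""
    found = elem.find(path, NS)
    return found.text.strip() if found is not None and found.text else ""


def parse_alerts(xml_text: str) -> List[Alert]:
    """Extract every evIdsAlert from an SDEE-style envelope into Alert records."""
    root = ET.fromstring(xml_text)
    alerts = []
    for ev in root.iter(f"{{{SD}}}evIdsAlert"):
        sig = ev.find("sd:signature", NS)
        rr_text = _text(ev, "cid:riskRatingValue")
        alerts.append(Alert(
            event_id=ev.get("eventId", ""),
            severity=ev.get("severity", ""),
            sensor=_text(ev, "sd:originator/sd:hostId"),
            sig_id=sig.get("id", "") if sig is not None else "",
            description=sig.get("description", "") if sig is not None else "",
            risk_rating=int(rr_text) if rr_text.isdigit() else None,
            attacker=_text(ev, "sd:participants/sd:attacker/sd:addr"),
            target=_text(ev, "sd:participants/sd:target/sd:addr"),
        ))
    return alerts


def would_be_denied(alert: Alert) -> bool:
    """True if the default high-risk override (RR 90-100) applies to this alert.
    An alert without a risk rating is never guessed into the band; triage()
    reports it separately so an analyst can look at it."""
    return alert.risk_rating is not None and DENY_RR_MIN <= alert.risk_rating <= DENY_RR_MAX


def triage(xml_text: str) -> dict:
    """Summarise a feed: total alerts, event IDs in the deny band, unrated IDs."""
    alerts = parse_alerts(xml_text)
    return {
        "total": len(alerts),
        "denied": [a.event_id for a in alerts if would_be_denied(a)],
        "unrated": [a.event_id for a in alerts if a.risk_rating is None],
    }


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_SDEE):
        flag = "DENY" if would_be_denied(a) else ("UNRATED" if a.risk_rating is None else "allow")
        print(f"{a.event_id} sig={a.sig_id} rr={a.risk_rating} {a.attacker}->{a.target} {flag}")
    print(triage(SAMPLE_SDEE))
```

Run it directly to see the per-event verdicts; against a real sensor the same parser would sit behind an SDEE subscription client, and the unrated list is the part worth alerting on, since a missing risk rating means the override band cannot be evaluated for that event.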

The Cisco IDM runs on the following:

  • Windows XP Professional (32 bit)
  • Windows Vista, Business and Ultimate (32 bit)
  • Windows 2003 Server
  • U.S. or Japanese versions of the previously listed Windows versions
  • Red Hat Linux Desktop Version 4
  • Red Hat Enterprise Linux Server Version 4
  • Java SE 5.0 or 6.0
  • Internet Explorer 6.0 or 7.0, or Firefox 2.0

To log in to the IDM, enter https://sensor_ip_address. The default address is 10.1.9.201 if you did not provide one during setup.

After you are in the IDM, you can configure the general network settings (such as hostname and IP address) by choosing Configuration, Sensor Setup, Network.

To display or re-create the sensor's SSH host key, choose Configuration, Sensor Setup, SSH, Sensor Key.

To reboot the sensor, choose Configuration, Reboot.

To shut down the sensor, choose Configuration, Shut Down Sensor. For both the reboot and shutdown, the sensor delays for 30 seconds. The logged-in users are notified that the sensor is shutting down.