
Lab 1 Exercise—Cisco Intrusion Detection System (IDS) Appliance Initial Configuration
Objectives
In this lab exercise you will complete the following tasks:

- Check the version of the software loaded on the IDS appliance.
- Assign IP network settings to the IDS appliance.
- Define the lists of hosts that are allowed to access the IDS appliance.
- Define the time zone information and set the clock of the IDS appliance.
- Check the configuration of the IDS appliance.

Required Resources
These are the resources and equipment required to complete this exercise:

- Internet access
- A PC or workstation with Internet Explorer, version 5.0 or greater
- Username and password to gain access to a remote equipment pod

Note

The username will be of the form PXX-nnnnn, where XX is the number of the
equipment pod you will be using, and nnnnn is the Event Number for your lab session.
The password will be a short nonsense word. For example, the login information for a
pod 9 session could be something like: P09-341959 and a password of imjgk.

Passwords
Use the following passwords for this lab:

- Lab Gear password: Your instructor will provide it.
- IDS appliance username/password: The default account name and password are cisco.
- PC client: The username is Administrator and the password is cisco.
- VNC password: When you connect to the PC, use a password of cisco at the VNC screen.

Copyright © 2003, Cisco Systems, Inc.

IDS 4.0 Roadshow Lab 1


Visual Objective
Figure-1 displays the lab topology you will use to complete this lab exercise:

Figure-1: Lab Network Topology

Accessing the Remote Lab Equipment
On your local PC or workstation, start Internet Explorer and enter the following URL
to access the LabGear pods: . You will reach a login screen like the one
shown in Figure-2:

Figure-2: LabGear login Page

Enter the User Name and password that should have been provided to you by your
instructor and click the Log in button.

After a Successful Login
After you have entered the correct user name and password, you will be presented with a
display like that shown below in Figure-3:

Figure-3: LabGear screen after a successful login

Connecting to Devices in the Pod
Some devices have Console or Desktop labels associated with them. The presence of
this type of label means that you can access the device. Console devices (like the IDS
appliance, for example) do not have a graphic display, but Desktop devices (like the
Windows 2000 PC) do. In Figure-4, the Console label for the IDS appliance is circled in
yellow and the Desktop label used to connect to a PC Client is circled in violet.

Figure-4: Desktops and Consoles


Connecting to Console (Non-Graphic) Devices

Figure-5: Example Console Window

Clicking on Console for a particular device will bring up a console window from which
you can control a device just as if you were sitting right in front of it. You may have to
press <Enter> a few times before the prompt appears.
Figure-5 shows a typical device console window. The title bar says P01 – IDS. This
indicates that we’re on pod 1 and connected to the console of the IDS appliance in that
pod.
Along the bottom of the console window are buttons that allow you to:

- Connect to a device
- Disconnect from a device
- Open scratch pads
- Save console buffer contents to scratch pads
- Send a “break” to the device


Connecting to Desktop (Graphic) Devices
The procedure for connecting to the Desktop devices has an extra step: you must first
authenticate at the VNC (Virtual Network Console) screen. Figure-6 shows the VNC
login screen:


Figure-6: VNC Login Screen

Enter the password cisco and click OK or hit Enter. If you have entered the correct
password you will be given access to the desktop for that particular device. Figure-7
shows an example desktop for a Windows 2000 client:

Figure-7: Example Windows 2000 Desktop Screen


If You Get Stuck!
Rarely, a device’s console will not respond to your keystrokes (usually this happens if
you have left the console idle for an extended period of time). You can clear the console
line to regain access to a device by performing the following procedure.
Along the top of your pod display screen is a menu bar with a number of buttons as
shown below in Figure-8. To clear a console line or power on/off a device, first click on
the Device Management button (circled in yellow).

Figure-8: Accessing the Device Management window

Clicking on the Device Management button will bring up the Device Control window shown
below in Figure-9:

Figure-9: Device Control window

From the Device Control window you can control device power, clear console lines, and
check general device status. Click on a device’s name (such as IDS, circled in pink above)
and the right side of the window will tell you the various functions you can perform
on that device. For the IDS appliance in this example, you can apply or remove power
and also clear the console line (to free up a hung console session) by clicking on the
Clear Console Line button.


Task 1—Access the IDS Appliance in the Remote Lab Environment
Access the remote lab environment via a web browser and an Internet connection. You will
log in to the lab pod environment and access the IDS appliance console.
Step 1

Access your lab pod using the Internet Explorer web browser. If you need help,
review the Accessing the Remote Lab Equipment section of this lab guide (Figure-2).

Step 2

Access the IDS appliance console by clicking on the green oval labeled Console (near
the center of the figure below). If you need help, review the After a Successful Login
section of this lab guide (Figure-3).

Step 3

With the IDS appliance console window as the active window, press Enter on your
keyboard to begin the console session. You should see the sensor login: prompt. If
you need help, review the Connecting to Devices in the Pod section of this lab guide
(Figure-4).
Note

If you don’t get a prompt on the IDS appliance console after pressing Enter a few
times, you may need to clear the console line by accessing the controls available via
the Device Management button at the top of the web page. Read the If You Get
Stuck! section of this lab guide (Figures 8 & 9).

Figure-10: The Remote Lab Pod


Task 2—Log in to the IDS Appliance, Check the Software Version, and Clear the Current Configuration
You should have a console session into the IDS appliance. Log in to the IDS appliance, check
the version of the software loaded on the IDS appliance, and then be sure you are starting the lab
with an unconfigured IDS appliance by erasing any existing configuration:
Step 1

Log in to the IDS appliance with a username of cisco and a password of cisco. If this
password doesn’t work, you may be accessing an IDS appliance that was configured
in another lab or is not in the proper state to begin your lab. Contact your instructor in
this case.

Step 2

Since this IDS appliance has not been configured yet and this is the first login to the
appliance, you will be immediately prompted to change the password. Change the
password from the default of cisco to a new password of emmapeel. (Note that this is
not an ideal password, but for the purposes of this series of labs it satisfies the
minimum requirements and is easy to type.)
login: cisco <Enter>
Password: cisco <Enter>
You are required to change your password immediately (password aged)
Changing password for cisco
(current) UNIX password: cisco <Enter>
New password: emmapeel <Enter>
Retype new password: emmapeel <Enter>
sensor#

Step 3

Check the software loaded on the IDS appliance with the show version command:
sensor# show version <Enter>
Application Partition:
Cisco Systems Intrusion Detection Sensor, Version 4.0(1)S37
OS Version 2.4.18-5smpbigphys
Platform: IDS-4210
Sensor up-time is 14:53.
Using 257572864 out of 261312512 bytes of available memory (98% usage)
Using 579M out of 17G bytes of available disk space (4% usage)
MainApp             2003_Jan_23_02.00   (Release)   2003-01-23T02:00:25-0600   Running
AnalysisEngine      2003_Jan_23_02.00   (Release)   2003-01-23T02:00:25-0600   Running
Authentication      2003_Jan_23_02.00   (Release)   2003-01-23T02:00:25-0600   Running
Logger              2003_Jan_23_02.00   (Release)   2003-01-23T02:00:25-0600   Running
NetworkAccess       2003_Jan_23_02.00   (Release)   2003-01-23T02:00:25-0600   Running
TransactionSource   2003_Jan_23_02.00   (Release)   2003-01-23T02:00:25-0600   Running
WebServer           2003_Jan_23_02.00   (Release)   2003-01-23T02:00:25-0600   Running
CLI                 2003_Jan_17_18.33   (Release)   2003-01-17T18:33:18-0600
Upgrade History:
  IDS-K9-maj-4.0-1-S36   20:08:14 UTC Tue Jun 10 2003
Recovery Partition Version 1.1 - 4.0(1)S37

Step 4

Check the user accounts configured on the IDS appliance with the show user
command. (You may see additional users besides cisco if the IDS appliance has been
previously configured):
sensor# show user <Enter>
    CLI ID   User    Privilege
*   1325     cisco   administrator
sensor#

Step 5

Erase the currently running configuration with the erase current-config command:
sensor# erase ?
backup-config    Delete the backup-configuration file
current-config   Delete the current-configuration file
sensor# erase current-config <Enter>
Warning: Removing the current-config file will result in all configuration being
reset to default, including system information such as IP address.
User accounts will not be erased. They must be removed manually using the "no
username" command.
Continue? : yes <Enter>
sensor#

Step 6

Reboot the IDS appliance with the reset command. After a short while you should be
back to the sensor login: prompt. (You may need to press Enter to get the prompt):
sensor# reset ?
<cr>
powerdown   Shutdown the applications and power off if possible.
sensor# reset <Enter>
Warning: Executing this command will stop all applications and reboot the node.
Continue with reset? : yes <Enter>
Broadcast message from root (Mon Jun 16 22:08:39 2003):
A system reboot has been requested. The reboot may not start for 90 seconds.
Request Suceeded.
sensor#
Broadcast message from root (Mon Jun 16 22:08:44 2003):
The system is going down for reboot NOW!
ATV0E0Q1X3S8=8S0=1
sensor login:


Task 3—Initially Configure the IDS Appliance using the setup Command
This task involves using the setup command to assign basic configuration information to the
IDS appliance. Performing this initial configuration will allow the IDS appliance to be accessed
via a web browser for further configuration using the IDS Device Manager graphical tool.
Note

The IDS appliance can be configured totally through its Command Line Interface (CLI),
but after this initial lab the web-based Device Manager application is used.

Use the setup command to configure the IDS appliance with the following information:

IDS Appliance Options/Parameters     Lab Settings
IP Address                           10.0.0.1
IP Netmask                           255.255.255.0 (the default)
IP HostName                          sensor (the default)
Default Route                        10.0.0.254
Host to be allowed network access    10.0.0.11 (the PC in your pod)

Step 1

If you are not currently logged in to the sensor, do so now by entering the following:
Sensor login: cisco <Enter>
Password: emmapeel <Enter>

Step 2

Enter the setup command. The command first displays the current configuration. You
are then asked if you want to continue with the configuration dialog. Enter yes and
then follow the prompts to enter the configuration information given above. There
will be additional configurations performed after this initial step, so do not reboot the
IDS appliance at the end of setup:
sensor# setup <Enter>

--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Current Configuration:

service host
  networkParams
    hostname sensor
    ipAddress 10.1.9.201
    netmask 255.255.255.0
    defaultGateway 10.1.9.1
    telnetOption disabled
  exit
exit
!
service webServer
  general
    ports 443
  exit
exit

Current time: Mon Jun 16 22:16:41 2003

Setup Configuration last modified: Mon Jun 16 22:12:27 2003

Continue with configuration dialog?[yes]: <Enter>
Enter host name[sensor]: <Enter>
Enter IP address[10.1.9.201]: 10.0.0.1 <Enter>
Enter netmask[255.255.255.0]: <Enter>
Enter default gateway[10.1.9.1]: 10.0.0.254 <Enter>
Enter telnet-server status[disabled]: <Enter>
Enter web-server port[443]: <Enter>
The following configuration was entered.
service host
  networkParams
    hostname sensor
    ipAddress 10.0.0.1
    netmask 255.255.255.0
    defaultGateway 10.0.0.254
    telnetOption disabled
  exit
exit
!
service webServer
  general
    ports 443
  exit
exit
Use this configuration?[yes]: <Enter>
Configuration Saved.
Warning: The node must be rebooted for the changes to go into effect.
Continue with reboot? [yes]: no <Enter>
Warning: The changes will not go into effect until the node is rebooted. Please use
the reset command to complete the configuration.



Note

The default is for the IDS appliance web server to be available via secure HTTP at the
default HTTPS port of 443. This will allow the further configuration of the IDS appliance
via the Device Manager web tool.

Step 3

Next, define the lists of hosts or networks that will be allowed to access the IDS
appliance via the network. For this lab, we will allow only a single host
access: the PC in your pod, using IP address 10.0.0.11:
Note

The command names often have a mixture of upper and lower case (e.g.,
networkParams), but are not actually case sensitive. That is, networkParams could be
entered as networkparams or NETWORKPARAMS.

sensor#
sensor# configure terminal <Enter>
sensor(config)# service host <Enter>
sensor(config-Host)# ?
exit                  Exit service configuration mode
networkParams         Network configuration parameters
no                    Remove an entry or selection setting
optionalAutoUpgrade   Optional AutoUpgrade configuration
show                  Display system settings and/or history information
timeParams            Time configuration parameters
sensor(config-Host)# networkParams <Enter>
sensor(config-Host-net)# show settings <Enter>
networkParams
-----------------------------------------------
   ipAddress: 10.0.0.1
   netmask: 255.255.255.0 default: 255.255.255.0
   defaultGateway: 10.0.0.254
   hostname: sensor
   telnetOption: disabled default: disabled
   accessList (min: 0, max: 512, current: 1)
   -----------------------------------------------
      ipAddress: 10.0.0.0
      netmask: 255.0.0.0 default: 255.255.255.255
   -----------------------------------------------
-----------------------------------------------

Note

The default access list entry for network 10.0.0.0/255.0.0.0 should be removed. This
access list allows ALL hosts on the 10 network to access the sensor.

sensor(config-Host-net)# no accesslist ipaddress 10.0.0.0 netmask 255.0.0.0 <Enter>
sensor(config-Host-net)# accesslist ipaddress 10.0.0.11 <Enter>
sensor(config-Host-net)# exit <Enter>
sensor(config-Host)#

Step 4

Configure the time zone, Daylight Savings Time, and set the clock. (Do not reboot at
the end of this step):

Note

This example uses Pacific Standard Time and Pacific Daylight Savings Time. You can
use whatever time information you prefer.

sensor(config-Host)# timeParams <Enter>
sensor(config-Host-tim)# offset -480 <Enter>
sensor(config-Host-tim)# standardTimeZoneName PST <Enter>
sensor(config-Host-tim)# summertimeparams <Enter>
sensor(config-Host-tim-sum)# active-selection recurringparams <Enter>
sensor(config-Host-tim-sum)# recurringparams <Enter>
sensor(config-Host-tim-sum-rec)# summertimezonename PDT <Enter>
sensor(config-Host-tim-sum-rec)# exit <Enter>
sensor(config-Host-tim-sum)# exit <Enter>
sensor(config-Host-tim)# exit <Enter>
sensor(config-Host)# exit <Enter>
Apply Changes:?[yes]:
Warning: The node must be rebooted for the changes to go into effect.
Continue with reboot? [yes]: no
Warning: The changes will not go into effect until the node is rebooted. Please use
the reset command to complete the configuration.
sensor(config)# exit

Step 5

Reboot the IDS appliance:
sensor# reset <Enter>
Warning: Executing this command will stop all applications and reboot the node.
Continue with reset? : yes <Enter>
Broadcast message from root (Tue Jun 17 00:24:28 2003):
A system reboot has been requested. The reboot may not start for 90 seconds.
Request Suceeded.
sensor#
Broadcast message from root (Tue Jun 17 00:24:29 2003):
The system is going down for reboot NOW!
ATV0E0Q1X3S8=8S0=1

Step 6

After the IDS appliance has rebooted, login, set the clock, and examine the
configuration:
sensor login:
sensor login: cisco <Enter>
Password:
Last login: Mon Jun 16 15:16:03 on ttyS0
***NOTICE***
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery
of Cisco cryptographic products does not imply third-party authority to import,
export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
If you require further assistance please contact us by sending email to

sensor#
sensor# clock set 07:22 June 17 2003 <Enter>
sensor# show clock <Enter>
*07:22:04 PDT Tue Jun 17 2003
sensor# more current-config <Enter>
! ------------------------------
service Authentication
  general
    attemptLimit 0
    methods method Local
    exit
  exit
exit
! ------------------------------
service Host
  networkParams
    ipAddress 10.0.0.1
    netmask 255.255.255.0
    defaultGateway 10.0.0.254
    hostname sensor
    telnetOption disabled
    accessList ipAddress 10.0.0.11 netmask 255.255.255.255
  exit
  optionalAutoUpgrade
    active-selection none
  exit
  timeParams
    offset -480
    standardTimeZoneName PST
    summerTimeParams
      active-selection recurringParams
      recurringParams
        summerTimeZoneName PDT
        startSummerTime
        exit
        endSummerTime
        exit
      exit
    exit
  exit
exit
! ------------------------------
service Logger
  masterControl
    enable-debug false
  exit
  zoneControl zoneName Cid
    severity debug
  exit
  zoneControl zoneName AuthenticationApp
    severity warning
  exit
  zoneControl zoneName Cli
    severity warning
  exit
  zoneControl zoneName ctlTransSource
    severity warning
  exit
  zoneControl zoneName IdapiCtlTrans
    severity warning
  exit
  zoneControl zoneName IdsEventStore
    severity warning
  exit
  zoneControl zoneName MpInstaller
    severity warning
  exit
  zoneControl zoneName tls
    severity warning
  exit
exit
! ------------------------------
service NetworkAccess
  general
    allow-sensor-shun false
    shun-enable true
  exit
exit
! ------------------------------
service SshKnownHosts
exit
! ------------------------------
service TrustedCertificates
exit
! ------------------------------
service WebServer
  general
    ports 443
  exit
exit
sensor#
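As an added example (not part of the Cisco lab guide), the check below parses the service Host section as printed by more current-config and flags automatically what Step 3 and Step 6 of Task 3 have you verify by eye: an accessList entry broader than a single host (such as the default 10.0.0.0/255.0.0.0 entry), an entry for a host other than the pod PC, and a telnetOption that is not disabled. The configuration text and the management-host list are constructed for this example.

```python
import ipaddress
import re

# Constructed sample, not captured from a live sensor: the 'service Host' section
# as 'more current-config' prints it, with the default /8 access-list entry still present.
HOST_SECTION_BEFORE = """\
service Host
networkParams
ipAddress 10.0.0.1
netmask 255.255.255.0
defaultGateway 10.0.0.254
hostname sensor
telnetOption disabled
accessList ipAddress 10.0.0.0 netmask 255.0.0.0
exit
exit
"""

# The same section after the lab's fix: only the pod PC (10.0.0.11) is allowed.
HOST_SECTION_AFTER = HOST_SECTION_BEFORE.replace(
    "accessList ipAddress 10.0.0.0 netmask 255.0.0.0",
    "accessList ipAddress 10.0.0.11 netmask 255.255.255.255")

ACL_RE = re.compile(r"^\s*accessList\s+ipAddress\s+(\S+)\s+netmask\s+(\S+)", re.I)
OPT_RE = re.compile(r"^\s*(telnetOption)\s+(\S+)", re.I)


def parse_host_section(text):
    """Extract access-list networks and telnetOption from a 'service Host' block.
    Keywords are matched case-insensitively, as the sensor CLI itself accepts them."""
    networks, options = [], {}
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m:
            # strict=False tolerates host bits in the address (e.g. 10.0.0.11/32)
            networks.append(ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False))
            continue
        m = OPT_RE.match(line)
        if m:
            options[m.group(1).lower()] = m.group(2).lower()
    return networks, options


def audit_host_section(text, management_hosts):
    """Return a list of findings. management_hosts: the IPv4 addresses (strings)
    that are the only hosts which should be able to reach the sensor."""
    findings = []
    networks, options = parse_host_section(text)
    allowed = {ipaddress.IPv4Address(h) for h in management_hosts}
    for net in networks:
        if net.prefixlen < 32:
            findings.append(f"accessList {net.with_netmask} permits {net.num_addresses} "
                            "hosts; narrow it to the management host(s)")
        elif net.network_address not in allowed:
            findings.append(f"accessList {net.with_netmask} is not an approved management host")
    if options.get("telnetoption", "disabled") != "disabled":
        findings.append("telnetOption is enabled; management should use HTTPS/SSH only")
    return findings


if __name__ == "__main__":
    for label, section in (("before", HOST_SECTION_BEFORE), ("after", HOST_SECTION_AFTER)):
        print(label, audit_host_section(section, ["10.0.0.11"]) or "OK")
```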


You have successfully completed this lab when the summary configuration matches
the information you were instructed to enter and the new configuration information
has been saved correctly.
