Lab 1 Exercise—Cisco Intrusion Detection System (IDS) Appliance Initial Configuration
Objectives
In this lab exercise you will complete the following tasks:
• Check the version of the software loaded on the IDS appliance
• Assign IP network settings to the IDS appliance
• Define the list of hosts that are allowed to access the IDS appliance
• Define the time zone information and set the clock of the IDS appliance
• Check the configuration of the IDS appliance
Required Resources
These are the resources and equipment required to complete this exercise:
• Internet access
• A PC or workstation with Internet Explorer, version 5.0 or greater
• Username and password to gain access to a remote equipment pod
Note The username will be of the form PXX-nnnnn, where XX is the number of the equipment pod you will be using, and nnnnn is the Event Number for your lab session. The password will be a short nonsense word. For example, the login information for a pod 9 session could be something like a username of P09-341959 and a password of imjgk.
Passwords
Use the following passwords for this lab:
• Lab Gear password: Your instructor will provide it
• IDS appliance username/password: The default account name and password are
cisco
• PC client: The username is Administrator and the password is cisco
• VNC password: When you connect to the PC, use a password of cisco at the VNC
screen
Visual Objective
Figure-1 displays the lab topology you will use to complete this lab exercise:
Figure-1: Lab Network Topology
Accessing the Remote Lab Equipment
On your local PC or workstation, start Internet Explorer and enter the following URL to access the LabGear pods: http://www.labgear.net. You will reach a login screen like that shown in Figure-2:
Figure-2: LabGear login Page
Enter the User Name and password that were provided to you by your instructor and click the Log in button.
After a Successful Login
After you have entered the correct user name and password, you will be presented with a display like that shown below in Figure-3:
Figure-3: LabGear screen after a successful login
Connecting to Devices in the Pod
Some devices have Console or Desktop labels associated with them. The presence of this type of label means that you can access the device. Console devices (like the IDS appliance, for example) do not have a graphic display, but Desktop devices (like the Windows 2000 PC) do. In Figure-4, the Console label for the IDS appliance is circled in yellow and the Desktop label used to connect to a PC Client is circled in violet.
Connecting to Console (Non-Graphic) Devices
Figure-5: Example Console Window
Clicking on Console for a particular device will bring up a console window from which you can control the device just as if you were sitting right in front of it. You may have to press <Enter> a few times before the prompt appears.
Figure-5 shows a typical device console window. The title bar says P01 – IDS. This indicates that we are on pod 1 and connected to the console of the IDS appliance in that pod.
Along the bottom of the console window are buttons that allow you to:
• Connect to a device
• Disconnect from a device
• Open scratch pads
• Save console buffer contents to scratch pads
• Send a “break” to the device
Connecting to Desktop (Graphic) Devices
The procedure for connecting to the Desktop devices has an extra step: you must first authenticate at the VNC (Virtual Network Console) screen. Figure-6 shows the VNC login screen:
Figure-6: VNC Login Screen
Enter the password cisco and click OK or hit Enter. If you have entered the correct password, you will be given access to the desktop for that particular device. Figure-7 shows an example desktop for a Windows 2000 client:
Figure-7: Example Windows 2000 Desktop Screen
If You Get Stuck!
Rarely, a device's console will not respond to your keystrokes (usually this happens if you have left the console idle for an extended period of time). You can clear the console line to regain access to the device by performing the following procedure.
Along the top of your pod display screen is a menu bar with a number of buttons, as shown below in Figure-8. To clear a console line or power a device on or off, first click on the Device Management button (circled in yellow).
Figure-8: Accessing the Device Management window
Clicking on the Device Management button will bring up the Device Control window shown below in Figure-9:
Figure-9: Device Control window
From the Device Control window you can control device power, clear console lines, and check general device status. Click on a device's name (such as IDS, circled in pink above) and the right side of the window will show the functions you can perform on that device. For the IDS appliance in this example, you can apply or remove power and also clear the console line (to free up a hung console session) by clicking on the Clear Console Line button.
Task 1—Access the IDS Appliance in the Remote Lab Environment
Access the remote lab environment via a web browser and an Internet connection. You will log in to the lab pod environment and access the IDS appliance console.
Step 1 Access your lab pod using the Internet Explorer web browser. If you need help, review the Accessing the Remote Lab Equipment section of this lab guide (Figure-2).
Step 2 Access the IDS appliance console by clicking on the green oval labeled Console (near the center of the figure below). If you need help, review the After a Successful Login section of this lab guide (Figure-3).
Step 3 With the IDS appliance console window as the active window, press Enter on your keyboard to begin the console session. You should see the sensor login: prompt. If you need help, review the Connecting to Devices in the Pod section of this lab guide (Figure-4).
Note If you don't get a prompt on the IDS appliance console after pressing Enter a few times, you may need to clear the console line by accessing the controls available via the Device Management button at the top of the web page. Read the If You Get Stuck! section of this lab guide (Figures 8 & 9).
Figure-10: The Remote Lab Pod
Task 2—Log in to the IDS Appliance, Check the Software Version, and Clear the Current Configuration
You should have a console session into the IDS appliance. Log in to the IDS appliance, check the version of the software loaded on it, and then make sure you are starting the lab with an unconfigured IDS appliance by erasing any existing configuration:
Step 1 Log in to the IDS appliance with a username of cisco and a password of cisco. If this password doesn't work, you may be accessing an IDS appliance that was configured in another lab or is not in the proper state to begin your lab. Contact your instructor in this case.
Step 2 Since this IDS appliance has not been configured yet and this is the first login to the
appliance, you will be immediately prompted to change the password Change the
password from the default of cisco to a new password of emmapeel (Note that this is
not an ideal password, but for the purposes of this series of labs it satisfies the minimum requirements and is easy to type.)
login: cisco <Enter>
Password: cisco <Enter>
You are required to change your password immediately (password aged)
Changing password for cisco
(current) UNIX password: cisco <Enter>
New password: emmapeel <Enter>
Retype new password: emmapeel <Enter>
sensor#
Step 3 Check the software loaded on the IDS appliance with the show version command:
sensor# show version <Enter>
Application Partition:
Cisco Systems Intrusion Detection Sensor, Version 4.0(1)S37
OS Version 2.4.18-5smpbigphys
Platform: IDS-4210
Sensor up-time is 14:53
Using 257572864 out of 261312512 bytes of available memory (98% usage)
Using 579M out of 17G bytes of available disk space (4% usage)
MainApp 2003_Jan_23_02.00 (Release) 2003-01-23T02:00:25-0600 Running
AnalysisEngine 2003_Jan_23_02.00 (Release) 2003-01-23T02:00:25-0600 Running
Authentication 2003_Jan_23_02.00 (Release) 2003-01-23T02:00:25-0600 Running
Logger 2003_Jan_23_02.00 (Release) 2003-01-23T02:00:25-0600 Running
NetworkAccess 2003_Jan_23_02.00 (Release) 2003-01-23T02:00:25-0600 Running
TransactionSource 2003_Jan_23_02.00 (Release) 2003-01-23T02:00:25-0600 Running
WebServer 2003_Jan_23_02.00 (Release) 2003-01-23T02:00:25-0600 Running
CLI 2003_Jan_17_18.33 (Release) 2003-01-17T18:33:18-0600
Upgrade History:
IDS-K9-maj-4.0-1-S36 20:08:14 UTC Tue Jun 10 2003
Recovery Partition Version 1.1 - 4.0(1)S37
Step 4 Check the user accounts configured on the IDS appliance with the show user command (you may see additional users besides cisco if the IDS appliance has been previously configured):
sensor# show user <Enter>
    CLI ID   User    Privilege
*   1325     cisco   administrator
sensor#
Step 5 Erase the currently running configuration with the erase current-config command:
sensor# erase ?
backup-config   Delete the backup-configuration file
current-config  Delete the current-configuration file
sensor# erase current-config <Enter>
Warning: Removing the current-config file will result in all configuration being reset to default, including system information such as IP address.
User accounts will not be erased. They must be removed manually using the "no username" command.
Continue? : yes <Enter>
sensor#
Step 6 Reboot the IDS appliance with the reset command. After a short while you should be back at the sensor login: prompt (you may need to press Enter to get the prompt):
sensor# reset ?
<cr>
powerdown Shutdown the applications and power off if possible
sensor# reset <Enter>
Warning: Executing this command will stop all applications and reboot the node
Continue with reset? : yes <Enter>
Broadcast message from root (Mon Jun 16 22:08:39 2003):
A system reboot has been requested. The reboot may not start for 90 seconds.
Request Suceeded
sensor#
Broadcast message from root (Mon Jun 16 22:08:44 2003):
The system is going down for reboot NOW!
sensor login:
Task 3—Initially Configure the IDS Appliance Using the setup Command
This task uses the setup command to assign basic configuration information to the IDS appliance. Performing this initial configuration will allow the IDS appliance to be accessed via a web browser for further configuration using the IDS Device Manager graphical tool.
Note The IDS appliance can be configured entirely through its Command Line Interface (CLI), but after this initial lab the web-based Device Manager application is used.
Use the setup command to configure the IDS appliance with the following information:
IDS Appliance Options/Parameters          Lab Settings
IP Address                                10.0.0.1
IP Netmask                                255.255.255.0 (the default)
IP HostName                               sensor (the default)
Default Route                             10.0.0.254
Host to be allowed network access         10.0.0.11 (the PC in your pod)
Step 1 If you are not currently logged in to the sensor, do so now by entering the following:
sensor login: cisco <Enter>
Password: emmapeel <Enter>
Step 2 Enter the setup command. The command first displays the current configuration. You are then asked if you want to continue with the configuration dialog. Enter yes and then follow the prompts to enter the configuration information given above. Additional configuration will be performed after this initial step, so do not reboot the IDS appliance at the end of setup:
sensor# setup <Enter>
- System Configuration Dialog -
At any point you may enter a question mark '?' for help
User ctrl-c to abort configuration dialog at any prompt
Default settings are in square brackets '[]'
Current Configuration:
service host
networkParams
hostname sensor
ipAddress 10.1.9.201
netmask 255.255.255.0
defaultGateway 10.1.9.1
telnetOption disabled
exit
exit
!
service webServer
general
ports 443
exit
exit
Current time: Mon Jun 16 22:16:41 2003
Setup Configuration last modified: Mon Jun 16 22:12:27 2003
Continue with configuration dialog?[yes]: <Enter>
Enter host name[sensor]: <Enter>
Enter IP address[10.1.9.201]: 10.0.0.1 <Enter>
Enter netmask[255.255.255.0]: <Enter>
Enter default gateway[10.1.9.1]: 10.0.0.254 <Enter>
Enter telnet-server status[disabled]: <Enter>
Enter web-server port[443]: <Enter>
The following configuration was entered
service host
networkParams
hostname sensor
ipAddress 10.0.0.1
netmask 255.255.255.0
defaultGateway 10.0.0.254
telnetOption disabled
exit
exit
!
service webServer
general
ports 443
exit
exit
Use this configuration?[yes]: <Enter>
Configuration Saved
Warning: The node must be rebooted for the changes to go into effect
Continue with reboot? [yes]: no <Enter>
Warning: The changes will not go into effect until the node is rebooted. Please use the reset command to complete the configuration.
Note The default is for the IDS appliance web server to be available via secure HTTP (HTTPS) on the default port of 443. This allows further configuration of the IDS appliance via the Device Manager web tool. Telnet remains disabled, so the only management paths into the sensor are the console and the encrypted HTTPS service.
Step 3 Next, define the list of hosts or networks that will be allowed to access the IDS appliance via the network. For this lab, we will allow only a single host to access the sensor: the PC in your pod, at IP address 10.0.0.11:
Note The command names often have a mixture of upper and lower case (e.g., networkParams), but they are not actually case sensitive. That is, networkParams could be entered as networkparams or NETWORKPARAMS.
sensor#
sensor# configure terminal <Enter>
sensor(config)# service host <Enter>
sensor(config-Host)# ?
  exit                 Exit service configuration mode
  networkParams        Network configuration parameters
  no                   Remove an entry or selection setting
  optionalAutoUpgrade  Optional AutoUpgrade configuration
  show                 Display system settings and/or history information
  timeParams           Time configuration parameters
sensor(config-Host)# networkParams <Enter>
sensor(config-Host-net)# show settings <Enter>
   networkParams
   -----------------------------------------------
      ipAddress: 10.0.0.1
      netmask: 255.255.255.0 default: 255.255.255.0
      defaultGateway: 10.0.0.254
      hostname: sensor
      telnetOption: disabled default: disabled
      accessList (min: 0, max: 512, current: 1)
      -----------------------------------------------
         ipAddress: 10.0.0.0
         netmask: 255.0.0.0 default: 255.255.255.255
      -----------------------------------------------
   -----------------------------------------------
Note The default access list entry for network 10.0.0.0 with netmask 255.0.0.0 should be removed. It allows ALL hosts on the 10.0.0.0/8 network (over 16 million addresses) to reach the sensor's management interface, including the web server on port 443. The access list should contain only the hosts that actually need to manage the sensor; in this lab that is the single PC at 10.0.0.11, and omitting the netmask on the accesslist command gives it the default host mask of 255.255.255.255.
sensor(config-Host-net)# no accesslist ipaddress 10.0.0.0 netmask 255.0.0.0 <Enter>
sensor(config-Host-net)# accesslist ipaddress 10.0.0.11 <Enter>
sensor(config-Host-net)# exit <Enter>
sensor(config-Host)#
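The access-list check in Step 3 is easy to do by eye for one sensor but tedious across many. The following Python script is an added example and is not part of the Cisco lab or of the sensor's own tooling. It parses the networkParams block in the format printed by show settings above (the sample text is constructed from that transcript), flags access-list entries broader than a single host and any telnet enablement, reports management hosts that are missing, and generates the accesslist / no accesslist commands in the syntax used in Step 3 to bring the sensor into line. Function names, the policy (hosts only, /32), and the sample output are the example's own assumptions.

```python
import ipaddress
import re

# Constructed sample: the networkParams block as shown by `show settings`
# in the lab transcript, before the default 10.0.0.0/8 entry is removed.
SAMPLE_SETTINGS = """\
   networkParams
   -----------------------------------------------
      ipAddress: 10.0.0.1
      netmask: 255.255.255.0 default: 255.255.255.0
      defaultGateway: 10.0.0.254
      hostname: sensor
      telnetOption: disabled default: disabled
      accessList (min: 0, max: 512, current: 1)
      -----------------------------------------------
         ipAddress: 10.0.0.0
         netmask: 255.0.0.0 default: 255.255.255.255
      -----------------------------------------------
   -----------------------------------------------
"""

# Constructed sample: the same block after the lab's fix (only the pod PC).
FIXED_SETTINGS = SAMPLE_SETTINGS.replace(
    "         ipAddress: 10.0.0.0\n", "         ipAddress: 10.0.0.11\n"
).replace("netmask: 255.0.0.0 default", "netmask: 255.255.255.255 default")

# "key: value" at the start of a line; the trailing "default: ..." is ignored.
KV_RE = re.compile(r"^\s*(\w+):\s*(\S+)")
HOST_MASK = "255.255.255.255"  # netmask a sensor uses when none is given


def parse_network_params(text):
    """Return the scalar settings plus accessList as IPv4Network objects."""
    params = {"accessList": []}
    in_acl = False
    pending_ip = None  # accessList ipAddress waiting for its netmask line

    def flush(mask):
        nonlocal pending_ip
        if pending_ip is not None:
            params["accessList"].append(
                ipaddress.IPv4Network((pending_ip, mask), strict=False))
            pending_ip = None

    for line in text.splitlines():
        if line.strip().startswith("accessList"):
            in_acl = True
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if not in_acl:
            params[key] = value
        elif key == "ipAddress":
            flush(HOST_MASK)      # previous entry had no netmask line
            pending_ip = value
        elif key == "netmask":
            flush(value)
    flush(HOST_MASK)
    return params


def audit(params, allowed_hosts):
    """Return findings (empty list means the sensor matches the policy)."""
    findings = []
    if params.get("telnetOption", "disabled") != "disabled":
        findings.append("telnetOption is enabled; management should use HTTPS only")
    listed = set()
    for net in params["accessList"]:
        if net.prefixlen < 32:
            findings.append(
                f"access-list entry {net} admits {net.num_addresses} hosts, "
                "not a single management host")
        else:
            listed.add(str(net.network_address))
    for host in sorted(listed - set(allowed_hosts)):
        findings.append(f"unexpected host {host} in access list")
    for host in sorted(set(allowed_hosts) - listed):
        findings.append(f"expected management host {host} is not in the access list")
    return findings


def remediation_commands(params, allowed_hosts):
    """CLI lines (service host / networkParams mode) that enforce the policy."""
    cmds = []
    listed = set()
    for net in params["accessList"]:
        if net.prefixlen < 32 or str(net.network_address) not in allowed_hosts:
            cmds.append(f"no accesslist ipaddress {net.network_address} "
                        f"netmask {net.netmask}")
        else:
            listed.add(str(net.network_address))
    for host in sorted(set(allowed_hosts) - listed):
        cmds.append(f"accesslist ipaddress {host}")
    return cmds


if __name__ == "__main__":
    before = parse_network_params(SAMPLE_SETTINGS)
    for finding in audit(before, {"10.0.0.11"}):
        print("FINDING:", finding)
    for cmd in remediation_commands(before, {"10.0.0.11"}):
        print("FIX:", cmd)
    print("after fix:", audit(parse_network_params(FIXED_SETTINGS), {"10.0.0.11"}))
```

In practice the input would be the saved console buffer (the console window's "save to scratch pad" button is one way to capture it) rather than the embedded sample; the emitted commands match the two lines typed in Step 3.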
Step 4 Configure the time zone and Daylight Saving Time, and set the clock (do not reboot at the end of this step):