Lab 2 Exercise—Cisco IDS Appliance Software Upgrade and Cisco IDS Event Viewer
Objectives
In this lab exercise you will complete the following tasks:
• Update IDS appliance software using the IDS Device Manager (IDM)
• Check the IDS appliance software version
• Install the Cisco IDS Event Viewer (IEV) software on the PC
• Add the IDS appliance to the list of devices monitored by the IEV
• Monitor IDS appliance events using the IEV
Visual Objective
Figure-1 displays the lab topology you will use to complete this lab exercise:
Figure-1: Lab Network Topology
Passwords
Use the following passwords for this lab:
• Lab Gear password: Your instructor will provide it.
• IDS appliance username/password: The default account name and password are cisco. However, the password for the cisco user should have been changed to emmapeel in Lab 1.
• PC client: The username is Administrator and the password is cisco.
• VNC password: When you connect to the PC, use a password of cisco at the VNC screen.
Task 1—Access the Remote Pod and Login to the PC
Access the remote lab environment via a web browser and an Internet connection. You will log in to the lab pod environment, access the appropriate device console(s), and log in to the actual device(s) used in the lab.
Step 1 Access your lab pod using the Internet Explorer web browser. If you need help, review the Accessing the Remote Lab Equipment section of the IDS 4.0 Roadshow Lab 1 lab guide (Figure-2).
Step 2 Access the PC by first clicking on the green oval labeled PC Desktop. If you need help, review the instructions starting with the After a Successful Login section of the IDS 4.0 Roadshow Lab 1 lab guide (Figure-3).
Step 3 The VNC login screen should appear. Log in with password cisco.
Step 4 You may need to log in to the PC itself. If so, click on Send Ctrl-Alt-Del near the top of the window. Log in as Administrator with password cisco.
Step 5 You will be presented with a view of the PC desktop.
Figure-2: Example PC Desktop
Task 2—Check Network Connectivity Between the PC and the IDS Appliance
To do this lab, the IDS appliance should be configured as per Lab 1 (Cisco Intrusion Detection System (IDS) Appliance Initial Configuration).
You should now be logged into the PC.
Check connectivity between the PC and the IDS appliance by doing the following steps.
Step 1 At the PC desktop, click on the Start->Run… menu and open a command window by typing cmd into the Run window. Click OK and a command window should appear.
Step 2 At the command prompt, type ping 10.0.0.1. The output should look similar to that shown in the figure below:
Figure-3: Successful ping of the IDS appliance
Step 3 If the pings are not successful, check that the IDS appliance is configured properly as per Lab 1. You may want to double-check the PC network configuration settings if the IDS appliance appears to be configured properly.
Step 4 Launch Internet Explorer on the PC by double clicking its icon on the PC desktop or by selecting it from the Start->Programs->Internet Explorer menu.
Step 5 Access the IDS appliance by specifying a URL of https://10.0.0.1
Note IDS Device Manager traffic is encrypted, so make sure you use HTTPS.
Step 6 In the first Security Alert window, click OK.
Step 7 Click Yes when prompted to accept the IDS appliance certificate.
Step 8 Log in to the IDS Device Manager as the cisco user using the password that was configured in Lab 1 (the instructions said to use emmapeel).
Step 9 You should now be at the IDS Device Manager home page.
Task 3—Upgrade the IDS Appliance Software
This task involves accessing the Cisco IDS Device Manager (IDM) and upgrading the IDS appliance software to the latest version. The first step would be to go to Cisco’s web site and download the new patch or IDS appliance signature update. As part of the lab, we have done that for you already. The software you will need already resides on the PC.
Note You can use SCP, FTP, HTTP, or HTTPS. In this lab, we will be using HTTP.
Complete the following steps to upgrade the IDS appliance software:
Step 1 You should now be at the IDS Device Manager home page. Click on the Administration tab (arrow 1 in the figure below) on the area bar. The Administration sub-area bar is displayed. Your IDS Device Manager window should look like the one below in Figure 4:
Figure-4: IDS Device Manager Administration page
Step 2 Now click on Update (arrow 2) in Figure 4 (above).
Step 3 You should now be at the Update area of the Administration tab as shown in the figure below:
Figure-5: IDS Device Manager Update page
Step 4 Enter the following into the URI section of the Update settings box:
http://anonymous@10.0.0.11/IDS-K9-sp-4.0-2-S42.rpm.pkg
Note If you are also logged into the IDS appliance via the console, log out before doing the software update. No password is needed since we are using anonymous HTTP.
Step 5 Click Apply to Sensor. After about five minutes, the update will complete and the IDS appliance will reboot automatically with the updated system image.
Note There may not be any messages that inform you of the completion. The IDS appliance will not communicate via the console or IDM during the upgrade process.
Step 6 Try logging back into the IDS appliance via the console. If you get a console prompt, the update should be complete.
Note This process will take about 5 minutes to complete. If you try to log back in using IDM, you may get a message that an update is in progress.
Step 7 Log in to the IDM application.
Task 4—Check the IDS Appliance Software Version
This task involves checking to make sure that the software upgrade completed. Complete the following steps to check the IDS appliance software version by using the IDS Device Manager application.
Note You could also check the software version by using the show version command from the IDS appliance CLI.
Step 1 If you are not already logged into the IDS Device Manager, log in as the cisco user using the appropriate password.
Step 2 Click on the Administration tab (arrow 1 in the figure below) on the area bar. The Administration sub-area bar is displayed. Then click on Support in the Administration sub-area bar (arrow 2):
Figure-6: IDS Device Manager Administration page
Step 3 A Table of Contents (TOC) area opens on the left side of the Support window. Click on System Information (arrow 3 in Figure-7 below) to get the IDS appliance software version along with various other important pieces of information (arrow 4 in Figure-7 below). Verify that the IDS appliance version is now 4.0(2)S42:
Figure-7: IDS Device Manager System Information Output
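As an added check (example code written for this guide, not Cisco's or the lab's own), the following Python derives the version a package should produce from the package file name used in Task 3 and compares it with the version string shown in System Information, so the verification in Step 3 can be scripted and reused for other package names. The 4.0(1)S37 reading in the demo is a constructed sample, and the two spellings it parses are the only ones this lab uses.

```python
import re
from typing import Tuple

# Hypothetical helpers (added example, not part of the lab guide) that turn the
# two version spellings used in this lab into one comparable tuple:
#   package file name (Task 3):    IDS-K9-sp-4.0-2-S42.rpm.pkg -> (4, 0, 2, 42)
#   IDM System Information (Task 4): 4.0(2)S42                 -> (4, 0, 2, 42)
PKG_RE = re.compile(r"-(\d+)\.(\d+)-(\d+)-S(\d+)\.rpm\.pkg$")
DISPLAY_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)S(\d+)$")

Version = Tuple[int, int, int, int]  # (major, minor, service pack, signature level)


def version_from_package(filename: str) -> Version:
    """Extract the version carried by a service-pack package from its file name."""
    m = PKG_RE.search(filename.strip())
    if not m:
        raise ValueError(f"unrecognised package name: {filename!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def version_from_display(text: str) -> Version:
    """Parse the version string IDM displays, e.g. 4.0(2)S42."""
    m = DISPLAY_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def format_display(v: Version) -> str:
    """Render a version tuple the way IDM shows it."""
    return f"{v[0]}.{v[1]}({v[2]})S{v[3]}"


def upgrade_verified(reported: str, package: str) -> bool:
    """True when the sensor reports at least the version the package carries.

    Tuple comparison orders major, then minor, then service pack, then
    signature level, so 4.0(1)S37 < 4.0(2)S42 as expected.
    """
    return version_from_display(reported) >= version_from_package(package)


if __name__ == "__main__":
    pkg = "IDS-K9-sp-4.0-2-S42.rpm.pkg"            # package name from Task 3
    print("package carries", format_display(version_from_package(pkg)))
    for reported in ("4.0(1)S37", "4.0(2)S42"):  # constructed sample readings
        status = "OK" if upgrade_verified(reported, pkg) else "UPGRADE NOT APPLIED"
        print(f"sensor reports {reported}: {status}")
```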
Task 5—Install the IDS Event Viewer Software on the PC
This task involves installing the IDS Event Viewer (IEV) application. The first step would be to go to the Cisco website and download the latest IEV installation package available. For this lab, that download has already been done for you. The installation software you will need, IEV-4.0-1-S37, resides on the PC desktop.
Complete the following steps to install the IEV software on the PC:
Step 1 Launch the IEV installation application from the PC’s desktop by double clicking on the icon for the file IEV-4.0-1-S37 (arrow 1 in Figure-8 below).
Figure-8: IDS Event Viewer Installer on PC Desktop
Step 2 The Cisco IDS Event Viewer 4.0 Welcome window opens. Click Next to continue the installation wizard process. The Select Destination Location window opens.
Step 3 Accept the default installation location and click Next to continue with the wizard installation process. The Select Program Manager Group window opens.
Step 4 Accept the default Program Manager group and click Next to continue with the installation wizard process. The Start Installation window opens.
Step 5 Click Back if any mistakes were made. Otherwise, click Next to continue with the installation. The Installing window displays the IEV installation progress.
Step 6 The IEV application files are copied to the destination location. The IEV file copy process takes approximately 2–4 minutes depending on system performance.
Step 7 Once the files are copied, the Installation Complete window opens.
Step 8 Click Finish to complete the IEV installation wizard process.
Step 9 The Install dialog window opens.
Step 10 Click OK to restart the system and complete the installation process.
Note When the PC reboots, you will lose connectivity to it and the VNC window will contain an error message. Just wait a minute, go back to the main lab diagram, click on the PC, and establish a new session.
Step 11 After the PC has rebooted, log in again as Administrator with password cisco. You should see a Cisco IDS Event Viewer shortcut icon on the PC desktop (arrow 2 in Figure-9 below).
Figure-9: IDS Event Viewer Application Shortcut on PC Desktop
Task 6—Add the IDS Appliance as a Device to be Monitored by the IEV
This task involves launching the IEV application and adding the IDS appliance as a device that IEV will monitor. Complete the following steps to add the IDS appliance to the list of devices monitored by the IEV:
Step 1 Double click on the Cisco IDS Event Viewer icon on the desktop to launch the IEV, OR choose Start>Programs>Cisco Systems>Cisco IDS Event Viewer>Cisco IDS Event Viewer. The Cisco IDS Event Viewer application opens.
Step 2 Choose File>New>Device… from the main menu. The Device Properties window opens.
Step 3 The following table contains the IDS appliance parameters to enter and a description of each. Figure-10 shows what the Device Properties window should look like after the information has been entered:
Cisco IDS Settings   Parameters   Description
Sensor IP Address    10.0.0.1     The IP address of the IDS appliance
Sensor Name          sensor       Alphanumeric identifier for the IDS appliance
User Name            cisco        User name to use for communications
Password             emmapeel     Password to use with User Name
Figure-10: Device Properties for IDS appliance
Step 4 Enter the new IDS appliance information and click OK to save the information. A Certificate Information window will open and you will be prompted with “Do you want to trust the following certificate?” Click on Yes to accept the certificate. The IDS appliance with the name sensor should appear in the Devices folder (as shown below in Figure-11).
Figure-11: IDS Appliance “sensor” Added to Devices
Note If IDS Event Viewer cannot connect to the IDS appliance, a red X appears next to the device name to indicate that no connection is present.
Task 7—Monitor IDS Appliance Events Using the IDS Event Viewer
This task involves using the IEV to monitor events detected by the IDS appliance.
The Hack Server (shown in Figure-1, Visual Objective) is constantly generating a variety of attacks. Complete the following steps to monitor the IDS appliance using IEV:
Step 1 Right click on the sensor entry under Devices. Select Device Status. Figure-12 shows what this step should look like:
Figure-12: Choosing Device Status for Device “sensor”
Step 2 The Device Status window opens. Take a few moments to examine the information returned. Figure-13 shows what this step should look like:
Step 3 Double-click Sig Name Group in the Views folder. The Sig Name Group view is displayed in the right pane. Figure-14 shows this step:
Figure-14: The “Sig Name Group” View
Step 4 You can expand the columns in order to make the information a bit more readable. Position the cursor over a line which delineates a column; when the cursor changes to a double-arrow line, hold the mouse button down and drag the column line to make the column wider. Figure-15 shows this step:
Figure-15: Expanding a Column in the View
Note If you don’t see any alarms, try refreshing the alarm view by clicking on the Refresh Views icon (circle arrow) in the icon menu bar. You can also double-click on Sig Name Group in the Views folder. If the number of alarms doesn’t increase, or there still aren’t any alarms, it could be that the Hack Server isn’t generating alarms. Contact the instructor in this case.
Step 5 Right-click an alarm and choose Expand Whole Details from the drop-down menu. The Expanded Details Dialog window opens. Figure-16 and Figure-17 show this step:
Figure-16: “Expand Whole Details” Menu
Note The alarm named WWW IIS Internet Printing Overflow is a good one to use. This alarm will have all the properties mentioned in this Task.
Figure-17: “Expand Whole Details” View
Step 6 Right-click on an alarm in the Expanded Details Dialog window and choose View Alarms. The Alarm Information Dialog window opens. Figure-18 and Figure-19 show this step:
Figure-18: “View Alarms” Menu
Figure-19: “Alarm Information” Dialog View
Step 7 Right-click a column heading and choose Show All Columns from the drop-down menu to display all the data associated with the alarm. Figure-20 shows this step:
Figure-20: “Show All Columns” Menu
Step 8 Right-click the alarm and choose Show Context from the drop-down menu to view the context data associated with the alarm. The Decoded Alarm Context window opens and displays the context data. Figure-21 and Figure-22 show this step:
Figure-21: “Show Context” Menu
Note Context data will show details of the packet that triggered the alarm. Not all signatures provide context data, so if Show Context is grayed out, pick another alarm and try again.
Figure-22: “Decoded Alarm Context” Window
Step 9 Close the Decoded Alarm Context, Alarm Information Dialog, and Expanded Details Dialog windows. You should be back at the Sig Name Group view.
Note You may need to drag a window in order to see the close box in the upper right of the window. You can also close windows by selecting the appropriate window in the Windows Task Bar (usually at the bottom of the screen), right-clicking on the name, and then selecting Close.
Step 10 Right-click an alarm and choose NSDB Link… from the drop-down menu to view the Network Security Database entry associated with the alarm. The Network Security Database window opens as a web browser window and displays the signature description. Figure-23 and Figure-24 show this step:
Figure-23: NSDB Link Menu
Figure-24: Example Network Security Database (NSDB) Entry
Step 11 Close the Network Security Database window.
Step 12 Repeat Steps 5-9 to view the context data associated with the other IDS appliance events that have been generated.
You have successfully completed this Lab when you have updated the IDS appliance system software, installed the IDS Event Viewer software, and monitored IDS appliance events using the IEV software.