Cisco Network Security Troubleshooting Handbook

This section examines the following four case studies, which deal with the installation and upgrade of IDSM-2 software:

  • How to re-image the IDSM-2 with system image

  • How to upgrade the maintenance partition

  • How to upgrade the signature/service packs/minor/major software upgrades

  • How to upgrade the IDSM-2 blade from IDSM 4.x to 5.x

How to Re-image the IDSM-2 with System Image

If the application partition in the sensor is corrupted or you need to recover the password, use the System Image to completely re-image the IDSM-2 sensor. Re-imaging with the System Image reformats the storage media and loads both a new application image and a new recovery image. The current sensor configuration and all log files are lost. Hence, the System Image file should not be used to upgrade the current software. For example, the 5.0(2) System Image should not be used to upgrade the current software version to 5.0(2) if you want to keep your current configuration settings. To upgrade from 5.0(1), use the 5.0(2) Service Pack file.

As of the writing of this book, the latest service pack is 5.0(2), and the system file is also 5.0(2). So, if you intend to upgrade to the latest service pack, do not use the System Image; use the service pack instead. To upgrade your IDSM-2 blade from 4.x to IPS 5.x, install the 5.0(1) Major Update file followed by the 5.0(2) Service Pack file, as explained in the last case study of this section.

The 5.0(1) Major Update file and 5.0(2) Service Pack file can both be found at the following URL:

http://www.cisco.com/cgi-bin/tablebuild.pl/ips5

In this case study, we explain the procedure for re-imaging with the system file. Work through the following steps to re-image the IDSM-2 with a switch that runs Native IOS or CatOS. As discussed before, all information in the application partition is lost when you use the following procedure:

Step 1.

Download the system file from the following location and put this in an FTP server:

http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-cat6500-IDSM-2-sys

Step 2.

Boot the IDSM-2 to the Maintenance Partition. To do this in Native IOS, execute the switch command hw-module module x reset cf:1, where x is the slot number and cf stands for compact flash. If a problem is encountered using cf:1, try hdd:2 as an alternative. Example 15-20 shows how to reset the module to the maintenance partition.

Example 15-20. Resetting the Module to Maintenance Partition

Cat6506# hw-module module 5 reset cf:1
Device BOOT variable for reset =
Warning: Device list is not verified.

Proceed with reload of module? [confirm]y
% reset issued for module 5
!Rest of the output is suppressed.
Cat6506#

If you are running CatOS on the switch, use the switch command reset x hdd:2. If a problem is encountered using hdd:2, try to use cf:1 as an alternative.

Step 3.

Check that the IDSM-2 comes online with the switch command show module x. Be sure that the IDSM-2 software version ends with an m (which indicates the maintenance partition) and that the status is OK.

Step 4.

Connect to the IDSM-2 now that it has booted up into the maintenance partition. Use the switch command session slot x processor 1. Use the username/password of guest/cisco.

Cat6506#session slot 5 processor 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.51 ... Open

Cisco Maintenance image

login: guest
Password:
Maintenance image version: 1.3(2)
guest@idsm2.localdomain#

In CatOS, connect to the IDSM-2 in the maintenance partition using the switch command session x and use the username/password of guest/cisco.

Step 5.

Be sure that the IDSM-2 has IP connectivity to the FTP server. Use the command ping ip_address to verify the connectivity.

Step 6.

If the IDSM-2 has IP connectivity, proceed to Step 12. Otherwise go to the next step.

Step 7.

Be sure that the Command and Control Interface is configured properly on the switch. Use the command show run | inc intrusion-detection as shown in Example 15-21.

Example 15-21. Verifying Whether the Command and Control Interface Is Configured Correctly on Native IOS

cat6506#show run | include intrusion-detection
intrusion-detection module 5 management-port access-vlan 150
cat6506#

If you are running CatOS, be sure that the Command and Control Interface is configured properly on the switch using the command show port status x/2, as shown in Example 15-22.

Example 15-22. Verifying that the Command and Control Interface Is Configured Correctly on CatOS

Cat6509> (enable)show port status 5/2
Port  Name                 Status     Vlan       Duplex Speed Type
----- -------------------- ---------- ---------- ------ ----- ------------
 5/2                       connected  150        full   1000  Intrusion De
Cat6509> (enable)

Step 8.

Be sure that the communication parameters are configured properly on the IDSM-2 Maintenance Partition by executing the command show ip.

guest@idsm2-sv-rack.localdomain#show ip
IP address      : 20.1.1.20
Subnet Mask     : 255.255.255.0
IP Broadcast    : 20.1.1.254
DNS Name        : idsm2.localdomain
Default Gateway : 20.1.1.1
Nameserver(s)   :
guest@idsm2-sv-rack.localdomain#

Step 9.

If none of the parameters are set, or if some of them need to be changed, clear them all. Use the command clear ip.

guest@idsm2.localdomain#clear ip
guest@localhost.localdomain#show ip
IP address      : 0.0.0.0
Subnet Mask     : 0.0.0.0
IP Broadcast    : 0.0.0.0
DNS Name        : localhost.localdomain
Default Gateway : 0.0.0.0
Nameserver(s)   :
guest@idsm2-sv-rack.localdomain#

Step 10.

Configure all the parameters to establish IP connectivity from the module to the rest of the network, as shown in Example 15-23.

Example 15-23. Configuration Steps Required for the Maintenance Partition on IDSM-2 Module

! Configure the IP address and mask information on the IDSM-2 Maintenance
! Partition. Use the command ip address ip_address netmask.
guest@localhost.localdomain#ip address 10.1.1.10 255.255.255.0
! Configure the default gateway on the IDSM-2 Maintenance Partition. Use the
! command ip gateway gateway-address.
guest@localhost.localdomain#ip gateway 10.1.1.1
! Configure the hostname on the IDSM-2 Maintenance Partition. Use the command ip
! host hostname. Although this is not necessary, it does help to identify the
! device since this also sets the prompt.
guest@localhost.localdomain#ip host idsm2
guest@idsm2.localdomain#
! You might possibly need to configure your broadcast address explicitly. Use
! the command ip broadcast broadcast-address. The default setting usually
! suffices.
guest@idsm2.localdomain#ip broadcast 10.1.1.254
guest@idsm2.localdomain#

Step 11.

Check the IP connectivity again and be sure you are able to ping the FTP server.
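A readiness check for Steps 5 through 11, added here as an example; it is not from the book or from Cisco. It parses the maintenance partition's show ip output (the samples below are constructed to match the field labels shown in the book, with the 10.1.1.x values of Example 15-23) and reports what still has to be configured before the upgrade command can reach the FTP server. The gateway rule it applies, that an off-subnet server needs a default gateway inside the module's own subnet, is an assumption of the example, not a statement from the book.

```python
import ipaddress
import re

# Constructed sample of the maintenance partition "show ip" output after
# Example 15-23 has been applied (field labels as in the book's examples).
SHOW_IP_CONFIGURED = """\
IP address      : 10.1.1.10
Subnet Mask     : 255.255.255.0
IP Broadcast    : 10.1.1.254
DNS Name        : idsm2.localdomain
Default Gateway : 10.1.1.1
Nameserver(s)   :
"""

# Constructed sample of "show ip" right after "clear ip" (Step 9).
SHOW_IP_CLEARED = """\
IP address      : 0.0.0.0
Subnet Mask     : 0.0.0.0
IP Broadcast    : 0.0.0.0
DNS Name        : localhost.localdomain
Default Gateway : 0.0.0.0
Nameserver(s)   :
"""

# "Label : value" lines; the label may contain spaces and parentheses.
_FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z() ]+?)\s*:\s*(?P<value>.*?)\s*$")
UNSET = "0.0.0.0"   # what the maintenance partition shows for a cleared field


def parse_show_ip(output):
    """Turn the 'label : value' lines of show ip into a dict."""
    fields = {}
    for line in output.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def check_maintenance_ip(output, ftp_server):
    """Return the fixes still needed before 'upgrade ftp://...' can reach
    ftp_server from the maintenance partition.  An empty list means the
    module is ready to proceed to Step 12."""
    f = parse_show_ip(output)
    addr = f.get("IP address", UNSET)
    mask = f.get("Subnet Mask", UNSET)
    gateway = f.get("Default Gateway", UNSET)
    problems = []
    if addr == UNSET or mask == UNSET:
        problems.append("address/mask unset: run 'ip address <ip_address> <netmask>'")
        return problems                  # nothing else can be judged without a subnet
    net = ipaddress.ip_interface(f"{addr}/{mask}").network
    if ipaddress.ip_address(ftp_server) in net:
        return problems                  # same subnet: no gateway needed
    # Off-subnet server: a default gateway inside our subnet is required
    # (assumption of this example).
    if gateway == UNSET:
        problems.append(f"{ftp_server} is off-subnet and no gateway is set: "
                        "run 'ip gateway <gateway-address>'")
    elif ipaddress.ip_address(gateway) not in net:
        problems.append(f"gateway {gateway} is not inside {net}")
    return problems
```

Paste the module's show ip output into check_maintenance_ip together with the FTP server address; each returned string names the maintenance partition command from Example 15-23 that still has to be run.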

Step 12.

Re-image the IDSM-2 Application Partition. Use the command upgrade ftp-url --install.

guest@idsm2.localdomain# upgrade ftp://cisco@10.1.1.40//tftpboot/WS-SVC-idsm2
Downloading the image. This may take several minutes...
Password for cisco@10.1.1.40:
500 'SIZE WS-SVC-idsm2-K9-sys-1.1-a-5.0-2.bin.gz': command not understood.
ftp://cisco@10.1.1.40//tftpboot/WS-SVC-idsm2-K9-sys-1.1-a-5.0-2.bin.gz (unknown size)/tmp/upgrade.gz [|] 65259K
66825226 bytes transferred in 71.40 sec (913.99k/sec)
Upgrade file ftp://cisco@10.1.1.40//tftpboot/WS-SVC-idsm2-K9-sys-1.1-a-5.0-2.bin.gz is downloaded.
Upgrading will wipe out the contents on the hard disk.
Do you want to proceed installing it [y|N]: y
Proceeding with upgrade. Please do not interrupt.
If the upgrade is interrupted or fails, boot into Maintenance image again and restart upgrade.
Creating IDS application image file...
Initializing the hard disk...
Applying the image, this process may take several minutes...
Performing post install, please wait...
Application image upgrade complete. You can boot the image now.
guest@idsm2.localdomain#

Step 13.

Verify the boot device variable setting for the IDSM-2 with the show bootvar device module x command and boot the Application Partition using the Native IOS switch command hw-module module x reset hdd:1 as shown in Example 15-24.

Example 15-24. Resetting the Module to Application Partition on Native IOS

Cat6506#show bootvar device module 5
[mod:5 ]:
Cat6506# hw-module module 5 reset hdd:1
Device BOOT variable for reset =
Warning: Device list is not verified.

Proceed with reload of module? [Confirm]y
% reset issued for module 5
!Output is suppressed.
Cat6506#

In CatOS, boot the IDSM-2 to the Application Partition. Use the switch command reset x hdd:1. Alternatively, you can use the reset command on the IDSM-2 if the boot device variable is set correctly.

Step 14.

This step is an alternative to the previous step. To reset the IDSM-2 via the Maintenance Partition CLI, use the command reset as follows:

guest@idsm2.localdomain#reset
!Output is suppressed.

Step 15.

Check that the IDSM-2 comes online. Use the switch command show module x. Be sure that the IDSM-2 software version is an application partition version, for example, 5.0(2), and that the status is OK.
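The checks in Step 3 and Step 15 read the Sw and Status columns of show module x by eye; the following parser does the same from captured output, so an automated re-image run can confirm that the blade really is in the maintenance partition before the upgrade command and back in the application partition afterwards. It is an added example, not from the book or from Cisco; the sample output is constructed and its column layout is assumed from Cat6500 Native IOS, with the maintenance partition identified, as the book says, by the m at the end of the software version.

```python
import re

# Constructed "show module 5" output from a Cat6500 running Native IOS while
# the IDSM-2 is booted into the maintenance partition (Sw ends in "m").
# Column layout is assumed; serial and MAC values are placeholders.
SHOW_MODULE_MAINT = """\
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  5    8  Intrusion Detection System             WS-SVC-IDSM-2      SAD00000000

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  5  0000.0000.0000 to 0000.0000.0007   5.0   7.2(1)       2.1(2)m      Ok
"""

# The same blade after the re-image, booted into the 5.0(2) application
# partition, and a variant whose status is not OK.
SHOW_MODULE_APP = SHOW_MODULE_MAINT.replace("2.1(2)m      Ok", "5.0(2)       Ok")
SHOW_MODULE_BAD = SHOW_MODULE_MAINT.replace("2.1(2)m      Ok", "5.0(2)       PwrDown")

# Row of the second table: mod, MAC range, Hw, Fw, Sw, Status.
_SW_ROW = re.compile(
    r"^\s*(?P<mod>\d+)\s+\S+ to \S+\s+(?P<hw>\S+)\s+(?P<fw>\S+)\s+"
    r"(?P<sw>\S+)\s+(?P<status>\S+)\s*$"
)


def parse_module_sw(output, slot):
    """Return {'sw': ..., 'status': ...} for the module in `slot`."""
    for line in output.splitlines():
        m = _SW_ROW.match(line)
        if m and int(m.group("mod")) == slot:
            return {"sw": m.group("sw"), "status": m.group("status")}
    raise ValueError(f"module {slot} not found in show module output")


def partition_state(output, slot):
    """Classify the booted partition: 'maintenance', 'application' or 'not-ok'."""
    info = parse_module_sw(output, slot)
    if info["status"].lower() != "ok":
        return "not-ok"
    # The book's rule: a maintenance-partition version ends with "m".
    return "maintenance" if info["sw"].endswith("m") else "application"


def ready_for_reimage(output, slot):
    """Step 3: module is up and running the maintenance partition."""
    return partition_state(output, slot) == "maintenance"


def reimage_complete(output, slot, expected_version):
    """Step 15: module is up and running the expected application version."""
    info = parse_module_sw(output, slot)
    return info["status"].lower() == "ok" and info["sw"] == expected_version
```

Capture show module x from the switch session, pass it with the slot number, and gate the next step on ready_for_reimage before Step 4 and on reimage_complete before Step 16.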

Step 16.

Connect to the IDSM-2 now that it has booted up into the application partition. Use the switch command session slot x processor 1. Use the username/password of cisco/cisco as shown in Example 15-25.

Example 15-25. How to Session into the Application Partition

Cat6506#session slot 5 processor 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.51 ... Open

login: cisco
Password:
You are required to change your password immediately (password aged)
Changing password for cisco
(current) UNIX password:
New password:
Retype new password:
! Output is suppressed.
Cat6506#

If you are running CatOS, connect to the IDSM-2 using the command session x. The username/password is cisco/cisco.

Step 17.

Configure the IDSM-2 using the setup command.

How to Upgrade the Maintenance Partition

The Maintenance Partition is used to re-image the Application Partition, as you saw in the preceding section. As of the writing of this book, the latest version of the Maintenance Partition is c6svc-mp.2-1-2.bin.gz. This and newer versions of the image can be found at the following location:

http://www.cisco.com/cgi-bin/tablebuild.pl/cat6000-serv-maint

Work through the following steps to upgrade the Maintenance Partition on the IDSM-2 blade:

Step 1.

Download the IDSM-2 maintenance partition file (c6svc-mp.2-1-2.bin.gz) from the following location to the FTP root directory of an FTP server that is accessible from your IDSM-2:

http://www.cisco.com/cgi-bin/tablebuild.pl/cat6000-serv-maint

Step 2.

Session into the Application Partition with session slot_number if you are running CatOS. If you are running Native IOS, log in to the Application Partition with the session slot slot_number processor 1 command.

Step 3.

Once you are in the Application Partition of the IDSM-2 blade, enter configuration mode with the configure terminal command.

Step 4.

Upgrade the maintenance partition:

IDSM-2# upgrade ftp://user@ftp_server_IP_address/directory_path/c6svc-mp.2-1-1.bin.gz

Step 5.

You are asked to enter the password to log in to the FTP server and whether you want to continue. Enter the password and type y to continue.

Step 6.

The maintenance partition file is upgraded.

How to Upgrade the Signature/Service Packs/Minor/Major Software Upgrade

You must have a valid maintenance contract for each IDSM-2 blade to receive and use software upgrades, including signature updates, from Cisco.com. Beginning with IPS 5.0, an IPS Subscription Service License is required to install signature updates. Because the license is tied to the blade's serial number, you can move the IDSM-2 blade to a different chassis without needing an additional license.

You can request an IPS Subscription Service License for all sensors covered by a maintenance contract at this URL:

http://www.cisco.com/go/license

To manage your maintenance contracts, use the Service Contract Center found at this URL:

http://www.cisco.com/cgi-bin/front.x/scccibdispatch?AppName=ContractAgent

With the initial release of 5.0, the first several signature updates will be released without the license enforcement to allow you time to get your maintenance contracts in order and your sensors licensed.

The upgrade procedure for signature updates, Service Packs, and minor or major releases is the same on the IDSM-2. The procedure that follows covers a signature upgrade, and the same steps apply to Service Pack, minor, and major software upgrades.

Before installing a new signature update, it is highly recommended that you back up your configuration file to a remote system. Refer to the following link for how to perform a backup using the copy command:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids11/cmdref/crcmds.htm#wp458440

Caution

Do not reboot the sensor during the installation process. Doing so will leave the IDSM-2 blade in an unknown state and may require that the IDSM-2 be re-imaged.

The procedure explained in the following steps is taken from the ReadMe file of the S155 signature update. To install the S155 signature update on a 5.0(1) or 5.0(2) IDSM-2, follow these steps:

Step 1.

Download the binary file IPS-sig-S166-minreq-5.0-1.pkg to an FTP, SCP, HTTP, or HTTPS server on your network from:

http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-sigup

You must be sure to preserve the original file name.

For the Service Packs, minor and major releases, go to the following link:

http://www.cisco.com/cgi-bin/tablebuild.pl/ips5

Step 2.

Log in to the IPS CLI using an account with administrator privileges.

Step 3.

Type the following command to enter Configuration mode:

IDSM-2# configure terminal

Step 4.

Execute the upgrade command by typing the following:

upgrade [URL]/IPS-sig-S166-minreq-5.0-1.pkg

Here, [URL] is the uniform resource locator pointing to where the signature update package is located. For example, to retrieve the update via FTP, type the following:

IDSM-2(config)#upgrade ftp://<username>@<ip-address>//<directory>/IPS-sig-S166-minreq-5.0-1.pkg

The available transport methods are: SCP, FTP, HTTP, or HTTPS.

Step 5.

Enter the required password when prompted.

Step 6.

To complete the upgrade, type yes when prompted.

To uninstall the version S166 signature update on a 5.0(1) or 5.0(2) sensor and return the sensor to its previous state, follow these steps:

Step 1.

Log in to the CLI using an account with administrator privileges.

Step 2.

Type the following command to enter Configuration mode:

IDSM-2#configure terminal

Step 3.

Type the following command to start the downgrade:

IDSM-2(config)#downgrade

Note

The downgrade may take a long time to complete, depending on the configuration of the sensor and the amount of traffic the sensor is processing. Do not reboot the sensor while the signature update is in progress, as the sensor may be left in an unknown state that requires it to be re-imaged. After a major upgrade, you cannot downgrade to the earlier version. For example, you cannot downgrade from 5.0(1) to the 4.x version.

How to Upgrade the IDSM-2 Blade from IDSM 4.x to 5.x

Your IDSM-2 blade must be running version 4.1(1) S47 or later before you can apply the 5.0(1) S149 major update (IPS-K9-maj-5.0-1-S149.rpm.pkg).

To determine the current sensor version, log in to the CLI and type the show version command.

Before you upgrade your IDSM-2 blade to Cisco IPS version 5.0, be sure you have installed Maintenance Partition version 2.1(2) on the IDSM-2 (refer to the section "How to Upgrade the Maintenance Partition" for details).

All custom signatures are renumbered into the 60,000 range in a 4.x to 5.x conversion. After 5.0 has been installed, you cannot downgrade to 4.1 using the downgrade command; you must reinstall 4.1 from a System Image or a CD, which results in the loss of all configuration settings.
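Choosing the right file is the recurring decision in this section and in the first case study: the System Image re-images and destroys the configuration, so it is never an upgrade; 5.0(1) goes to 5.0(2) with the Service Pack; a 4.x blade needs 4.1(1) S47 or later and Maintenance Partition 2.1(2) before the 5.0(1) S149 major update, followed by the Service Pack; and a signature package keeps its original file name. The planner below encodes those rules as an added example; it is not from the book or from Cisco. The version-string syntax it parses and the reading of "minreq-5.0-1" in the signature package name as "requires at least 5.0(1)" are assumptions of the example, and the Service Pack file name is a placeholder because the book does not give it.

```python
import re
from typing import List, NamedTuple

# File names and prerequisites as given in this chapter.
MAJOR_UPDATE_5_0_1 = "IPS-K9-maj-5.0-1-S149.rpm.pkg"
SERVICE_PACK_5_0_2 = "<5.0(2) Service Pack file>"   # placeholder: name not given in the book
MIN_VERSION_FOR_MAJOR = "4.1(1) S47"
REQUIRED_MAINT_VERSION = "2.1(2)"
TARGET_VERSION = "5.0(2)"


class SensorVersion(NamedTuple):
    major: int
    minor: int
    sp: int    # service-pack level: the number in parentheses
    sig: int   # signature level (S-number); 0 when the string has none


# Assumed version syntax: "5.0(2)", "4.1(1) S47" or "5.0(1)S149".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)\s*(?:S(\d+))?$")
# Assumed signature package syntax: IPS-sig-S<sig>-minreq-<major>.<minor>-<sp>.pkg
_SIG_PKG_RE = re.compile(r"^IPS-sig-S(\d+)-minreq-(\d+)\.(\d+)-(\d+)\.pkg$")


def parse_version(text: str) -> SensorVersion:
    """Parse a sensor version string into a tuple that compares in upgrade order."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised sensor version: {text!r}")
    major, minor, sp, sig = m.groups()
    return SensorVersion(int(major), int(minor), int(sp), int(sig or 0))


def is_system_image(filename: str) -> bool:
    """True for a system image such as WS-SVC-idsm2-K9-sys-1.1-a-5.0-2.bin.gz.
    Applying one wipes configuration and logs, so it is for recovery only
    (corrupt application partition, lost password), never an upgrade path."""
    return "-sys-" in filename


def plan_upgrade(current: str, maint_partition: str) -> List[str]:
    """Ordered files to apply to reach TARGET_VERSION while keeping the
    configuration.  Raises RuntimeError when a stated prerequisite is unmet."""
    cur = parse_version(current)
    target = parse_version(TARGET_VERSION)
    if cur[:3] >= target[:3]:
        return []                                   # already at 5.0(2) or later
    if cur.major == 5:
        return [SERVICE_PACK_5_0_2]                 # 5.0(1) -> 5.0(2)
    if cur.major == 4:
        if cur < parse_version(MIN_VERSION_FOR_MAJOR):
            raise RuntimeError(f"{current} is below {MIN_VERSION_FOR_MAJOR}; update within 4.x first")
        if parse_version(maint_partition) < parse_version(REQUIRED_MAINT_VERSION):
            raise RuntimeError(f"maintenance partition {maint_partition} is below {REQUIRED_MAINT_VERSION}")
        return [MAJOR_UPDATE_5_0_1, SERVICE_PACK_5_0_2]
    raise RuntimeError(f"no upgrade path from {current} is described")


def signature_package_applies(filename: str, current: str) -> bool:
    """Check a signature package against the sensor before issuing 'upgrade'.
    The file name must be the original one, so a name that does not match the
    pattern is rejected rather than guessed at.  Applies when the sensor meets
    the package's minimum version and does not already carry that S-level."""
    m = _SIG_PKG_RE.match(filename)
    if not m:
        raise ValueError(f"not an original signature package name: {filename!r}")
    sig, major, minor, sp = (int(x) for x in m.groups())
    cur = parse_version(current)
    return cur[:3] >= (major, minor, sp) and cur.sig < sig
```

Feed plan_upgrade the version from show version on the sensor and the Maintenance Partition version from the maintenance image login banner; an exception names the prerequisite that blocks the major update, and the returned list is the order in which to run the upgrade command.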
