Lab Exercise - Cisco IDS Appliance Software Upgrade And Cisco IDS Event Viewer



Lab 2 Exercise—Cisco IDS Appliance Software Upgrade and Cisco IDS Event Viewer

Objectives

In this lab exercise you will complete the following tasks:

• Update IDS appliance software using the IDS Device Manager (IDM).
• Check the IDS appliance software version.
• Install the Cisco IDS Event Viewer (IEV) software on the PC.
• Add the IDS appliance to the list of devices monitored by the IEV.
• Monitor IDS appliance events using the IEV.

Visual Objective

Figure-1 displays the lab topology you will use to complete this lab exercise:

Figure-1: Lab Network Topology

Copyright © 2003, Cisco Systems, Inc. IDS 4.0 Roadshow Lab 2

Passwords

Use the following passwords for this lab:

• Lab Gear password: Your instructor will provide it.
• IDS appliance username/password: The default account name and password are cisco. However, the password for the cisco user should have been changed to emmapeel in Lab 1.
• PC client: The username is Administrator and the password is cisco.
• VNC password: When you connect to the PC, use a password of cisco at the VNC screen.

Task 1—Access the Remote Pod and Login to the PC

Access the remote lab environment via a web browser and an Internet connection. You will log in to the lab pod environment, access the appropriate device console(s), and log in to the actual device(s) used in the lab.

Step 1 Access your lab pod using the Internet Explorer web browser. If you need help, review the Accessing the Remote Lab Equipment section of the IDS 4.0 Roadshow Lab 1 lab guide (Figure-2).

Step 2 Access the PC by first clicking on the green oval labeled PC Desktop. If you need help, review the instructions starting with the After a Successful Login section of the IDS 4.0 Roadshow Lab 1 lab guide (Figure-3).

Step 3 The VNC login screen should appear. Log in with password cisco.

Step 4 You may need to log in to the PC itself. If so, click on Send Ctrl-Alt-Del near the top of the window. Log in as Administrator with password cisco.
Step 5 You will be presented with a view of the PC desktop.

Figure-2: Example PC Desktop

Task 2—Check Network Connectivity Between the PC and the IDS Appliance

To do this lab, the IDS appliance should be configured as per Lab 1 (Cisco Intrusion Detection System (IDS) Appliance Initial Configuration). You should now be logged into the PC. Check connectivity between the PC and the IDS appliance by doing the following steps.

Step 1 At the PC desktop, click on the Start->Run… menu and open a command window by typing cmd into the Run window. Click OK and a command window should appear.

Step 2 At the command prompt, type ping 10.0.0.1. The output should look similar to that shown in the figure below:

Figure-3: Successful ping of the IDS appliance

Step 3 If the pings are not successful, check that the IDS appliance is configured properly as per Lab 1. You may want to double-check the PC network configuration settings if the IDS appliance appears to be configured properly.

Step 4 Launch Internet Explorer on the PC by double clicking its icon on the PC desktop or by selecting it from the Start->Programs->Internet Explorer menu.

Step 5 Access the IDS appliance by specifying a URL of https://10.0.0.1.

Note: IDS Device Manager traffic is encrypted, so make sure you use HTTPS.

Step 6 In the first Security Alert window, click OK.

Step 7 Click Yes when prompted to accept the IDS appliance certificate.

Step 8 Log in to the IDS Device Manager as the cisco user using the password that was configured in Lab 1 (the instructions said to use emmapeel).

Step 9 You should now be at the IDS Device Manager home page.

Task 3—Upgrade the IDS Appliance Software

This task involves accessing the Cisco IDS Device Manager (IDM) and upgrading the IDS appliance software to the latest version.
The first step would be to go to Cisco’s web site and download the new patch or IDS appliance signature update. As part of the lab, we have done that for you already. The software you will need already resides on the PC.

Note: You can use SCP, FTP, HTTP, or HTTPS. In this lab, we will be using HTTP.

Complete the following steps to upgrade the IDS appliance software:

Step 1 You should now be at the IDS Device Manager home page. Click on the Administration tab (arrow 1 in the figure below) on the area bar. The Administration sub-area bar is displayed. Your IDS Device Manager window should look like the one below in Figure-4:

Figure-4: IDS Device Manager Administration page

Step 2 Now click on Update (arrow 2) in Figure-4 (above).

Step 3 You should now be at the Update area of the Administration tab as shown in the figure below:

Figure-5: IDS Device Manager Update page

Step 4 Enter the following into the URI section of the Update settings box:

http://anonymous@10.0.0.11/IDS-K9-sp-4.0-2-S42.rpm.pkg

Note: No password is needed since we are using anonymous HTTP. If you are also logged into the IDS appliance via the console, log out before doing the software update.

Step 5 Click Apply to Sensor. After about five minutes, the update will complete and the IDS appliance will reboot automatically with the updated system image.

Note: This process will take about 5 minutes to complete.

Step 6 There may not be any messages that inform you of the completion. The IDS appliance will not communicate via the console or IDM during the upgrade process. Try logging back into the IDS appliance via the console. If you get a console prompt, the update should be complete.

Note: If you try to log back in using IDM, you may get a message that an update is in progress.

Step 7 Log in to the IDM application.
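The update URI entered in Step 4 names the package, and Task 4 later verifies that the sensor reports 4.0(2)S42. The following Python script is an added example, not part of the lab guide or of Cisco's tooling: it derives the expected version string from the package filename, splits the update URI into its parts while flagging that anonymous HTTP neither authenticates the server nor protects the package in transit (SCP or HTTPS, which the note above also allows, would), and checks a version string as shown by IDM or show version against the package. The filename pattern is assumed from the names on this page; the kinds other than sp (sig, min, maj) are assumed from Cisco's 4.x naming.

```python
import re
from urllib.parse import urlsplit

# Package names in this lab follow IDS-K9-<kind>-<major>.<minor>-<sp>-S<sig>.rpm.pkg,
# e.g. IDS-K9-sp-4.0-2-S42.rpm.pkg, and IDM's System Information page (or the
# "show version" CLI command) reports that release as 4.0(2)S42.
# Assumption: kinds other than "sp" (sig, min, maj) follow Cisco's 4.x naming.
PKG_RE = re.compile(r"^IDS-K9-(?P<kind>sp|sig|min|maj)-(?P<major>\d+)\.(?P<minor>\d+)"
                    r"-(?P<sp>\d+)-S(?P<sig>\d+)\.rpm\.pkg$")
VER_RE = re.compile(r"^(?P<major>\d+)\.(?P<minor>\d+)\((?P<sp>\d+)\)S(?P<sig>\d+)$")
FIELDS = ("major", "minor", "sp", "sig")
ALLOWED_SCHEMES = {"scp", "ftp", "http", "https"}  # the four transports IDM accepts
PROTECTED_SCHEMES = {"scp", "https"}  # authenticate the server and protect the package in transit

def parse_package_name(filename):
    """Return (kind, (major, minor, sp, sig)) for an IDS 4.x package filename."""
    m = PKG_RE.match(filename)
    if not m:
        raise ValueError(f"not an IDS 4.x update package name: {filename}")
    return m.group("kind"), tuple(int(m.group(f)) for f in FIELDS)

def parse_version_string(version):
    """Turn the '4.0(2)S42' form shown by IDM / show version into a comparable tuple."""
    m = VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version}")
    return tuple(int(m.group(f)) for f in FIELDS)

def expected_version(filename):
    """Version string IDM should report once this package has been applied."""
    _, (major, minor, sp, sig) = parse_package_name(filename)
    return f"{major}.{minor}({sp})S{sig}"

def parse_update_uri(uri):
    """Split an IDM update URI into its parts and flag what the transport protects."""
    u = urlsplit(uri)
    if u.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {u.scheme!r} is not one IDM accepts")
    return {"scheme": u.scheme, "user": u.username, "host": u.hostname,
            "filename": u.path.rsplit("/", 1)[-1],
            "anonymous": u.username == "anonymous",
            "protected_transport": u.scheme in PROTECTED_SCHEMES}

def is_upgrade(current_version, filename):
    """True when the package is newer than the version the sensor currently reports."""
    return parse_package_name(filename)[1] > parse_version_string(current_version)

def upgrade_completed(uri, reported_version):
    """Task 4 check: does the reported version match what the Step 4 package implies?"""
    filename = parse_update_uri(uri)["filename"]
    return parse_version_string(reported_version) == parse_package_name(filename)[1]

if __name__ == "__main__":
    lab_uri = "http://anonymous@10.0.0.11/IDS-K9-sp-4.0-2-S42.rpm.pkg"  # Task 3, Step 4
    info = parse_update_uri(lab_uri)
    print(info)  # anonymous HTTP: server not authenticated, package not protected in transit
    print("expect after reboot:", expected_version(info["filename"]))  # 4.0(2)S42
    print("upgrade completed:", upgrade_completed(lab_uri, "4.0(2)S42"))  # True
```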
Task 4—Check the IDS Appliance Software Version

This task involves checking to make sure that the software upgrade completed. Complete the following steps to check the IDS appliance software version by using the IDS Device Manager application.

Note: You could also check the software version by using the show version command from the IDS appliance CLI.

Step 1 If you are not already logged into the IDS Device Manager, log in as the cisco user using the appropriate password.

Step 2 Click on the Administration tab (arrow 1 in the figure below) on the area bar. The Administration sub-area bar is displayed. Then click on Support in the Administration sub-area bar (arrow 2):

Figure-6: IDS Device Manager Administration page

Step 3 A Table of Contents (TOC) area opens on the left side of the Support window. Click on System Information (arrow 3 in Figure-7 below) to get the IDS appliance software version along with various other important pieces of information (arrow 4 in Figure-7 below). Verify that the IDS appliance version is now 4.0(2)S42:

Figure-7: IDS Device Manager System Information Output

Task 5—Install the IDS Event Viewer Software on the PC

This task involves installing the IDS Event Viewer (IEV) application. The first step would be to go to the Cisco website and download the latest IEV installation package available. For this lab, that download has already been done for you. The installation software you will need, IEV-4.0-1-S37, resides on the PC desktop.

Complete the following steps to install the IEV software on the PC:

Step 1 Launch the IEV installation application from the PC’s desktop by double clicking on the icon for the file IEV-4.0-1-S37 (arrow 1 in Figure-8 below).

Figure-8: IDS Event Viewer Installer on PC Desktop

Step 2 The Cisco IDS Event Viewer 4.0 Welcome window opens.
Click Next to continue the installation wizard process. The Select Destination Location window opens.

Step 3 Accept the default installation location and click Next to continue with the wizard installation process. The Select Program Manager Group window opens.

Step 4 Accept the default Program Manager group and click Next to continue with the installation wizard process. The Start Installation window opens.

Step 5 Click Back if any mistakes were made. Otherwise, click Next to continue with the installation. The Installing window displays the IEV installation progress.

Step 6 The IEV application files are copied to the destination location. The IEV file copy process takes approximately 2–4 minutes depending on system performance.

Step 7 Once the files are copied, the Installation Complete window opens.

Step 8 Click Finish to complete the IEV installation wizard process.

Step 9 The Install dialog window opens.

Step 10 Click OK to restart the system and complete the installation process.

Note: When the PC reboots, you will lose connectivity to it and the VNC window will contain an error message. Just wait a minute, go back to the main lab diagram, click on the PC, and establish a new session.

Step 11 After the PC has rebooted, log in again as Administrator with password cisco. You should see a Cisco IDS Event Viewer shortcut icon on the PC desktop (arrow 2 in Figure-9 below).

Figure-9: IDS Event Viewer Application Shortcut on PC Desktop

Task 6—Add the IDS Appliance as a Device to be Monitored by the IEV

This task involves launching the IEV application and adding the IDS appliance as a device that IEV will monitor. Complete the following steps to add the IDS appliance to the list of devices monitored by the IEV:

Step 1 Double click on the Cisco IDS Event Viewer icon on the desktop to launch the IEV, or choose Start>Programs>Cisco Systems>Cisco IDS Event Viewer>Cisco IDS Event Viewer.
The Cisco IDS Event Viewer application opens.

Step 2 Choose File>New>Device… from the main menu. The Device Properties window opens.

Step 3 The following table contains the IDS appliance parameters to enter and a description of each. Figure-10 shows what the Device Properties window should look like after the information has been entered:

Cisco IDS Settings    Parameters    Description
Sensor IP Address     10.0.0.1      The IP address of the IDS appliance
Sensor Name           sensor        Alphanumeric identifier for the IDS appliance
User Name             cisco         User name to use for communications
Password              emmapeel      Password to use with User Name

Figure-10: Device Properties for IDS appliance

Step 4 Enter the new IDS appliance information and click OK to save the information. A Certificate Information window will open and you will be prompted with “Do you want to trust the following certificate?” Click on Yes to accept the certificate. The IDS appliance with the name sensor should appear in the Devices folder (as shown below in Figure-11).

Figure-11: IDS Appliance “sensor” Added to Devices

Note: If IDS Event Viewer cannot connect to the IDS appliance, a red X appears next to the device name to indicate that no connection is present.

Task 7—Monitor IDS Appliance Events Using the IDS Event Viewer

This task involves using the IEV to monitor events detected by the IDS appliance. The Hack Server (shown in Figure-1, Visual Objective) is constantly generating a variety of attacks. Complete the following steps to monitor the IDS appliance using IEV:

Step 1 Right-click on the sensor entry under Devices. Select Device Status. Figure-12 shows what this step should look like:

Figure-12: Choosing Device Status for Device “sensor”

Step 2 The Device Status window opens. Take a few moments to examine the information returned.
Figure-13 shows what this step should look like: Figure-13: Device Status for Device “sensor” Copyright  2003, Cisco Systems, Inc. IDS 4.0 Roadshow Lab 2 Step 3 Double-click Sig Name Group in the Views folder. The Sig Name Group view is displayed in the right pane. Figure-14 shows this step: Figure-14: The “Sig Name Group” View Step 4 You can expand the columns in order to make the information a bit more readable. Position the cursor over a line which delineates a column; when the cursor changes to a double-arrow line hold the mouse button down and drag the column line to make the column wider. Figure-15 shows this step: Figure-15: Expanding a Column in the View Note IDS 4.0 Roadshow Lab 2 If you don’t see any alarms, try refreshing the alarm view by clicking on the Refresh Views icon (circle arrow) in the icon menu bar. You can also double-click on Sig Name Group in the Views folder. If the number of alarms doesn’t increase, or there still aren’t any alarms, it could be that the Hack Server isn’t generating alarms. Contact the instructor in this case. Copyright  2003, Cisco Systems, Inc. Step 5 Right-click an alarm and choose Expand Whole Details from the drop-down menu. The Expanded Details Dialog window opens. Figure-16 and Figure-17 show this step: Figure-16: “Expand Whole Details” Menu Note The alarm named WWW IIS Internet Printing Overflow is a good one to use. This alarm will have all the properties mentioned in this Task. Figure-17: “Expand Whole Details” View Copyright  2003, Cisco Systems, Inc. IDS 4.0 Roadshow Lab 2 Step 6 Right-click on an alarm in the Expanded Details Dialog window and choose View Alarms. The Alarm Information Dialog window opens. Figure-18 and Figure-19 show this step: Figure-18: “View Alarms” Menu Figure-19: “Alarm Information” Dialog View Step 7 Right-click a column heading and choose Show All Columns from the drop-down menu to display all the data associated with the alarm. 
Figure-20 shows this step:

Figure-20: “Show All Columns” Menu

Step 8 Right-click the alarm and choose Show Context from the drop-down menu to view the context data associated with the alarm. The Decoded Alarm Context window opens and displays the context data. Figure-21 and Figure-22 show this step:

Figure-21: “Show Context” Menu

Note: Context data will show details of the packet that triggered the alarm. Not all signatures provide context data, so if Show Context is grayed out, pick another alarm and try again.

Figure-22: “Decoded Alarm Context” Window

Step 9 Close the Decoded Alarm Context, Alarm Information Dialog, and Expanded Details Dialog windows. You should be back at the Sig Name Group view.

Note: You may need to drag a window in order to see the close box in the upper right of the window. You can also close windows by selecting the appropriate window in the Windows Task Bar (usually at the bottom of the screen), right-clicking on the name, and then selecting Close.

Step 10 Right-click an alarm and choose NSDB Link… from the drop-down menu to view the Network Security Database entry associated with the alarm. The Network Security Database window opens as a web browser window and displays the signature description. Figure-23 and Figure-24 show this step:

Figure-23: NSDB Link Menu

Figure-24: Example Network Security Database (NSDB) Entry

Step 11 Close the Network Security Database window.

Step 12 Repeat Steps 5–9 to view the context data associated with the other IDS appliance events that have been generated.

You have successfully completed this Lab when you have updated the IDS appliance system software, installed the IDS Event Viewer software, and monitored IDS appliance events using the IEV software.

Posted: 23/10/2015, 18:05
