Configuring the Sensor
Configuring the sensor is a fundamental step in deploying an
IDS infrastructure. The first step in configuring the sensor is running the sysconfig-sensor command and going through each option,
filling in the required information along the way. Any of the options that
pertain to addressing—options 1–5—will require a reboot if modified.
- Execute the command sysconfig-sensor. The configuration utility menu is shown in Figure 3.5.
Figure 3.5: sysconfig-sensor
- Select option 1, IP Address. Figure 3.6 shows the screen for entering the sensor's IP address. The sensor comes out of the box with a default IP address of 10.1.9.201. Change this address to reflect your network. Remember the address! You will be prompted to write the information. Check your entry and select yes or no.
Figure 3.6: The IP Address
Note: Options 1–6 must be configured for the sensor to communicate properly.
- Select option 2, IP Netmask. For option 2 of the sysconfig-sensor menu, you must enter the subnet mask of your network, as shown in Figure 3.7. The subnet mask defines boundaries that can vary depending on the extent of the subnetting being implemented. If it is entered incorrectly, the sensor may not communicate properly with the management host or the rest of the network. Check with the network engineers in your organization.
Figure 3.7: The IP Netmask
- Select option 3, IP Host Name. The default host name for the sensor is sensor, shown in Figure 3.8. Add a unique name for your sensor here. Choose a name that can be easily identified on the network. The example shows sensor1. If you add other sensors, increment the number to reflect the number of sensors on the network.
Figure 3.8: The IP Host Name
Note: The IP Host Name of the sensor can be up to 256 alphanumeric characters in length with no spaces. "-" and "_" are valid special characters, and case is important.
- Select option 4, Default Route. The default route tells the sensor what path to take to reach other hosts in the IDS infrastructure. This setting is usually a router or a firewall interface. Enter the default route for your network, as shown in Figure 3.9. Again, check with your network engineers to verify your route.
Figure 3.9: The Default Route
- Select option 5, Access Control List. The Access Control List (ACL) is imperative if you are not able to physically access the sensor. Figure 3.10 shows a default access list of the entire 10. network. Enter a network address or the individual IP addresses of hosts that should have access to the sensor. The ACL works via a standard TCP wrapper application. The TCP connection is automatically closed if a host attempts to log in to the sensor without the host's IP in the ACL.
Figure 3.10: The Access Control List
Note: Cisco's best practices tell us that we should be as specific as possible and only enter the IP addresses that will be able to connect to the sensor.
- Select option 6, Communications Infrastructure. The configurations in option 6 (shown in Figure 3.11) are critical for proper communication between the sensor and IDS Manager. Make sure to verify and document each setting. Table 3.1 shows the values for each field. Several of the settings have already been configured in previous steps. Those settings are in brackets and can be kept by pressing Enter during that specific configuration step.
Figure 3.11: Communications Infrastructure
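
A pre-flight check of the values planned for options 1–5, added here as an example (it is not from the original text or from Cisco). The names audit, acl_permits and mgmt_host are hypothetical, and ACL entries are assumed to be TCP-wrapper style: either a full address or a prefix ending in a dot, such as the default "10." entry.

```python
import ipaddress
import re

# Host name rule from the Note above: up to 256 alphanumeric characters,
# "-" and "_" allowed, no spaces.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9_-]{1,256}")
FACTORY_IP = "10.1.9.201"   # default address quoted in the text
FACTORY_NAME = "sensor"     # default host name quoted in the text


def acl_permits(entry, host):
    """Assumed TCP-wrapper match: 'a.b.' is a prefix, a full address is exact."""
    return host.startswith(entry) if entry.endswith(".") else host == entry


def audit(ip, netmask, hostname, route, acl, mgmt_host):
    """Return a list of findings for the values planned for options 1-5."""
    findings = []
    try:
        net = ipaddress.ip_network(f"{ip}/{netmask}", strict=False)
        gateway = ipaddress.ip_address(route)
    except ValueError as exc:
        return [f"address/netmask invalid: {exc}"]
    if ip == FACTORY_IP:
        findings.append("IP address is still the factory default")
    if not HOSTNAME_RE.fullmatch(hostname):
        findings.append("host name breaks the naming rule")
    elif hostname == FACTORY_NAME:
        findings.append("host name is still the factory default")
    if gateway not in net:
        findings.append(f"default route {route} is outside {net}")
    for entry in acl:
        # A prefix with fewer than three octets admits at least 65,536 hosts.
        if entry.endswith(".") and entry.count(".") < 3:
            findings.append(f"ACL entry '{entry}' is broader than a /24")
    if not any(acl_permits(e, mgmt_host) for e in acl):
        findings.append(f"management host {mgmt_host} is not in the ACL")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    for f in audit("10.1.9.201", "255.255.255.0", "sensor",
                   "10.1.8.1", ["10."], "192.168.5.10"):
        print("FINDING:", f)
```

Running the check before the reboot that options 1–5 require catches a wrong route or an ACL that omits the management host while the sensor console is still at hand.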