Sensor Bootstrap
Mar 10, 2010 00:00
by
alperen
When a new sensor is installed on the network, it lacks any
specific configuration information. In its default state, the sensor has no way
of communicating on the network or with any management platform. Before a sensor
can be operational, it must first be bootstrapped. Bootstrapping a sensor consists of building a basic
configuration, which allows the sensor to communicate with remote hosts.
If you’re using CSPM to configure and manage your CIDS, you’re
required to reboot the sensor when PostOffice parameters are changed. For
example, if you add a new CSPM platform and you want to manage an existing
sensor with the new CSPM server, you must rebootstrap the sensor. If you replace
an existing CSPM server with another but retain all the settings from the older
CSPM platform, you won't have to rebootstrap the sensor.
The IDS Device Manager isn’t affected by the PostOffice parameters
configured on the sensor. The IDS Device Manager connects to and configures the
sensor via an IP address and a web interface, so it isn’t affected by changes in
the PostOffice protocol.
To bootstrap a sensor, you must log in to the sensor using the
root user account. Stored on each sensor is a configuration script named sysconfig-sensor, which provides a menu-driven system that
enables you to create a basic configuration on the sensor.
Before running the sysconfig-sensor script, you need to collect
and record the relevant information needed to configure the sensor. Table 25-3
is a worksheet that lists the information you should collect and record before
running the sysconfig-sensor script.
Table 25-3: Bootstrap Information

Menu Item Number | Information needed for bootstrap
1 | What is the IP address of the sensor?
2 | What is the netmask to be used by the sensor?
3 | What is the sensor's host name?
4 | What is the IP address of the sensor's default gateway?
5 | What are the IP addresses and/or network ranges that will be permitted to access the sensor via Telnet, FTP, and TFTP? You must specify the IP addresses of the hosts that will be allowed to configure and manage the sensor.
6 | What are the values for the following PostOffice communications parameters?
    Sensor Host ID: a unique numeric identifier for the sensor. The expected value is a whole number between 1 and 65,535.
    Sensor Organization ID: a unique numeric identifier for a collection of sensors. The expected value is a whole number between 1 and 65,535.
    Sensor Host Name: a logical name associated with the host ID (not the IP host name). Cisco recommends you use only lowercase letters.
    Sensor Organization Name: a logical name associated with the Sensor Organization ID. Cisco recommends you use only lowercase letters.
    CSPM IP Address: the IP address of your CSPM server.
    CSPM Host ID: a unique numeric identifier for the CSPM host. This value must match the value specified when CSPM was installed.
    CSPM Host Name: a logical name associated with the CSPM Host ID. This value must match the value specified when CSPM was installed.
7 | What is the current date, time, and time zone for this sensor?
8 | What should the passwords be for both the root and netrangr accounts?
9 | For IPSec, you must supply the following values:
    What is the security parameter index (SPI) for the default inbound configuration?
    If you use custom keys, what are the values for the following inbound and outbound configurations?
      Cipher key
      Authentication key
Performing a Sensor Bootstrap in 12 Easy Steps
The following 12 steps are required to bootstrap a
sensor:
-
Step 1 Log in to the sensor using the user
name root and the password attack.
You’ll be prompted to change the password if this is the first time you’ve used
this account. If you don’t know how to log in to the sensor, see the previous
section, “Connecting to Your Network Sensor.”
-
Step 2 At the command prompt, type sysconfig-sensor. When this command is issued, a menu will
appear. The following is an example of the menu you’ll see on your screen.
Cisco IDS Sensor Initial Configuration Utility
Select Options 1 through 6 to initially configure the Sensor.

  1 - IP Address
  2 - IP Netmask
  3 - IP Host Name
  4 - Default Route
  5 - Access Control List
  6 - Communications Infrastructure
  7 - Date/Time and Time Zone
  8 - Passwords
  9 - Secure Communications
 10 - Display
 11 - IDS Device Manager
  x - Exit

Selection:
-
Step 3 Type 1 to enter the IP Address screen:

IP Address
Enter the TCP/IP address the Sensor uses. The new value won't be activated until you restart the Sensor. Write down the new address. You'll need to update the information on the Access Control List menu (Option 5 on the main menu).
WARNING: If you do not update the IP address on the Access Control List menu, you will not be able to log in once the Sensor has rebooted with the new address.

Current address: 10.1.9.201
New address:

This screen enables you to configure the new IP address. The
existing default IP address is 10.1.9.201. The new IP address won't be activated
until the sensor is restarted.

Note: You must enter this IP address in the list of allowed hosts
in the Access Control List screen (Option 5, discussed in a later
step).
-
Step 4 Type 2 to enter the IP Netmask screen:

IP Netmask
Enter the TCP/IP netmask that the Sensor uses. The new value will not be activated until you restart the Sensor.
Current address:
Current netmask: 255.255.255.0
New netmask:

The default netmask is 255.255.255.0. Enter the new netmask
to be used by this sensor. The new netmask won't be activated until you restart
the sensor.
-
Step 5 Type 3 to access the IP Host Name screen:

IP Host Name
Enter a new host name for the Sensor. The new value will not be activated until you restart the Sensor.
Current name: sensor
New name:

Enter the new hostname to be used by this sensor, such as sensor1.
-
Step 6 Type 4 to enter the Default Route screen. This is the address of the router
that services the local subnet; all nonlocal traffic will be sent to this
address.

Default Route
Enter the default route for the TCP/IP traffic coming from the Sensor. The default route is the IP address of the primary router attached to the same LAN as the Sensor. The new value will not be activated until you restart the Sensor.
Current default route:
New default route:

The current default route is 10.1.9.1. Enter the new
default gateway address.
-
Step 7 Type 5 to enter the Access Control List screen. Listed here are the IP network
and host addresses that should have Telnet, TFTP, and FTP access to this sensor.
The IP addresses of the CSPM host and of the local sensor itself must be listed here to allow
communication between the two hosts.

Access Control List
You can modify the list of IP addresses and networks that are allowed to log into the Sensor. A TCP wrapper application enforces this list. If a host with an IP address that is not in this list attempts to log into the Sensor, the TCP connection will automatically be closed.
WARNING: If you have changed the IP address of the Sensor, list the host addresses from which you log in remotely.
This list must contain only host IP addresses and not host names. The Sensor by default does not use ANY type of name service (for example, DNS, NIS, NIS+). List the network addresses with just the network portion of the address: 192.9.200.

Current list:
10.

Enter an address to add to the list. If the address entered is already in the list, it will be deleted from it.
IP address:

As you can see, by default any host with an IP address that
starts with 10. is allowed to communicate with this sensor. To delete the 10.
entry, type 10. again and it will be removed from the
list. To enter an address range, type only the network portion of the IP
address and then press ENTER. For example, to allow all hosts
in the 192.168.10.0/24 network, type 192.168.10. and press
ENTER. If you changed the sensor's IP address in Step 3, add the new address here
now; otherwise you'll be locked out once the sensor reboots.
Note: You should limit the number of hosts that have access to
your sensors. The more hosts allowed to communicate with your sensor, the
greater the potential for an intruder to use one of those systems to attack your IDS
sensors. The IP address of the director platform must be
entered.
-
Step 8 Type 6 to enter the Communications Infrastructure screen.

Note: The communication settings must be configured correctly. If a
host ID, organization ID, or any other ID is entered incorrectly, the sensor will be
unable to communicate with the rest of the CIDS infrastructure.

Communications Infrastructure
To create the configuration files necessary to enable communication between the Sensor and the IDS Manager, enter the following values:
  *Sensor Host ID
  *Sensor Organization ID
  *Sensor Host Name
  *Sensor Organization Name
  *Sensor IP Address
  *IDS Manager Host ID
  *IDS Manager Organization ID
  *IDS Manager Host Name
  *IDS Manager Organization Name
  *IDS Manager IP Address
Do you want to continue (y/n)?

Type y to enter the PostOffice
communications information. Table 25-2 lists these parameters with the acceptable
values for each. You must specify this sensor's host and organization
information. The host ID must be unique within the organization; the organization ID, however, must be
the same as the one configured on the other CIDS sensors and infrastructure.
-
Step 9 Type 7 to enter the Date/Time and Time Zone screen.

Date/Time and Time Zone
  1 - Synchronize Date/Time with Another Host
  2 - Set Date/Time
  3 - Change Time Zone
  x - Exit
Selection:

Choose the method you want to use to set the date, time, and
time zone information.
-
Step 10 Type 8 to enter the Passwords screen. Select the account whose password you want to change.

  1 - netrangr
  2 - root
  x - Exit
Selection:

Change the passwords for both the netrangr and the root user
accounts.
-
Step 11 Type 10 to view the Display screen.

Display
Display Mode: VGA/Terminal
  1 - Toggle Display Mode
  x - Exit
Selection:

Within the Display screen, you can toggle between VGA/Terminal
mode and Terminal mode. In VGA/Terminal mode, you can
connect to the sensor via a console cable or by using a monitor and a keyboard;
in this mode, boot messages are sent only to the VGA port.
Terminal mode limits the sensor's display to a terminal
connected to the console port and disables the VGA port, so the VGA port won't
provide any access to the system. In Terminal
mode, boot messages are sent to the terminal, not to the VGA port.
-
Step 12 Type 11 to view the IDS Device Manager screen.

IDS Device Manager
Current Mode: Enabled
  1 - Disable
  x - Exit
Selection:

If you're managing the sensor with IDS Device Manager, leave this option
enabled. It is enabled by default.
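The following script is an added example; it is not part of this chapter and not Cisco's sensor software. It turns the Table 25-3 worksheet and the rules the sysconfig-sensor menus state above into checks you can run before typing anything into the sensor: Access Control List entries are host IP addresses or dotted network prefixes such as 192.168.10. (never host names, since the sensor uses no name service), an entry typed twice is removed, the sensor's new IP address and the CSPM address must both be in the list or you are locked out after the reboot, PostOffice host and organization IDs are whole numbers between 1 and 65,535, the organization ID must match the rest of the CIDS infrastructure, and the factory root password must be changed. The worksheet keys, the sample worksheet, and the warning about one-octet prefixes such as 10. are assumptions made for this example.

```python
"""Pre-flight checker for a sysconfig-sensor bootstrap worksheet (Table 25-3).

Added example, not part of the chapter and not Cisco's sensor software.
Worksheet keys and the SAMPLE worksheet below are constructed for this example.
"""
import ipaddress
import re

LOWER_NAME = re.compile(r"^[a-z][a-z0-9-]*$")  # Cisco recommends lowercase names
DEFAULT_ROOT_PASSWORD = "attack"               # factory root password per the chapter


def acl_allows(acl, client_ip):
    """TCP-wrapper style match used by the Access Control List menu.

    An entry is either a full host address or a network prefix ending in a
    dot ("10.", "192.168.10."); a prefix matches the client address textually.
    """
    for entry in acl:
        if entry.endswith("."):
            if client_ip.startswith(entry):
                return True
        elif entry == client_ip:
            return True
    return False


def acl_toggle(acl, entry):
    """Menu semantics: entering an address adds it; entering it again removes it."""
    acl = list(acl)
    if entry in acl:
        acl.remove(entry)
    else:
        acl.append(entry)
    return acl


def valid_acl_entry(entry):
    """Host IP (a.b.c.d) or a 1-3 octet prefix with a trailing dot.
    Host names are never valid: the sensor uses no DNS, NIS or NIS+."""
    if entry.endswith("."):
        octets = entry[:-1].split(".")
        return 1 <= len(octets) <= 3 and all(o.isdigit() and int(o) <= 255 for o in octets)
    try:
        ipaddress.IPv4Address(entry)
        return True
    except ValueError:
        return False


def check_worksheet(ws):
    """Return the list of problems found in a worksheet dict; empty means ready."""
    problems = []
    # Items 1, 2 and 4: address, mask and default route must form one subnet.
    try:
        iface = ipaddress.IPv4Interface(f"{ws['ip']}/{ws['netmask']}")
        gateway = ipaddress.IPv4Address(ws["gateway"])
        if gateway not in iface.network or gateway == iface.ip:
            problems.append(f"default route {gateway} is not another host on {iface.network}")
    except (KeyError, ValueError) as err:
        problems.append(f"bad ip/netmask/gateway: {err}")
    # Item 5: entries well formed; the sensor itself and the CSPM host must be covered.
    acl = ws.get("acl", [])
    for entry in acl:
        if not valid_acl_entry(entry):
            problems.append(f"ACL entry {entry!r} is not a host IP or dotted network prefix")
        elif entry.count(".") == 1:  # assumption: a one-octet prefix is too broad
            problems.append(f"ACL entry {entry!r} admits an entire /8; narrow it")
    for label in ("ip", "cspm_ip"):
        if label in ws and not acl_allows(acl, ws[label]):
            problems.append(f"{label} {ws[label]} is not in the ACL; you will be locked out")
    # Item 6: PostOffice IDs and names.
    for key in ("sensor_host_id", "sensor_org_id", "cspm_host_id", "cspm_org_id"):
        value = ws.get(key)
        if not isinstance(value, int) or not 1 <= value <= 65535:
            problems.append(f"{key} must be a whole number between 1 and 65535")
    if ws.get("sensor_host_id") == ws.get("cspm_host_id"):
        problems.append("sensor and CSPM host IDs must be unique within the organization")
    if ws.get("sensor_org_id") != ws.get("cspm_org_id"):
        problems.append("sensor organization ID must match the CSPM organization ID")
    for key in ("sensor_host_name", "sensor_org_name", "cspm_host_name"):
        if not LOWER_NAME.match(str(ws.get(key, ""))):
            problems.append(f"{key} should be lowercase letters and digits only")
    # Item 8: do not leave the factory root password in place.
    if ws.get("root_password", DEFAULT_ROOT_PASSWORD) == DEFAULT_ROOT_PASSWORD:
        problems.append("root password is still the factory default")
    return problems


# Constructed sample worksheet: new address chosen, factory "10." entry still in the ACL,
# sensor address not yet added to the ACL, root password not yet changed.
SAMPLE = {
    "ip": "192.168.10.201", "netmask": "255.255.255.0", "gateway": "192.168.10.1",
    "acl": ["10.", "192.168.10.50"],
    "sensor_host_id": 12, "sensor_org_id": 100,
    "sensor_host_name": "sensor1", "sensor_org_name": "corp",
    "cspm_ip": "192.168.10.50", "cspm_host_id": 1, "cspm_org_id": 100,
    "cspm_host_name": "cspm", "root_password": "attack",
}

if __name__ == "__main__":
    for problem in check_worksheet(SAMPLE):
        print("-", problem)
```

Run it against your own worksheet before Step 2; the three findings on the sample (the open 10. prefix, the sensor's own new address missing from the ACL, and the unchanged root password) are exactly the mistakes the warnings in Steps 3, 7 and 10 are there to prevent.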