
Table Of Contents

Release Notes for Management Center for IDS Sensors 2.0.1 and Monitoring Center for Security 2.0.1 on Windows and Solaris

Important Notes

New and Changed Features

Product Documentation

Related Documentation

Additional Information Online

Supplemental Documentation

Using the ConvertAndImport.pl Script after Upgrading from Security Monitor 1.2.3 to Security Monitor 2.0.1

Installation Notes

Installing, Upgrading, and Uninstalling IDS MC and Security Monitor on Windows

Installing, Upgrading, and Uninstalling IDS MC and Security Monitor on Solaris

Client System Requirements

Known and Resolved Problems

Obtaining Documentation

Cisco.com

Ordering Documentation

Documentation Feedback

Obtaining Technical Assistance

Cisco Technical Support Website

Submitting a Service Request

Definitions of Service Request Severity

Obtaining Additional Publications and Information


Release Notes for Management Center for IDS Sensors 2.0.1 and Monitoring Center for Security 2.0.1 on Windows and Solaris


These release notes are for use with Management Center for IDS Sensors 2.0.1 (IDS MC) and Monitoring Center for Security 2.0.1 (Security Monitor) on Windows 2000 or Solaris. The supported Windows version is Windows 2000, Service Pack 4; the supported Solaris version is 2.8.

These release notes provide:

Important Notes

New and Changed Features

Product Documentation

Additional Information Online

Installation Notes

Known and Resolved Problems

Obtaining Documentation

Documentation Feedback

Obtaining Technical Assistance

Obtaining Additional Publications and Information

Important Notes

The following information is important to you as a user of IDS MC 2.0.1 or Security Monitor 2.0.1:

Cisco Host Intrusion Detection System is no longer supported. This functionality is replaced by Cisco Security Agent.

Use VMS Common Services 2.2, Service Pack 3, with IDS MC 2.0.1 and Security Monitor 2.0.1.

Before installing VMS 2.2, you may want to upgrade your sensors to IDS 4.1(1). For more information, refer to CSCeb33006.

Use static IP addresses for the host or hosts where IDS MC and Security Monitor are installed, because DHCP is not supported for IDS MC or Security Monitor.

Do not use download accelerator programs such as DAP, because they are not supported.

You cannot use SSH keys in IDS MC if you want to use a sensor as a master blocking sensor.

If the idsmdc.log file is growing too large with unwanted data, you can reset its size to 0 (zero) by backing up the database. Then, you can delete the backup file. (The idsmdc.log file is in the same directory as idsmdc.db, the directory that was specified for the database at installation.) Also, you can use IdsDbCompact to reduce the size of the database.

We strongly recommend that you avoid connecting to the database directly, because doing so can cause performance reductions and unexpected system behavior.

Do not run SQL queries against the database.

Event Viewer in Security Monitor 2.0 and later supports blocking when you are using sensors that are operating with IDS 4.x software.

If you do not specify the -f"filename" option when using the IdsImportIdiom command line utility, the program reads "standard input" for data. As a result, the program waits forever for input; it will not time out or return, and you must abort it. Although this is not a defect, you need to be aware of this behavior to avoid misunderstanding when you use this command line utility.


Caution If IDS_ReportScheduler (a CiscoWorks2000 process), CiscoWorks2000, or Windows 2000 is stopped, any scheduled report that is running at the time is interrupted and its content is lost. In IDS MC 1.2, Security Monitor 1.2, and later versions of both, the Audit Log Report contains an entry noting the interruption and the lost content. This caution is particularly important if reports are scheduled to be generated repeatedly.

You can forward syslog messages on the basis of IP address/hostname and port. The IP address/hostname is a required field whose default value is localhost. If a DNS name is entered, it must resolve to an IP address at data entry time. If at any time during syslog forwarding, a DNS name cannot be resolved to an IP address, an appropriate error message is logged to the Audit Log.

When firewall reports are generated, performance may be degraded as a result of configuring both WINS and DNS on Windows 2000 servers, because it may take a long time to resolve IP addresses to a hostname when the IP address does not exist in DNS or WINS. Security Monitor will automatically disable any further DNS lookup activity for that particular report instance if the cumulative time for doing lookup in a particular report exceeds 10 minutes. Another way to improve performance is to reconfigure your report generation filters to select a smaller subset of syslog messages to be included in the report.

When firewall reports are generated, no correlation is done for sessions that involve more than one connection (such as FTP and RTSP). Each connection in a session appears independently in the report. If the port numbers used by connections do not map to standard port numbers, they are categorized as Unknown TCP or UDP service.

An upgrade installation note applies if you use Cisco Secure Access Control Server and upgrade IDS MC 1.2.3 to IDS MC 2.0.1. Refer to "Post-Upgrade Installation Note for IDS MC 2.0.1 and Security Monitor 2.0.1" in the User Guide for Management Center for IDS Sensors 2.0 or to the same information in Installation Notes.

If an online help page displays blank in your browser view, refresh the browser.

New and Changed Features

IDS MC 2.0.1 has no new features. For information on resolved problems, see Resolved Problems in Management Center for IDS Sensors, Release 2.0.1.

Security Monitor 2.0.1 contains one changed feature: automatic archive of historical audit events. On upgrade from any release prior to 2.0, the audit events are automatically archived rather than upgraded to the new data format. You can upgrade your data at any time; however, to ensure upgrade integrity, you cannot upgrade the data while the system is being upgraded. All configuration data is upgraded.

Product Documentation


Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.


Table 1 describes the product documentation that is available.

Table 1 Product Documentation 

Document Title
Available Formats

Release Notes for Management Center for IDS Sensors 2.0.1 and Monitoring Center for Security 2.0.1 on Windows and Solaris

On Cisco.com at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mgt_ids/idsmc20/cmrn201.htm

Using Management Center for IDS Sensors 2.0

On Cisco.com at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mgt_ids/idsmc20/ug/index.htm

Printed document available by order (part number DOC-7816093=).1

Using Monitoring Center for Security 2.0

On Cisco.com at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mon_sec/secmon20/ug/index.htm

Printed document available by order (part number DOC-7816092=).1

Supported Devices and Software Versions for Management Center for IDS Sensors 2.0

On Cisco.com at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mgt_ids/idsmc20/mcsdt20.htm

Supported Devices and Software Versions for Monitoring Center for Security 2.0

On Cisco.com at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mon_sec/secmon20/smsdt20.htm

Context-sensitive online help

Select an option from the navigation tree, then click Help.

Click the Help button in the dialog box.

1 See Obtaining Documentation.


Related Documentation


Note We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.


Table 2 describes the additional documentation that is available.

Table 2 Related Documentation 

Document Title
Available Formats

Quick Start Guide for VPN/Security Management Solution 2.2

This document describes the basic tasks involved in preparing and configuring network devices using Management Centers.

On Cisco.com at http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_b/vpnman/vms_2_2/brvms22.htm

Printed document available by order (part number DOC-7815636=).1

Readme for CiscoWorks VMS 2.2 Update 1.

On Cisco.com at http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_b/vpnman/vms_2_2/vmsrm.htm

Installation and Setup Guide for CiscoWorks Common Services 2.2 (Includes CiscoView 5.5) on Windows.

This document describes installing and setting up CiscoWorks Common Services 2.2 (includes CiscoView 5.5) on Windows.

On Cisco.com at http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser22/ig_wincv/index.htm

Printed document available by order (part number DOC-7815430=).1

Installation and Setup Guide for CiscoWorks Common Services 2.2 (Includes CiscoView 5.5) on Solaris.

This document describes installing and setting up CiscoWorks Common Services 2.2 (includes CiscoView 5.5) on Solaris.

On Cisco.com at http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/comser22/ig_solcv/index.htm

Printed document available by order (part number DOC-7815431=).1

1 See Obtaining Documentation.


Additional Information Online

You can download signature updates for IDS MC and Security Monitor by logging in to Cisco.com at http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ids.

Supplemental Documentation

The following documentation supplements the current user guides.

Using the ConvertAndImport.pl Script after Upgrading from Security Monitor 1.2.3 to Security Monitor 2.0.1

This section applies to Security Monitor on both Windows and Solaris. It does not apply to IDS MC.

When you upgrade your Security Monitor 1.2.3 database during an upgrade to release 2.0.1, the data is archived; it is not updated into the 2.0.1 database. The archived data is placed in a subdirectory named "Archive12Data" off the currently specified IDS database directory. (The IDS database directory is located in ~CSCOpx\MDC\Sybase\Db\IDS by default.)

Security Monitor 2.0.1 includes a Perl script named ConvertAndImport.pl to enable you to convert your 1.2.3 data to the 2.0.1 format and then import your converted data into the 2.0.1 database. Both conversion and import are performed by ConvertAndImport.pl. This script works with Security Monitor 1.2 or Security Monitor 1.2.3 data that is archived during the upgrade to Security Monitor 2.0.1.

Using the ConvertAndImport.pl script is a complex procedure that has special requirements for execution time, system downtime, free disk space, and daemon management:

Using the ConvertAndImport.pl script may take several hours. More specifically, it causes your system to be unusable for some time during the import portion and to operate more slowly during the conversion portion. You should use the ConvertAndImport.pl script only when several hours of downtime will be acceptable.

Using ConvertAndImport.pl requires free disk space in the amount of three times the size of your database. Attempts using less than this amount are likely to fail.

You can leave the Security Monitor daemons running during conversion, but the script stops them during import. Many Security Monitor daemons are shut down during import. As a result, you must stop and restart the Daemon Manager after the import process is finished.

To use the ConvertAndImport.pl script after upgrading from Security Monitor 1.2.3 to Security Monitor 2.0.1, follow these steps:


Step 1 Back up your Security Monitor 2.0.1 database before using the ConvertAndImport.pl script.

Step 2 Verify that your upgrade to Security Monitor 2.0.1 was successful. You can verify the installation of Security Monitor in the Packages Installed section of the About the Server page from the CiscoWorks Server desktop by following these steps:

a. Log in to CiscoWorks.

b. Select Server Configuration > About the Server > Applications and Versions. The About the Server page appears.

c. Scroll to the Applications Installed section of the About the Server page to verify that IDS MC and Security Monitor appear in the Applications Installed list.

Step 3 Access the Security Monitor server, either locally or through remote access. Be sure to use an account with adequate permissions.

Step 4 Verify that several hours of system downtime will be acceptable.

Step 5 Verify that you have adequate free disk space.

Step 6 Open a command window and navigate to the currently specified IDS database directory. (The IDS database directory is located in ~CSCOpx\MDC\Sybase\Db\IDS by default.)

Step 7 Execute the ConvertAndImport.pl script. (The ConvertAndImport.pl script is located in ~bin\ids.) See Help for ConvertAndImport.pl.

The conversion may take several hours. For example, converting a database containing 2,000,000 events may take 2 to 4 hours. There is no progress bar, but a notification appears in the command window after conversion and import have been completed by the script.

Your Security Monitor 1.2.3 data has been converted to the Security Monitor 2.0.1 format and imported into the Security Monitor 2.0.1 database.

Step 8 Stop and restart the Daemon Manager by opening a command window and entering the following commands:

On Windows:

a. "net stop crmdmgtd"

b. "net start crmdmgtd"

On Solaris:

a. /etc/init.d/dmgtd stop

b. /etc/init.d/dmgtd start

This step is required because many Security Monitor daemons are shut down during import.

Table 3 Help for ConvertAndImport.pl

Note: This must be run with the version of perl that came with Common Services. This can be found in <Install Location>/bin/perl

ConvertAndImport.pl - Convert data archived during upgrade and import it back into the database.

This program will convert the data in the Archive12Data directory off the database directory with the specified date and time and re-import it into the database.

By Default, this utility will convert and import.

With command-line options, can choose just convert or just import.

usage:

  ConvertAndImport.pl <"date_time"> [-c] [-i]

  where:

    date_time   the date and time to delete alarms on and before (required)
                The date_time format is "MMDDYYYY_HHmmSS"
    -c          Convert data, don't import (default is convert/import)
    -i          Import data, don't convert (default is convert/import)
    -help       This message


In the preceding table, "date_time" is derived from the filename of the archive. For example, in alert_1-2-3_12102004_123953.txt, the date is 12102004, or December 10, 2004, and the time is 123953, or 53 seconds past 12:39 a.m.
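
The checks in Steps 5 through 7, sketched as an added Python example (not part of the Cisco documentation or of ConvertAndImport.pl): it derives each date_time value from the archive file names, rejects malformed values, and applies the three-times-database-size free space rule. Measuring the database as the size of idsmdc.db, the file-name suffix pattern, and the perl and script paths are assumptions.

```python
import os
import re
import shutil
import tempfile
from datetime import datetime

# Suffix "_MMDDYYYY_HHmmSS.txt", as in the page's alert_1-2-3_12102004_123953.txt.
# Assumption: every archive file in Archive12Data ends this way.
ARCHIVE_RE = re.compile(r"_(\d{8}_\d{6})\.txt$")
DATE_TIME_FORMAT = "%m%d%Y_%H%M%S"  # MMDDYYYY_HHmmSS, from the script's help text
SPACE_FACTOR = 3                    # free space must be three times the database size


def date_time_from_archive(filename):
    """Return the date_time token in an archive file name, or None if absent/invalid."""
    match = ARCHIVE_RE.search(filename)
    if match is None:
        return None
    token = match.group(1)
    try:
        datetime.strptime(token, DATE_TIME_FORMAT)  # rejects month 13, Feb 30, hour 25
    except ValueError:
        return None
    return token


def archive_tokens(db_dir):
    """Distinct date_time tokens under <db_dir>/Archive12Data, oldest archive first."""
    names = os.listdir(os.path.join(db_dir, "Archive12Data"))
    tokens = {date_time_from_archive(name) for name in names} - {None}
    return sorted(tokens, key=lambda t: datetime.strptime(t, DATE_TIME_FORMAT))


def enough_free_space(db_bytes, free_bytes, factor=SPACE_FACTOR):
    """True when free space is at least `factor` times the database size."""
    return free_bytes >= factor * db_bytes


def preflight(db_dir, db_file="idsmdc.db", free_bytes=None,
              perl="<Install Location>/bin/perl", script="ConvertAndImport.pl"):
    """Check disk space and build one command line per archive; runs nothing.

    db_file, perl and script are assumptions; pass the values for your server.
    """
    db_bytes = os.path.getsize(os.path.join(db_dir, db_file))
    if free_bytes is None:
        free_bytes = shutil.disk_usage(db_dir).free
    tokens = archive_tokens(db_dir)
    return {
        "db_bytes": db_bytes,
        "required_free_bytes": SPACE_FACTOR * db_bytes,
        "space_ok": enough_free_space(db_bytes, free_bytes),
        "tokens": tokens,
        "commands": [[perl, script, token] for token in tokens],
    }


def build_sample_db_dir():
    """Constructed sample: a 1000-byte database and four files in Archive12Data."""
    db_dir = tempfile.mkdtemp(prefix="ids_db_")
    os.mkdir(os.path.join(db_dir, "Archive12Data"))
    with open(os.path.join(db_dir, "idsmdc.db"), "wb") as handle:
        handle.write(b"\0" * 1000)
    for name in ("alert_1-2-3_12102004_123953.txt",   # file name quoted on the page
                 "alert_1-2-3_01052005_080000.txt",   # constructed
                 "alert_1-2-3_13012004_000000.txt",   # constructed, month 13: skipped
                 "readme.txt"):                       # constructed, no token: skipped
        open(os.path.join(db_dir, "Archive12Data", name), "w").close()
    return db_dir


if __name__ == "__main__":
    sample = build_sample_db_dir()
    try:
        report = preflight(sample, free_bytes=2999)
        print("space ok:", report["space_ok"], "need", report["required_free_bytes"])
        for command in report["commands"]:
            print(" ".join(command))
    finally:
        shutil.rmtree(sample)
```

The tokens are ordered by the date they encode, not alphabetically, so an archive from December 2004 is listed before one from January 2005.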

Installation Notes

This section contains information on installing, upgrading, and uninstalling IDS MC and Security Monitor 2.0, as well as defining the client requirements. The following topics are detailed:

Installing, Upgrading, and Uninstalling IDS MC and Security Monitor on Windows

Installing, Upgrading, and Uninstalling IDS MC and Security Monitor on Solaris

Client System Requirements

Installing, Upgrading, and Uninstalling IDS MC and Security Monitor on Windows

This section describes how to install, upgrade, and uninstall Management Center for IDS Sensors (IDS MC) and Monitoring Center for Security (Security Monitor) on Windows. It contains the following sections:

System Requirements

System Preparation

Downloading IDS MC 2.0.1 and Security Monitor 2.0.1 for Windows from Cisco.com

Installing IDS MC 2.0.1 and Security Monitor 2.0.1

Upgrading Existing Installations

Uninstalling IDS MC and Security Monitor

System Requirements

IDS MC and Security Monitor are components of the VPN/Security Management Solution (VMS). CiscoWorks Common Services 2.2, Service Pack 3, is required for IDS MC and Security Monitor to work. CiscoWorks Common Services 2.2, Service Pack 3, provides the CiscoWorks Server base components and software developed to support IDS MC and Security Monitor, including the necessary software libraries and packages. For more information, see Installation and Setup Guide for CiscoWorks Common Services 2.2 (Includes CiscoView) on Windows.


Note For information about all bundle features and their requirements, see the Quick Start Guide for the VPN/Security Management Solution 2.2.


You can install IDS MC and Security Monitor on Windows 2000 and Solaris. Table 4 shows VMS bundle server requirements for Windows 2000 systems.


Note IDS MC and Security Monitor have been tested with the listed platforms, browsers, and service packs. If you install IDS MC and Security Monitor concurrently with software other than what is listed, IDS MC and Security Monitor might not function properly.


Table 4 Server Requirements for Windows 

System Component
Requirement

Hardware

IBM PC-compatible with a 1GHz or faster Pentium processor.

Color monitor with at least 800 x 600 resolution and a video card capable of 16-bit colors.

CD-ROM drive.

100BaseT or faster (100 Mbps or faster) network connection.

Single and multiple CPU computers.

Operating System

Windows 2000 Professional, Server, or Advanced Server with Service Pack 4 and Terminal Services turned off.

Note IDS MC and Security Monitor support only the US English versions of these operating systems. In addition, only the US English Regional Options setting is supported.

File System

NTFS

Memory

1 Gigabyte, minimum

Virtual Memory

2 Gigabytes, minimum

Hard Drive Space

9 Gigabytes of free hard drive space, minimum

Note The actual amount of hard drive space required depends upon the number of CiscoWorks Common Services client applications you are installing and the number of devices you are managing with the client applications.


Additionally, you should not install any VMS products on a Windows server that is running any of the following services:

Primary domain controller

Backup domain controller

Terminal Server

System Preparation

After you have verified that your system meets the requirements outlined in System Requirements, you can prepare your system for installation. Before you install or upgrade IDS MC and Security Monitor, make sure that the following components and patches have been installed:

CiscoWorks Common Services 2.2 is installed as described in Installation and Setup Guide for CiscoWorks Common Services 2.2 (Includes CiscoView) on Windows.

CiscoWorks VMS 2.2 Update 1 is installed as described in the Readme for CiscoWorks VMS 2.2 Update 1. CiscoWorks VMS 2.2 Update 1 and associated readme are available for download and installation at http://www.cisco.com/cgi-bin/tablebuild.pl/vms-3des.


Note You should periodically check the VMS downloads site at http://www.cisco.com/kobayashi/sw-center/cw2000/vms-planner.shtml for additional patches and updates that affect IDS MC, Security Monitor, or CiscoWorks Server.

If you have questions about which major or minor updates you are eligible to download and you have a service contract, check the Cisco Product Upgrade tool at www.cisco.com/upgrade for help.


The OpenSSL 0.9.7d security patch for CiscoWorks Common Services 2.2 (Includes CiscoView) on Windows is installed as described in the ReadMe for OpenSSL 0.9.7d security patch for CiscoWorks Common Services 2.2 (Includes CiscoView) on Windows. The OpenSSL 0.9.7d security patch and associated readme are available for download and installation at http://www.cisco.com/cgi-bin/tablebuild.pl/cd-one-3des.

Additional Security Measures

The least secure component of a system defines how secure the system is. Before installing your server software, you should take some basic steps to secure the target server and operating system:

Install the operating system on its own partition. Installing the operating system on one partition, and your software and data on another, protects your data and applications from viruses and attempted security breaches.

Use strong passwords. A strong password has at least eight characters and contains numbers, letters (both uppercase and lowercase), and symbols. You can edit the Local Security Policy to configure Windows 2000 to require strong passwords.

Avoid creating network shares. If you must create a network share, secure the shared resources with strong passwords. However, network shares are strongly discouraged, and you should disable NETBIOS completely.

Disable unnecessary accounts. Remove the default Guest account. Make sure that all remaining accounts are protected with strong passwords and require a password to log in.

Secure the Registry. Disable or limit remote access to the Registry.

Apply all hotfixes and security patches. Visit the Microsoft website regularly and apply the most recent security patches. Use the Windows Update feature regularly to ensure that the most recent critical updates are installed on the server.

Disable unused and unneeded services. At a minimum, Windows requires the following services to run: DNS Client, Event Log, Plug & Play, Protected Storage, and Security Accounts Manager. Check your software documentation for any additional Windows services required by your software.


Caution Do not install Microsoft Internet Information Server (IIS).

Disable all network protocols except Internet Protocol (TCP/IP). Other protocols can be used to gain access to your server. Limiting the network protocols used limits the access points to your server. If you are not using network shares on the server, disable NETBIOS.

Monitor the security of your system regularly. Log and review system activity. Use security tools, such as the Microsoft Security Configuration Tool Set (MSCTS) and Fport, to periodically review the security configuration of your system. You can obtain MSCTS from the Microsoft website.

Limit physical access to your server. If your server contains removable media drives, set the server to boot from the hard drive first. Your data can be compromised if someone boots your server from a floppy disk. You can typically set the boot order in the system BIOS. Make sure you protect the BIOS with a strong password.

Do not install remote access or administration tools on the server. These tools provide a point of entry to your server and are considered a security risk.

Run a virus scanning application on the server. Virus scanning software can prevent trojan horse applications from infecting your server. Update the virus signatures regularly.
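
One way to check a server against the service-related items above, as an added Python example that is not part of the Cisco documentation: it parses the output of the Windows net start command and reports missing minimum services, running services that the guidance above advises against, and services still to be reviewed. The service display names, the site allowlist entry, and the sample output are assumptions constructed for illustration.

```python
# Minimum services named on the page. The page writes "Plug & Play"; the
# display name "Plug and Play" used here is an assumption about the host.
MINIMUM_SERVICES = {
    "DNS Client",
    "Event Log",
    "Plug and Play",
    "Protected Storage",
    "Security Accounts Manager",
}

# Running services that conflict with the guidance above. Display names are
# assumptions for a Windows 2000 host; adjust them to what net start reports.
FLAGGED_SERVICES = {
    "IIS Admin Service": "do not install IIS",
    "World Wide Web Publishing Service": "do not install IIS",
    "Terminal Services": "Terminal Services must be turned off",
    "Remote Registry Service": "disable or limit remote access to the Registry",
}

# Constructed sample of net start output (not captured from a real server).
SAMPLE_NET_START = """\
These Windows 2000 services are started:

   DNS Client
   Event Log
   Example Product Service
   IIS Admin Service
   Plug and Play
   Print Spooler
   Protected Storage
   Terminal Services

The command completed successfully.
"""


def parse_net_start(output):
    """Service display names from net start output: the indented, non-empty lines."""
    return [line.strip() for line in output.splitlines()
            if line[:1].isspace() and line.strip()]


def audit_services(running, site_allowlist=()):
    """Classify running services against the page's minimum and flagged lists.

    site_allowlist holds the extra services your own software documentation
    says are required (a hypothetical parameter for this example).
    """
    running_set = set(running)
    reviewed = MINIMUM_SERVICES | set(site_allowlist) | set(FLAGGED_SERVICES)
    return {
        "missing_minimum": sorted(MINIMUM_SERVICES - running_set),
        "flagged": {name: FLAGGED_SERVICES[name]
                    for name in sorted(running_set & set(FLAGGED_SERVICES))},
        "unreviewed": sorted(running_set - reviewed),
    }


if __name__ == "__main__":
    result = audit_services(parse_net_start(SAMPLE_NET_START),
                            site_allowlist=["Example Product Service"])
    for name in result["missing_minimum"]:
        print("MISSING   ", name)
    for name, reason in result["flagged"].items():
        print("FLAGGED   ", name, "-", reason)
    for name in result["unreviewed"]:
        print("UNREVIEWED", name)
```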

Downloading IDS MC 2.0.1 and Security Monitor 2.0.1 for Windows from Cisco.com

To download IDS MC 2.0.1 and Security Monitor 2.0.1 for Windows from Cisco.com, follow these steps:


Step 1 Create a temporary directory to which you want to download the software.

Step 2 Log in to Cisco.com.

Step 3 Go to the Software Download page for Management Center for IDS Sensors and Monitoring Center for Security, located at: http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ids-app.

Step 4 Click fcs-IDSMDC-v2.0.1-win-K9.exe and proceed with the download.


Installing IDS MC 2.0.1 and Security Monitor 2.0.1

This section describes how to install IDS MC 2.0.1 and Security Monitor 2.0.1. You can install either IDS MC or Security Monitor, or you can install both. If you are upgrading from a previous version, see Upgrading Existing Installations.


Note For optimal performance, we recommend that you install IDS MC and Security Monitor on separate servers.


Before you begin

Verify that your system meets the minimum requirements as defined in System Requirements.

Verify that CiscoWorks Common Services 2.2 and all necessary patches have been installed as described in System Preparation.

Download the installation application from Cisco.com as described in Downloading IDS MC 2.0.1 and Security Monitor 2.0.1 for Windows from Cisco.com.

To install IDS MC and/or Security Monitor, follow these steps:


Step 1 Log in as the local administrator on the system on which CiscoWorks Common Services is installed.

Step 2 Start the installer, and then click Yes to begin the installation. The Welcome page appears.

Step 3 Click Next to begin the installation. The Software License Agreement page appears.

Step 4 To accept the terms of the license agreement, click Yes.


Note If you do not accept the terms of the license agreement, click No. The install wizard closes.


Step 5 Do one of the following:

To install both IDS MC and Security Monitor, select the Typical installation radio button. Then, click Next.

To install IDS MC only:

Click the Custom installation radio button. Then, click Next.

Click the IDS MC only radio button. Then, click Next.

To install Security Monitor only:

Click the Custom installation radio button. Then, click Next.

Click the Security Monitor only radio button. Then, click Next.

The System Requirements page appears.

Step 6 Verify that your system meets the minimum disk space and memory requirements. Then, click Next. The Select Database Location page appears.

Step 7 By default, the database will be created in the directory where CiscoWorks Common Services is installed. To specify a different directory for the IDS database, enter a directory path in the Database File Location field. Then, click Next. The Select Database Password page appears.

Step 8 Enter the database password in the Password field. Then, to confirm the password, reenter it in the Confirm Password field. Then, click Next.

If you are installing Security Monitor, the Select CiscoWorks Syslog Port page appears. If you are installing only IDS MC, the Summary page appears, and you should skip to Step 11.

Step 9 Specify which UDP port CiscoWorks uses. The value can be between 1 and 65535. By default, CiscoWorks uses UDP port 52514. We recommend that you use the default port value. Then, click Next. The Configure Communication Properties page appears.

Step 10 To submit the communication properties for this host, type a unique Host ID, Organization ID, IP Address, Host Name, and Organization Name into the appropriate fields. The Host ID and Organization ID can contain only uppercase and lowercase letters, numerals 0 through 9, minus signs (-), and underscores (_). Then, click Next.

The properties are used to establish communication between this host and the IDS postoffice device. The Summary page appears.

Step 11 Review your installation settings. Then, click Next.

The selected applications are installed. After installation, the Restart page appears.

Step 12 Select Yes, I want to restart my computer now and click Finish to restart the computer. Or, select No, I will restart my computer later and click Finish to restart the computer at a later time.


Note You must restart the computer before you use IDS MC or Security Monitor.



Upgrading Existing Installations

If you have an earlier version of IDS MC or Security Monitor installed on your server, you should review the information in Table 5 to determine how to upgrade to version 2.0.1.

Before you begin

Before upgrading, you should back up your database using the VMS backup process. For more information on the VMS backup, refer to the following instructions: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mon_sec/secmon20/ug/dbrules.htm#wp330468

Verify that CiscoWorks VMS 2.2 Update 1 and all other necessary patches have been installed as described in System Preparation.

Download the installation application from Cisco.com as described in Downloading IDS MC 2.0.1 and Security Monitor 2.0.1 for Windows from Cisco.com.

Table 5 Recommended Upgrade Sequence 

If the following product is already installed...
And you want to...
You should upgrade in the following order...

IDS MC 2.0

upgrade to IDS MC 2.0.1

or

upgrade to IDS MC 2.0.1 and install Security Monitor 2.0.1

1. Upgrade to IDS MC 2.0.1 and, optionally, install Security Monitor 2.0.1 by following the steps listed in Upgrading to IDS MC 2.0.1 and Security Monitor 2.0.1.

2. If you are using Cisco Secure Access Control Server (ACS) to define user accounts, follow the steps outlined in Post-Upgrade Installation Note for IDS MC 2.0.1 and Security Monitor 2.0.1, to re-register the components.

Security Monitor 2.0

upgrade to Security Monitor 2.0.1

or

upgrade to Security Monitor 2.0.1 and install IDS MC 2.0.1

1. Upgrade to Security Monitor 2.0.1 and, optionally, install IDS MC 2.0.1 by following the steps listed in Upgrading to IDS MC 2.0.1 and Security Monitor 2.0.1.

2. If you are using Cisco Secure Access Control Server (ACS) to define user accounts, follow the steps outlined in Post-Upgrade Installation Note for IDS MC 2.0.1 and Security Monitor 2.0.1, to re-register the components.

IDS MC 2.0 and Security Monitor 2.0

upgrade to IDS MC 2.0.1 and Security Monitor 2.0.1

Note If both components are installed on the same server, you cannot upgrade one component without upgrading the other.

1. Upgrade to IDS MC 2.0.1 and Security Monitor 2.0.1 by following the steps listed in Upgrading to IDS MC 2.0.1 and Security Monitor 2.0.1.

2. If you are using Cisco Secure Access Control Server (ACS) to define user accounts, follow the steps outlined in Post-Upgrade Installation Note for IDS MC 2.0.1 and Security Monitor 2.0.1, to re-register the components.

IDS MC 1.2.3

upgrade to IDS MC 2.0.1

or

upgrade to IDS MC 2.0.1 and install Security Monitor 2.0.1

1. Upgrade to IDS MC 2.0.1 and, optionally, install Security Monitor 2.0.1 by following the steps listed in Upgrading to IDS MC 2.0.1 and Security Monitor 2.0.1.

2. If you are using Cisco Secure Access Control Server (ACS) to define user accounts, follow the steps outlined in Post-Upgrade Installation Note for IDS MC 2.0.1 and Security Monitor 2.0.1, to re-register the components.

Security Monitor 1.2.3

upgrade to Security Monitor 2.0.1

or

upgrade to Security Monitor 2.0.1 and install IDS MC 2.0.1

1. Upgrade to Security Monitor 2.0.1 and, optionally, install IDS MC 2.0.1 by following the steps listed in Upgrading to IDS MC 2.0.1 and Security Monitor 2.0.1.

2. If you are using Cisco Secure Access Control Server (ACS) to define user accounts, follow the steps outlined in Post-Upgrade Installation Note for IDS MC 2.0.1 and Security Monitor 2.0.1, to re-register the components.

IDS MC 1.2.3 and Security Monitor 1.2.3

upgrade to IDS MC 2.0.1 and Security Monitor 2.0.1

Note If both components are installed on the same server, you cannot upgrade one component without upgrading the other.

1. Upgrade to IDS MC 2.0.1 and Security Monitor 2.0.1 by following the steps listed in Upgrading to IDS MC 2.0.1 and Security Monitor 2.0.1.

2. If you are using Cisco Secure Access Control Server (ACS) to define user accounts, follow the steps outlined in Post-Upgrade Installation Note for IDS MC 2.0.1 and Security Monitor 2.0.1, to re-register the components.

IDS MC prior to version 1.2.3

upgrade to IDS MC 2.0.1

or

upgrade to IDS MC 2.0.1 and install Security Monitor 2.0.1

1. Upgrade to IDS MC 1.2.3 by following the steps listed in Upgrading to IDS MC 1.2.3 and Security Monitor 1.2.3.

Note You do not need to install Security Monitor 1.2.3. If you want to install Security Monitor on a server that is already running IDS MC, wait and install it using the 2.0.1 installer.

2. Upgrade to IDS MC 2.0.1 and, optionally, install Security Monitor 2.0.1 by following the steps listed in Upgrading to IDS MC 2.0.1 and Security Monitor 2.0.1.

3. If you are using Cisco Secure Access Control Server (ACS) to define user accounts, follow the steps outlined in Post-Upgrade Installation Note for IDS MC 2.0.1 and Security Monitor 2.0.1, to re-register the components.

Security Monitor prior to version 1.2.3

upgrade to Security Monitor 2.0.1

or

upgrade to Security Monitor 2.0.1 and install IDS MC 2.0.1

1. Upgrade to Security Monitor 1.2.3 by following the steps listed in Upgrading to IDS MC 1.2.3 and Security Monitor 1.2.3.

Note You do not need to install IDS MC 1.2.3. If you want to install IDS MC on a server that is already running Security Monitor, wait and install it using the 2.0.1 installer.

2. Upgrade to Security Monitor 2.0.1 and, optionally, install IDS MC 2.0.1 by following the steps listed in Upgrading to IDS MC 2.0.1 and Security Monitor 2.0.1.

3. If you are using Cisco Secure Access Control Server (ACS) to define user accounts, follow the steps outlined in Post-Upgrade Installation Note for IDS MC 2.0.1 and Security Monitor 2.0.1, to re-register the components.

IDS MC prior to version 1.2.3 and Security Monitor prior to version 1.2.3

upgrade to IDS MC 2.0.1 and Security Monitor 2.0.1

Note If both components are installed on the same server, you cannot upgrade one component without upgrading the other.

1. Upgrade to IDS MC 1.2.3 and Security Monitor 1.2.3 by following the steps listed in Upgrading to IDS MC 1.2.3 and Security Monitor 1.2.3.

2. Upgrade to IDS MC 2.0.1 and Security Monitor 2.0.1 by following the steps listed in Upgrading to IDS MC 2.0.1 and Security Monitor 2.0.1.

3. If you are using Cisco Secure Access Control Server (ACS) to define user accounts, follow the steps outlined in Post-Upgrade Installation Note for IDS MC 2.0.1 and Security Monitor 2.0.1, to re-register the components.


Upgrading to IDS MC 1.2.3 and Security Monitor 1.2.3

This section describes how to upgrade to IDS MC 1.2.3 and Security Monitor 1.2.3. If you are running a version of IDS MC or Security Monitor prior to version 1.2.3, you must first upgrade to 1.2.3 before you can upgrade to version 2.0.1.

If IDS MC and Security Monitor are installed on the same server, you must upgrade both. If only one component (IDS MC or Security Monitor) is installed on the server, and you want to install the other component on the same server, you should wait and install it using the 2.0.1 installer.

To upgrade to IDS MC 1.2.3 and/or Security Monitor 1.2.3, follow these steps:


Step 1 Log in as the local administrator on the system on which CiscoWorks Common Services is installed.

Step 2 To download version 1.2.3, perform steps a through c; otherwise, skip to Step 3:

a. Log in to Cisco.com.

b. Go to the Software Download page for Management Center for IDS Sensors and Monitoring Center for Security, located at: http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ids-app.

c. Click fcs-IDSMC-V1.2.3-w2k-k9.exe and proceed with the download.

Step 3 Start the installer, and then click Yes to begin the installation. The Welcome page appears.

Step 4 Click Next to begin the installation. The Software License Agreement page appears.

Step 5 To accept the terms of the license agreement, click Yes.


Note If you do not accept the terms of the license agreement, click No. The install wizard closes.


Step 6 Do one of the following:

To upgrade Security Monitor and IDS MC, click the Typical installation radio button. Then, click Next.

To upgrade IDS MC:

Click the Custom installation radio button, and then click Next.

Click the IDS MC only radio button, and then click Next.

To upgrade Security Monitor:

Click the Custom installation radio button, and then click Next.

Click the Security Monitor only radio button, and then click Next.

The System Requirements page appears.

Step 7 Verify that your system meets the minimum disk space and memory requirements. Then, click Next. The Summary page appears.

Step 8 Verify the selected components. Then, click Next.

The applications are upgraded, and then the Setup Complete page appears.

Step 9 Click Finish to complete the upgrade.


Upgrading to IDS MC 2.0.1 and Security Monitor 2.0.1

This section describes how to upgrade to IDS MC 2.0.1 and Security Monitor 2.0.1. If IDS MC and Security Monitor are installed on the same server, you must upgrade both. If only one component is installed on the server, you can optionally install the current version of the other component on the same server during the upgrade process.

To upgrade IDS MC, Security Monitor, or both, or to upgrade one component while installing the other, follow these steps:


Step 1 Log in as the local administrator on the system on which CiscoWorks Common Services is installed.

Step 2 Start the installer, and then click Yes to begin the installation. For instructions on downloading the installer, see Downloading IDS MC 2.0.1 and Security Monitor 2.0.1 for Windows from Cisco.com. The Welcome page appears.

Step 3 Click Next to begin the installation. The Software License Agreement page appears.

Step 4 To accept the terms of the license agreement, click Yes.


Note If you do not accept the terms of the license agreement, click No. The install wizard closes.


Step 5 Do one of the following:

To upgrade IDS MC and Security Monitor, to upgrade IDS MC and install Security Monitor, or to upgrade Security Monitor and install IDS MC, click the Typical installation radio button. Then, click Next.

To upgrade IDS MC without installing Security Monitor:

Click the Custom Installation radio button. Then, click Next.

Click the IDS MC only(upgrade) radio button. Then, click Next.

To upgrade Security Monitor without installing IDS MC:

Click the Custom installation radio button. Then, click Next.

Click the Security Monitor only(upgrade) radio button. Then, click Next.

The following message appears:

NOTE: Security Monitor attack records will be archived on disk. See online help to import archived records.
IMPORTANT: You are performing an upgrade, it is strongly recommended that you first make a VMS backup. Click [Yes] if you would like to proceed.

Step 6 Do one of the following:

To cancel this upgrade and perform a VMS backup, click No and then follow the instructions found at: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mon_sec/secmon20/ug/dbrules.htm#wp330468

After you have completed the VMS backup, restart this procedure.

To proceed with the upgrade, click Yes.

The System Requirements page appears.

Step 7 Verify that your system meets the minimum disk space and memory requirements. Then, click Next.

If you are installing Security Monitor (not upgrading), the Select CiscoWorks Syslog Port page appears. If you are not installing Security Monitor, the Summary page appears, and you should skip to Step 10.

Step 8 Specify which UDP port CiscoWorks uses. The value can be between 1 and 65535. By default, CiscoWorks uses UDP port 52514. We recommend that you use the default port value. Then, click Next. The Configure Communication Properties page appears.

Step 9 To submit the communication properties for this host, type a unique Host ID, Organization ID, IP Address, Host Name, and Organization Name into the appropriate fields. The Host ID and Organization ID can contain only uppercase and lowercase letters, numerals 0 through 9, minus signs (-), and underscores (_). Then, click Next.

The properties are used to establish communication between this host and the IDS postoffice device. The Summary page appears.

Step 10 Verify the selected components. Then, click Next.

You are prompted to save the existing IDS MC/Security Monitor database.

Step 11 To save the existing IDS MC/Security Monitor database, click Yes. To erase the existing data and start with a new database, click No.

The applications are upgraded, and then the Setup Complete page appears.

Step 12 Click Finish to complete the upgrade.


Post-Upgrade Installation Note for IDS MC 2.0.1 and Security Monitor 2.0.1

This post-upgrade installation note applies when both of the following conditions are met:

1. You are upgrading IDS MC 1.2.3 to IDS MC 2.0.1 or you are upgrading Security Monitor 1.2.3 to Security Monitor 2.0.1.


Note This condition does not apply if you are performing a new (also called "clean") installation rather than an upgrade installation.


2. You are using Cisco Secure Access Control Server (ACS) to define user accounts.

To ensure a proper upgrade installation after installing IDS MC 2.0.1 or Security Monitor 2.0.1, follow these steps:


Step 1 If you upgraded IDS MC, select and delete the Help Desk command set for IDS MC from the Shared Profile Components page of ACS.

Step 2 If you installed Security Monitor, select and delete the Help Desk command set for Security Monitor from the Shared Profile Components page of ACS.

Step 3 If you installed IDS MC, register IDS MC on the CiscoWorks server at VPN/Security Management Solution > Administration > Configuration > AAA Server.

Step 4 If you installed Security Monitor, register Security Monitor on the CiscoWorks server at VPN/Security Management Solution > Administration > Configuration > AAA Server.


Uninstalling IDS MC and Security Monitor

This section describes how to uninstall IDS MC and Security Monitor. You can uninstall either IDS MC or Security Monitor, or you can uninstall both.

To uninstall IDS MC and/or Security Monitor, follow these steps:


Step 1 Select Start > Programs > CiscoWorks > Uninstall CiscoWorks. The Uninstallation page appears.

Step 2 Select which components to uninstall.

a. To uninstall IDS MC, select the IDS Management Center check box and deselect all the other check boxes. Then, click Next.

b. To uninstall Security Monitor, select the Security Monitor check box and deselect all the other check boxes. Then, click Next.

c. To uninstall both IDS MC and Security Monitor, select the IDS Management Center and Security Monitor check boxes and deselect all remaining check boxes. Then, click Next.


Note If you are uninstalling earlier versions of IDS MC and Security Monitor, you might also need to select the IDS MC/Security Monitor Common Framework check box. However, you should not select this check box if you are uninstalling one component (IDS MC or Security Monitor) but are leaving the other component installed.

The IDS MC/Security Monitor Common Framework component is not listed in the uninstaller for IDS MC 2.0.1 and Security Monitor 2.0.1.


A page displays the components that you have selected to delete.

Step 3 Verify the components selected for deletion. Then, click Next.

Messages display the progress of the uninstallation. Then, an information message states that uninstallation is complete.

Step 4 Click OK. Uninstallation is complete.


Installing, Upgrading, and Uninstalling IDS MC and Security Monitor on Solaris

This chapter describes how to install, upgrade, and uninstall IDS MC and Security Monitor on the Sun Solaris operating system. It contains the following sections:

System Requirements

System Preparation

System Parameter Tuning on Solaris

Downloading IDS MC 2.0.1 and Security Monitor 2.0.1 for Solaris from Cisco.com

Installing IDS MC 2.0.1 and Security Monitor 2.0.1

Upgrading Existing Installations

Uninstalling IDS MC and Security Monitor

System Requirements

IDS MC and Security Monitor are components of the VPN/Security Management Solution (VMS). CiscoWorks Common Services 2.2 is required for IDS MC and Security Monitor to work. CiscoWorks Common Services 2.2 provides the CiscoWorks Server base components and software developed to support IDS MC and Security Monitor, including the necessary software libraries and packages. For more information, see Installation and Setup Guide for CiscoWorks Common Services 2.2 (Includes CiscoView 5.5) on Solaris.


Note For information about all bundle features and their requirements, see the Quick Start Guide for the VPN/Security Management Solution 2.2.


You can install IDS MC and Security Monitor on Windows 2000 and Solaris. Table 6 shows the server requirements for Solaris systems.


Note IDS MC and Security Monitor have been tested with the listed platforms, browsers, and service packs. If you install IDS MC and Security Monitor concurrently with software other than what is listed, IDS MC and Security Monitor might not function properly.


Table 6 Server Requirements for Solaris 

System Component
Requirement

System Hardware

Sun UltraSPARC 60 MP with 440 MHz or faster processor.

Sun UltraSPARC III (Sun Blade 2000 Workstation or Sun Fire 280R Workgroup Server) [1].

Color monitor with at least 800x600 resolution and a video card capable of 16-bit colors.

CD-ROM drive.

100BaseT or faster (100 Mbps or faster) network connection.

Single and multiple CPU machines.

System Software

Sun Solaris 2.8 with these patches:

109742 has been replaced by 108528-13

109322 has been replaced by 108827-15

109279 has been replaced by 108528-13

108991 has been replaced by 108827-15

Note CiscoWorks Common Services 2.2 supports only the US-English and Japanese versions of the Solaris operating system. It does not support any other language version. Set the default locale to US-English for the US-English version and to Japanese for the Japanese version.

Memory

1 GB minimum memory.

Virtual Memory

2 GB virtual memory [2].

Hard Drive Space

12 GB minimum available disk drive space.

Note The actual amount of hard drive space required depends upon the number of CiscoWorks Common Services client applications you are installing and the number of devices you are managing with the client applications.

[1] Solaris SPARC station or Sun Ultra 10 is the minimum hardware requirement.

[2] Virtual Memory should be twice the Main Memory size.


To verify the amount of available disk space in each of the specified partitions and directories, enter:

# df -k directory

where directory is the partition or directory for which you want to check the available disk space.


Note The Solaris patches required by IDS MC and Security Monitor are the same as those required by CiscoWorks Common Services 2.2 for Solaris. For more information on the required Solaris patches, see Installation and Setup Guide for CiscoWorks Common Services (Includes CiscoView) on Solaris.


System Preparation

After you have verified that your system meets the requirements outlined in System Requirements, you can prepare your system for installation. Before you install or upgrade IDS MC and Security Monitor, make sure that the following components and patches have been installed:

CiscoWorks Common Services 2.2 is installed as described in Installation and Setup Guide for CiscoWorks Common Services 2.2 (Includes CiscoView) on Solaris.

CiscoWorks VMS 2.2 Update 1 is installed as described in the Readme for CiscoWorks VMS 2.2 Update 1. CiscoWorks VMS 2.2 Update 1 and associated readme are available for download and installation at http://www.cisco.com/cgi-bin/tablebuild.pl/vms-3des.


Note You should periodically check the VMS downloads site at http://www.cisco.com/kobayashi/sw-center/cw2000/vms-planner.shtml for additional patches and updates that affect IDS MC, Security Monitor, or CiscoWorks Server.

If you have questions about which major or minor updates you are eligible to download and you have a service contract, check the Cisco Product Upgrade tool at www.cisco.com/upgrade for help.


The OpenSSL 0.9.7d security patch for CiscoWorks Common Services 2.2 (Includes CiscoView) on Solaris is installed as described in the ReadMe for OpenSSL 0.9.7d security patch for CiscoWorks Common Services 2.2 (Includes CiscoView) on Solaris. The OpenSSL 0.9.7d security patch and associated readme are available for download and installation at http://www.cisco.com/cgi-bin/tablebuild.pl/cd-one-3des.

All required Solaris patches have been installed. The Solaris patches required by IDS MC and Security Monitor are the same as those required by CiscoWorks Common Services 2.2 for Solaris. For more information on the required Solaris patches, see Installation and Setup Guide for CiscoWorks Common Services (Includes CiscoView) on Solaris.

Additional Security Measures

The least secure component of a system defines how secure the system is. Before installing your server software, you should take some basic steps to secure the target server and operating system.

This section contains important information that you should read before you begin installation:

CiscoWorks applications are installed in the following default directory: /opt/CSCOpx.

If you select another directory during installation, the application is installed in that directory.

If you select an installation directory different from the default, the /opt/CSCOpx directory is created as a link to the directory you selected. If you remove the link after installation, the component might malfunction.

If errors occur during installation, check the installation log file /var/tmp/ciscoinstall.log.

You can press Ctrl-C at any time to end the installation. However, any changes to your system (for example, installation of new files or changes to system files) will not be undone.


Caution We do not recommend ending the installation using Ctrl-C. If you do so, you must manually clean up the installation directories.

If you want to use secure access between the client browser and the management server, you can enable or disable SSL from the CiscoWorks desktop.

If SSL is enabled:

The URL begins with https instead of http to indicate a secure connection.

The port number following the server name is 1742 instead of 1741.

You cannot enable SSL on the CiscoWorks Server if there is an application that is not SSL-compliant installed on the server.


Note We recommend that you have SSL enabled during installation unless you are using other CiscoWorks components that do not support SSL. For help with SSL, consult the User Guide for CiscoWorks Common Services 2.2 at http://www.cisco.com/en/US/partner/products/sw/cscowork/ps3996/products_user_guide_chapter09186a008017b754.html.


Make sure that you disable DHCP or assign a permanent, static lease for all CiscoWorks Servers and AutoUpdate Servers. The Dynamic Host Configuration Protocol (DHCP) enables hosts to receive dynamically assigned IP addresses. Because these IP addresses are not permanently assigned to the hosts, we recommend that you disable DHCP or assign a permanent, static lease for all CiscoWorks Servers and AutoUpdate Servers.

Network inconsistencies might cause installation errors if you are installing from a remote mount point.

System Parameter Tuning on Solaris

During installation, IDS MC sets the following system parameters in the /etc/system file on Solaris:

set shmsys:shminfo_shmmax=4294967295
set shmsys:shminfo_shmmin=1
set shmsys:shminfo_shmmni=100
set shmsys:shminfo_shmseg=10
set semsys:seminfo_semmsl=160
set semsys:seminfo_semopm=100
set semsys:seminfo_semvmx=32767
set semsys:seminfo_semaem=16384
set semsys:seminfo_semmap=66
set semsys:seminfo_semume=20
set semsys:seminfo_semmns=510
set semsys:seminfo_semmni=170
set semsys:seminfo_semmnu=120
set rlim_fd_cur=120

If you are running other applications that use these parameters, you must increment them according to application documentation. If you change these parameters, you must reboot the system for the changes to take effect.

You can find general information about tuning the system parameters on the Sun Microsystems website:

http://docs.sun.com/db/doc/806-7009
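
As an added example (not part of Cisco's release notes or installer), the following shell function audits an /etc/system-style file against the values listed above, which is useful after other applications have edited the same parameters. The helper names and the sample file are constructed for this example, and treating any value at or above the listed one as acceptable is an assumption.

```shell
#!/bin/sh
# Added example, not Cisco code: audit an /etc/system-style file against the
# parameters this page says the IDS MC installer sets on Solaris.

# Names and values copied from the list in "System Parameter Tuning on Solaris".
REQUIRED='shmsys:shminfo_shmmax=4294967295
shmsys:shminfo_shmmin=1
shmsys:shminfo_shmmni=100
shmsys:shminfo_shmseg=10
semsys:seminfo_semmsl=160
semsys:seminfo_semopm=100
semsys:seminfo_semvmx=32767
semsys:seminfo_semaem=16384
semsys:seminfo_semmap=66
semsys:seminfo_semume=20
semsys:seminfo_semmns=510
semsys:seminfo_semmni=170
semsys:seminfo_semmnu=120
rlim_fd_cur=120'

# audit_system_file FILE  (hypothetical helper name)
# Prints "<name> <status> <found> <required>" for each parameter, where status is
#   OK        value present and >= the listed value (assumption: higher values,
#             set for other applications, are acceptable)
#   LOW       value present but below the listed value
#   MISSING   no active "set" line for the parameter
#   UNPARSED  value is not a plain decimal number (for example hex)
# Returns 0 only when every parameter is OK.
audit_system_file() {
    printf '%s\n' "$REQUIRED" | awk -v file="$1" '
        BEGIN {
            # Load the file first; the last active "set" line for a name wins.
            while ((getline line < file) > 0) {
                sub(/^[ \t]+/, "", line)
                if (line ~ /^[*#]/) continue          # comment lines
                if (line !~ /^set[ \t]/) continue     # other directives
                sub(/^set[ \t]+/, "", line)
                n = index(line, "=")
                if (n == 0) continue
                name = substr(line, 1, n - 1)
                value = substr(line, n + 1)
                gsub(/[ \t]/, "", name)
                gsub(/[ \t\r]/, "", value)
                found[name] = value
            }
            close(file)
        }
        {
            n = index($0, "=")
            name = substr($0, 1, n - 1)
            want = substr($0, n + 1)
            if (!(name in found)) {
                status = "MISSING"; have = "-"
            } else {
                have = found[name]
                if (have !~ /^[0-9]+$/)       status = "UNPARSED"
                else if (have + 0 < want + 0) status = "LOW"
                else                          status = "OK"
            }
            if (status != "OK") bad = 1
            print name, status, have, want
        }
        END { exit bad + 0 }
    '
}

# write_sample FILE: constructed sample input, not taken from a real host.
write_sample() {
    cat > "$1" <<'EOF'
* constructed sample /etc/system fragment
set shmsys:shminfo_shmmax=4294967295
set semsys:seminfo_semmns = 1024
* set semsys:seminfo_semmni=170
set rlim_fd_cur=64
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_system_file "$sample" || echo "Some parameters are not OK; reboot after editing /etc/system."
rm -f "$sample"
```

On a real server, pass /etc/system as the argument; the function only reads the file.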

Downloading IDS MC 2.0.1 and Security Monitor 2.0.1 for Solaris from Cisco.com

To download IDS MC 2.0.1 and Security Monitor 2.0.1 for Solaris from Cisco.com, follow these steps:


Step 1 Create a temporary directory to which you want to download the software.

Step 2 Log in to Cisco.com.

Step 3 Go to the Software Download page for Management Center for IDS Sensors and Monitoring Center for Security, located at: http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ids-app.

Step 4 Click fcs-IDSMDC-v2.0.1-sol-K9.zip and proceed to download the software to the temporary directory you created in Step 1.

Step 5 After downloading the file, unzip the files into the temporary directory that you created:

# cd tempdir
# unzip fcs-IDSMDC-v2.0.1-sol-K9.zip

where tempdir is the location where you downloaded the installation software.


Installing IDS MC 2.0.1 and Security Monitor 2.0.1

This section describes how to install IDS MC 2.0.1 and Security Monitor 2.0.1. You can install either IDS MC or Security Monitor, or you can install both. If you are upgrading from a previous version, see Upgrading Existing Installations.


Note For optimal performance, we recommend that you install IDS MC and Security Monitor on separate servers.


Before you begin

Verify that your system meets the minimum requirements as defined in System Requirements.

Verify that you have root privileges on the server.

Verify that CiscoWorks Common Services 2.2 and all necessary patches have been installed as described in System Preparation.

Download the installation application from Cisco.com as described in Downloading IDS MC 2.0.1 and Security Monitor 2.0.1 for Solaris from Cisco.com.

To install IDS MC and/or Security Monitor, follow these steps:


Step 1 Log in as root on the Solaris server.

Step 2 To run the installation program, enter:

# cd tempdir
# ./setup.sh

where tempdir is the location where you extracted the installation files.

The following message appears:

Press Enter to read/browse the following license agreement:

Step 3 Press Enter to read the license agreement.

The following message appears at the end of the license agreement:

You must accept this License agreement for the installation to proceed.
If you enter N/n, the installation will exit. Do you accept all the terms of the preceding License Agreement? (y/n) [y]

Step 4 To accept the terms of the license agreement and proceed with the installation, enter y.


Note If you do not accept the terms of the license agreement, enter n to stop the installation.


The following options appear:

(1) IDS Management Center
(2) Security Monitor
(3) All of the Above (IDS Management Center + Security Monitor)

Step 5 Select one of the items using its number or enter q to quit.

Step 6 If you selected (1) IDS Management Center or (3) All of the Above (IDS Management Center + Security Monitor), enter the following details:

Database password

Database location

Host IP address

Step 7 If you selected (2) Security Monitor or (3) All of the Above (IDS Management Center + Security Monitor), enter the following postoffice setting information:

Host ID

Host name

Organization ID

Organization name

Host IP address

If you selected (3) All of the Above (IDS Management Center + Security Monitor), you should enter the Host IP address twice—once for setting the IP address of the host system and again when entering postoffice settings.

The installation proceeds.

During installation, a warning message appears if the /etc/system file is modified for tuning system parameters. You should reboot the system for the changes to the /etc/system file to take effect. If you do not reboot the system, IDS MC and Security Monitor may not work as expected.

You should enable and configure the syslogd service so that IDS_Receiver can receive syslog events from remote hosts.

After the installation is completed, Daemon Manager starts.


Note Error messages or warning messages appear if the required and recommended Solaris patches are not present on your system. Before running Security Monitor and IDS MC, download and install the most recent recommended patches from http://www.sunsolve.sun.com.


If errors occurred during installation, check the installation log file: /var/tmp/ciscoinstall.log. Each installation appends to this file.


Upgrading Existing Installations

If you have an earlier version of IDS MC or Security Monitor installed on your server, you should review the information in Table 7 to determine how to upgrade to version 2.0.1.

Before you begin

Before upgrading, you should back up your database using the VMS backup process. For more information on the VMS backup, refer to the following instructions: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mon_sec/secmon20/ug/dbrules.htm#wp330468

Verify that CiscoWorks VMS 2.2 Update 1 and all other necessary patches have been installed as described in System Preparation.

Download the installation application from Cisco.com as described in Downloading IDS MC 2.0.1 and Security Monitor 2.0.1 for Solaris from Cisco.com.

Table 7 Recommended Upgrade Sequence 

If the following product is already installed...
And you want to...
You should upgrade in the following order...

IDS MC 2.0

upgrade to IDS MC 2.0.1

or

upgrade to IDS MC 2.0.1 and install Security Monitor 2.0.1

1. Upgrade to IDS MC 2.0.1 and, optionally, install Security Monitor 2.0.1 by following the steps listed in Upgrading to IDS MC 2.0.1 and Security Monitor 2.0.1.

2. If you are using Cisco Secure Access Control Server (ACS) to define user accounts, follow the steps outlined in Post-Upgrade Installation Note for IDS MC 2.0.1 and Security Monitor 2.0.1, to re-register the components.

Security Monitor 2.0

upgrade to Security Monitor 2.0.1

or

upgrade to Security Monitor 2.0.1 and install IDS MC 2.0.1

1. Upgrade to Security Monitor 2.0.1 and, optionally, install IDS MC 2.0.1 by following the steps listed in Upgrading to IDS MC 2.0.1 and Security Monitor 2.0.1.

2. If you are using Cisco Secure Access Control Server (ACS) to define user accounts, follow the steps outlined in Post-Upgrade Installation Note for IDS MC 2.0.1 and Security Monitor 2.0.1, to re-register the components.

IDS MC 2.0 and Security Monitor 2.0

upgrade to IDS MC 2.0.1 and Security Monitor 2.0.1

Note If both components are installed on the same server, you cannot upgrade one component without upgrading the other.

1. Upgrade to IDS MC 2.0.1 and Security Monitor 2.0.1 by following the steps listed in Upgrading to IDS MC 2.0.1 and Security Monitor 2.0.1.

2. If you are using Cisco Secure Access Control Server (ACS) to define user accounts, follow the steps outlined in Post-Upgrade Installation Note for IDS MC 2.0.1 and Security Monitor 2.0.1, to re-register the components.

IDS MC 1.2.3

upgrade to IDS MC 2.0.1

or

upgrade to IDS MC 2.0.1 and install Security Monitor 2.0.1

1. Upgrade to IDS MC 2.0.1 and, optionally, install Security Monitor 2.0.1 by following the steps listed in Upgrading to IDS MC 2.0.1 and Security Monitor 2.0.1.

2. If you are using Cisco Secure Access Control Server (ACS) to define user accounts, follow the steps outlined in Post-Upgrade Installation Note for IDS MC 2.0.1 and Security Monitor 2.0.1, to re-register the components.

Security Monitor 1.2.3

upgrade to Security Monitor 2.0.1

or

upgrade to Security Monitor 2.0.1 and install IDS MC 2.0.1

1. Upgrade to Security Monitor 2.0.1 and, optionally, install IDS MC 2.0.1 by following the steps listed in Upgrading to IDS MC 2.0.1 and Security Monitor 2.0.1.

2. If you are using Cisco Secure Access Control Server (ACS) to define user accounts, follow the steps outlined in Post-Upgrade Installation Note for IDS MC 2.0.1 and Security Monitor 2.0.1, to re-register the components.

IDS MC 1.2.3 and Security Monitor 1.2.3

upgrade to IDS MC 2.0.1 and Security Monitor 2.0.1

Note If both components are installed on the same server, you cannot upgrade one component without upgrading the other.

1. Upgrade to IDS MC 2.0.1 and Security Monitor 2.0.1 by following the steps listed in Upgrading to IDS MC 2.0.1 and Security Monitor 2.0.1.

2. If you are using Cisco Secure Access Control Server (ACS) to define user accounts, follow the steps outlined in Post-Upgrade Installation Note for IDS MC 2.0.1 and Security Monitor 2.0.1, to re-register the components.

IDS MC prior to version 1.2.3

upgrade to IDS MC 2.0.1

or

upgrade to IDS MC 2.0.1 and install Security Monitor 2.0.1

1. Upgrade to IDS MC 1.2.3 by following the steps listed in Upgrading to IDS MC 1.2.3 and Security Monitor 1.2.3.

Note You do not need to install Security Monitor 1.2.3. If you want to install Security Monitor on a server that is already running IDS MC, wait and install it using the 2.0.1 installer.

2. Upgrade to IDS MC 2.0.1 and, optionally, install Security Monitor 2.0.1 by following the steps listed in Upgrading to IDS MC 2.0.1 and Security Monitor 2.0.1.

3. If you are using Cisco Secure Access Control Server (ACS) to define user accounts, follow the steps outlined in Post-Upgrade Installation Note for IDS MC 2.0.1 and Security Monitor 2.0.1, to re-register the components.

Security Monitor prior to version 1.2.3

upgrade to Security Monitor 2.0.1

or

upgrade to Security Monitor 2.0.1 and install IDS MC 2.0.1

1. Upgrade to Security Monitor 1.2.3 by following the steps listed in Upgrading to IDS MC 1.2.3 and Security Monitor 1.2.3.

Note You do not need to install IDS MC 1.2.3. If you want to install IDS MC on a server that is already running Security Monitor, wait and install it using the 2.0.1 installer.

2. Upgrade to Security Monitor 2.0.1 and, optionally, install IDS MC 2.0.1 by following the steps listed in Upgrading to IDS MC 2.0.1 and Security Monitor 2.0.1.

3. If you are using Cisco Secure Access Control Server (ACS) to define user accounts, follow the steps outlined in Post-Upgrade Installation Note for IDS MC 2.0.1 and Security Monitor 2.0.1, to re-register the components.

IDS MC prior to version 1.2.3 and Security Monitor prior to version 1.2.3

upgrade to IDS MC 2.0.1 and Security Monitor 2.0.1

Note If both components are installed on the same server, you cannot upgrade one component without upgrading the other.

1. Upgrade to IDS MC 1.2.3 and Security Monitor 1.2.3 by following the steps listed in Upgrading to IDS MC 1.2.3 and Security Monitor 1.2.3.

2. Upgrade to IDS MC 2.0.1 and Security Monitor 2.0.1 by following the steps listed in Upgrading to IDS MC 2.0.1 and Security Monitor 2.0.1.

3. If you are using Cisco Secure Access Control Server (ACS) to define user accounts, follow the steps outlined in Post-Upgrade Installation Note for IDS MC 2.0.1 and Security Monitor 2.0.1, to re-register the components.


Upgrading to IDS MC 1.2.3 and Security Monitor 1.2.3

This section describes how to upgrade to IDS MC 1.2.3 and Security Monitor 1.2.3. If you are running a version of IDS MC or Security Monitor prior to version 1.2.3, you must first upgrade to 1.2.3 before you can upgrade to version 2.0.1.

If IDS MC and Security Monitor are installed on the same server, you must upgrade both. If only one component (IDS MC or Security Monitor) is installed on the server, and you want to install the other component on the same server, you should wait and install it using the 2.0.1 installer.

To upgrade to IDS MC 1.2.3 and/or Security Monitor 1.2.3, follow these steps:


Step 1 Log in as root.

Step 2 To download IDS MC 1.2.3 and Security Monitor 1.2.3 for Solaris from Cisco.com, perform steps a through e; otherwise, skip to Step 3:

a. Create a temporary directory to which you want to download the software.

b. Log in to Cisco.com.

c. Go to the Software Download page for Management Center for IDS Sensors and Monitoring Center for Security, located at: http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ids-app.

d. Click fcs-IDSMDC-v1.2.3-sol-K9.zip and proceed to download the software to the temporary directory you created in Step a.

e. After downloading the file, unzip the files into the temporary directory that you created:

# cd tempdir
# unzip fcs-IDSMDC-v1.2.3-sol-K9.zip

where tempdir is the location where you downloaded the installation software.

Step 3 To run the installation program, enter:

# cd tempdir
# ./setup.sh

where tempdir is the location where you extracted the installation files.

The following message appears:

Press Enter to read/browse the following license agreement:

Step 4 Press Enter to read the license agreement.

The following message appears at the end of the license agreement:

You must accept this License agreement for the installation to proceed.
If you enter N/n, the installation will exit. Do you accept all the terms of the preceding License Agreement? (y/n) [y]

Step 5 To accept the terms of the license agreement and proceed with the installation, enter y.


Note If you do not accept the terms of the license agreement, enter n to stop the installation.


One of the following applies depending on which components are installed on your server:

If both IDS MC and Security Monitor are installed on your server, the installation application automatically upgrades both components. Skip to Step 7.

If only IDS MC is installed on your server, the following message appears:

(1) IDS Management Center
(2) Both IDS Management Center and Security Monitor

If only Security Monitor is installed on your server, the following message appears:

(1) Security Monitor
(2) Both IDS Management Center and Security Monitor

Step 6 Enter 1 to upgrade the component that is installed on the server.


Note If only one component (IDS MC or Security Monitor) is installed on the server, and you want to install the other component on the same server, you should wait and install it using the 2.0.1 installer.


Step 7 If you are upgrading Security Monitor, you might need to enter the following postoffice setting information:

Host ID

Host name

Organization ID

Organization name

Host IP address

Upgrade proceeds and the installation is completed.

During upgrade, a warning message is displayed if the /etc/system file is modified for tuning system parameters. You should reboot the system for the changes to the /etc/system file to take effect. If you do not reboot the system, IDS MC and Security Monitor may not work as expected.

You should enable and configure syslogd service for IDS_Receiver to receive syslog events from remote hosts.

After the installation is completed, Daemon Manager starts.


Note Error messages or warning messages appear if the required and recommended Solaris patches are not present on your system. Before running Security Monitor and IDS MC, download and install the most recent recommended patches from http://www.sunsolve.sun.com.


If errors occurred during installation, check the installation log file: /var/tmp/ciscoinstall.log. Each installation appends to this file.


Upgrading to IDS MC 2.0.1 and Security Monitor 2.0.1

This section describes how to upgrade to IDS MC 2.0.1 and Security Monitor 2.0.1. If IDS MC and Security Monitor are installed on the same server, you must upgrade both. If only one component is installed on the server, you can optionally install the current version of the other component on the same server during the upgrade process.

To upgrade IDS MC, Security Monitor, or both from version 1.2.3 to 2.0.1, or to upgrade one component while installing the other, follow these steps:


Step 1 Log in as root.

Step 2 To run the installation program, enter:

# cd tempdir
# ./setup.sh

where tempdir is the location where you extracted the installation files.

The following message appears:

Press Enter to read/browse the following license agreement:

Step 3 Press Enter to read the license agreement.

The following message appears at the end of the license agreement:

You must accept this License agreement for the installation to proceed.
If you enter N/n, the installation will exit. Do you accept all the terms of the preceding License Agreement? (y/n) [y]

Step 4 To accept the terms of the license agreement and proceed with the installation, enter y.


Note If you do not accept the terms of the license agreement, enter n to stop the installation.


One of the following applies depending on which components are installed on your server:

If both IDS MC and Security Monitor are installed on your server, the installation application upgrades both components. Skip to Step 9.

If only IDS MC is installed on your server, the following message appears:

(1) IDS Management Center
(2) Both IDS Management Center and Security Monitor

If only Security Monitor is installed on your server, the following message appears:

(1) Security Monitor
(2) Both IDS Management Center and Security Monitor

Step 5 Enter 1 to upgrade the component that is installed on the server or enter 2 to upgrade the component and to install the other component.


Note If only one component (IDS MC or Security Monitor) is installed on the server, and you want to install the other component on the same server, you should wait and install it using the 2.0.1 installer.


The following message appears:

NOTE: Security Monitor attack records will be archived on disk. See online help to import archived records, if desired.
IMPORTANT: You are performing an upgrade, it is strongly recommended that you first make a VMS backup. Enter y if you have a backup and are ready to proceed.

Step 6 Do one of the following:

To cancel this upgrade and perform a VMS backup, enter n and then follow the instructions found at: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mon_sec/secmon20/ug/dbrules.htm#wp330468

After you have completed the VMS backup, restart this procedure.

To proceed with the upgrade, enter y.

Step 7 If you are installing IDS Management Center while upgrading Security Monitor, enter the following details:

Database password

Database location

Host IP address

Step 8 If you are installing Security Monitor while updating IDS MC, enter the following postoffice setting information:

Host ID

Host name

Organization ID

Organization name

Host IP address

The installation proceeds.

Step 9 Verify that the upgrade was successful and reboot the system if required.

During installation, a warning message appears if the /etc/system file is modified for tuning system parameters. You should reboot the system for the changes to the /etc/system file to take effect. If you do not reboot the system, IDS MC and Security Monitor may not work as expected.

You should enable and configure syslogd service for IDS_Receiver to receive syslog events from remote hosts.

After the installation is completed, Daemon Manager starts.


Note Error messages or warning messages appear if the required and recommended Solaris patches are not present on your system. Before running Security Monitor and IDS MC, download and install the most recent recommended patches from http://www.sunsolve.sun.com.


If errors occurred during installation, check the installation log file: /var/tmp/ciscoinstall.log. Each installation appends to this file.


Post-Upgrade Installation Note for IDS MC 2.0.1 and Security Monitor 2.0.1

This post-upgrade installation note applies when both of the following conditions are met:

1. You are upgrading IDS MC 1.2.3 to IDS MC 2.0.1 or you are upgrading Security Monitor 1.2.3 to Security Monitor 2.0.1.


Note This condition does not apply if you are performing a new (also called "clean") installation rather than an upgrade installation.


2. You are using Cisco Secure Access Control Server (ACS) to define user accounts.

To ensure a proper upgrade installation after installing IDS MC 2.0.1 or Security Monitor 2.0.1, follow these steps:


Step 1 If you upgraded IDS MC, select and delete the Help Desk command set for IDS MC from the Shared Profile Components page of ACS.

Step 2 If you installed Security Monitor, select and delete the Help Desk command set for Security Monitor from the Shared Profile Components page of ACS.

Step 3 If you installed IDS MC, register IDS MC on the CiscoWorks server at VPN/Security Management Solution > Administration > Configuration > AAA Server.

Step 4 If you installed Security Monitor, register Security Monitor on the CiscoWorks server at VPN/Security Management Solution > Administration > Configuration > AAA Server.


Uninstalling IDS MC and Security Monitor

This section describes how to uninstall IDS MC and Security Monitor on Solaris. You can uninstall either IDS MC or Security Monitor, or you can uninstall both.

To uninstall IDS MC or Security Monitor, or both, follow these steps:

Use the uninstall script to remove IDS MC and Security Monitor files and settings.


Caution You must use the uninstall script to remove the product. If you try to remove IDS MC or Security Monitor or any of their components manually, you may damage your system.

To uninstall IDS MC and/or Security Monitor:


Step 1 As root, enter the following commands to start the uninstall script:

# cd /
# /opt/CSCOpx/bin/uninstall.sh

/opt/CSCOpx is the default installation directory. If you specified a different directory when you installed CiscoWorks Common Services, use that directory.

A list of components similar to the following appears:

1) IDS Management Center
2) CiscoWorks Common Services
3) IDS MC/Security Monitor Common Framework
4) Security Monitor
5) All of the above

Enter the number corresponding to the uninstall option you require or press q to quit. You can select more than one component; if you do, use commas to separate the numbers corresponding to the components.

The uninstall script lets you confirm whether you want to uninstall each selected component.

Step 2 Enter y to confirm the uninstallation of the selected component or components.


Note The /etc directory contains all system file changes. The uninstall messages are written to the /var/tmp/ciscouninstall.log file.


After uninstallation is complete, the following message appears:

All files were deleted successfully.

Client System Requirements

You can access all product features from a client that fulfills the hardware, software, and browser requirements. Table 8 shows client hardware and software requirements.

Table 8 Client Hardware and Software Requirements 

System Component
Requirement

Hardware/Software

IBM PC-compatible computer with 300 MHz or faster Pentium processor running one of the following:

Windows 2000 Server

Windows 2000 Server or Professional Edition with Service Pack 3 or later

Windows XP, Service Pack 1 with Microsoft Virtual Machine

Solaris SPARC station or Sun Ultra 10 with a 333 MHz processor running the Solaris 2.8 operating system

Note IDS MC and Security Monitor support only the US English versions of these operating systems.

Hard Drive Space

400 MB virtual memory (for Windows)

512 MB swap space (for Solaris)

Memory

256 MB, minimum

Java

Java Plug-in 1.4.1_02

Web Browser

You must enable cookies and Java for whichever web browser you use as the web client. You can choose either of the following web browsers:

Microsoft Internet Explorer 6.0 with Service Pack 1 on Windows operating systems

Netscape Navigator 7.1 on Windows operating systems

Note There is no Netscape browser support on Solaris operating systems.


Known and Resolved Problems

Table 9 describes problems known to exist in this release of IDS MC; Table 10 describes problems resolved since the last release of IDS MC.

Table 11 describes problems known to exist in this release of Security Monitor; Table 12 describes problems resolved since the last release of Security Monitor.


Note To obtain more information about known problems, access the Cisco Software Bug Toolkit at http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl. (You will be prompted to log in to Cisco.com.)


Table 9 Known Problems in Management Center for IDS Sensors, Release 2.0.1 

Bug ID
Summary
Explanation

CSCeb16875

Integration with IDS MC does not work when HTTPS is on

By default in v.3.1, ACS can accept both HTTP and HTTPS connections for administration. The VMS MCs can only register with ACS using HTTP. In v.3.1 this is not a problem. In v.3.2, however, ACS will only accept HTTPS by default to ensure a higher security status by default. This will cause IDS MC registration to fail if no further action is taken.

When registering a VMS IDS MC with ACS v.3.2, turn on HTTP communications prior to registering the IDS MC. After the IDS MC is registered, turn off HTTP acceptance. The proper fix is to have the VMS MC communicate with ACS using HTTPS during registration.

CSCeb30898

Transport Layer Security (TLS) does not check if signing keys are authorized for signing

Refer to Explanation of CSCeb30898.

CSCin03858

Install: Temporary directory not cleared after install is over

After installing IDS MC/Security Monitor, temporary installation files are left on the machine.

To fix, check the directory that the TEMP environment variable is set to. Remove any temporary files/directories that are not needed.

CSCeb21533

IP address not discovered right when multi NIC present on server

When installing IDS MC or Security Monitor on a computer with multiple network interface cards (NICs), the install program does not let the user select which NIC address to use. The install program uses the "first" NIC found.

To work around this problem:

1. Stop the CiscoWorks Daemon manager.

2. Edit the following file, found in the installation directory: \CSCOpx\MDC\etc\ids\xml\SystemConfig.xml.

Find the HostIP line and change the IP address to the correct one.

3. If IDS MC is installed, copy the edited file to <install dir>\CSCOpx\MDC\Tomcat\vms\ids-config\web-inf\classes\com\cisco\nm\mdc\ids\common\SystemConfig.xml.

If Security Monitor is installed, copy the edited file to <install dir>\CSCOpx\MDC\Tomcat\vms\ids-monitor\webinf\classes\com\cisco\nm\mdc\ids\common\SystemConfig.xml.

4. Restart the CiscoWorks Daemon Manager.

If IDS MC is installed and you've configured any 3.x sensors, you must update the IP address of the Remote Host (Configuration > Settings > Communications > Remote Hosts) for each sensor, then generate and deploy the updates.

If IDS MC is installed and you've configured any 4.x sensors, you must update the IP address of the Allowed Host (Configuration > Settings > Communications > Allowed Hosts) for each sensor, then generate and deploy the updates.

If Security Monitor is installed, you must update the IP address of the Server Postoffice Settings (Admin > System Configuration > PostOffice Settings > Server IP Address).

CSCin43277

Unable to register idscom with ACS for Solaris

During registration of IDS MC and Security Monitor with ACS, the registration screen will also display the Common Framework for IDS MC & Security Monitor package (idscom). This package should not be registered with ACS. If you select idscom to be registered with ACS, you will see an error message and the idscom package will not register with ACS.

To work around this problem, do not select the idscom package for registration with ACS.

CSCsa05905

Check for sufficient disk space before starting database compact

The database compact utility does not check for sufficient disk space prior to compacting the database. If sufficient disk space is not available, the database compact utility stops when it runs out of space and leaves the database in a corrupt state.

This issue is seen on both Solaris and Windows.

To work around this problem, verify that there is adequate disk space before compacting the database.

Determining how much free disk space is required when compacting the database cannot be done with certainty, but a good approximation can be achieved by planning for twice the space occupied by the database prior to compaction.
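
A pre-flight check for the CSCsa05905 workaround follows. It is an added example, not Cisco code, and it never starts the compact utility. It reads the rule of thumb above as "free space of at least twice the database size" and assumes the compact utility writes its working data on the same volume as the database; the database path is passed in by the operator because these notes do not give it.

```python
import os
import shutil


def database_bytes(db_path):
    """Bytes used by a database file, or by every regular file under a directory."""
    if os.path.isfile(db_path):
        return os.path.getsize(db_path)
    total = 0
    for root, _dirs, files in os.walk(db_path):
        for name in files:
            full = os.path.join(root, name)
            # Skip symbolic links so linked files are not counted twice.
            if os.path.isfile(full) and not os.path.islink(full):
                total += os.path.getsize(full)
    return total


def enough_space(db_bytes, free_bytes, factor=2):
    """Rule of thumb from the note: plan for twice the pre-compaction size."""
    return free_bytes >= factor * db_bytes


def compaction_preflight(db_path, factor=2):
    """Measure the database and the free space on its volume."""
    db_path = os.path.abspath(db_path)
    if not os.path.exists(db_path):
        raise FileNotFoundError(db_path)
    # Assumption: working files are written to the volume that holds the database.
    volume = db_path if os.path.isdir(db_path) else os.path.dirname(db_path)
    size = database_bytes(db_path)
    free = shutil.disk_usage(volume).free
    return {
        "db_bytes": size,
        "needed_bytes": factor * size,
        "free_bytes": free,
        "ok": enough_space(size, free, factor),
    }


if __name__ == "__main__":
    import sys

    report = compaction_preflight(sys.argv[1])
    print(report)
    # A non-zero exit status lets a wrapper script refuse to start the compact.
    sys.exit(0 if report["ok"] else 1)
```

Run it with the database file or directory as the only argument, and compact only when the exit status is 0.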

CSCsa17075

Netscape browser crashes frequently

Netscape occasionally fails while using the Object Selector and other Java components in IDS MC. For example, failure might occur when you select a device in the Object Selector or click the Object Selector handle.

To avoid this problem, use Internet Explorer. If you cannot use Internet Explorer, restarting Netscape is likely to work around this problem.

CSCsa17101

IDS MC allows duplicate IP addresses

It is possible to enter the same IP address and netmask for certain configuration settings in IDS MC, such as the Never Block Addresses setting. IDS MC does not report this as an error and ignores the duplicate IP address and netmask entry.

IDS MC handles this condition without error, so no workaround is needed.

CSCsa22185

Deploy fails for IOSIPS when all signatures selected

If you deploy all signatures for an IOS IPS device that was added using the default settings or imported into IDS MC without built-in signatures loaded in the device, the deployment will fail because IDS MC sends all the signatures to the device and the device doesn't have sufficient memory to handle the signatures.

To work around this issue, select a reduced set of signatures to be deployed and then deploy.

If an IOS IPS device is added with default settings or imported into IDS MC without built-in signatures loaded in the device, IDS MC adds all default signatures (as understood by IDS MC). If the user has added the device with default settings, a reduced set of signatures must be deployed to the sensor for deployment to be successful.

To enable and load built-in signatures in the device:

a) Execute the "ip ips sdf built-in" command on the device.

b) Create an IPS rule and apply the rule to an interface.

This causes the device's built-in signatures to be enabled and loaded in the device.

CSCsa25297

Error while accessing the Signature page for IDSM 3.x device

IDS MC will not be able to edit IDSM signatures if the user chooses the link "IDS 3.x" from the content area. This problem applies to IDSM devices, not to IDSM2 devices.

This occurs when the following conditions are met:

1. Add any IDSM device to IDS MC.

2. From the TOC, select Configuration > Settings > Signatures.

3. Click the 'IDS 3.x' link in the content area (not the 'IDS 3.x' link in the TOC item).

To work around this issue, use the "IDS 3.x" link from the TOC area to edit the IDSM signatures.

CSCsa33357

Install/Upgrade preserves 1.2.3 database rules in 2.0

Upon upgrade from version 1.2.x to 2.0 of IDS MC/Security Monitor, user-written database pruning scripts may not be deleted. The install/upgrade program does not know whether a database rule script is pruning related, and deletes only scripts that start with "Prune" in the name. Database pruning has changed in version 2.0 and does not require pruning scripts.

This issue occurs when upgrading between version 1.2.x and 2.0 on either the Windows or Solaris platform.

To work around this issue, delete any custom pruning scripts that you have defined after upgrading to Security Monitor 2.0.

The following default pruning scripts shipped with versions 1.2.x:

PruneByAge.pl

PruneByDate.pl

PruneBySeverity.pl

PruneDefault.pl

PruneMarkedForDeletion.pl

PruneSpecifyCmdLine.pl

During the 2.0 upgrade, these default scripts are deleted. In 2.0, a maximum number of events are retained. Once this value is reached, as new records are added, the oldest records are deleted. This algorithm reduces the system impact of pruning.

If you have defined custom pruning scripts, you must manually delete the scripts as they are no longer valid in this release. The upgrade program attempts to delete any script that contains the word "Prune" in the name.

CSCsa33394

Link status severity not deployed properly

Link Status severity for IDS 3.x sensors does not deploy to the Sensor.

Changes made to LinkStatus Severity are not deployed to the Sensor. This value appears as "Info" when the Sensor is reimported.

There is no workaround. You cannot manage Link Status Severity using IDS MC.

CSCsa34160

Batch Add should handle the special characters in the XML file

If the element or attribute values used in the input XML file for Multiple device add contain reserved XML characters, such as '&', '<' and '>', IDS MC fails to parse the input file correctly and the Multiple device add operation fails.

To work around this issue, ensure the XML input file is well formed. Reserved XML characters can be represented using entity references. For example:

Symbol = Entity

less than = &lt;

greater than = &gt;

ampersand = &amp;

apostrophe = &apos;

quotation mark = &quot;
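
A pre-flight check for the CSCsa34160 workaround follows. It is an added example, not Cisco code: it locates the first place an input file stops being well formed and builds values with the five entity references listed above. The element and attribute names (devices, device, name, description) and the sample input are constructed for illustration; these notes do not show the real Multiple device add schema.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat
from xml.sax.saxutils import escape

# escape() already rewrites &, < and >; these two complete the list in the note.
QUOTE_ENTITIES = {"'": "&apos;", '"': "&quot;"}


def escape_value(text):
    """Return text with all five reserved characters as entity references."""
    return escape(text, QUOTE_ENTITIES)


def first_xml_error(xml_text):
    """Return None for well-formed input, else (line, column, message)."""
    parser = xml.parsers.expat.ParserCreate()
    try:
        parser.Parse(xml_text, True)
    except xml.parsers.expat.ExpatError as exc:
        return exc.lineno, exc.offset, xml.parsers.expat.ErrorString(exc.code)
    return None


def device_element(name, description):
    """Build one element (hypothetical schema) with escaped attribute values."""
    return '<device name="%s" description="%s"/>' % (
        escape_value(name),
        escape_value(description),
    )


# Constructed sample: a raw ampersand and angle brackets inside an attribute.
BAD_INPUT = (
    "<devices>\n"
    '  <device name="edge-1" description="R&D lab <east>"/>\n'
    "</devices>\n"
)

# The same record, written with entity references.
GOOD_INPUT = "<devices>\n  %s\n</devices>\n" % device_element(
    "edge-1", "R&D lab <east>"
)

if __name__ == "__main__":
    print("bad input :", first_xml_error(BAD_INPUT))
    print("good input:", first_xml_error(GOOD_INPUT))
    # The parser hands back the original characters, so nothing is lost.
    print(ET.fromstring(GOOD_INPUT)[0].get("description"))
```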

CSCsa34330

Group level Custom sigs should not be allowed to delete at device level

If you create a Custom signature at a group/global level and then select a sensor and navigate to the list of custom signatures, the custom signature that was created is visible in the list. If you then select the custom signature and delete it, it appears to be deleted. However, you should not be able to delete a custom signature created at a different level.

To work around this issue, navigate away from the page and then return to it to see that the custom signature is still in the list as it was not deleted.

CSCsa34740

IOS IPS devices could not be managed using SSH keys

IDS MC uses Secure Shell (SSH) for communication with the IOS IPS device to manage the IOS IPS configurations. The current release supports SSH communications only via username/password based authentication. Using SSH keys for the SSH communication between IDS MC and IOS IPS device is not supported in the current release.

To work around this issue, use the SSH username and password for SSH communication between an IOS IPS device and IDS MC.

CSCsa34760

Upgrade from 1.2.3 -> 2.0 fails, when lower version of 3.x sensor is added

IDS MC does not launch after you upgrade from IDS MC 1.2.3 to IDS MC 2.0.

For information on valid upgrade paths, refer to Installation Notes.

To work around this issue, ensure that all the sensors that you are configuring or monitoring are running the most recent versions of 3.0 or 4.0 before you upgrade to IDS MC 2.0 and Security Monitor 2.0.

CSCsa35394

Movement of devices permitted between sbgroups without regard to ACS Network Device Groups

Cannot move sensors between subgroups when using ACS. The device level authorization credentials do not follow the sensor when moving to another group.

This issue occurs when the CiscoWorks desktop is integrated into CiscoSecure ACS (TACACS+) and IDS MC is registered in the VMS AAA server configuration.

To work around this issue, edit the sensor permissions in ACS after moving the sensor to another group.

CSCsa36365

IOSIPS: Traversing to Reassembly page creates pending changes

Traversing to Reassembly page creates pending changes in the following scenarios:

1. Import a device without configuring virtual-reassembly for all the available interfaces. In this case, the Reassembly page will try to populate the screen with default reassembly settings for all the available interfaces.

2. Import a device without configuring virtual-reassembly for some of the interfaces. In this case, the Reassembly page will try to populate the screen with default reassembly settings for those interfaces that are not configured with reassembly options.

3. Add a default device, select Query Interface on the IOS IPS Rules screen and then select the IOS Reassembly page. Now, the Reassembly page will try to populate the screen with default reassembly settings for all the interfaces that are obtained from the devices.

To work around this issue, configure any imported IOS IPS device with the virtual-reassembly for all of its available interfaces. In this configuration, pending changes will not be created when you traverse to IOS IPS Reassembly Options page.

CSCsa37054

ConfigDiff runs again if clicked on icon bar buttons.

When you click an icon button, the system tries to retain the previously accessed navigational screen after completing the icon button's action. For example, if you click the Save button after you launch "Compare Current Configuration with any other configuration," the system tries to retain the previously accessed navigational screen (in this case "Compare Current Configuration with any other configuration" link).

No work around exists for this issue.

CSCsa39512

Error message when sensor busy should be to try again.

While deploying a configuration, the user encounters the following message:

"Error while pushing files to the sensor java.lang.Exception: An exception occurred during deploy, detail=An error occurred while trying to get the configuration file AnalysisEngine from the sensor. err=(RDEP Error, msg = Command not valid or not supported)"

This issue occurs when you deploy two times to the same sensor without allowing enough time to elapse between deployments.

You can avoid this state by waiting several minutes between deployments to the same sensor.

CSCsa39957

Cannot Import an IOS-IPS Router with Existing Certificate

When, after reinstalling VMS, you attempt to import an IOS-IPS router into the IDS MC, an error message stating that the "certificate already exists on this device" appears and the import fails due to an I/O write error.

The device's TLS certificate does not match the certificate used by the IDS MC server. This state can occur when VMS is uninstalled and then re-installed, and the user attempts to re-import an IOS-IPS router that was previously managed using a certificate. The re-installed IDS MC server cannot import the device until the expired certificate is manually removed. You can remove the expired certificates from the CLI of the router.

Two workarounds exist:

1. Remove the existing certificate on the IOS IPS device and then re-import the device into IDS MC.

2. Add this device to IDS MC as a default device, and then update the device's crypto configuration using the new TLS certificate from Admin > Update IOS IPS Crypto Configuration and then re-import the device.

CSCsa14057

Disabled signatures have inconsistency in severity

If you import the configuration for an IDS 3.x sensor (appliance or module), "Device Name" is shown in the Prop Source field for disabled signatures. This prevents settings for the signatures from being inherited from a parent group unless those settings are set as Mandatory. As a side effect, the Config Diff tool shows differences for the disabled signatures of IDS 3.x sensors.

To work around this problem, manually add IDS 3.x sensors using default settings instead of importing the sensor.

CSCsa24462

Unable to override the ACL signature settings at subgroup/device level

Overrides of the ACL, String, TCP Connection, and UDP Connection signature settings are not reflected after the changes are applied.

Even after overriding the settings, the signature page shows only the values configured at the group level.

It seems the Global level is set to mandatory and the mandatory setting cannot be cleared.

This issue is only a problem with 3.x sensors, not 4.x sensors.

To work around this issue, create the Custom, ACL, TCP, UDP, and String signatures at the device level; this avoids the problems caused by creating these types of signatures for 3.x sensors at the Global level.

CSCsa31395

Pending changes not preserved after upgrade from 1.2.3 to 2.0

Pending changes are not preserved after upgrading from IDS MC 1.2.3 to IDS MC 2.0.

To work around this issue, save all changes and back up the system before upgrading.

CSCsa39734

License updated - IDS MC permits import fails to deploy or sigupdate

IDS MC fails to import and deploy devices after updating the system with a valid license file.

To work around this issue, stop and start the daemons after updating the license. Open a command window and enter the following commands:

pdcmd -K

pdcmd -S

Proceed to import and deploy devices as was done before license expiration.

CSCdx09624

Uninstall should cleanup

When IDS MC or Security Monitor is uninstalled, a directory, and possibly some files, are not removed.

To work around this issue, after uninstalling IDS MC or Security Monitor, change directory to the directory pointed to by the TEMP environment variable. Then delete the subdirectory deploy and any files in the subdirectory.

CSCdy68738

IDS Processes not releasing Semaphores

The IDS MC processes do not release semaphores and shared memory when the Daemon Manager is stopped. This may cause problems when the IDS MC processes are restarted.

To work around this issue, you can remove the stray semaphores and shared memory by executing the cleanup routine (/opt/CSCOpx/MDC/bin/ids/rsema.sh) after stopping the daemons. Optionally, you can download and install a patch (cmf2.2-sol-CSCin437221.tar.Z) that executes the cleanup routine when the Daemon Manager is stopped.

CSCin28793

IDS MC does not recognize IDS3.x when sensor prompt changed.

The IDS MC does not recognize IDS3.x when the sensor prompt is changed.

When IDS3.x does not have the > ("greater than" symbol) prompt, IDS MC is not able to recognize the sensor type. It seems IDS MC searches for the "greater than" symbol when it opens a Telnet connection to the sensor. If the symbol is found, it assumes the sensor is an IDS3.x. If it does not find the prompt, it tries to execute other commands applicable to IDS4.x and IDSM. Because IDS3.x reports an error for these commands, Import/Deploy aborts.

There is no workaround.

CSCin32177

Import fails to bring filter if it contains SystemVariables on it

Import fails to bring in a filter if the filter contains System Variables.

There is no workaround.

CSCin35233

Max Entries should be taken care in IDS MC

The maximum entries of PIX devices allowed at the 4.x sensor is 10. When the user adds more than 10 PIX devices at the IDS MC and deploys, the deployment fails with the error message:

sensor6.OrganizationName - CliMap.set caught: CLI Error: "pix-devices ip-address X.X.X.Y Error: Array contains max entries, could not add new entry

To work around this issue, do not enter more than 10 devices.

CSCeb30898

TLS: does not check if signing keys are authorized for signing

Refer to Explanation of CSCeb30898.

CSCin05675

Install : Temp environment variable not read properly.

After installing IDS MC/Security Monitor, temporary installation files are left on the machine.

If the TEMP environment variable is not in the DOS 8.3 file name format, the temp directory is incorrectly created.

To fix, check to see if the TEMP environment variable is in DOS 8.3 file name format. If not, check at each directory level for directories/files that were left over.

If the TEMP environment variable is c:\1\2\3, check c:\1 for left over files. Check c:\1\2 for left over files. Check c:\1\2\3 for left over files.

CSCin21186

NSDB notes have to be preserved after reinstall

The Network Security Database (NSDB) notes files are not preserved after reinstall. The notes files should be preserved in reinstall.

CSCin34497

Problems with the filtering on the sensorname for Reports

When selecting a device for a Config Import Report via the report filter, records for other devices may be included in the report body along with the selected device.

In order to see the problem, the selected device name must be a substring of the name of another device which is managed by the application.

There are no known workarounds.

When generating a report, each record's text is searched for a match on the device name selected via the report filter. When one device name happens to be a substring of another device in the system, a positive match will occur when records for the other device are encountered.
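
The matching behaviour described for CSCin34497 is reproduced below, together with an inventory check that lists which managed device names are contained in other names. This is an added example, not Cisco code; the record layout and device names are constructed, and whole_name_filter is shown only for comparison with the substring match, not as a product setting.

```python
import re

# Constructed report records; the real record layout is not shown in these notes.
RECORDS = [
    "record 1: sensor1 import succeeded",
    "record 2: sensor10 import succeeded",
    "record 3: sensor1-dmz import failed",
    "record 4: edge import succeeded",
]

DEVICES = ["sensor1", "sensor10", "sensor1-dmz", "edge"]


def substring_filter(records, device):
    """Behaviour described in the note: the name may match anywhere in the text."""
    return [r for r in records if device in r]


def whole_name_filter(records, device):
    """Match the name only when it is not part of a longer name."""
    pattern = re.compile(r"(?<![\w-])" + re.escape(device) + r"(?![\w-])")
    return [r for r in records if pattern.search(r)]


def ambiguous_names(device_names):
    """Map each device name to the other managed names that contain it."""
    names = sorted(set(device_names))
    hits = {}
    for short in names:
        longer = [n for n in names if n != short and short in n]
        if longer:
            hits[short] = longer
    return hits


if __name__ == "__main__":
    print(len(substring_filter(RECORDS, "sensor1")), "records by substring match")
    print(len(whole_name_filter(RECORDS, "sensor1")), "record by whole-name match")
    # Reports filtered on any key of this mapping can include other devices.
    print(ambiguous_names(DEVICES))
```

Reports filtered on a name that ambiguous_names returns as a key should be read with the listed longer names in mind.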

CSCin47088

Tomcat Consumes System Resources After Database Restore

After restoring a backed-up database and restarting the daemons, Tomcat may consume the system resources. This problem is not as bad in later versions of IDS MC.

CSCin24622

Notification not sent when deploying more than 200 sensors

Notification is not sent when deploying to more than 200 sensors. When a deployment to 300 sensors was performed, a notification was received, but it did not contain the deploy details of all 300 sensors. It contained the details of only 136 sensors. The last line of the notification is incomplete and shows 'success'.

CSCdy10799

When clicking on the IDS MC link it spawns multiple windows

This problem occurs when using Common Services with the appropriate IDS MC with PIX MC, AUS, and Router MC with Internet Explorer version 6.0.

When clicking on the IDS MC link, one is able to spawn multiple browser windows. Multiple windows can easily cause a conflict of trying to synchronize multiple changes in multiple windows.

CSCin14528

Multiple PuTTY Secure Copy clients (PSCP) existence problem

If an older version of PSCP is present on the machine on which IDS MC is installed and it is in the PATH, IDS MC uses that PSCP instead of the PSCP installed by IDS MC. This causes the IDS MC import/deploy to fail. IDS MC should use the PSCP and Plink installed by IDS MC.

CSCsa41023

Admin user is not allowed to delete jobs.

When deleting deploy job(s), user may get an error message stating "null"; the deploy job(s) are not deleted.

If the user deletes a sensor before deleting a deploy job that the sensor was a part of, the user will not be able to delete the deploy job.

To work around this problem, the user must delete the deploy jobs that the sensor is a part of before deleting the sensor.

CSCeb06855

Cannot back out a signature update

If a bad signature update is installed it cannot be backed out. This problem has only appeared once, and was caused by two packages of the same name being placed on CCO. The first package was in error, and a replacement with the same name was placed on CCO and this caused confusion and problems.

The procedures have been changed so that a package can't be placed on CCO with the same name so this should remove the confusion.

To fix this problem, update the sensor(s) with the next signature update package available. Since the package was in error, this package is usually available within a day or so to correct the previous bad package. Once this new update is applied the problem should no longer exist. Even though the bad package is still installed within the IDS MC if there are no sensors at that version this doesn't present any problems for the IDS MC.

CSCsa34579

Protocol param value is not set for FLOOD.NET engine signatures (IDS3x)

When tuning a 3.x FLOOD.NET signature engine at either the global/group/sensor level the required Protocol parameter does not have a default value.

This defect only affects 3.x signatures with the FLOOD.NET engine.

To work around this problem, select one or more Protocol values from the provided list when tuning a 3.x FLOOD.NET signature engine prior to saving your tunings to avoid getting an error that the required Protocol parameter must have a value specified.

CSCsa41932

Upgraded IDS MC does not load signatures of 3.x devices

Upgrade from IDS MC 1.2.3 to IDS MC 2.0 with IDS 3.x sensors in them.

The sensors have no signatures after update.

This only occurs if you are using old versions of the signature updates.

To work around this problem, make sure you are running the latest signature update for IDS 3.x before upgrading.

CSCdz11633

Change in computer name and/or IP address needs re-install

A change in computer name after installing all MC-related applications forces a reboot. After the restart, all other applications work fine, but IDS MC and Security Monitor do not.

CSCin21355

INSTALL: uninstalling application should remove data from database

Data from a previous installation may appear when either IDS MC or Security Monitor is reinstalled on the server.

When IDS MC and Security Monitor are installed on the same server, they share a common database. When only one of the two applications is uninstalled, the data for that application remains in the database. This causes data that may have been entered in a previous installation to appear in the application when it is reinstalled.

To work around this problem, delete all device configuration information from the application before uninstalling the application.

CSCin45548

Import/Deploy using keys will not work for IDSM3.0(5)

IDS MC will not be able to communicate with IDSM using keys with versions less than 3.0(6). Users need to move to IDSM service pack version IDSM3.0(6) if they want the IDS MC to manage IDSM using keys.

CSCin50426

IDS MC cannot manage IDSM3.x using keys.

Public key communication with IDSM3.0(6)S42 will not work if the user changes the password of the IDSM after adding the IDS MC's public key.

CSCsa27120

NSDB not updated when signature version is imported from sensor

IDS MC allows you to import a 4.x sensor even without applying a corresponding signature update to IDS MC. However, Network Security Database (NSDB) files are not updated in this case.

NSDB is updated only when the corresponding signature update is installed on the IDS MC side.

To work around this problem, install the corresponding signature update at IDS MC to fix the problem.

CSCsa39786

Approver not allowed to approve configuration

If the user enables the "Enable manual configuration file change approval" option under the Admin page and a configuration is generated thereafter, a user with Approver privilege is not able to approve the configuration.

To work around this issue, use an account with the Admin privilege, which is able to approve the configuration.

If a user with Approver privilege tries to approve the configuration, the operation fails with the following error message:

"You do not have deploy privileges for sensor <sensor-name>"

CSCsa42422

If restore fails, IDS MC/Security Monitor can become unusable

If database restore of IDS MC or Security Monitor fails for any reason, they become unusable.

The restore failure may be due to an invalid database file, insufficient permissions to the database file, etc. Sometimes, when restore fails, the database that existed before restore is not copied back to the database directory, rendering the IDS MC\Security Monitor unusable.

To work around this issue, follow these steps:

1. Stop the CiscoWorks Daemon Manager.

2. If idsmdc.db.tmp & idsmdc.log.tmp files are present in database directory, replace the existing idsmdc.db & idsmdc.log files with these tmp files.

3. Restart the CiscoWorks Daemon Manager.

CSCsa43336

IDSMC/SecMon become unusable, if restore fails after password change

IDS MC and Security Monitor become unusable if database restore fails after password change.

This problem occurs when the following conditions are met:

1. Assume backed-up database has a password Passwd1

2. Assume current database has a password Passwd2

3. Attempt a database restore when the backed-up database was corrupt

4. CiscoWorks reports that the restore operation failed and current database files would be found as .tmp files in the database directory.

5. Restoring the .tmp files to their original does not work, as IDS MC would be trying to connect to database using Passwd1 instead of the new password Passwd2

There is no workaround.

CSCsa42793

Blocking Devices getting carried at Global on 1.2.3 to 2.0 Upgrade

After upgrading to IDS MC 2.0, the Blocking Devices for a device in IDS MC show the source as Global or another Group and you cannot edit or delete the blocking device shown with source as Group Name.

This problem occurs when IDS MC 1.2.3, with a Blocking Device configured at Group level, is upgraded to 2.0. The blocking device configured at the Group level is inherited by all devices in that group.

Since configuring Blocking Devices is not supported at group level from IDS MC 2.0, the ones showing any group as parent can not be edited or deleted.

If Blocking Device was configured at Global group during 1.2.3, there is no workaround. Otherwise, to work around this issue, move all devices under such group to a new group. The group that has Blocking Device configuration should be deleted from IDS MC.

CSCsa21972

Install should check whether TFTP is enabled in vms server

Import of an IOSIPS device fails.

During installation of IDSMC, the installer does not check whether the TFTP server is enabled on the server.

If the import of an IOSIPS device fails, check whether the TFTP server is running. If it is not running, start it manually and reimport.

CSCsa43631

Custom Signature - Name not getting deployed

Custom signature name is removed after reimport.

This problem occurs when the following conditions are met:

A custom signature is created with a given signature name.

The sensor is removed from the IDS MC and re-imported.

The custom signature is imported but has the name of the Signature Micro Engine.

No workaround exists.

CSCeg43075

Database upgrade on Solaris does not upgrade evError messages

After upgrading from either IDSMC 1.2.3 or Security Monitor 1.2.3 to version 2.0 of either product, the evError messages in the 1.2.3 audit log are not visible in the 2.0 database. The following parse errors appear in the upgrade log:

Updating evError messages.

could not find open parenthese

Could not find: evError

could not find open parenthese


The evError messages are temporal messages from network IDS devices that reflect current conditions on the device at the time that the message is generated.

This problem occurs when upgrading any installation of IDSMC version 1.2.3 and/or Security Monitor version 1.2.3 (from the VMS 2.2 bundle) to version 2.0 of the same components.

No workaround exists. The result of this problem is that historical logs are lost and the parse error messages are recorded. This problem does not hinder future system operation after the upgrade; the system itself operates correctly.

CSCsa49990

Signature editing for 3.x Sensors are not working properly

Three problems are seen with 3.x sensors in IDS MC 2.0.1.

1) For a 3.x sensor (Appliance), the "ADD" button is not present for "String Match", "Tcp Connection" and "Udp Connection" signatures. It is present for "ACL Violation". But it is present for IDSM (3.x) devices.

2) For IDSM (3.x) devices, adding a "String Match" signature doesn't take "& < >" characters for the field "STRING". It dumps errors as below:

"Object update failed. An error occurred while trying to save the signature settings to the database."

3) For 3.x signatures, on unchecking the override option, the "ok" button is missing (Group level). On creating a new signature, the user is unable to uncheck override (3.x device level).

It is seen on both IE and Netscape browsers.

Behavior expected:

1) User should be able to add signatures in different categories not only in "ACL VIOLATION"

2) String Match should take values like "& < >" for String (3.x)

3) Override button should work properly.

No workaround exists.

CSCsa50481

VMS 2.3 : IDS/Secmon Restore from directory with space fails

When restoring from a backup, a customer may see an error message saying: "unable to check the version of the restoring database"

This may occur if the user has stored the backup archive in a directory path that contains spaces. For example, if the user stores the backup archive on the desktop of a Windows machine, part of the path will be:

c:\Documents and Settings\Administrator\Desktop\<backup directory here>

Currently there is an issue where directory names with spaces are not handled properly during the restore operation.

This can be worked around in two ways:

1. (Windows Only) Manually enter the short version of the path into the file browsing window so that the restore uses the short path, which does not contain spaces. The short directory path can be obtained at the command prompt by entering the following command: dir /x

This command shows the short version of each of the directories under the current directory. For example, running it in the root of the c: drive shows:

Documents and Settings == docume~1

2. (Windows or Solaris) Move the backup archive to a directory path that does not contain spaces, such as c:\backup (Windows) or something similar without spaces.

   

CSCsa30768

MC2.0:Cancelling import operation shows inconsistent behavior.

The cancellation of an import dismisses the status window, but the system appears sluggish for some period of time after the Cancel button has been clicked.

The Cancel button does not stop the import process. The window closes, and it appears that the import has stopped, but the import is still running in the background.

There is no workaround for this problem. You can determine when the import is complete by using the Task Manager and watching the CPU usage of the Tomcat process: when the CPU utilization goes to 0 and stays at that level for 15 seconds or more, then the import is complete.

The import function doesn't properly detect the cancel operation after the initial sensor configuration read. During the post-import processing, the check for a cancellation is not done, causing the process to run to completion even if a cancellation is requested. This import can make the system appear to run sluggishly, since the later portion of the import processing is CPU-intensive.

CSCsa53069

Signature update may not work in IDS MC 2.0 in all cases

Signature updates don't work with IDS MC 2.0 or 2.0.1 when customer changes which certificate Common Services uses.

This problem occurs ONLY with IDS MC 2.0 or IDS MC 2.0.1 AND when the user has gone to VPN/Security Management Solution > Administration > Configuration > Certificate and selected "CiscoWorks Certificate" instead of "Common Services Certificate"

To work around this problem, the user needs to either select "Common Services Certificate" or follow these steps:

(for Unix installations or Windows installations WITHOUT CSA installed)


Step 1 cd to <installDir>/CSCOpx/MDC/Apache/conf/ssl directory

Step 2 copy <installDir>/CSCOpx/lib/web/conf/*.* to this directory

Step 3 copy server.crt to server.cert.

Step 4 Restart Daemon manager.


Explanation of CSCeb30898

An attacker can create a Transport Layer Security (TLS) host certificate and sign it with a certificate that is not authorized for signing if the attacker is in possession of the certificate and its associated private key.

Conditions:

The victim is running IDS sensor software 4.1(1). The fix for a connectivity problem, CSCeb30820, exposed this vulnerability. It was decided that the vulnerability's severity was low enough that the connectivity issue was of greater importance.

Workaround:

None.

Further problem description:

The IDS software TLS client processes X.509 certificates without checking if the certificate is authorized for signing. This was not an issue until CSCeb30820 changed the maxCertificateChainDepth to 2. (In IDS software versions 4.0[1] and 4.0[2], it had been 1.)

Suppose a sensor "S" trusts a TLS server "A". An attacker is able to compromise "A" and gain access to its certificate and private key. The attacker creates a new certificate "V" that is signed by "A". Now the attacker sets up an attack server, and configures it to return the certificate chain ("V", "A").

Finally, the attacker tricks "S" into visiting "V". "S" connects to "V" without complaint, because "V" is signed by "A", and "S" trusts "A".

The IDS sensor ships with no predefined trusted root CAs, so there is no single certificate "A" that an attacker can exploit. This attack will therefore require that the attacker be able to compromise "A" and trick "S".
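The missing check described above, shown as an added example (a simplified model written for this page, not Cisco's code). The `Cert` class, `validate_chain`, the sample certificates, and the reading of maxCertificateChainDepth as the number of certificates in the presented chain are assumptions; a matching issuer name stands in for a signature that verifies.

```python
"""Model of the certificate-chain check discussed for CSCeb30898 (illustrative only)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    # Hypothetical, simplified stand-in for an X.509 certificate.
    subject: str
    issuer: str                  # subject name of the certificate that signed this one
    is_ca: bool = False          # models basicConstraints CA:TRUE
    key_cert_sign: bool = False  # models the keyUsage keyCertSign bit


def validate_chain(chain, trusted, max_depth, require_signing_authority):
    """Validate a leaf-first chain and return (accepted, reason).

    Assumptions of this model: max_depth counts the certificates in the
    presented chain, and issuer-name matching stands in for signature
    verification (in the scenario the signer's private key is held by the
    party building the chain, so a real signature would verify as well).
    """
    if not chain:
        return False, "empty chain"
    if len(chain) > max_depth:
        return False, f"chain length {len(chain)} exceeds maximum depth {max_depth}"
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, f"{child.subject} was not issued by {parent.subject}"
        # The check the text says is missing: is the signer allowed to sign?
        if require_signing_authority and not (parent.is_ca and parent.key_cert_sign):
            return False, f"{parent.subject} is not authorized to sign certificates"
    if chain[-1] not in trusted:
        return False, f"{chain[-1].subject} is not a trusted certificate"
    return True, "accepted"


# Constructed sample data using the names from the text.
A = Cert(subject="A", issuer="A")         # trusted TLS host certificate, not a CA
V = Cert(subject="V", issuer="A")         # certificate signed with A's private key
CA = Cert(subject="CA", issuer="CA", is_ca=True, key_cert_sign=True)  # hypothetical CA
HOST = Cert(subject="host", issuer="CA")  # host certificate issued by that CA


def run_scenarios():
    """Return the outcome of each case as {label: (accepted, reason)}."""
    trusted = frozenset({A, CA})
    return {
        # Depth 1 (the earlier setting): the two-certificate chain is refused outright.
        "depth 1, no authority check": validate_chain([V, A], trusted, 1, False),
        # Depth 2 without the authority check: (V, A) is accepted.
        "depth 2, no authority check": validate_chain([V, A], trusted, 2, False),
        # Depth 2 with the authority check: A is a host certificate, so V is refused.
        "depth 2, authority check": validate_chain([V, A], trusted, 2, True),
        # Directly trusted host certificate still works with the check enabled.
        "direct trust": validate_chain([A], trusted, 2, True),
        # A chain through a certificate that really is a CA still works.
        "real CA chain": validate_chain([HOST, CA], trusted, 2, True),
    }


if __name__ == "__main__":
    for label, (accepted, reason) in run_scenarios().items():
        print(f"{label:30} -> {'ACCEPT' if accepted else 'REJECT'} ({reason})")
```
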

Table 10 Resolved Problems in Management Center for IDS Sensors, Release 2.0.1 

Bug ID
Summary
Additional Information

CSCsa45324

VMS2.3:IDS MC backup fails with Database validate error

This problem has been resolved.

CSCsa45649

Install fails when upgrading from IDSMC 1.2.3 with patches applied

This problem has been resolved.

CSCsa48431

Restore from a 1.2.3 backup into 2.0 doesn't work on Solaris

This problem has been resolved.

CSCsa46287

Include/Exclude Property of Filters are reversed.

This problem has been resolved.

CSCsa46290

Regular expressions with &<> characters cause errors

This problem has been resolved.

CSCsa49723

Getting error on upgrade due to '=' in custom sigs

This problem has been resolved.

CSCsa49717

Restore on an Upgraded Solaris Machine Fails on custom install

This problem has been resolved.

CSCsa49031

The value Zero is not a valid value - At deployment

This problem has been resolved.


Table 11 Known Problems in Monitoring Center for Security, Release 2.0.1 

Bug ID
Summary
Explanation

CSCin62556

Rollback the database/Not allow the user to abort

If you abort the compact utility by pressing Ctrl+Break, the database might become corrupted.

This problem is seen in both Solaris and Windows.

To work around this problem, look for a backed up copy of the database (named idsmdc.db.orig) in the location <install-dir>\MDC\Sybase\Db\IDS and retrieve it using these steps:

1. Stop the daemon manager.

2. Rename the idsmdc.db and idsmdc.log from <install-dir>\MDC\Sybase\Db\IDS to idsmdc.db.old and idsmdc.log.old.

3. Copy the idsmdc.db.orig to <install-dir>\MDC\Sybase\Db\IDS\idsmdc.db.

4. Copy the idsmdc.log.orig to <install-dir>\MDC\Sybase\Db\IDS\idsmdc.log.

5. Start the daemon manager.

CSCsa05905

Check for sufficient disk space before starting database compact

The database compact utility does not check for sufficient disk space prior to compacting the database. If sufficient disk space is not available, the database compact utility stops when it runs out of space and leaves the database in a corrupt state.

This issue is seen on both Solaris and Windows.

To work around this problem, verify that there is adequate disk space before compacting the database.

Determining how much free disk space is required when compacting the database cannot be done with certainty, but a good approximation can be achieved by planning for twice the space occupied by the database prior to compaction.

CSCsa29827

Event Viewer problems due to Java Plug-in Cache

Accessing two different versions of the Event Viewer may cause one of the Event Viewers not to load, because of residual applet information in the Java cache. The window of the Event Viewer that fails will contain a red 'X' in the upper left-hand corner.

The problem is that the Java cache still contains older Event Viewer applet information.

To resolve the problem, clear out the Java cache and try to launch the Event Viewer again.

CSCsa31384

Redundant reports seen in Security Monitor UI after Upgrade from 1.2.3 to 2.0

After upgrading IDS MC/Security Monitor from version 1.2.x to 2.0, some MC specific reports that were run before the upgrade may now show up in the completed page of both IDS MC and Security Monitor. The user should be able to manually delete any reports he or she no longer wants.

To work around this problem, delete any completed report in Security Monitor that you no longer want.

CSCsa34441

Pruning-idsalarms with -z option has problems

If IdsAlarms is run with both the -f"filename" and -z options, an empty file of the name filename is created.

This problem occurs when running IdsAlarms with the -f"filename" and -z options.

To work around this problem, delete the empty file.

CSCsa37419

Can not view IP log for forwarded events

When the user selects one or more events in Event Viewer and then runs the "View IP Log" menu function, a message is displayed that says "Viewing IP logs of forwarded events is not supported at this time."

This happens only when the user is attempting to run the "View IP Log" menu function from events that were forwarded from another Security Monitor (as opposed to directly from the sensor).

To work around this problem, go to the Security Monitor that is directly connected to the sensor, and run the "View IP Log" menu function there. The "View IP Log" feature is only supported on the Security Monitor that communicates directly with the sensor.

CSCsa38538

Core Dump generated by IDS pruning daemon.

A core dump file is found even though the system appears to be running fine. The core dump file is located in the directory /opt/CSCOpx/objects/dmgt.

The core dump file is created when the Daemon Manager shuts down. This occurs because the Daemon Manager does not wait for the Daemon to complete shutdown and continues shutting down items on which the Daemon depends.

You can ignore this core file.

CSCsa38560

Analyzer doesn't support CSAMC alarms

Event Rules cannot trigger on CSAMC events.

A CSAMC device cannot be selected as an originating device in the trigger conditions of an Event Rule.

There is no workaround. Only NIDS events are analyzed for triggering event rule notifications.

CSCsa39150

Reports:Date/Time filter is not working properly

In Security Monitor, Network IDS Events appear to occur in the future or appear to have arrived in the past relative to when the network events actually occurred.

If time is not synchronized among sensors and the Security Monitor server, security events may appear to arrive in either the future or in the past.

To work around this problem, deploy the NTP time service or synchronize the network time by other means.

CSCsa39301

Eviewer:ALL column set consumes too much memory

The EvsServer.exe process consumes a lot of system memory.

This problem can occur when a user views a large number of events while the 'All' Column Set option is selected.

To work around this problem, do not select the 'All' Column Set option when viewing a large number of events. What is considered large decreases as the amount of RAM in the computer is increased.

CSCsa39603

GUI accepts Database Rules with no trigger conditions.

Database Rules may be created without trigger conditions. No error message is displayed if the user creates a database rule without any trigger conditions

There is no work around for this condition. Database rules that have no trigger conditions will never trigger. Any rule created without a trigger condition

CSCsa40296

Error while running graphical reports if Date/Time filter is disabled

A graph-based report fails to generate. This type of report can fail to generate when a report description is created using a report template that generates a graph and the Time/Date attribute filter is left disabled. The report description is then used to generate a report.

To work around this problem, you must specify a time range value when defining a graph-based report. Do not leave the Time/Date attribute filter disabled when creating a Report Definition for a graph-based report template.

CSCsa08415

Unable to edit the Add Note

In Security Monitor 2.0, you cannot edit a note associated with events. You can only create, view, and delete notes.

There is no work around.

CSCed47098

NSDB names not updated with Signature packages

Security Monitor consumes both the Network Security Database (NSDB) and the signature packages as data and does not resolve conflicts.

There is no work around.

CSCin16654

Event rule clause was not validated properly.

The only characters that users should add to the filter box are parentheses if clause grouping is unclear. Adding additional text or modifying the filter may cause unexpected behavior.

There is no work around.

CSCin41741

Socket error after restarting EvsServer

Stopping the EvsServer by using pdterm and restarting it immediately causes the Event Viewer to not function correctly and generates a "Socket communication error".

When the EvsServer is terminated using pdterm, EvsServer tears down the connection and causes the Tomcat applet client to go into the TIME_WAIT state. The Solaris OS will not release the port number until tcp_time_wait_interval, 240000 ms (4 min), expires.

To work around this problem, wait for 5 minutes before restarting the daemon after stopping the EvsServer.

CSCsa34404

Pruning should validate Absolute Location for archiving

If you enter a relative path on the "Prune Archive Location" page, which you access by selecting Admin -> System Configuration -> Prune Archive Location, then the directory is created in the same directory from which the Servlet Engine was started.

Windows: $NMSROOT/MDC/tomcat

Solaris: $NMSROOT/objects/dmgt

This problem occurs when a relative path is entered into the Prune Archive Location screen.

To work around this problem, enter a full non-relative path to specify where the directory is created. The pruning utility will use the specified directory if it exists or create it if it can be created. You must be sure to enter only valid directory locations.

CSCsa34956

Security Monitor imports non-authorized devices from IDS MC (not defined in CS ACS)

Security Monitor does not implement role based access per device. There is no grouping/partitioning support using ACS Network Device Groups in Security Monitor and all sensors/devices will be imported from IDS MC into Security Monitor.

To work around this problem, delete the device configurations you do not want to monitor in Security Monitor after you import device configurations from IDS MC. You must manually handle grouping/partitioning your devices on each Security Monitor server.

Or, you can manually add each sensor/device configuration into Security Monitor instead of importing the configurations from IDS MC.

CSCsa36400

IP Log Archive Location should require full path

On the Admin > System Configuration > IP Log Archive Location page, you can enter relative path for the IP log archive location. If you use a relative path, it is unclear where the directory ends up being created.

To work around this problem, enter a fully specified path name in the IP Log Archive Location.

CSCsa37251

Pulling events from Security Monitor to Security Monitor should be in a single direction

Security Monitor does not force events to flow in only one direction between Security Monitor servers.

To work around this problem, take care when setting up the Security Monitor event server to prevent events from flowing in a circular fashion. That is, there should be no return path for events that have been sent from one server back to that server.

CSCsa37490

Connection status was 'Connected TLS' even after stopping the Receiver

Connection status for RDEP/SDEE device or Cisco Security Agent Management Center (CSAMC) server does not update.

The IDS_Receiver daemon is stopped or no longer running. The connection status shown is the last known state, not the current state.

There is no work around. The connection status messages for devices that use pull protocols (RDEP/SDEE or CSAMC) are only updated when the receiver is running. If the IDS_Receiver process is not running, the status displayed may be incorrect.

CSCsa37605

Revoking permissions doesn't work

User attempting to log into Security Monitor sees the following error message: "You are not authorized for the screen..."

Role associated with user account does not have View permission.

To use the Security Monitor effectively, users must log in using an account with at least view capability.

CSCsa38733

After signature update, got error on viewing details

The user sees a database error message when that user selects the Pending Jobs page for Signature Updates, then selects a job, and then clicks Show Details.

This error occurs when a job is running while the page is initially displaying, but the job finishes before the user selects that job and clicks Show Details.

To work around this problem, refresh the Pending Jobs page before selecting Show Details to ensure that completed jobs do not appear in the table.

CSCsa07021

Database backup/restore across machines is not supported

A backup copy of the database from one particular server cannot be restored to a different server.

There is no workaround. Separate backups must be done for each VPN/Security Management Solution server.

CSCea44060

Security Monitor cannot properly validate certificate for NATed sensors

Internally, code in the receiver does not supply all of the needed parameters to the TLS connection API to fully validate a certificate from a sensor in a NATed environment. This results in TLS warnings being generated for these connections.

CSCea93893

Time zone starts showing BST from 30 Mar03 instead of GMT

All previous reports (release 1.1 and 1.2) display Greenwich Mean Time (GMT). Since then, all reports display British Summer Time (BST).

CSCeb13553

Apache errors if Security Monitor CSAMC device created w/o CSAMC

This defect is caused when a CSAMC device is added to the monitored device table before it has been installed. The work around is to install the CSAMC software before placing the device in the table. If the device has already been added, delete it and then install the CSAMC software and re-add it to the table.

CSCin45873

Event Viewer not able to parse source address for FragDBLimitExd in FWSM

Event Viewer cannot extract the source address from the following syslog message from the Firewall Service Module:

209003: Fragment database limit of 0 exceeded: src = 10.77.201.92, dest = 172.20.107.92, proto = icmp, id = 11788

Source address is shown as n/a in the Security Monitor Event Viewer if you open the following event type:

PIX Fragment DB Limit Exceeded.

This problem occurs for every instance of the FragDbLimitExd syslog message

There is no workaround.

CSCin46479

IDSImportArchivedData waits forever when trying to import alerts

The utility IdsImportArchivedData waits forever when trying to import alert data.

This problem occurs when some combination of daemons and utilities running leaves a database lock on the table storing the alert data. This lock prevents the data from being imported.

To work around this problem, refer to Workaround for CSCin46479.

CSCin47050

Event Rule doesn't trigger for NATed CSAMC if Originating Device selected

If a NATted address must be used to contact a CSAMC device, the user should not reference that device as the "Originating Device" in a clause of the event rule filter. Instead the user should use "Originating Device Address" and specify the local address (not the NATted address) of the CSAMC device.

The originating device in this context refers to the CS Agent residing on the same box as the CSAMC. Messages sent to Security Monitor through the CSAMC that did not come from the CS Agent on that box will not trigger the rule.

CSCsa40760

Upstream Security Monitor can not pull 500 events/sec.

In version 2.0, upstream (concentrating) Security Monitor(s) may appear to extract events more slowly than the user typically experiences for a given installation.

Though the upstream Security Monitor rate appears slow, the actual problem is that the downstream Security Monitor is too busy to simultaneously collect events at the given rate and serve them upstream.

Problem occurs in topologies using tiered Security Monitor installations where the leaf node security monitors are handling a high event flow.

If the (busy) leaf node Security Monitor is not using the throttle feature then the situation may be aggravated.

CSCsa40488

SM2.0:(SOL) EV takes some time to load the events (minimum 2 minutes)

The Event Viewer takes a very long time to load or update the events. When the event database contains a large number of events, as measured in millions of events, there is noticeable degradation in the loading and update of events in the Event Viewer.

To work around this problem, you must decrease the maximum number of events in the database. You can reduce the number of events in your database by launching Security Monitor, selecting Admin->Data Management->Database->Pruning Configuration, and reducing the maximum numbers associated with each event type. Deleting events from the system will not necessarily relieve the symptoms because the system will only prune the number of events back to the maximum number.

CSCsa14182

Database rules are not ignoring Trailing Spaces

When leading or trailing spaces are entered in input fields, the user may receive validation errors on those input fields.

To avoid validation errors caused by leading/trailing spaces, try entering input values without leading or trailing spaces.

CSCsa39950

Most of the daemons are not running after system reboot

When a Solaris system with VMS is rebooted, the VMS application is not started correctly.

In the daemons log file (/var/adm/CSCOpx/log/daemons.log), various applications log errors indicating database connection errors. In addition, you are unable to access the VMS GUI.

This issue occurs when a Solaris system with a VMS install is rebooted or does not shut down cleanly for some reason.

To work around this problem, manually stop and restart the VMS application using the following commands.

/etc/init.d/dmgtd stop

/etc/init.d/dmgtd start

This will clean up the problem caused by a reboot or bad shutdown and cause the daemons to come back up properly.

CSCsa41933

Unable to export/email the graphical report while generating the reports

Cannot export and email the graphical report.

You cannot export or email the graphical reports ('IDS Attacker Summary' or 'IDS Victim Summary') if you try to export or email the report by selecting 'Run with options' while creating the report definition. The report definition is then used to generate a report.

To work around this issue, email the already generated Graphical reports by using the 'Email' button in 'Reports-->Completed' page. You can export the graphical reports by pressing the 'Export to' icon while viewing the report.

CSCsa40359

SDEE interaction with Security Monitor on event buffer rollover

The Security Monitor may stop reporting alerts from a Cisco IOS IPS device. This symptom is observed when the event buffer rolls over, that is, the event buffer goes beyond the configured number of maximum SDEE events.

To work around this issue, view the events via syslog or view the SDEE event buffer via the router console or a web browser.

CSCsa12013

Event Rules ${Query} keyword is incompatible with IdsAlarms in scripts

The IdsAlarms utility will generate an error when these incompatibilities are encountered. The user output will either be empty or otherwise undefined.

The ${Query} keyword is passed when Event Rules trigger into scripts so that the script can access the set of events that triggered the rule, and further parse the data in these events so that it can be passed to the user, usually in an email message.

The Event Rules subsystem (Analyzer) builds the appropriate query based on the (logical) view that it uses to access the database. However, the IdsAlarms utility used in the scripts to extract the event set uses the physical table structure to generate its output.

Because the two subsystems are using different views of the data, they are incompatible in certain instances.

This condition arises when the Event Rule uses a data field which is tied to a column that is accessed differently by the Analyzer and IdsAlarms.

No workaround exists.

CSCed19051

RDEP collector does not store last received data timestamp in DB

Any IDS sensor events recorded on the sensors while the Security Monitor receiver process is not running are not retrieved from the sensor. If the receiver was running but was stopped (or failed), then there will be a gap in the alarm data generated by the sensor.

Upon restart of the receiver, there is no option to query the sensors and retrieve alarms from the past.

This problem manifests itself in the Security Monitor audit log report, where messages indicating the successful start of the receiver process will indicate that event reception has been initiated. Any events generated on the sensor(s) prior to that time are not retrieved.

If the receiver process is stopped and restarted, then no events will be collected during the time that the receiver was not running.

No workaround exists.

CSCsa43618

SM SDEE Server failed to serve events to all clients when server is busy

When a Remote Security Monitor is under attack for a sustained period of time, it is possible for some events to be dropped before they are served upstream to another Security Monitor.

The situation occurs when the Remote Security Monitor device has received events at a relatively high sustained rate for a long period of time and it is very busy, possibly serving to more than one upstream Security Monitor.

To work around this problem, avoid the situation where a single Security Monitor is serving to more than one upstream SecMon. Also when serving events upstream, devices should be tuned to reduce the sustained flow of events to the serving Security Monitor.

CSCsa43623

SecMon Xvfb Server not running after CMF SP3 install

Using graphical reports in Security Monitor displays an error similar to the following:

Error: 500

Location: /ids-monitor/reportsCompleted.do

Internal Servlet Error:

java.lang.InternalError: Can't connect to X11 window server using ':0.0' as the value of the DISPLAY variable.

at sun.awt.X11GraphicsEnvironment.initDisplay(Native Method)

.... at com.cisco.nm.mdc.ids.reports.ui.ReportAction.handleViewReportForm(ReportAction.java:1408)

This problem occurs because the XVFB server is not functioning properly after installing Common Services Service Pack 3 on top of an existing IDS Management Center/Security Monitor installation.

To work around this issue, manually unregister and re-register the daemon as follows:

1. /etc/init.d/dmgtd stop

2. /opt/CSCOpx/bin/perl /opt/CSCOpx/MDC/bin/ids/setupXvfb.pl -unregister 3270

3. /opt/CSCOpx/bin/perl /opt/CSCOpx/MDC/bin/ids/setupXvfb.pl -register 3270

4. /etc/init.d/dmgtd start

CSCef45313

IDS_DbAdminAnalyzer.log file grows out of control

The IDS_DbAdminAnalyzer.log file is not bounded in size. Therefore, it can grow excessively large and consume a large amount of disk space.

This problem manifests itself as a very large file or a disk full error during any disk access.

IDS MC and/or Security Monitor running for an extended amount of time can exhibit this condition. The importance of this problem depends on hard drive size.

To work around this issue, follow these steps:

1. Stop all Cisco VMS processes.

2. Delete the IDS_DbAdminAnalyzer.log file.

3. Restart all Cisco VMS processes.

Alternatively, you can place this workaround in a cron job or other job scheduler.
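A size-gated form of this workaround for cron on Solaris, as an added example that is not Cisco's own script: it restarts VMS only when the log exceeds a limit, because (per CSCed19051 in this table) sensor events raised while the receiver is stopped are not retrieved afterwards. The log path argument and the MAX_BYTES threshold are assumptions, since these notes give neither; /etc/init.d/dmgtd is the stop/start command these notes use on Solaris.

```shell
#!/bin/sh
# Added example: size-gated CSCef45313 workaround, intended to be run from cron.
# The path of IDS_DbAdminAnalyzer.log is not given in the release notes, so it
# must be passed as the first argument. MAX_BYTES is an assumed threshold.
DMGTD="${DMGTD:-/etc/init.d/dmgtd}"     # daemon manager control script (Solaris)
MAX_BYTES="${MAX_BYTES:-1073741824}"    # assumed limit: 1 GiB

# Print the size of a file in bytes, or 0 if the file does not exist.
log_size() {
    if [ -f "$1" ]; then
        wc -c < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# Delete the log only when it is over the limit.
# Returns 0 when the log was removed, 1 when nothing had to be done,
# 2 when stopping, deleting or restarting failed.
prune_analyzer_log() {
    log_file="$1"
    size=$(log_size "$log_file")
    if [ "$size" -le "$MAX_BYTES" ]; then
        return 1
    fi
    # Alert collection pauses while VMS is down, so log both ends of the gap.
    echo "$(date -u '+%Y-%m-%dT%H:%M:%SZ') stopping VMS: $log_file is $size bytes"
    "$DMGTD" stop || return 2
    # If the delete fails, still bring the daemons back before reporting it.
    rm -f -- "$log_file" || { "$DMGTD" start; return 2; }
    "$DMGTD" start || return 2
    echo "$(date -u '+%Y-%m-%dT%H:%M:%SZ') VMS restarted"
    return 0
}

# Script entry point: sh prune_analyzer_log.sh <path to IDS_DbAdminAnalyzer.log>
# Exit status is 0 unless a step failed ("nothing to do" is not an error).
if [ "$#" -gt 0 ]; then
    prune_analyzer_log "$1" || [ "$?" -eq 1 ]
fi
```

The two timestamps it prints mark the window in which the receiver was down, which is worth keeping alongside the Security Monitor audit log.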

CSCeg43075

Database upgrade on Solaris does not upgrade evError messages

After upgrading from either IDSMC 1.2.3 or Security Monitor 1.2.3 to version 2.0 of either product, the evError messages in the 1.2.3 audit log are not visible in the 2.0 database. The following parse errors appear in the upgrade log:

Updating evError messages.

could not find open parenthese

Could not find: evError

could not find open parenthese


The evError messages are temporal messages from network IDS devices that reflect current conditions on the device at the time that the message is generated.

This problem occurs when upgrading any installation of IDSMC version 1.2.3 and/or Security Monitor version 1.2.3 (from the VMS 2.2 bundle) to version 2.0 of the same components.

No workaround exists. The result of this problem is that historical logs are lost and the parse error messages are recorded. This problem does not hinder future system operation after the upgrade; the system itself operates correctly.

CSCsa49330

After upgrade to v2.0, report email notification links to blank page

The URL provided in the email notification for a report is not working after upgrading to version 2.0.

This problem appears when there were scheduled reports with email notifications existing prior to the upgrade and the URLs in the email notifications of these reports are not working.

To work around this problem, from the Reports > Definitions screen, select the "Run with options" link for the report definition with the bad URL in its email notification. A popup dialog appears, allowing the body of the email notification to be edited. In the email body, replace the "p=s576.do" portion of the URL with "p=reportsCompleted.do". The URL in the email notification will now work on the next notification.

Repeat the workaround for each report definition that has the notification problem.


Workaround for CSCin46479

This workaround applies to CSCin46479, "IDSImportArchivedData waits forever when trying to import alerts."

When this problem occurs, all systems that could possibly access the alert data must be shut down.

The following daemon subsystems must be shut down:

IDS_Receiver

IDS_ReportScheduler

IDS_Analyzer

IDS_EvsServer

Daemon subsystems can be shut down through the GUI or through the command line.

To stop the daemon subsystems through the GUI, follow these steps:


Step 1 Log in to CiscoWorks.

Step 2 Select the Server Configuration drawer.

Step 3 Select Administration > Process Management > Stop Process.

Step 4 Select each process and click Finish.


To stop the daemon subsystems through the Command Line, enter the following at the command prompt:

pdterm IDS_Receiver

pdterm IDS_ReportScheduler

pdterm IDS_Analyzer

pdterm IDS_EvsServer


The following utilities must not be run at the same time as IdsImportArchivedData:

IdsAlarms

IdsPruning

IdsImportIdiom

IdsImportNrLog

After completing the data import, you can restart the daemons from either the GUI or the command line:

To restart the daemon subsystems from the GUI, follow these steps:


Step 1 Log in to CiscoWorks.

Step 2 Select the Server Configuration drawer.

Step 3 Select Administration > Process Management > Start Process.

Step 4 Select each process and click Finish.


To restart the daemon subsystems from the Command Line, enter each of the following at the command prompt:

pdexec IDS_Receiver

pdexec IDS_ReportScheduler

pdexec IDS_Analyzer

pdexec IDS_EvsServer



Note: If this workaround does not work for you, stop and restart your CiscoWorks system and then try the workaround again.
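The command-line form of this workaround as one wrapper, an added example rather than a Cisco-supplied script: it refuses to start while any of the four listed utilities is running, stops the four daemons with pdterm, runs the import command passed as arguments, and always restarts the daemons with pdexec, even when the import fails. It assumes pdterm and pdexec are on the PATH and that the utilities appear under their own names in `ps -ef` output; the import command line is not given in these notes, so the caller supplies it.

```shell
#!/bin/sh
# Added example: run an import with the CSCin46479 preconditions enforced.
PDTERM="${PDTERM:-pdterm}"      # assumed to be on the PATH
PDEXEC="${PDEXEC:-pdexec}"      # assumed to be on the PATH
PS_CMD="${PS_CMD:-ps -ef}"      # assumed way to list running processes
DAEMONS="IDS_Receiver IDS_ReportScheduler IDS_Analyzer IDS_EvsServer"
CONFLICTING="IdsAlarms IdsPruning IdsImportIdiom IdsImportNrLog"

# Print the names of the conflicting utilities that are running right now.
running_conflicts() {
    procs=$($PS_CMD)
    for util in $CONFLICTING; do
        if printf '%s\n' "$procs" | grep "$util" > /dev/null; then
            printf '%s ' "$util"
        fi
    done
}

# Start every daemon subsystem; keep going if one of them fails to start.
start_daemons() {
    for d in $DAEMONS; do
        "$PDEXEC" "$d" || echo "WARN: could not start $d" >&2
    done
}

# Usage: guarded_import <import command and its arguments>
# Returns 3 if a conflicting utility is running, 4 if a daemon could not be
# stopped, otherwise the exit status of the import command.
guarded_import() {
    conflicts=$(running_conflicts)
    if [ -n "$conflicts" ]; then
        echo "refusing to import, still running: $conflicts" >&2
        return 3
    fi
    for d in $DAEMONS; do
        "$PDTERM" "$d" || { start_daemons; return 4; }
    done
    rc=0
    "$@" || rc=$?
    # Restart even when the import failed, so the receiver is not left stopped.
    start_daemons
    return "$rc"
}

# Script entry point: sh guarded_import.sh <import command and its arguments>
if [ "$#" -gt 0 ]; then
    guarded_import "$@"
    exit $?
fi
```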


Table 12 Resolved Problems in Monitoring Center for Security, Release 2.0.1

| Bug ID | Summary | Additional Information |
|---|---|---|
| CSCeg51162 | Upgrade from 1.2.3 to 2.0 fails to convert database correctly | This problem has been resolved. See Using the ConvertAndImport.pl Script after Upgrading from Security Monitor 1.2.3 to Security Monitor 2.0.1. |
| CSCsa48892 | Receiver crashed after connection was closed by sensor | This problem has been resolved. |
| CSCsa48736 | SOL Upgrade: Archive data files ownership not set to casuser | This problem has been resolved. |
| CSCsa32293 | SM2.0:EV Applet becomes inaccessible while resolving Hostnames (SECMON) | This problem has been resolved. |
| CSCec30247 | Application Status options is not available (SECMON) | This problem has been resolved. |



Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

You can access international Cisco websites at this URL:

http://www.cisco.com/public/countries_languages.shtml

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool:

http://www.cisco.com/en/US/partner/ordering/index.shtml

Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 1 800 553-NETS (6387).

Documentation Feedback

You can send comments about technical documentation to bug-doc@cisco.com.

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.

Cisco Technical Support Website

The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year, at this URL:

http://www.cisco.com/techsupport

Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:

http://tools.cisco.com/RPF/register/register.do


Note: Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support Website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.


Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:

http://www.cisco.com/techsupport/servicerequest

For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.

To open a service request by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447

For a complete list of Cisco TAC contacts, go to this URL:

http://www.cisco.com/techsupport/contacts

Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.

Severity 1 (S1)—Your network is "down," or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:

http://www.cisco.com/go/marketplace/

The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:

http://cisco.com/univercd/cc/td/doc/pcat/

Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:

http://www.ciscopress.com

Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/packet

iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:

http://www.cisco.com/go/iqmagazine

Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/ipj

World-class networking training is available from Cisco. You can view current offerings at this URL:

http://www.cisco.com/en/US/learning/index.html



Posted: Mon Feb 28 14:00:30 PST 2005
All contents are Copyright © 1992-2005 Cisco Systems, Inc. All rights reserved.