Cisco IPS 4255 Sensor
Release Notes for Cisco Intrusion Prevention System 6.1(3)E3
OL-20114-01
Restrictions and Limitations
• You cannot use dictionary words for user passwords in IPS 6.1(3)E3. You receive the following error message if the password qualifies as a dictionary word:
Error: setEnableAuthenticationTokenStatus : Failure setting the account's password: it is based on a dictionary word
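The following is an added example, not Cisco's code, showing the kind of check behind a "based on a dictionary word" rejection: the candidate password is normalised (lowercased, common digit-for-letter substitutions undone, leading and trailing digits or punctuation stripped, and each form also reversed) before being looked up. The word list, the substitution table and the minimum word length are assumptions made for the demonstration.

```python
import re

# Constructed mini word list for the demonstration; a real check would load a
# full dictionary (for example the system word list) instead. (assumption)
DICTIONARY = {"password", "cisco", "sensor", "welcome", "dragon", "monkey"}

# Common "leet" substitutions, undone before lookup so P@ssw0rd still maps to
# "password". The table itself is an assumption for this example.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_WORD_LEN = 4  # ignore very short dictionary hits such as "a" or "it"


def candidate_forms(password: str) -> set:
    """Forms of the password that a dictionary attack would try: lowercase,
    with leet undone, with leading/trailing digits and punctuation stripped,
    and each of those reversed."""
    low = password.lower()
    forms = set()
    for base in (low, low.translate(LEET_MAP)):
        core = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)
        forms.update({base, base[::-1], core, core[::-1]})
    return forms


def dictionary_basis(password: str, dictionary=DICTIONARY):
    """Return the dictionary word the password is based on, or None."""
    for form in sorted(candidate_forms(password)):  # sorted for determinism
        if len(form) >= MIN_WORD_LEN and form in dictionary:
            return form
    return None


def check_password(password: str):
    """Return (accepted, reason); the reason mirrors the sensor's wording."""
    basis = dictionary_basis(password)
    if basis is not None:
        return False, f"it is based on a dictionary word ({basis})"
    return True, None


if __name__ == "__main__":
    for pw in ("Cisco123!", "P@ssw0rd", "drowssap", "x7Qp!9zLm2"):
        print(pw, check_password(pw))
```

The point of the normalisation step is that appending digits, swapping a letter for a look-alike symbol, or reversing the word does not take a password out of the dictionary-attack space, which is why the sensor rejects such passwords rather than only exact dictionary matches.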
• If you are using automatic update with a mixture of the AIM IPS, NME IPS, and other IPS appliances or modules, make sure you put all of the 6.1(3)E3 upgrade file (IPS-K9-6.1-3-E3.pkg), the AIM-IPS upgrade file (IPS-AIM-K9-6.1-3-E3.pkg), and the NME IPS upgrade file (IPS-NME-K9-6.1-3-E3.pkg) on the automatic update server so that the AIM IPS and NME IPS can correctly detect which file needs to be automatically downloaded and installed. If you only put the 6.1(2) E3 upgrade file (IPS-K9-6.1-3-E3.pkg) on the server, the AIM IPS and NME IPS will download and try to install the wrong file.
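As an added example (not a Cisco tool), the pre-flight check below inspects the file names on an automatic update server and reports which platform families in a deployment have no matching package for the target version, so the situation described above (only the appliance package present, AIM and NME left to pick the wrong file) is caught before the update window. The regular expression is derived from the three package names quoted in the note; the platform-to-package mapping and the sample directory listing are assumptions constructed for the example.

```python
import re
from pathlib import PurePosixPath

# Package names from the release notes: IPS-K9-6.1-3-E3.pkg (appliances and
# other modules), IPS-AIM-K9-6.1-3-E3.pkg (AIM IPS), IPS-NME-K9-6.1-3-E3.pkg
# (NME IPS). The pattern generalises the version part; the module tag is optional.
PKG_RE = re.compile(
    r"^IPS-(?:(?P<module>AIM|NME)-)?K9-(?P<version>\d+\.\d+-\d+-E\d+)\.pkg$"
)

# Which package tag each platform family needs. "appliance" stands for every
# sensor that takes the plain IPS-K9 package. (assumption for this example)
REQUIRED_TAG = {"appliance": None, "AIM": "AIM", "NME": "NME"}


def inventory(filenames):
    """Map (module_tag, version) -> filename for every upgrade package found.
    Non-package files are ignored; directory prefixes are stripped."""
    found = {}
    for name in filenames:
        m = PKG_RE.match(PurePosixPath(name).name)
        if m:
            found[(m.group("module"), m.group("version"))] = name
    return found


def missing_packages(filenames, platforms, version):
    """Return, sorted, the platforms that have no package for `version`."""
    found = inventory(filenames)
    return sorted(p for p in platforms if (REQUIRED_TAG[p], version) not in found)


if __name__ == "__main__":
    # Constructed listing of an update server directory.
    listing = ["/updates/IPS-K9-6.1-3-E3.pkg", "/updates/README.txt"]
    deployment = ["appliance", "AIM", "NME"]
    print("missing:", missing_packages(listing, deployment, "6.1-3-E3"))
```

Run it against the real directory listing of the update server before enabling automatic update; an empty result means every platform family in the deployment can find its own package.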
• When you upgrade the AIM IPS and NME IPS, you must disable heartbeat reset on the router before installing the upgrade. You can reenable heartbeat reset after you complete the upgrade. If you do not disable heartbeat reset, the upgrade can fail and leave the AIM IPS and NME IPS in an unknown state, which can require a system reimage to recover.
• The AIM IPS and NME IPS do not support virtualization.
• When you reload the router, the AIM IPS and NME IPS also reload. To ensure that there is no loss of data on the AIM IPS and NME IPS, make sure you shut down the module using the shutdown command before you use the reload command to reboot the router.
• Do not deploy IOS IPS, the AIM IPS, and NME IPS at the same time.
• When the AIM IPS and NME IPS are used with an IOS firewall, make sure SYN flood prevention is done by the IOS firewall.
The AIM IPS and NME IPS and the IOS firewall complement each other's abilities to create security zones in the network and inspect traffic in those zones. Because the AIM IPS and NME IPS and the IOS firewall operate independently, sometimes they are unaware of the activities of the other. In this situation, the IOS firewall is the best defense against a SYN flood attack.
• Cisco access routers only support one IDS/IPS per router.
• On IPS sensors with multiple processors (for example, the IPS 4260 and IPS 4270-20), packets may be captured out of order in the IP logs and by the packet command. Because the packets are not processed using a single processor, the packets can become out of sync when received from multiple processors.
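When analysing IP logs from such a sensor, capture order cannot be trusted as arrival order. The added example below (not part of the release notes and not Cisco code) shows how an analyst can put the TCP segments of each flow back into sequence-number order and separate genuine gaps in the data from segments that were merely logged out of order. The segment records and the sample log are constructed for the example; 32-bit sequence-number wrap-around is not handled, which is an assumed simplification.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment as it appears in an IP log (constructed record layout)."""
    capture_order: int   # position in the log as written by the sensor
    flow: tuple          # (src, sport, dst, dport)
    seq: int             # TCP sequence number (wrap-around ignored here)
    length: int          # payload bytes


def reorder_flow(segments):
    """Return the flow's segments in sequence-number order plus a list of
    (expected_seq, actual_seq) gaps, i.e. places where payload is genuinely
    missing rather than merely logged out of order."""
    ordered = sorted(segments, key=lambda s: (s.seq, s.capture_order))
    gaps = []
    expected = None
    for s in ordered:
        if expected is not None and s.seq > expected:
            gaps.append((expected, s.seq))
        # Retransmissions or overlaps must not move the expectation backwards.
        if expected is None or s.seq + s.length > expected:
            expected = s.seq + s.length
    return ordered, gaps


def reorder_log(log):
    """Group a whole log by flow and reorder each flow independently."""
    flows = defaultdict(list)
    for s in log:
        flows[s.flow].append(s)
    return {flow: reorder_flow(segs) for flow, segs in flows.items()}


# Constructed sample log: flow A is complete but logged out of order,
# flow B is in order but has 50 bytes missing between its two segments.
FLOW_A = ("10.0.0.5", 40000, "10.0.0.9", 80)
FLOW_B = ("10.0.0.7", 40100, "10.0.0.9", 443)
SAMPLE_LOG = [
    Segment(1, FLOW_A, 1100, 100),
    Segment(2, FLOW_A, 1000, 100),
    Segment(3, FLOW_A, 1200, 100),
    Segment(4, FLOW_B, 5000, 50),
    Segment(5, FLOW_B, 5100, 50),
]

if __name__ == "__main__":
    for flow, (ordered, gaps) in reorder_log(SAMPLE_LOG).items():
        print(flow, [s.capture_order for s in ordered], "gaps:", gaps)
```

An empty gap list for a flow means the out-of-order entries were only a logging artifact of the multi-processor capture; a non-empty list points at data the sensor never logged and is worth investigating separately.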
• An IPS appliance can support both promiscuous and inline monitoring at the same time; however, you must configure each physical interface in either promiscuous or inline mode. The sensor must contain at least two physical sensing interfaces to perform both promiscuous and inline monitoring. The exceptions to this are AIP SSM-10, AIP SSM-20, and AIP SSM-40. The AIP SSM can support both promiscuous and inline monitoring on its single physical backplane interface inside the adaptive security appliance. The configuration on the main adaptive security appliance can be used to designate which packets/connections should be monitored by the AIP SSM as either promiscuous or inline.
• When deploying an IPS sensor monitoring two sides of a network device that does TCP sequence number randomization, we recommend using a virtual sensor for each side of the device.
• After you upgrade any IPS software on your sensor, you must restart the IDM to see the latest software features.