Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1 (OL-19892-01)
Chapter 4 Setting Up the Sensor, page 4-45
Configuring SSH
• Adding Authorized RSA1 and RSA2 Keys, page 4-47
• Generating a RSA Server Host Key, page 4-48
Understanding SSH
SSH provides strong authentication and secure communications over channels that are not themselves secure. SSH encrypts your connection to the sensor and presents a host key so that you can verify that you are connecting to the correct sensor rather than to an impostor. SSH also provides authenticated and encrypted access to the other devices that the sensor connects to for blocking. The IPS supports a management connection through both SSHv1 and SSHv2 (SSHv2 is supported in IPS 7.1(8)E4 and later, and in IPS 7.2(1)E4 and later). In 7.1(8)E4 and later, both SSHv1 and SSHv2 are enabled by default. SSH protocol version 1 has long-known cryptographic weaknesses and is considered obsolete; on releases that support SSHv2, prefer it for management access and for the sensor's outbound connections wherever the peer allows.
SSH authenticates the connecting host or user with one or both of the following:
• Password
• User RSA public key
Note SSH never sends passwords in clear text.
SSH protects against the following:
• IP spoofing—A remote host sends out packets pretending to come from another trusted host.
  Note SSH even protects against a spoofer on the local network who can pretend to be your router to the outside.
• IP source routing—A host pretends an IP packet comes from another trusted host.
• DNS spoofing—An attacker forges name server records.
• Interception of clear text passwords and other data by intermediate hosts.
• Manipulation of data by those in control of intermediate hosts.
• Attacks based on listening to X authentication data and spoofed connections to the X11 server.
These protections hold only when the client verifies the server's host key. A host key that is accepted without verification leaves the connection open to a man-in-the-middle, which is why the known hosts list described next matters.
Adding Hosts to the SSH Known Hosts List
You must add hosts to the SSH known hosts list so that the sensor can recognize the hosts that it is allowed to communicate with through SSH. These hosts are the SSH servers that the sensor connects to for upgrades and file copying, and other hosts, such as Cisco routers, firewalls, and switches, that the sensor connects to for blocking.
For SSHv1, use the ssh host-key ip-address rsa1-key [key-modulus-length public-exponent public-modulus] command to add an entry to the known hosts list. If you do not supply the modulus length, exponent, and modulus, the sensor retrieves the key from the host at the requested IP address and displays its Bubble Babble fingerprint. Compare that fingerprint with one obtained out of band from the host's administrator (for example, from the key file on the host itself) before you choose to add the key to the list; accepting an unverified fingerprint defeats the protection against a man-in-the-middle. To modify the key for an IP address, remove the entry and recreate it. Use the no form of the command to remove the entry.
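The Bubble Babble string the sensor displays is an encoding of the MD5 digest of the host key, so an operator can reproduce it independently from the key parameters and compare. The following is an added example, not part of the Cisco guide or Cisco's code: the encoder follows the published Bubble Babble specification (the same form ssh-keygen -B prints), and the RSA1 digest input follows the OpenSSH convention of hashing the modulus bytes followed by the exponent bytes; that the IPS sensor hashes exactly this blob is an assumption here. The sample modulus and exponent are constructed and are not a real host key.

```python
"""Reproduce and compare SSHv1 host-key fingerprints (added example).

Bubble Babble encoding per the Bubble Babble specification. The RSA1
digest input (modulus bytes || exponent bytes, no length prefixes, MD5)
is the OpenSSH convention; it is an assumption that the IPS sensor
builds its displayed fingerprint from the same input.
"""
import hashlib
import hmac

_VOWELS = "aeiouy"
_CONSONANTS = "bcdfghklmnprstvzx"


def bubble_babble(data: bytes) -> str:
    """Encode arbitrary bytes as a Bubble Babble string (b'' -> 'xexax')."""
    seed = 1
    rounds = len(data) // 2 + 1
    out = ["x"]
    for i in range(rounds):
        if i + 1 < rounds or len(data) % 2 != 0:
            b0 = data[2 * i]
            out.append(_VOWELS[(((b0 >> 6) & 3) + seed) % 6])
            out.append(_CONSONANTS[(b0 >> 2) & 15])
            out.append(_VOWELS[((b0 & 3) + seed // 6) % 6])
            if i + 1 < rounds:
                b1 = data[2 * i + 1]
                out.append(_CONSONANTS[(b1 >> 4) & 15])
                out.append("-")
                out.append(_CONSONANTS[b1 & 15])
                # running checksum carried into the next 2-byte block
                seed = (seed * 5 + b0 * 7 + b1) % 36
        else:
            # even-length input: the final block encodes only the seed
            out.append(_VOWELS[seed % 6])
            out.append(_CONSONANTS[16])
            out.append(_VOWELS[seed // 6])
    out.append("x")
    return "".join(out)


def rsa1_key_digest(modulus: int, exponent: int) -> bytes:
    """MD5 over big-endian modulus bytes followed by big-endian exponent
    bytes, the OpenSSH RSA1 fingerprint input (assumed to match the sensor)."""
    n_bytes = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    e_bytes = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    return hashlib.md5(n_bytes + e_bytes).digest()


def rsa1_fingerprints(modulus: int, exponent: int) -> dict:
    """Values an operator checks when the sensor prompts: the modulus length
    in bits the command expects, the hex MD5 fingerprint, and its Bubble
    Babble form as shown by the sensor."""
    digest = rsa1_key_digest(modulus, exponent)
    return {
        "key_modulus_length": modulus.bit_length(),
        "public_exponent": exponent,
        "md5": ":".join(f"{b:02x}" for b in digest),
        "bubble_babble": bubble_babble(digest),
    }


def fingerprints_match(sensor_shown: str, expected: str) -> bool:
    """Compare the string the sensor displayed with the fingerprint obtained
    out of band; case and surrounding whitespace are ignored."""
    return hmac.compare_digest(sensor_shown.strip().lower(),
                               expected.strip().lower())


# Constructed sample parameters (NOT a real host key): a toy 64-bit modulus
# and the common exponent 65537, only to exercise the functions above.
SAMPLE_MODULUS = 0xC0FFEE1234567891
SAMPLE_EXPONENT = 65537

if __name__ == "__main__":
    for name, value in rsa1_fingerprints(SAMPLE_MODULUS, SAMPLE_EXPONENT).items():
        print(f"{name}: {value}")
```

Feed rsa1_fingerprints the modulus and exponent taken from the host's own RSA1 key file (never from the network path you are trying to verify) and compare the bubble_babble value against what the sensor prints before accepting the entry; only then supply the key-modulus-length, public-exponent and public-modulus arguments, or confirm the prompt.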