Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 4 Setting Up the Sensor
Configuring TLS
This section describes TLS on the sensor, and contains the following topics:
Understanding TLS, page 4-50
Adding TLS Trusted Hosts, page 4-51
Enabling Strict TLS Certificate Checks, page 4-52
Adding and Updating TLS Trusted Root Certificates, page 4-53
Displaying TLS Trusted Root Certificates, page 4-55
Displaying and Generating the Server Certificate, page 4-56
Understanding TLS
The Cisco IPS contains a web server that runs the IDM. Management stations connect to this web server, and blocking forwarding sensors also connect to the web server of the master blocking sensor. To protect these connections, the web server uses Transport Layer Security (TLS), the successor to the SSL protocol. When you enter a URL that starts with https://ip_address into a web browser, the browser uses TLS or SSL to negotiate an encrypted session with the host.
Caution The web browser initially rejects the certificate presented by the IDM because the browser does not trust the certificate authority (CA) that signed it.
Note The IDM uses TLS and SSL by default. We highly recommend that you leave TLS and SSL enabled.
The process of negotiating an encrypted session in TLS is called “handshaking,” because it involves a number of coordinated exchanges between client and server. During the handshake the server sends its certificate to the client, and the client performs the following three-part test on that certificate:
1. Is the issuer identified in the certificate trusted?
Every web browser ships with a list of trusted third-party CAs. If the issuer identified in the certificate is among the CAs trusted by your browser, the first test is passed.
2. Is the current date within the range of dates during which the certificate is valid?
Each certificate contains a Validity field, which is a pair of dates (not before and not after). If the current date falls within this range, the second test is passed.
3. Does the subject common name identified in the certificate match the URL hostname?
The URL hostname is compared with the subject common name. If they match, the third test is passed. Current browsers compare the hostname against the Subject Alternative Name (SAN) extension rather than the common name, so a certificate that carries the name only in its common name fails this test in those browsers, and a URL that uses an IP address matches only if that address is present in the certificate.
When you direct your web browser to the IDM, the certificate that is returned fails the first test because the sensor issues its own certificate (the sensor is its own CA) and that CA is not in the list of CAs trusted by your browser.
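The three-part test and the self-signed failure described above, worked through in Go as an added example (this is not code from the Cisco guide or from the sensor software). It generates an in-memory self-signed certificate standing in for the one the sensor issues itself, then runs Go's standard x509 verifier against an empty trust store (the first visit), an expired copy, a URL that uses an IP address instead of the certificate's name, and finally a store in which the sensor certificate has been accepted. The hostname sensor.example.com, the address 192.0.2.10 and the clock date are assumptions. Go's verifier, like current browsers, matches the URL host against the Subject Alternative Name rather than the common name, so the example puts the name in both; it also checks dates and hostname before issuer trust, so each scenario is built to fail exactly one of the three tests.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Assumed name of the sensor; not from the guide.
const sensorCN = "sensor.example.com"

// newSelfSignedCert builds a self-signed certificate in memory, standing in for
// the certificate a sensor generates for its own web server (it is its own CA).
// notBefore and notAfter become the certificate's Validity field.
func newSelfSignedCert(cn string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn}, // current clients match the SAN, not the CN
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: the subject is also the issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Verdict names the test a client would fail, or "ok" when all three pass.
type Verdict string

const (
	Trusted         Verdict = "ok"
	UntrustedIssuer Verdict = "issuer not trusted"
	DateInvalid     Verdict = "outside validity period"
	NameMismatch    Verdict = "hostname mismatch"
)

// checkCert performs the three-part test with the standard library:
// issuer trust against roots, validity at the given time, and hostname match.
func checkCert(cert *x509.Certificate, roots *x509.CertPool, host string, now time.Time) Verdict {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	if err == nil {
		return Trusted
	}
	var unknownAuth x509.UnknownAuthorityError
	var invalid x509.CertificateInvalidError
	var hostErr x509.HostnameError
	switch {
	case errors.As(err, &unknownAuth):
		return UntrustedIssuer
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return DateInvalid
	case errors.As(err, &hostErr):
		return NameMismatch
	}
	return Verdict(err.Error())
}

// runScenarios models four browser-to-sensor connections and returns each verdict.
func runScenarios() (map[string]Verdict, error) {
	now := time.Date(2012, 6, 1, 12, 0, 0, 0, time.UTC) // assumed clock
	valid, err := newSelfSignedCert(sensorCN, now.AddDate(0, 0, -1), now.AddDate(1, 0, 0))
	if err != nil {
		return nil, err
	}
	expired, err := newSelfSignedCert(sensorCN, now.AddDate(-2, 0, 0), now.AddDate(-1, 0, 0))
	if err != nil {
		return nil, err
	}
	browserRoots := x509.NewCertPool() // empty store: the sensor is not a CA the browser knows
	trusted := x509.NewCertPool()
	trusted.AddCert(valid) // the user accepted or imported the sensor's certificate
	return map[string]Verdict{
		"first visit, self-signed":   checkCert(valid, browserRoots, sensorCN, now),
		"expired":                    checkCert(expired, trusted, sensorCN, now),
		"wrong hostname (IP in URL)": checkCert(valid, trusted, "192.0.2.10", now),
		"after trusting sensor cert": checkCert(valid, trusted, sensorCN, now),
	}, nil
}

func main() {
	results, err := runScenarios()
	if err != nil {
		panic(err)
	}
	for name, v := range results {
		fmt.Printf("%-28s -> %s\n", name, v)
	}
}
```

The last scenario is the browser-side equivalent of accepting the sensor's certificate: once the self-signed certificate itself is in the trust store, the chain is the single certificate and all three tests pass, which is why only the first visit produces the warning.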
When you receive an error message from your browser, you have three options:
Disconnect from the site immediately.
Accept the certificate for the remainder of the web browsing session.