A-21
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Appendix A System Architecture
MainApp
IDM or the ASDM, by logging in to the sensor using the default administrative account (cisco). In the
CLI, the administrator is prompted to change the password. IPS managers initiate a
setEnableAuthenticationTokenStatus control transaction to change the password of an account.
Through the CLI or an IPS manager, the administrator configures which authentication method is used,
such as username and password or an SSH authorized key. The application servicing the administrator
initiates a setAuthenticationConfig control transaction to establish the authentication configuration.
The authentication configuration includes a login attempt limit value that is used to specify how account
locking is handled. Account locking is invoked when the number of consecutive failed login attempts for
a given account exceeds the login attempt limit value. After an account is locked, all further attempts to
log in to that account are rejected. The account is unlocked by resetting the authentication token of the
account using the setEnableAuthenticationTokenStatus control transaction. The account locking feature
is disabled when the login attempt limit value is set to zero.
The administrator can add additional user accounts either through the CLI or an IPS manager.
Configuring Authentication on the Sensor
When a user tries to access the sensor through a service such as web server or the CLI, the identity of
the user must be authenticated and the privileges of the user must be established. The service that is
providing access to the user initiates an execAuthenticateUser control transaction request to the
AuthenticationApp to authenticate the identity of the user. The control transaction request typically
includes the username and a password, or the identity of the user can be authenticated using an SSH
authorized key.
The AuthenticationApp responds to the execAuthenticateUser control transaction request by attempting
to authenticate the identity of the user. The AuthenticationApp returns a control transaction response that
contains the authentication status and privileges of the user. If the identity of the user cannot be
authenticated, the AuthenticationApp returns an unauthenticated status and anonymous user privileges
in the control transaction response. The control transaction response also indicates whether the account
password has expired; user interface applications that authenticate users by initiating an
execAuthenticateUser control transaction use that indication to prompt the user to change the password.
The AuthenticationApp uses the underlying operating system to confirm the identity of a user. All the
IPS applications send control transactions to the AuthenticationApp, which then uses the operating
system to form its responses.
Remote shell services, Telnet and SSH, are not IPS applications. They call the operating system directly.
If the operating system authenticates the user, the remote shell service launches the IPS CLI. In this case,
the CLI sends a special form of the execAuthenticateUser control transaction to determine the privilege
level of the logged-in user. The CLI then tailors the commands it makes available based on this privilege level.
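The account-locking rules from the MainApp section and the execAuthenticateUser request/response flow just described can be modelled in a few dozen lines. The block below is an added illustration written for this page, not Cisco's code: the class and method names are assumptions chosen to mirror the control-transaction names in the guide, the password store is a constructed SHA-256 stand-in for the operating system, and the privilege strings are constructed sample values. It shows the points a practitioner usually gets wrong: locking happens when consecutive failures *exceed* the limit (not reach it), a successful login resets the counter, a locked account rejects even the correct password until the authentication token is reset, and a limit of zero disables locking entirely.

```python
"""Model of the sensor's account locking and execAuthenticateUser response.

Added example, not Cisco's implementation. Names ending in _user / _config /
_token_status are assumptions mirroring the guide's control transactions.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Privilege returned for any identity that cannot be authenticated (per the guide).
ANONYMOUS = "anonymous"


def _password_hash(password: str) -> bytes:
    # Constructed stand-in for the underlying operating system's credential store.
    return hashlib.sha256(password.encode("utf-8")).digest()


@dataclass
class Account:
    privilege: str
    password_hash: bytes
    password_expired: bool = False
    failed_attempts: int = 0  # consecutive failures only; reset on success
    locked: bool = False


@dataclass
class AuthResponse:
    """Shape of the execAuthenticateUser control transaction response."""
    authenticated: bool
    privilege: str
    password_expired: bool = False


class AuthenticationApp:
    def __init__(self, login_attempt_limit: int) -> None:
        # setAuthenticationConfig: a limit of 0 disables account locking.
        self.login_attempt_limit = login_attempt_limit
        self.accounts: Dict[str, Account] = {}

    def set_authentication_config(self, login_attempt_limit: int) -> None:
        self.login_attempt_limit = login_attempt_limit

    def add_user(self, name: str, password: str, privilege: str) -> None:
        self.accounts[name] = Account(privilege, _password_hash(password))

    def exec_authenticate_user(self, name: str, password: str) -> AuthResponse:
        acct: Optional[Account] = self.accounts.get(name)
        if acct is None or acct.locked:
            # Unknown or locked account: unauthenticated status, anonymous privileges.
            # A locked account is rejected even if the password is correct.
            return AuthResponse(False, ANONYMOUS)
        if hmac.compare_digest(acct.password_hash, _password_hash(password)):
            acct.failed_attempts = 0
            return AuthResponse(True, acct.privilege, acct.password_expired)
        acct.failed_attempts += 1
        # Lock only when consecutive failures EXCEED the limit, and only if enabled.
        if self.login_attempt_limit > 0 and acct.failed_attempts > self.login_attempt_limit:
            acct.locked = True
        return AuthResponse(False, ANONYMOUS)

    def set_enable_authentication_token_status(self, name: str, new_password: str) -> None:
        # Resetting the account's authentication token unlocks it and clears the counter.
        acct = self.accounts[name]
        acct.password_hash = _password_hash(new_password)
        acct.password_expired = False
        acct.failed_attempts = 0
        acct.locked = False


if __name__ == "__main__":
    app = AuthenticationApp(login_attempt_limit=3)
    app.add_user("ops", "correct-horse", "operator")  # constructed sample account
    for _ in range(4):
        app.exec_authenticate_user("ops", "wrong")
    print("locked after 4 failures with limit 3:", app.accounts["ops"].locked)
    print("correct password while locked:", app.exec_authenticate_user("ops", "correct-horse"))
    app.set_enable_authentication_token_status("ops", "new-pass")
    print("after token reset:", app.exec_authenticate_user("ops", "new-pass"))
```

The `AuthResponse` carries exactly the three things the text says the response contains (status, privileges, password-expired indication), so a caller such as the CLI can tailor its command set from `privilege` without a second lookup.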
Managing TLS and SSH Trust Relationships
Encrypted communications over IP networks provide data privacy by making it impossible for a passive
attacker to recover, from the exchanged packets alone, the secret key needed to decrypt the data in the
packets.
However, an equally dangerous attack vector is for an impostor to pretend to be the server end of the
connection. All encryption protocols provide a means for clients to defend themselves from these
attacks. IPS supports two encryption protocols, SSH and TLS, and the AuthenticationApp helps manage
trust when the sensor plays either the client or server role in encrypted communications.
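The client-side defence against an impostor server that this passage refers to is, in both SSH and TLS, a check of the presented server identity against something the client already trusts. The following block is an added example written for this page, not Cisco's trust-store code: it keeps a constructed per-host store of SSH-style SHA-256 host key fingerprints and classifies a presented key as trusted, unknown, or mismatched. The key bytes are constructed placeholders, not real key material. The point worth seeing in code is that an unknown host and a mismatched host are different outcomes: the first needs an out-of-band decision by the administrator, the second is the impostor case and must never be silently accepted.

```python
"""Host key trust check for the client role in an encrypted connection.

Added example, not Cisco's implementation. Key bytes are constructed placeholders.
"""
import base64
import hashlib
import hmac
from typing import Dict

TRUSTED = "TRUSTED"    # fingerprint matches the stored one for this host
UNKNOWN = "UNKNOWN"    # no stored fingerprint: needs an out-of-band decision
MISMATCH = "MISMATCH"  # stored fingerprint differs: possible impostor, reject


def fingerprint(public_key: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of the SHA-256 digest."""
    digest = hashlib.sha256(public_key).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class TrustedHosts:
    """Per-host store of fingerprints the client has accepted out of band."""

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def add(self, host: str, public_key: bytes) -> None:
        self._store[host] = fingerprint(public_key)

    def check(self, host: str, presented_key: bytes) -> str:
        expected = self._store.get(host)
        if expected is None:
            return UNKNOWN
        # Constant-time comparison; the fingerprints are ASCII so str/str is allowed.
        if hmac.compare_digest(expected, fingerprint(presented_key)):
            return TRUSTED
        return MISMATCH


def may_proceed(store: TrustedHosts, host: str, presented_key: bytes,
                admin_approved_unknown: bool = False) -> bool:
    """Decide whether the client may continue the handshake with this server.

    UNKNOWN hosts proceed only with an explicit administrator decision; the key is
    then recorded so that later mismatches are detected. MISMATCH always fails.
    """
    verdict = store.check(host, presented_key)
    if verdict == TRUSTED:
        return True
    if verdict == UNKNOWN and admin_approved_unknown:
        store.add(host, presented_key)
        return True
    return False


# Constructed sample keys standing in for real host key material.
GENUINE_KEY = b"ssh-ed25519 CONSTRUCTED-GENUINE-SENSOR-KEY"
IMPOSTOR_KEY = b"ssh-ed25519 CONSTRUCTED-IMPOSTOR-KEY"


if __name__ == "__main__":
    store = TrustedHosts()
    store.add("sensor.example.test", GENUINE_KEY)
    print(store.check("sensor.example.test", GENUINE_KEY))   # TRUSTED
    print(store.check("sensor.example.test", IMPOSTOR_KEY))  # MISMATCH
    print(store.check("other.example.test", GENUINE_KEY))    # UNKNOWN
```

The same shape applies when the sensor is the TLS server: the client pins or validates the sensor's certificate instead of an SSH host key, and a certificate that does not match what was previously accepted is the mismatch case, not a prompt to re-trust.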