Web Server; Sensorapp; Responsibilities And Components; Packet Flow - Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual


You can use the show ssh server-key and show tls fingerprint commands to display the sensor's key fingerprints.
By recording the output of these commands when directly connected to the sensor console, you can
reliably use this information to confirm the sensor's identity over the network later when establishing
trust relationships.
For example, when you initially connect to a sensor through the Microsoft Internet Explorer web
browser, a security warning dialog box indicates that the certificate is not trusted. Using Internet
Explorer's user interface, you can inspect the certificate thumbprint, a value that should exactly match
the SHA1 fingerprint displayed by the show tls fingerprint command. After verifying this, add this
certificate to the browser's list of trusted CAs to establish permanent trust.
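
The same comparison can be scripted for TLS clients other than a browser. The following is an added example, not taken from the Cisco guide: it computes the SHA-1 thumbprint of the certificate a server presents and compares it with the value recorded at the console. The function names are illustrative, and the recorded value is assumed to be plain hex digits optionally separated by colons or spaces.

```python
import hashlib
import hmac
import socket
import ssl


def normalize(recorded: str) -> str:
    """Reduce a recorded fingerprint to 40 lowercase hex digits, or raise."""
    digits = "".join(c for c in recorded if c not in ": \t").lower()
    if len(digits) != 40 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("not a SHA-1 fingerprint: %r" % recorded)
    return digits


def sha1_thumbprint(der_cert: bytes) -> str:
    """SHA-1 over the DER-encoded certificate (the browser 'thumbprint')."""
    return hashlib.sha1(der_cert).hexdigest()


def matches_recorded(der_cert: bytes, recorded: str) -> bool:
    """True only if the presented certificate hashes to the recorded value."""
    return hmac.compare_digest(sha1_thumbprint(der_cert), normalize(recorded))


def fetch_der_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the presented certificate without trusting it; the caller
    decides trust by comparing the thumbprint."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Constructed stand-in for DER bytes so the example runs offline;
    # in practice the bytes come from fetch_der_cert("<sensor address>").
    der = b"constructed certificate bytes"
    digest = hashlib.sha1(der).hexdigest().upper()
    recorded = ":".join(digest[i:i + 2] for i in range(0, 40, 2))
    print("match:", matches_recorded(der, recorded))
    print("tampered:", matches_recorded(der + b"\x00", recorded))
```

A malformed recorded value raises ValueError instead of comparing as a mismatch, so a copy error is not mistaken for a changed certificate.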
Each TLS client has different procedures for establishing this trust. The sensor itself includes a TLS
client that is used to send control transactions to other sensors and download upgrades and configuration
files from other TLS web servers. Use the tls trusted-host command to establish trust of the TLS servers
with which the sensor communicates.
Similarly, the sensor includes an SSH client that is used to communicate with managed network devices,
download upgrades, and copy configurations and support files to remote hosts. Use the ssh host-key
command to establish trust relationships with the SSH servers the sensor will contact.
You can manage the list of TLS trusted certificates and SSH known hosts through the commands service
trusted-certificates and service ssh-known-hosts.
X.509 certificates include additional information that can increase the security of the trust relationship;
however, this information can lead to confusion. For example, an X.509 certificate includes a validity period during
which the certificate can be trusted. Typically this period is a number of years starting at the moment the
certificate is created. Ensuring that an X.509 certificate is valid at the moment it is being used requires
that the client system maintain an accurate clock.
X.509 certificates are also tied to a particular network address. Sensors fill this field with the IP address
of the sensor's command and control interface. Consequently, if you change the command and control
IP address of the sensor, the server's X.509 certificate is regenerated. You must reconfigure all clients
on the network that trusted the old certificate to locate the sensor at its new IP address and trust the new
certificate.
By using the SSH known hosts and TLS trusted certificates services in AuthenticationApp, you can
operate sensors at a high level of security.

Web Server

Web Server provides RDEP2 support, which enables the sensor to report security events, receive IDIOM
transactions, and serve IP logs.
Web Server supports HTTP 1.0 and 1.1. Communications with Web Server often include sensitive
information, such as passwords, that would severely compromise the security of the system if an attacker
were able to eavesdrop. For this reason, sensors ship with TLS enabled. The TLS protocol is an
encryption protocol that is compatible with SSL.

SensorApp

This section describes SensorApp, and contains the following topics:
Responsibilities and Components
Packet Flow

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0, Appendix A: System Architecture (78-16527-01)
