aghaznavi Tue, 09/11/2007 - 06:31
User Badges:
  • Silver, 250 points or more

Cisco IOS IPS Certificate - Sometimes the Cisco IOS IPS certificate stored is incorrect. To delete a certificate from Cisco IOS IPS, you need to remove the trustpoint from the Cisco IOS IPS router.

If ip http timeout-policy is configured with a low number of maximum requests, such as:

ip http timeout-policy idle 600 life 86400 requests 1

You need to increase the maximum request number.

For example: ip http timeout-policy idle 600 life 86400 requests 8400

rhermes Tue, 09/11/2007 - 10:44
User Badges:
  • Gold, 750 points or more

The question was about the 6.x (and earlier) appliance sensors, not the IOS IPS. The ssh server in the appliance sensors has caused us to fail every security audit. Specifically, you can not control the idle session timeout (as macroberts noted above); in fact, it never times out! You can not specify the number of failed logins, and you must use local authentication, no TACACS or RADIUS.

It is more than a little embarrassing to have your security devices fail your security audit. Cisco has been aware of these deficiencies for years but has failed to address them. One has to wonder how serious Cisco is about security on the IPS platform.
