Cisco IPS 4200 Series Feature

Unanswered Question
Nov 7th, 2007

Can the Cisco IPS 4200 support RADIUS for user authentication?

Can the Cisco IPS 4200 support SYSLOG for sending logs to an outside server?

jsivulka Wed, 11/14/2007 - 07:10

Cisco IPS 4200 Series of sensor appliances. The Cisco IPS 4200 Series greatly increases the scalability and throughput of the security solution. Cisco also provides intrusion detection and prevention modules for the Cisco Catalyst 6500 Series. This illustrates the ability of Cisco security solutions to integrate natively into the infrastructure. The advanced intrusion prevention capabilities supported by Cisco IPS 4200 Series dedicated IPS appliances are also integrated into the Cisco ASA family. So it supports both RADIUS as well as syslog.

mhellman Wed, 11/14/2007 - 09:03

The IPS 4200 appliance supports neither syslog nor radius.

pmccubbin Wed, 11/14/2007 - 10:10

Hi Matthew,


I concur that there is nothing in the documentation regarding syslog or Radius.


The fact that IPS devices are often on the perimeter of a network means they shouldn't be made capable of sending Syslog or Radius back to the Trusted network. The only thing we should hear from IPS devices are requests for NTP, the Alerts they send, and the SSH requests to log in made by admins or boxes like MARS.


Anything else I'm missing? Thanks.


Best,


Paul

AdnanShahid Mon, 01/07/2008 - 06:10

Hi Paul,


I am a very new user to IPS (4255).


I want to know: since the IPS does local authentication with the default 4 levels of user privileges, and since syslog messages are not allowed to be sent, how can I know which user logged in and made the changes?


Doesn't it support ACS (TACACS or RADIUS)? Then how do we get AAA support from this security device?



Regards


Adnan


mhellman Mon, 01/07/2008 - 06:48

The sensor supports various "roles" but there is no concept of levels in the traditional sense (like an IOS router), so I'm not sure what you mean by "level 4 of user priv".


When a user logs in, it results in a status event. Status events can be viewed on the sensor using the GUI or the CLI:


# sh events status past 01:00


They can be sent via SNMP trap as well. Take a look at the SNMP configuration settings in the GUI.


As far as AAA support, you can use Cisco Security Manager (CSM) to manage your sensors. CSM can be configured to use AAA.

cisco24x7 Mon, 01/07/2008 - 07:07

Are you kidding me? Then how do you explain the fact that security devices such as Check Point and ASA firewalls are allowed authentication via tacacs/radius and you can send syslog back to a syslog server? Normally the information is sent back via the Command and Control (C&C) interface, which should be on a secure network in the first place.


This is a limitation of the IDS itself. I have not tried version 5.x or 6.x yet, but if they are similar to version 4.1, then they are nothing but a Linux box. You can "shell" into the box and install PAM on it so that you can use external authentication such as radius/tacacs or even LDAP.

attmidsteam Mon, 01/07/2008 - 08:19

No, he's not kidding, and this is (yet another) disappointment of this product line. And no, don't go slapping pam_radius or other such under the hood yourself. With 5.x and 6.x, the underlying Linux OS is heavily stripped down and modified to run on flash only, rewrites many of its configs during boot, and overwrites most of the OS (or all) whenever there is a service pack.


There are many valid reasons to want to log in to the box itself; CSM isn't always the answer (and please don't tell me MARS is, sigh). There needs to be radius/tacacs support on these boxes, but it hasn't happened yet.

mhellman Mon, 01/07/2008 - 08:37

I'll second the notion that modifying the sensor to support additional auth mechanisms might be a challenge. I think the v4 IDS used redhat or a variant of. They use busybox linux now, which is really stripped down.


CSM will probably make most auditors happy, but technically the sensors aren't using AAA. IMHO, CSA with AAA solves operational problems not security ones.


What's really sad is that MARS doesn't process IDS/IPS status events.
