11-07-2007 02:56 AM - edited 03-10-2019 03:51 AM
Can the Cisco IPS 4200 support RADIUS for user authentication?
Can the Cisco IPS 4200 support SYSLOG for sending logs to the outside?
11-14-2007 07:10 AM
Cisco IPS 4200 Series of sensor appliances. The Cisco IPS 4200 Series greatly increases the scalability and throughput of the security solution. Cisco also provides intrusion detection and prevention modules for the Cisco Catalyst 6500 Series. This illustrates the ability of Cisco security solutions to integrate natively into the infrastructure. The advanced intrusion prevention capabilities supported by Cisco IPS 4200 Series dedicated IPS appliances are also integrated into the Cisco ASA family. So it supports both RADIUS as well as syslog.
11-14-2007 09:03 AM
The IPS 4200 appliance supports neither syslog nor radius.
11-14-2007 10:10 AM
Hi Matthew,
I concur that there is nothing in the documentation regarding syslog or Radius.
The fact that IPS devices are often on the perimeter of a network means they shouldn't be made capable of sending Syslog or Radius back to the Trusted network. The only thing we should hear from IPS devices are requests for NTP, the Alerts they send, and the SSH requests to log in made by admins or boxes like MARS.
Anything else I'm missing? Thanks.
Best,
Paul
01-07-2008 06:10 AM
Hi Paul,
I am a very new user to IPS (4255).
I want to know: as the IPS does local authentication with the default 4 levels of user privileges, and as syslog messages are not allowed to be sent, how can I know which user logged in and made the changes?
Doesn't it support ACS (TACACS or RADIUS)? Then how do we get AAA support from this security device?
Regards
Adnan
01-07-2008 06:48 AM
The sensor supports various "roles" but there is no concept of levels in the traditional sense (like an IOS router), so I'm not sure what you mean by "level 4 of user priv".
When a user logs in, it results in a status event. Status events can be viewed on the sensor using the GUI or the CLI:
# sh events status past 01:00
They can be sent via SNMP trap as well. Take a look at the SNMP configuration settings in the GUI.
As far as AAA support, you can use Cisco Security Manager (CSM) to manage your sensors. CSM can be configured to use AAA.
01-07-2008 07:07 AM
Are you kidding me? Then how do you explain
the fact that security devices such as
checkpoint and ASA firewalls are allowed
authentication via tacacs/radius and you can
send syslog back to a syslog server. Normally
the information gets sent back via the
Command and Control (C&C) interface which
should be on a secure network in the first
place.
This is a limitation of the IDS itself.
I have not tried version 5.x or 6.x yet but
if they are similar to version 4.1, then
they are nothing but a Linux box. You can
"shell" into the box and install PAM on it
so that you can use external authentication
such as radius/tacacs or even LDAP.
01-07-2008 08:19 AM
No, he's not kidding, and this is (yet another) disappointment of this product line. And no, don't go slapping pam_radius or other such under the hood yourself. With 5.x and 6.x, the underlying Linux OS is heavily stripped down and modified to run on flash only, rewrites many of its configs during boot, and overwrites most of the OS (or all) whenever there is a service pack.
There are many valid reasons to want to log in to the box itself; CSM isn't always the answer (and please don't tell me MARS is, sigh). There needs to be RADIUS/TACACS support on these boxes, but it hasn't happened yet.
01-07-2008 08:37 AM
I'll second the notion that modifying the sensor to support additional auth mechanisms might be a challenge. I think the v4 IDS used Red Hat or a variant of it. They use BusyBox Linux now, which is really stripped down.
CSM will probably make most auditors happy, but technically the sensors aren't using AAA. IMHO, CSA with AAA solves operational problems not security ones.
What's really sad is that MARS doesn't process IDS/IPS status events.