IPS Management port

Unanswered Question
Aug 2nd, 2010

If you have an IPS sensor on the public part of your network (Perimeter) is it okay to have the Mgmt port plugged into the internal network? I.e., can the Mgmt interface be used to facilitate an attack if the device was compromised?

And does this answer apply to routers and ASAs also?

Thanks!

rhermes Mon, 08/02/2010 - 08:36

The management interface of any managed device should be on your management network. The sniffing (promiscuous mode) or in-line interfaces should be relatively immune to attack (compared to a normal host interface, or even the management interface of the IPS sensor).

I worry more about the management interface of the sensors than the in-line interfaces. Cisco has been slow to adopt external authentication, password aging/enforcement, etc.

- Bob

Scott Fringer Mon, 08/16/2010 - 05:22

As an update to Bob's reply, RADIUS support for authentication was added in IPS release 7.0(4)E4.

There are also enhancements to defining password sizes, required number of special characters (digits, upper/lowercase, other) along with historical passwords remembered.

Scott

rhermes Tue, 01/18/2011 - 12:11

Does anyone know if Cisco has made IPv6 addressability of the management interface a committed feature yet?

I heard it was committed for support in some future version of CSM, but last I heard not the sensor software.

I have lots of IPv6 preparation to do this year; knowing these things would make my planning a little smoother.

- Bob
