IPS Management port

networker99 · ‎08-02-2010

If you have an IPS sensor on the public part of your network (Perimeter) is it okay to have the Mgmt port plugged into the internal network? i.e. can the Mgmt interface be used to facilitate an attack if the device was comprimised?

And does this answer apply to routers and ASA's also?

Thanks!

rhermes · ‎08-02-2010

The management interface of any managed device should be on your management network. The sniffing (promiscious mode) or in-line interfaces should be relitively immune to attack (compared to a normal host interface, or even the management interface of the IPS sensor).

I worry more about the management interface of the sensors than the in-line interfaces. Cisco has been slow to adapt external authentication, password aging/enforcement etc.

- Bob

Scott Fringer · ‎08-16-2010

As an update to Bob's reply, RADIUS support for authentication was added in IPS release 7.0(4)E4.

There is also ehancements to defining password sizes, required number of special characters (digits, upper/lowercase, other) along with historical passwords remembered.

Scott

rhermes · ‎01-18-2011

Does anyone know if Cisco has made IPv6 addressability of the management interface a committed feature yet?

I heard it was committed for support in some future version of CSM, but last I heard not the sensor software.

I have lots of IPv6 preperation to do this year, knowing these things would make my planning a little smoother.

- Bob

Jami Bailey · ‎01-26-2011

Bob,

There is a Bug ID (feature request) to add IPv6 management interface addresssing ability to the IPS sensors. The bug ID is: CSCsa60286

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCth75245

You should be able to follow this link, save the bug, and get updates if there are any changes (no updates for awhile now).

Regards,

JB