08-02-2010 06:09 AM - edited 03-10-2019 05:04 AM
If you have an IPS sensor on the public part of your network (perimeter), is it okay to have the Mgmt port plugged into the internal network? i.e. can the Mgmt interface be used to facilitate an attack if the device was compromised?
And does this answer apply to routers and ASAs also?
Thanks!
08-02-2010 08:36 AM
The management interface of any managed device should be on your management network. The sniffing (promiscuous mode) or in-line interfaces should be relatively immune to attack (compared to a normal host interface, or even the management interface of the IPS sensor).
I worry more about the management interface of the sensors than the in-line interfaces. Cisco has been slow to adapt external authentication, password aging/enforcement etc.
- Bob
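As an added illustration of Bob's point (not configuration from the original thread or from any poster), here is a Cisco IOS router fragment showing the pattern applied to a router: the management plane lives on a dedicated management VLAN, only hosts on that VLAN may reach the VTY lines, and logins go to RADIUS with a local fallback. The VLAN number, addresses, ACL name and RADIUS server are assumed placeholder values; the IPS sensor's command-and-control port would plug into this same management VLAN rather than into the general internal LAN.

```cisco
! Added example, not from the thread. All addresses and names are assumed placeholders.
!
! Dedicated management VLAN: the only network that may reach management planes.
interface Vlan100
 description MGMT-NET (management interfaces of routers, ASAs, IPS sensors)
 ip address 10.99.0.1 255.255.255.0
!
! Only management-network hosts may open sessions to this device.
ip access-list standard MGMT-HOSTS
 permit 10.99.0.0 0.0.0.255
 deny   any log
!
! Centralised authentication (RADIUS) with local fallback if the server is unreachable.
aaa new-model
radius-server host 10.99.0.10 auth-port 1812 acct-port 1813 key RADIUS-SHARED-SECRET-PLACEHOLDER
aaa authentication login default group radius local
!
! Password hygiene for the local fallback accounts.
security passwords min-length 12
service password-encryption
!
! Management access is SSHv2 only, restricted by the ACL above.
ip ssh version 2
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login authentication default
```

The `deny any log` entry means any connection attempt from outside the management VLAN (for example from the perimeter segment the sensor inspects) is refused and logged, which gives the operations team a detection signal as well as a control. The same separation is what keeps a compromised sensor or router from using its management port as a path onto the internal network: the management VLAN carries only management traffic and is itself filtered from the rest of the LAN.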
08-16-2010 05:22 AM
As an update to Bob's reply, RADIUS support for authentication was added in IPS release 7.0(4)E4.
There are also enhancements to defining password sizes, required number of special characters (digits, upper/lowercase, other) along with historical passwords remembered.
Scott
01-18-2011 12:11 PM
Does anyone know if Cisco has made IPv6 addressability of the management interface a committed feature yet?
I heard it was committed for support in some future version of CSM, but last I heard not the sensor software.
I have lots of IPv6 preparation to do this year; knowing these things would make my planning a little smoother.
- Bob
01-26-2011 03:28 PM
Bob,
There is a Bug ID (feature request) to add IPv6 management interface addressing ability to the IPS sensors. The bug ID is: CSCsa60286
You should be able to follow this link, save the bug, and get updates if there are any changes (no updates for a while now).
Regards,
JB