
New Member

Cisco IPS 4200 Series Feature

Can the Cisco IPS 4200 support RADIUS for user authentication?

Can the Cisco IPS 4200 support syslog for sending logging to an outside server?

8 REPLIES
Bronze

Re: Cisco IPS 4200 Series Feature

Cisco IPS 4200 Series of sensor appliances. The Cisco IPS 4200 Series greatly increases the scalability and throughput of the security solution. Cisco also provides intrusion detection and prevention modules for the Cisco Catalyst 6500 Series. This illustrates the ability of Cisco security solutions to integrate natively into the infrastructure. The advanced intrusion prevention capabilities supported by Cisco IPS 4200 Series dedicated IPS appliances are also integrated into the Cisco ASA family. So it supports both RADIUS and syslog.

Gold

Re: Cisco IPS 4200 Series Feature

The IPS 4200 appliance supports neither syslog nor radius.

Silver

Re: Cisco IPS 4200 Series Feature

Hi Matthew,

I concur that there is nothing in the documentation regarding syslog or Radius.

The fact that IPS devices are often on the perimeter of a network means they shouldn't be made capable of sending Syslog or Radius back to the Trusted network. The only thing we should hear from IPS devices are requests for NTP, the Alerts they send, and the SSH requests to log in made by admins or boxes like MARS.

Anything else I'm missing? Thanks.

Best,

Paul
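As an added illustration of the allow-list Paul describes for a perimeter sensor (outbound NTP, the alerts it sends, inbound SSH from admins or a management box such as MARS), here is a small flow-log checker. It is example code written for this thread, not code from the thread or from Cisco; the sensor, NTP, collector and admin addresses, the alert-channel port, the flow-log line format and the sample flows are all constructed assumptions, so adjust them to the deployment.

```python
"""Flag flows involving an IPS sensor's command-and-control interface that
are not on a small allow-list (example code; addresses and format assumed)."""
import re
from ipaddress import ip_address, ip_network

# Assumed addresses (not from the thread): the sensor's C&C interface, its
# NTP server, the alert collector / management host, and the admin hosts.
SENSOR = ip_address("192.0.2.10")
NTP_SERVER = ip_network("192.0.2.123/32")
MGMT_BOX = ip_network("192.0.2.50/32")       # e.g. a MARS or CSM host
ADMIN_HOSTS = ip_network("192.0.2.0/28")     # admin jump hosts

# Allow-list entries: (direction relative to the sensor, protocol, port, peers).
# The alert channel's port is an assumption; set it to what the collector uses.
ALLOWED = [
    ("out", "udp", 123, [NTP_SERVER]),             # NTP requests
    ("out", "tcp", 443, [MGMT_BOX]),               # alert delivery to the collector (assumed HTTPS)
    ("in",  "tcp", 22,  [ADMIN_HOSTS, MGMT_BOX]),  # SSH logins by admins or the management box
]

# Constructed flow-log format: "src=A dst=B proto=P dport=N"
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")


def parse_flow(line):
    """Parse one flow-log line into a dict, or return None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": ip_address(m[1]), "dst": ip_address(m[2]),
            "proto": m[3].lower(), "dport": int(m[4])}


def classify(flow):
    """Return 'expected', 'unexpected', or 'other' (flow does not involve the sensor)."""
    if flow["src"] == SENSOR:
        direction, peer = "out", flow["dst"]
    elif flow["dst"] == SENSOR:
        direction, peer = "in", flow["src"]
    else:
        return "other"
    for want_dir, proto, port, peers in ALLOWED:
        if (want_dir == direction and proto == flow["proto"]
                and port == flow["dport"] and any(peer in net for net in peers)):
            return "expected"
    return "unexpected"


def audit(lines):
    """Return the flow-log lines that involve the sensor but are not allow-listed."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow and classify(flow) == "unexpected":
            findings.append(line.strip())
    return findings


# Constructed sample flows: three expected, three unexpected, one unrelated.
SAMPLE_FLOWS = [
    "src=192.0.2.10 dst=192.0.2.123 proto=udp dport=123",   # NTP request
    "src=192.0.2.10 dst=192.0.2.50 proto=tcp dport=443",    # alerts to the collector
    "src=192.0.2.3 dst=192.0.2.10 proto=tcp dport=22",      # admin SSH login
    "src=192.0.2.10 dst=198.51.100.7 proto=udp dport=514",  # sensor talking to an unlisted syslog host
    "src=192.0.2.10 dst=192.0.2.60 proto=udp dport=1812",   # sensor talking to an unlisted RADIUS host
    "src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=22",    # SSH from outside the admin set
    "src=192.0.2.3 dst=192.0.2.4 proto=tcp dport=80",       # does not involve the sensor
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print("unexpected sensor flow:", finding)
```

Anything the sensor initiates toward a host not on the list, or any login attempt from outside the admin set, shows up as a finding, which is the check Paul's rule of thumb implies.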

New Member

Re: Cisco IPS 4200 Series Feature

Hi Paul,

I am a very new user to IPS (4255).

I want to know: as the IPS does local authentication with the default 4 levels of user privileges, and as syslog messages are not allowed to be sent, then how can I know which user logged in and made the changes?

Doesn't it support ACS (TACACS or RADIUS)? Then how do we get AAA support from this security device?

Regards

Adnan

Gold

Re: Cisco IPS 4200 Series Feature

The sensor supports various "roles" but there is no concept of levels in the traditional sense (like an IOS router), so I'm not sure what you mean by "level 4 of user priv".

When a user logs in, it results in a status event. Status events can be viewed on the sensor using the GUI or the CLI:

# sh events status past 01:00

They can be sent via SNMP trap as well. Take a look at the SNMP configuration settings in the GUI.

As far as AAA support, you can use Cisco Security Manager (CSM) to manage your sensors. CSM can be configured to use AAA.

Silver

Re: Cisco IPS 4200 Series Feature

Are you kidding me? Then how do you explain the fact that security devices such as Checkpoint and ASA firewalls are allowed authentication via TACACS/RADIUS and you can send syslog back to a syslog server? Normally the information gets sent back via the Command and Control (C&C) interface, which should be on a secure network in the first place.

This is a limitation of the IDS itself.

I have not tried version 5.x or 6.x yet, but if they are similar to version 4.1, then they are nothing but a Linux box. You can "shell" into the box and install PAM on it so that you can use external authentication such as RADIUS/TACACS or even LDAP.

Silver

Re: Cisco IPS 4200 Series Feature

No, he's not kidding, and this is (yet another) disappointment of this product line. And no, don't go slapping pam_radius or other such under the hood yourself. With 5.x and 6.x, the underlying Linux OS is heavily stripped down and modified to run on flash only, rewrites many of its configs during boot, and overwrites most of the OS (or all) whenever there is a service pack.

There are many valid reasons to want to login to the box itself, CSM isn't always the answer (and please don't tell me MARS is, sigh). There needs to be radius/tacacs support on these boxes, but it hasn't happened yet.

Gold

Re: Cisco IPS 4200 Series Feature

I'll second the notion that modifying the sensor to support additional auth mechanisms might be a challenge. I think the v4 IDS used Red Hat or a variant of it. They use BusyBox Linux now, which is really stripped down.

CSM will probably make most auditors happy, but technically the sensors aren't using AAA. IMHO, CSA with AAA solves operational problems not security ones.

What's really sad is that MARS doesn't process IDS/IPS status events.
