As exploits come out that affect the Linux O/S that the Cisco IDS runs on, do you provide patches? Are we expected to patch the underlying operating system, or do you include that with the signature updates? I know the O/S that our RealSecure IDS systems run on have to be patched manually.
With Cisco IDS the user should not attempt to apply their own patches.
The operating system has intentionally been blocked off from the user during normal operation of the sensor.
Users attempting to install their own security patches could inadvertently compromise the security of the sensor, and could cause bugs in the IDS software. The underlying OS has been modified specifically for running the Cisco IDS, and applying patches from the web has been known to undo these modifications and cause major issues.
Only install updates that Cisco makes available through Cisco.com (or sent from a Cisco engineer when debugging an issue).
The only access to the underlying operating system is through the special "service" account, and should only be used under guidance by the attack.
The Signature Updates (filenames with -sig-) do not contain OS patches.
However, the Service Packs, Minor Updates, and Major Updates (filenames -sp-, -min-, -maj-) could (and have in the past) contained patches to both the IDS Software as well as the underlying OS.
When a new Linux vulnerability is announced the development team will verify whether or not the Cisco IDS is vulnerable.
Quite often the service being exploited has already been disabled on the sensor or configured to prevent network access in which case an immediate update of the sensor is not necessary as the sensor is not vulnerable to the attack.
In cases where the vulnerability has existed on the sensor, the service has usually already been locked down to only allow specifically user-designated addresses to access the sensor (the permit-host lines in the "setup" command). In these situations the exposure to the attack is minimal, since the attack would have to come from an IP address that the user has specifically allowed access from. In this situation the security patch is delivered in the next service pack.
In rare cases (I don't think any have even happened), the sensor may be vulnerable to attack from any IP address. If this were to happen, the team would either send out an emergency service pack (similar to an emergency signature update that is released the same day as the attack), or an engineering patch while the service pack is in progress, or the steps the user may need to take until the service pack is available. Either way a notification should go out from Cisco to users on the Active Update Notification list (the email list where sig updates are announced), as well as a post to this Forum.
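The answer above lays out a three-tier triage for a new Linux vulnerability on the sensor (service disabled or unreachable: not exposed; reachable only from the permit-host list entered in "setup": limited exposure, fix in the next service pack; reachable from any address: emergency) and a naming rule for which update files can carry OS patches. The following is an added example, not Cisco's code or anything from the original post, that encodes that triage so an operator can run it over their own sensor inventory. The CVE ids, service names, hosts and update filenames are constructed sample data, and the permit-host semantics (a `/0` entry or an empty list means any source) is an assumption.

```python
"""Exposure triage for a vendor-managed IDS appliance.

Added example, not Cisco's code. It encodes the triage the answer above
describes: a vulnerable service that is disabled on the sensor means no
exposure; a service reachable only from the permit-host list entered in
"setup" means limited exposure (fix arrives in the next service pack); a
service reachable from any address is the emergency case. Update filename
tags (-sig-, -sp-, -min-, -maj-) are the ones the answer names; CVE ids,
service names, hosts and filenames below are constructed sample data.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class SensorService:
    name: str
    enabled: bool
    network_reachable: bool
    # Permit-host entries as typed in "setup", e.g. "10.1.1.0/24" or "10.1.1.5"
    permit_hosts: list = field(default_factory=list)


@dataclass
class Advisory:
    cve: str       # placeholder id, not a real advisory
    service: str   # daemon named in the advisory


def classify_update(filename: str) -> str:
    """Say whether an update file can carry OS patches, by its name tag."""
    if "-sig-" in filename:
        return "signature update: no OS patches"
    if any(tag in filename for tag in ("-sp-", "-min-", "-maj-")):
        return "service pack / minor / major update: may include OS patches"
    return "unrecognised update name"


def permits_any_source(permit_hosts) -> bool:
    """True if the permit list (or its absence) lets any IP address in.

    Assumption: an empty list or a /0 entry (0.0.0.0/0, ::/0) is wide open.
    """
    if not permit_hosts:
        return True
    for entry in permit_hosts:
        net = ipaddress.ip_network(entry, strict=False)
        if net.prefixlen == 0:
            return True
    return False


def triage(advisory: Advisory, services: dict) -> str:
    """Map one advisory onto the exposure tiers described in the answer."""
    svc = services.get(advisory.service)
    if svc is None or not svc.enabled:
        return f"{advisory.cve}: not exposed (service disabled on sensor)"
    if not svc.network_reachable:
        return f"{advisory.cve}: not exposed (service has no network access)"
    if not permits_any_source(svc.permit_hosts):
        return (f"{advisory.cve}: limited exposure (only permit-host "
                f"sources); patch arrives in next service pack")
    return (f"{advisory.cve}: EMERGENCY (reachable from any address); "
            f"expect emergency service pack or engineering patch")


# Constructed sample sensor state and advisories (not real data)
SAMPLE_SERVICES = {
    "telnetd": SensorService("telnetd", enabled=False, network_reachable=False),
    "sshd": SensorService("sshd", True, True, ["10.1.1.0/24", "10.2.2.5"]),
    "httpd": SensorService("httpd", True, True, ["0.0.0.0/0"]),
}
SAMPLE_ADVISORIES = [
    Advisory("CVE-XXXX-0001", "telnetd"),
    Advisory("CVE-XXXX-0002", "sshd"),
    Advisory("CVE-XXXX-0003", "httpd"),
]


def report(advisories=SAMPLE_ADVISORIES, services=SAMPLE_SERVICES) -> list:
    """One triage line per advisory, in input order."""
    return [triage(a, services) for a in advisories]


if __name__ == "__main__":
    for line in report():
        print(line)
    for name in ("example-sig-1.0.pkg", "example-sp-1.0.pkg"):
        print(name, "->", classify_update(name))
```

Feed `triage` the services actually listening on the sensor and the permit-host lines from "setup"; anything that lands in the EMERGENCY tier is the case the answer says should trigger an Active Update Notification, so it is the one worth watching the announcement list for rather than patching by hand.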