Cisco IDS/Linux exploits

ditscap
Level 1

As exploits come out that affect the Linux O/S that the Cisco IDS runs on, do you provide patches? Are we expected to patch the underlying operating system, or do you include that with the signature updates? I know the O/S that our RealSecure IDS systems run on have to be patched manually.

Thanks

3 Replies

sergej.gurenko
Level 1

The IDS is based on Red Hat Linux. As I understand it, signature updates include only new IDS signatures; on the other hand, IDS service packs include Linux OS upgrades as well. The Linux OS is COMPLETELY hidden from the user.

It's easy to log on as root to the IDS... but I would be interested in whether the IDS service packs contain O/S patches.

With Cisco IDS the user should not attempt to apply their own patches.

The operating system has intentionally been blocked off from the user during normal operation of the sensor.

Users attempting to install their own security patches could inadvertently compromise the security of the sensor, and could cause bugs in the IDS software. The underlying OS has been modified specifically for running the Cisco IDS, and applying patches from the web has been known to undo these modifications and cause major issues.

Only install updates that Cisco makes available through Cisco.com (or sent from a Cisco engineer when debugging an issue).

The only access to the underlying operating system is through the special "service" account, which should only be used under guidance by the attack.

The Signature Updates (filenames with -sig-) do not contain OS patches.

However, the Service Packs, Minor Updates, and Major Updates (filenames -sp-, -min-, -maj-) could (and have in the past) contain patches to both the IDS software and the underlying OS.

When a new Linux vulnerability is announced, the development team will verify whether or not the Cisco IDS is vulnerable.

Quite often the service being exploited has already been disabled on the sensor or configured to prevent network access, in which case an immediate update of the sensor is not necessary, as the sensor is not vulnerable to the attack.

In cases where the vulnerability has existed on the sensor, the service has usually already been locked down to only allow specifically user-designated addresses to access the sensor (the permit host lines in the "setup" command). In these situations the exposure to the attack is minimal, since the attack would have to come from an IP address that the user has specifically allowed access from. In this situation the security patch is delivered in the next service pack.

In rare cases (I don't think any have ever happened), the sensor may be vulnerable to attack from any IP address. If this were to happen, the team would either send out an emergency service pack (similar to an emergency signature update that is released the same day as the attack), or an engineering patch while the service pack is in progress, or the steps the user may need to take until the service pack is available. Either way, a notification should go out from Cisco to users on the Active Update Notification list (the email list where sig updates are announced), as well as a post to this forum.
