Show me: configure secure shell properties

2025-02-25 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/01 Report--

Note: the whole experiment can be done with GNS3 plus a virtual machine.

Demo goals:

- Configure the Certificates options on the Cisco IPS system
- Configure the SSH options on the Cisco IPS system

Demo environment: the network environment shown in figure 4.24 is used again.

Demo tool: Cisco IPS system.

Demonstration steps:

Step 1: first understand the Certificates option on the Cisco IPS. It has two sub-items, Trusted Hosts and Server Certificate. The following explains what each one means and how to configure it:

Trusted Hosts:

Figure 4.29 below is the trusted host configuration dialog. Its significance shows up when several IPS devices interact with other devices such as routers, switches and firewalls. A very typical environment illustrates the problem, shown in figure 4.30 below: security violations occur in both the IPS1 and IPS2 defense systems. At that moment both of them decide that the firewall must be brought in for a security configuration, such as writing an ACL or applying other security hardening. However, if IPS1 and IPS2 write security configuration to the firewall at the same time, that is unsound: when they operate simultaneously there may be conflicts, or the later configuration will overwrite the earlier one. Cisco's solution is to select one IPS in this environment as the master IPS, and only the master IPS is allowed to write the configuration. For example, with IPS1 as the master IPS, if IPS2 also needs to configure the firewall, IPS2 sends the configuration request to IPS1, and IPS1 is responsible for applying it. But the master IPS1 does not accept requests from just anyone; it only accepts requests from hosts it trusts, and which hosts the master IPS trusts is determined by the configuration in figure 4.29. In this configuration, the IP address of the trusted host is associated with its certificate. Fill in the trusted host's IP address in the IP field and 443 in the Port field; the IPS will automatically obtain the certificate of the trusted host (which in effect is the trusted host's public key).

Server Certificate:

The so-called Server Certificate is the current self-signed certificate of the IPS system, as shown in figure 4.31 below. It is used to prove the IPS's identity to the IPS console (usually the management host that configures the device through IDM). It is generally left at its default, but if you change the system time, it is recommended that you regenerate the self-signed certificate by clicking Generate Certificate, shown in figure 4.31 below, because the validity of a certificate depends on time. Otherwise, when connecting to the IPS, you may get messages that the certificate has expired, the certificate is invalid, and so on.

Step 2: if you use IDM to configure the device, the Cisco IPS uses SSH by default. Under the SSH option there are three sub-items, Authorized key, Known Host key and Sensor key. Their meaning and configuration are as follows:

Authorized key:

It lets the management host use a public key to connect securely to the IPS over SSH; here the IPS acts as the SSH server. In practice, the host uses a key generation tool locally to generate a public/private key pair, then copies the public key to the IPS by some means, namely into the public Modulus field in figure 4.32 below. The private key stays with the client host itself, so the IPS holds the client's public key. When the client connects over SSH it submits its public key to the IPS, and the IPS compares the key the client submitted with the key stored in public Modulus to complete verification of the client. ID is the identifier of the public key, a string of 1 to 256 characters; modulusLength is the length of the public key, with a value in the range 512 to 2048; PublicExponent is the exponent of the public key, an integer whose valid range is 3 to 2147483647, used by the RSA standard to encrypt data; public Modulus holds the public key content of the client.

Known Host key:

This key is typically used to perform Blocking when the IPS is linked with other network devices. For example, the IPS may need to log in to a router or firewall to write security policies, and if the IPS chooses an SSH secure connection, the IPS is then the SSH client, and it must obtain the public keys of those Blocking devices (routers, firewalls). These public keys are the so-called Known Host keys. They can be retrieved automatically from the relevant devices by configuring the IP of the Blocking device in the dialog box shown in figure 4.33 and clicking Retrieve Host Key.
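The Authorized key fields above (ID, modulusLength, PublicExponent, public Modulus) are simply the parts of an RSA public key, and a Known Host key is the same kind of key seen from the other side of the connection. The following Python, an added example and not code from the original article or from Cisco, shows both: it encodes and decodes an OpenSSH `ssh-rsa` public-key line into its exponent and modulus, checks the value ranges the text quotes for the Authorized key fields, and computes the OpenSSH-style SHA256 fingerprint of a key so that a host key retrieved with Retrieve Host Key can be compared against a fingerprint recorded out of band. The sample key uses a synthetic 1024-bit modulus constructed for the demonstration (not a real RSA key), and treating modulusLength as a bit length and representing public Modulus as an integer are assumptions of the example, not something the article states.

```python
import base64
import hashlib
import hmac
import struct

# Ranges quoted by the text for the Authorized key fields.
ID_MIN, ID_MAX = 1, 256                        # ID: 1-256 characters
MODULUS_BITS_MIN, MODULUS_BITS_MAX = 512, 2048 # modulusLength (assumed bits)
EXPONENT_MIN, EXPONENT_MAX = 3, 2147483647     # PublicExponent


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement; a 0x00 byte is
    prepended when the top bit is set so the value is not read as negative."""
    if n == 0:
        return _ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob: bytes, off: int):
    """Read one length-prefixed field; refuse lengths that run off the blob."""
    if off + 4 > len(blob):
        raise ValueError("truncated ssh-rsa blob")
    (length,) = struct.unpack_from(">I", blob, off)
    off += 4
    if off + length > len(blob):
        raise ValueError("truncated ssh-rsa blob")
    return blob[off:off + length], off + length


def encode_ssh_rsa(e: int, n: int, comment: str = "") -> str:
    """Build an OpenSSH 'ssh-rsa <base64 blob> [comment]' public-key line."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return f"{line} {comment}" if comment else line


def decode_ssh_rsa(line: str):
    """Return (PublicExponent, public Modulus) from an OpenSSH ssh-rsa line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public-key line")
    blob = base64.b64decode(parts[1])
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key type inside blob does not match")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data after modulus")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def authorized_key_fields(key_id: str, line: str) -> dict:
    """Map a client's public key onto the Authorized key fields and enforce
    the value ranges the text quotes for them."""
    e, n = decode_ssh_rsa(line)
    if not ID_MIN <= len(key_id) <= ID_MAX:
        raise ValueError("ID must be 1-256 characters")
    bits = n.bit_length()
    if not MODULUS_BITS_MIN <= bits <= MODULUS_BITS_MAX:
        raise ValueError(f"modulusLength {bits} outside 512-2048")
    if not EXPONENT_MIN <= e <= EXPONENT_MAX:
        raise ValueError(f"PublicExponent {e} outside 3-2147483647")
    return {"ID": key_id, "modulusLength": bits,
            "PublicExponent": e, "publicModulus": n}


def fingerprint_sha256(line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of the key blob (unpadded base64)."""
    blob = base64.b64decode(line.split()[1])
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii")
    return "SHA256:" + digest.rstrip("=")


def verify_known_host(retrieved_line: str, pinned_fingerprint: str) -> bool:
    """Compare a host key retrieved from a Blocking device with a fingerprint
    recorded out of band, using a constant-time comparison."""
    return hmac.compare_digest(fingerprint_sha256(retrieved_line), pinned_fingerprint)


# Constructed sample: e = 65537 and a synthetic 1024-bit modulus.
# It is not a real RSA key; it only exercises the encoding and checks.
SAMPLE_E = 65537
SAMPLE_N = (1 << 1023) + 12345
SAMPLE_LINE = encode_ssh_rsa(SAMPLE_E, SAMPLE_N, "admin@mgmt-host")

if __name__ == "__main__":
    print(authorized_key_fields("admin-key", SAMPLE_LINE))
    print(fingerprint_sha256(SAMPLE_LINE))
```

The `_ssh_mpint` padding byte is the detail most often got wrong when copying a modulus by hand: a 1024-bit modulus whose top bit is set is carried as 129 bytes on the wire, not 128. Retrieve Host Key simply trusts whatever the device answers at that moment, so comparing the retrieved key's fingerprint with one obtained from the device's console is what turns that retrieval into a verified Known Host key.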

Sensor key:

If you do not want to use the public/private key pair generated by the Cisco sensor itself, you can regenerate the pair by clicking Generate Key, as shown in figure 4.34 below.
