Appendix A Intrusion Detection System Architecture
System Components
A-14
Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
78-15597-02
Managing TLS and SSH Trust Relationships
Encrypted communications over IP networks provide data privacy: a passive
attacker who sees only the packets exchanged cannot recover the secret key
needed to decrypt the data they carry.
However, an equally dangerous attack vector is for an impostor to pretend to be
the server end of the connection. All encryption protocols provide a means for
clients to defend themselves from these attacks. IDS supports two encryption
protocols, SSH and TLS, and AuthenticationApp helps manage trust when the
sensor plays either the client or server role in encrypted communications.
The IDS WebServer and SSH server are server endpoints of encrypted
communications. They protect their identities with a private key and offer a public
key to clients that connect to them. For TLS this public key is included inside an
X.509 certificate, which includes other information. Remote systems that connect
to the sensor should verify that the public key received during connection
establishment is the one it expects.
Clients must maintain a list of trusted public keys to protect themselves from
man-in-the-middle attacks. The exact procedure by which this trust is established
varies depending on the protocol and client software. In general, the client
displays a fingerprint of 16 or 20 bytes. The human operator who is configuring
the client to establish trust should use an out-of-band method to learn the server's
key fingerprints before attempting to establish trust. If the fingerprints match, the
trust relationship is established and henceforth the client can automatically
connect with that server and be confident that the remote server is not an impostor.
You can use the show ssh server-key and show tls fingerprint commands to display the
sensor's key fingerprints. By recording the output of these commands when
directly connected to the sensor console, you can reliably use this information to
confirm the sensor's identity over the network later when establishing trust
relationships.
For example, when initially connecting to a sensor through the Microsoft
Internet Explorer (MSIE) web browser, a security warning dialog box is displayed
that indicates that the certificate is not trusted. Using MSIE's user interface, you
can inspect the certificate thumbprint, a value that should exactly match the SHA1
fingerprint displayed by the show tls fingerprint command. After verifying this,
add this certificate to the browser's list of trusted Certificate Authorities (CAs) to
establish permanent trust.
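The check described above (compare the fingerprint the client displays against the one recorded earlier at the sensor console) can be scripted for both protocols the page covers. The following is an added example, not code from the guide or from Cisco: it encodes an SSH-RSA public key blob the way it appears in the SSH key exchange, computes the 16-byte MD5 and 20-byte SHA-1 fingerprints in the usual colon-separated form, and compares a received fingerprint with a recorded one in constant time, tolerating differences in case and separators. The key material and the stand-in certificate bytes are constructed sample data and are assumptions of this example, not values from any sensor.

```python
"""Fingerprint verification for a TLS certificate and an SSH host key.

Added example (not Cisco's code). All key material below is constructed
sample data, not a real sensor's key; the fingerprint formats (MD5 over the
SSH public key blob, SHA-1 over the DER-encoded certificate) are the ones
SSH clients and browsers display.
"""
import hashlib
import hmac
import re
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """Encode an SSH mpint: minimal big-endian bytes, leading 0x00 if the high bit is set."""
    if value == 0:
        return ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def ssh_rsa_blob(e: int, n: int) -> bytes:
    """Build the public key blob an SSH server presents during key exchange."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def fingerprint(data: bytes, algorithm: str) -> str:
    """Colon-separated hex fingerprint: 'md5' gives 16 bytes, 'sha1' gives 20 bytes."""
    digest = hashlib.new(algorithm, data).digest()
    return ":".join(f"{b:02x}" for b in digest)


def normalize(fp: str) -> str:
    """Strip separators and case so 'AB:CD', 'ab cd' and 'abcd' compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def fingerprints_match(received: str, recorded: str) -> bool:
    """Constant-time comparison of two fingerprints after normalization."""
    a, b = normalize(received), normalize(recorded)
    return len(a) == len(b) and hmac.compare_digest(a, b)


def verify_ssh_host_key(blob: bytes, recorded_md5: str) -> bool:
    """True if the key blob received from the server matches the recorded MD5 fingerprint."""
    return fingerprints_match(fingerprint(blob, "md5"), recorded_md5)


def verify_tls_certificate(der: bytes, recorded_sha1: str) -> bool:
    """True if the DER certificate received from the server matches the recorded SHA-1 thumbprint."""
    return fingerprints_match(fingerprint(der, "sha1"), recorded_sha1)


# Constructed sample key material (assumption of this example; far too small for real use).
SAMPLE_RSA_E = 65537
SAMPLE_RSA_N = 0xC0FFEE0123456789ABCDEF
SAMPLE_HOST_KEY_BLOB = ssh_rsa_blob(SAMPLE_RSA_E, SAMPLE_RSA_N)
# Stand-in for the DER bytes of a certificate; a real check hashes the actual DER encoding.
SAMPLE_CERT_DER = b"constructed stand-in for DER-encoded X.509 certificate bytes"

if __name__ == "__main__":
    # Values an operator would have written down at the console earlier.
    recorded_ssh = fingerprint(SAMPLE_HOST_KEY_BLOB, "md5")
    recorded_tls = fingerprint(SAMPLE_CERT_DER, "sha1")
    print("SSH host key MD5 :", recorded_ssh)
    print("TLS cert SHA-1   :", recorded_tls)
    # Later, over the network: the received material must reproduce the same fingerprints.
    print("SSH key trusted  :", verify_ssh_host_key(SAMPLE_HOST_KEY_BLOB, recorded_ssh.upper()))
    print("TLS cert trusted :", verify_tls_certificate(SAMPLE_CERT_DER, recorded_tls))
    # A different key must be rejected.
    other_blob = ssh_rsa_blob(SAMPLE_RSA_E, SAMPLE_RSA_N + 2)
    print("Other key trusted:", verify_ssh_host_key(other_blob, recorded_ssh))
```

The comparison uses hmac.compare_digest after normalization so that a fingerprint copied from a console transcript in upper case, or without colons, still matches; the length check guards against a truncated value being accepted as a prefix match.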