Demonstration: Configure Secure Shell attributes

Source: Internet
Author: User
Tags: modulus, ssh, server

Note: The entire experiment can be completed using the GNS3 + Virtual Machine!


Demonstration objectives:

  • Configure the Certificates option on the Cisco IPS system

  • Configure the SSH options on the Cisco IPS system

Demo environment: The network environment shown in Figure 4.24 is still used.

[Figure: 1.png, http://www.bkjia.com/uploads/allimg/131227/0635004414-0.png]

Demo tool: Cisco IPS system.

Demo steps:


Step 1: First, understand the Certificates option on the Cisco IPS. It has two sub-items: Trusted Hosts and Server Certificate. The two sub-items are explained and configured as follows:



Trusted Hosts:

The Trusted Hosts dialog box is shown in the following figure. It exists because an IPS frequently has to interact with other devices, such as routers, switches and firewalls, to carry out defensive actions. Figure 4.30 shows a typical environment that illustrates the problem: the intrusion prevention systems IPS1 and IPS2 both detect security violations, and both decide that the firewall must be configured in response, for example by writing an ACL or applying some other hardening. If IPS1 and IPS2 each write their own configuration to the firewall, that is unsound, because the simultaneous operations may conflict with or overwrite one another. Cisco's solution in this environment is to select one IPS as the master; only the master writes configuration to the firewall. If IPS1 is the master and IPS2 also needs the firewall configured, IPS2 submits its request to IPS1, and IPS1 carries out the configuration. The master IPS1 does not accept requests from just anyone; it only accepts them from hosts it trusts, and the Trusted Hosts dialog box is where those hosts are defined. In this configuration the IP address of the trusted host is bound to its certificate: enter the trusted host's IP address in the IP Address field and 443 in the Port field, and the IPS automatically retrieves the trusted host's certificate, which in effect is the trusted host's public key.

[Figure: 11.png, http://www.bkjia.com/uploads/allimg/131227/0635005050-1.png]

Server Certificate:

The Server Certificate is the current self-signed certificate of the IPS system, shown in Figure 4.31. The IPS uses it to prove its identity to the IPS console, that is, to the management host that uses IDM to configure the device. Normally it is left at its default. However, if you change the system time, we recommend regenerating the self-signed certificate by clicking Generate Certificate, as shown in Figure 4.31, because the validity of the certificate is closely tied to the time; otherwise, when connecting to the IPS, you may be prompted that the certificate has expired, and so on.

[Figure: 12.png, http://www.bkjia.com/uploads/allimg/131227/06350044P-2.png]
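Step 1 says the certificate's validity is tied to the sensor's clock, which is why a time change can produce an "expired" prompt. The following is an added example, not code from the original article or from Cisco: it checks a certificate's validity window against a given clock value using only the Python standard library. The record is a constructed sample shaped like the dict that ssl.SSLSocket.getpeercert() returns; the host name and dates in it are invented for this example.

```python
import ssl
import time
from typing import Optional

# Constructed sample: the shape is that of the dict ssl.SSLSocket.getpeercert()
# returns for a peer certificate; the name and validity dates are invented here.
SAMPLE_SENSOR_CERT = {
    "subject": ((("commonName", "ips-sensor.example.invalid"),),),
    "issuer": ((("commonName", "ips-sensor.example.invalid"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}


def certificate_status(cert: dict, now: Optional[float] = None) -> str:
    """Classify a certificate as 'not yet valid', 'valid' or 'expired'
    relative to the clock value 'now' (seconds since the epoch, UTC)."""
    if now is None:
        now = time.time()
    # ssl.cert_time_to_seconds parses the 'Mon DD HH:MM:SS YYYY GMT' format.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    return "valid"


def days_until_expiry(cert: dict, now: Optional[float] = None) -> float:
    """Days left in the validity window; negative once the certificate has expired."""
    if now is None:
        now = time.time()
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400


def needs_regeneration(cert: dict, new_clock: float) -> bool:
    """True when moving the sensor clock to 'new_clock' would leave the
    self-signed certificate outside its validity window, which is the
    situation the article says to fix by clicking Generate Certificate."""
    return certificate_status(cert, new_clock) != "valid"


if __name__ == "__main__":
    # Three hypothetical clock settings: July 2023, June 2025, January 2027.
    for label, clock in [("clock set back to 2023", 1688169600),
                         ("clock in mid-2025", 1750000000),
                         ("clock moved to 2027", 1800000000)]:
        status = certificate_status(SAMPLE_SENSOR_CERT, clock)
        print(f"{label}: {status}; regenerate = {needs_regeneration(SAMPLE_SENSOR_CERT, clock)}")
```

Both directions of clock change matter: a clock set earlier than notBefore produces "not yet valid", which client software also reports as a certificate error, so the regeneration advice applies whether the time moves forward or back.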

Step 2: If you use IDM to configure the device, Cisco IPS uses SSH by default. There are three sub-items under the SSH option: Authorized Key, Known Host Key and Sensor Key. Their meaning and configuration are as follows:


Authorized Key:

This item lets the management host connect securely to the IPS using a public key; here the IPS acts as the SSH server. In practice the host generates a public/private key pair locally with a key generation tool, and the public key is then copied to the IPS by some means, namely into the Public Modulus field shown in Figure 4.32. The private key stays on the client host, so at this point the IPS holds the client's public key. When the client connects over SSH, it presents its public key to the IPS, and the IPS compares it with the key stored in Public Modulus to verify the client. The fields are: ID, the identifier of the public key, a string of 1 to 512 characters; Modulus Length, the length of the public key modulus, whose stated range begins at 2048; Public Exponent, the public key exponent, an integer from 3 to 2147483647; and Public Modulus, which holds the client's public key. Data is encrypted using the RSA standard.

[Figure: 13.png, http://www.bkjia.com/uploads/allimg/131227/0635004L3-3.png]


Known Host Key:

This key is generally used when the IPS is associated with other network devices to perform blocking. For example, the IPS may need to log on to a router or firewall to write security policies, and it does so over an SSH secure connection. Here the IPS acts as the SSH client, so it must obtain the public keys of the blocking devices, that is, the routers and firewalls; these public keys are the known host keys. In the dialog box shown in Figure 4.33, enter the IP address of the blocking device and click Retrieve Host Key to fetch the device's key automatically.


[Figure: 14.png, http://www.bkjia.com/uploads/allimg/131227/0635006394-4.png]
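The Authorized Key form (Figure 4.32) asks for the pieces of an RSA public key by name, and the Known Host Key dialog (Figure 4.33) retrieves a device's key that you then have to trust. The following added example, which is not from the original article or from Cisco's software, serves both passages: it decodes a standard OpenSSH "ssh-rsa" public key line into the Public Exponent, Modulus Length and Public Modulus values the form expects, checks them against the limits the article states, and computes the SHA-256 fingerprint in the form OpenSSH prints, so a key fetched by Retrieve Host Key can be compared with a fingerprint recorded out of band before it is accepted. The sample key lines are constructed from an arbitrary 2048-bit number rather than a real RSA key, and the field names follow the article's wording.

```python
import base64
import hashlib
import struct

# --- SSH public key wire format (RFC 4253 section 6.6, RFC 4251 mpint) ---

def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def _mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (two's complement, big-endian)."""
    if value == 0:
        return b""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    # A leading 0x00 keeps a modulus whose top bit is set from reading as negative.
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return raw


def encode_ssh_rsa(e: int, n: int, comment: str = "") -> str:
    """Build an OpenSSH 'ssh-rsa AAAA... comment' public key line."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(_mpint(e)) + _ssh_string(_mpint(n))
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def parse_ssh_rsa(line: str) -> dict:
    """Split an ssh-rsa public key line into the fields the IDM form asks for."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1])
    fields, offset = [], 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated ssh-rsa blob")
        (length,) = struct.unpack_from(">I", blob, offset)
        offset += 4
        if offset + length > len(blob):
            raise ValueError("truncated ssh-rsa blob")
        fields.append(blob[offset:offset + length])
        offset += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    e = int.from_bytes(fields[1], "big")   # Public Exponent
    n = int.from_bytes(fields[2], "big")   # Public Modulus
    return {"public_exponent": e, "public_modulus": n, "modulus_length": n.bit_length()}


def fingerprint_sha256(line: str) -> str:
    """SHA-256 fingerprint of the key blob, in the form 'ssh-keygen -lf' prints."""
    blob = base64.b64decode(line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


# --- Checks against the limits the article states for the Authorized Key form ---

def check_authorized_key(key_id: str, key: dict) -> list:
    """Return the reasons a key cannot be entered as an IPS authorized key (empty if fine)."""
    problems = []
    if not 1 <= len(key_id) <= 512:
        problems.append("ID must be 1 to 512 characters")
    if not 3 <= key["public_exponent"] <= 2147483647:
        problems.append("Public Exponent must be between 3 and 2147483647")
    if key["modulus_length"] < 2048:
        problems.append("Modulus Length below 2048 bits")
    return problems


def host_key_matches(retrieved_line: str, expected_fingerprint: str) -> bool:
    """Compare a key fetched with Retrieve Host Key against a fingerprint recorded out of band."""
    return fingerprint_sha256(retrieved_line) == expected_fingerprint


# Constructed sample values: the modulus is an arbitrary 2048-bit odd number,
# not a real RSA key, so the blob parses but cannot be used to authenticate.
SAMPLE_N = (1 << 2047) | 0x10001
SAMPLE_E = 65537
SAMPLE_KEY_LINE = encode_ssh_rsa(SAMPLE_E, SAMPLE_N, "admin@mgmt-host")
WEAK_KEY_LINE = encode_ssh_rsa(SAMPLE_E, (1 << 1023) | 1, "old-router")

if __name__ == "__main__":
    fields = parse_ssh_rsa(SAMPLE_KEY_LINE)
    print("Modulus Length :", fields["modulus_length"])
    print("Public Exponent:", fields["public_exponent"])
    print("Public Modulus :", hex(fields["public_modulus"])[:40], "...")
    print("Problems       :", check_authorized_key("admin-laptop", fields) or "none")
    print("Weak key       :", check_authorized_key("old-router", parse_ssh_rsa(WEAK_KEY_LINE)))
    print("Fingerprint    :", fingerprint_sha256(SAMPLE_KEY_LINE))
```

To use it with a real client key, pass the contents of the client's id_rsa.pub file to parse_ssh_rsa and copy the returned values into the IDM form. For a known host key, compare the fingerprint of what Retrieve Host Key fetched with the one shown on the device's own console; only a match justifies trusting the key.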

Sensor Key:

This is the public/private key pair generated by the Cisco sensor itself. If you do not want to keep using the current key pair, click Generate Key to generate a new one, as shown in Figure 4.34.

[Figure: 15.png, http://www.bkjia.com/uploads/allimg/131227/0635004515-5.png]


This article is from the "unknown Christ" blog. For more information, contact the author!
