Cisco IPS 4255 Sensor White Paper
Technical Overview
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 5 of 18
Cisco Security Agent/IPS Interface Configuration
Integrating Cisco Security Agent and IPS requires the configuration of both Cisco Security
Agent MC and IPS sensors. For most scenarios configuration consists of the following three
main activities:
1. Definition of a Cisco Security Agent MC administrative account to be used by IPS sensors
in their SDEE subscriptions.
2. Addition of Cisco Security Agent MC as a trusted host in each IPS sensor.
3. Configuration of an External Product Interface in each IPS sensor.
Defining a Cisco Security Agent MC Administrative Account
Communications between Cisco Security Agent and IPS are authenticated; in fact, Cisco Security
Agent MC will not accept an SDEE subscription for posture and quarantine information unless
the requesting IPS sensor is successfully authenticated. To that end, every IPS sensor must
be preconfigured with the username and password of a valid Cisco Security Agent MC account
granting a minimum of view privileges. The IPS sensor provides the Cisco Security Agent MC
with this information when subscribing, and the Cisco Security Agent MC accepts or denies the
subscription based on the validity of the credentials.
Even though any existing Cisco Security Agent MC administrative account with at least view
privileges could be used, this is not recommended. For obvious security reasons it is always
good practice to create a new account used exclusively for Cisco Security Agent/IPS
communication. This account should be given no more than the minimum required privileges
(monitor, view).
In environments with multiple IPS sensors under the same administration, a single account can
be shared by all the systems; in environments where not all IPS sensors are administered by the
same team, multiple accounts can be defined to help separate the administration.
In Cisco Security Agent MC 5.0 administrative accounts are defined in the CiscoWorks
VPN/Security Management Solution (VMS). This is because Cisco Security Agent MC 5.0 and
prior versions are implemented as a component of CiscoWorks VMS.
Cisco Security Agent MC 5.1 and later versions work standalone and do not require VMS. In these
versions, the administrative accounts used for Cisco Security Agent/IPS communication are
defined directly in Cisco Security Agent MC.
The account to be used for Cisco Security Agent/IPS communication should ideally be one
configured with monitor privileges, which means the user has read access to the entire Cisco
Security Agent MC database, but does not have write privileges. In the case of Cisco Security
Agent MC 5.1 and later versions, the monitor role can be set in Cisco Security Agent MC as part of
the user configuration. With Cisco Security Agent MC 5.0 and prior versions, administrative users
are defined in VMS and not in Cisco Security Agent MC. In this case, the user can be associated
with any of the predefined CiscoWorks roles that grant read-only access, for example Help Desk.
The Network Administrator, System Administrator, and Network Operator roles provide write
access; hence, their use is not recommended for the purpose of Cisco Security Agent/IPS communication.
Figure 3 is a snapshot taken from Cisco Security Agent MC 5.0 showing the definition of “ipsusr”,
an account defined for the exclusive use of Cisco Security Agent/IPS communication.
Figure 3. Cisco Security Agent MC Administrative Account
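The subscription gate described above, as an added example that is not Cisco Security Agent MC code: a constructed model of the decision the MC makes when a sensor presents its preconfigured credentials in an HTTP Basic header. It authenticates against a salted hash and, going beyond what the page says the MC enforces, also refuses the write-capable roles the page advises against; the account table, passwords and role names other than those on the page are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Constructed model (not Cisco Security Agent MC code) of accepting or denying an
# SDEE subscription. Roles follow the page: Monitor/Help Desk are read-only;
# the other three grant write access to the MC database.
READ_ONLY_ROLES = {"Monitor", "Help Desk"}
WRITE_ROLES = {"Network Administrator", "System Administrator", "Network Operator"}


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(role: str, password: str) -> dict:
    """Store only a salted hash, never the clear-text password."""
    salt = os.urandom(16)
    return {"role": role, "salt": salt, "hash": _hash(password, salt)}


# Constructed account table: 'ipsusr' mirrors the dedicated read-only account of
# Figure 3; 'netadmin' stands in for a general-purpose administrator account.
ACCOUNTS = {
    "ipsusr": make_account("Monitor", "example-ips-pass"),
    "netadmin": make_account("Network Administrator", "example-admin-pass"),
}


def basic_header(user: str, password: str) -> str:
    """What the sensor sends: the username/password it was preconfigured with."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authorize_sdee_subscription(auth_header: str, accounts=ACCOUNTS) -> tuple:
    """Return (accepted, reason) for an 'Authorization' header value."""
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Basic":
        return False, "unsupported auth scheme"
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except Exception:
        return False, "malformed credentials"
    acct = accounts.get(user)
    if acct is None:
        return False, "unknown user"
    # Constant-time compare so the check does not leak how much of the hash matched.
    if not hmac.compare_digest(acct["hash"], _hash(password, acct["salt"])):
        return False, "bad password"
    # The sensor only reads posture/quarantine data: refuse write-capable roles so a
    # credential lifted from a sensor cannot be used to modify the MC database.
    if acct["role"] in WRITE_ROLES:
        return False, f"role '{acct['role']}' has write access; use a Monitor account"
    if acct["role"] not in READ_ONLY_ROLES:
        return False, "role not permitted for SDEE"
    return True, "subscription accepted"
```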