Cisco IPS 4345 Sensor
Release Notes for Cisco Intrusion Prevention System 7.2(1)E4
OL-27710-01
To determine your version, do one of the following:
• At the CLI, enter the show inventory command and look for V01 or V02 in the output.
• On the back of the chassis, look at the VID PID label for V01 or V02.
The V01 chassis has the following limitations (these limitations do not apply to the V02 chassis):
• The sensor requires 50 seconds from the time that AC power is applied before the power state can be updated and stored. This means that any changes to the power state within the first 50 seconds of applying AC power will not be observed if AC power is removed within that time.
• The sensor requires 10 seconds from the time it is placed into standby mode before the power state can be updated and stored. This means any changes to the power state within the first 10 seconds of entering standby mode (including the standby mode itself) will not be observed if AC power is removed within that time.
For More Information
For information on the AC power supplies in the IPS 4300 series sensors, refer to
.
Security Features and Enhancements
The following new features and enhancements have been made for security compliance:
• Support for SSHv2.
• Enhanced/detailed audit logging
  – Audit logs are generated for all security related administrative actions.
  – Each log contains the date and time of the event, type of event, subject identity, and the outcome (success or failure) of the event.
• Web session inactivity timeout—The IPS terminates a remote interactive session after an administrator-configurable time interval of session inactivity.
• Enhanced password management—Administrator passwords stored in Linux are hashed with SHA512.
• Display of access banners in IDM—Before establishing an administrative user session, the IPS and IDM display an administrator-specified advisory notice and consent warning message regarding the use of the IPS.
• Support for SHA512 based hashing—The IPS provides a CLI command for validating the SHA512 hash of IPS image downloaded from the CCO. A file containing the SHA512 checksums of the software files is also posted on Cisco.com at the software download site.
• Support for FIPS compliant cryptographic algorithms.
• Power-on self tests for FIPS compliant cryptographic algorithms—A battery of power-up self-tests is executed when IPS is powered up. The following types of power-up self-tests are performed:
  – Cryptographic algorithm test
  – Software/firmware integrity test
  – Power-up self-test error handling
  – Conditional self-tests
  – Error is reported in case of failure
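
The following sketch is an added illustration of the power-up self-test pattern listed above; it is not Cisco code and does not describe the IPS implementation. It runs a SHA-512 known-answer test and a software integrity test at start-up, records each failure, and refuses cryptographic service while in the error state. The names CryptoModule, SelfTestError, sha512_hex, and SAMPLE_IMAGE are hypothetical, and conditional self-tests are not shown.

```python
import hashlib
import hmac

# Published SHA-512 test vector for the three-byte message "abc".
KAT_MESSAGE = b"abc"
KAT_DIGEST = (
    "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
    "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"
)
# Constructed stand-in for a software image; not a real IPS file.
SAMPLE_IMAGE = b"constructed sample image bytes"


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


class SelfTestError(Exception):
    """Raised when the module is used while in the error state."""


class CryptoModule:
    """Hypothetical module that gives no crypto output until self-tests pass."""

    def __init__(self, image: bytes, expected_image_digest: str):
        self.failures = []  # one reported error per failed self-test
        # Cryptographic algorithm test: compare against the known answer.
        if not hmac.compare_digest(sha512_hex(KAT_MESSAGE), KAT_DIGEST):
            self.failures.append("SHA-512 known-answer test failed")
        # Software/firmware integrity test: digest of the loaded image.
        if not hmac.compare_digest(sha512_hex(image),
                                   expected_image_digest.lower()):
            self.failures.append("software integrity test failed")

    @property
    def operational(self) -> bool:
        return not self.failures

    def digest(self, data: bytes) -> str:
        # Error handling: fail closed and report why service is refused.
        if not self.operational:
            raise SelfTestError("; ".join(self.failures))
        return sha512_hex(data)
```
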