Secure Communications Between the Reporting Agent and Web Browsers

This chapter describes how to configure your primary Cisco Secure Policy Manager server to encrypt the network traffic passing between the reporting agent and a web browser that requests access to the reports generated by Cisco Secure Policy Manager. It also describes how to configure and use your web browser for secure communications when communicating with the reporting agent.

Cisco Secure Policy Manager supports secure communications between independent web browsers and the reporting agent. Before access to the reports is granted, all communication requests made from a web browser require the user to use a Cisco Secure Policy Manager administrative account with appropriate privileges to authenticate to the reporting agent. This required authentication is also enforced for requests originating from the GUI. However, the encryption mechanisms used between the GUI and the reporting agent are different from those used between a web browser and the reporting agent.

All GUI sessions, whether with the reporting agent or with another Cisco Secure Policy Manager component, are encrypted using a symmetric algorithm for bulk encryption. The GUI relies on the Microsoft Crypto API to perform this encryption.

However, a session between a web browser and the reporting agent is encrypted using the Secure Sockets Layer (SSL) protocol. The SSL protocol uses 40-bit bulk encryption based on the RSA BSAFE SSL-C library.

Task List for Secure Communications

You can configure a third-party web browser for secure communications, and you can replace the Cisco certificate with a custom certificate.

Configuring a Web Browser for Secure Communications

In addition to viewing scheduled and on-demand reports from within the GUI client, you can view Cisco Secure Policy Manager reports from any standard web browser. To view the reports over an encrypted SSL connection, you must install a certificate, and you must use https:// rather than the standard http:// to request the reports.

The first time that you attempt to connect to the primary server, you will be prompted to download the certificate provided with Cisco Secure Policy Manager. After you accept the certificate, your communications for that session will be encrypted.

Replacing the Cisco Certificate With a Custom Certificate

You can replace the digital certificate/RSA private key pair provided by Cisco Systems with one that you get from a third-party certificate provider, such as Entrust Technologies, Security Dynamics, Inc., or VeriSign, Inc. This certificate/key pair is used to encrypt communications between the reporting agent and a web browser client that requests report data from the Cisco Secure Policy Manager server. The private key is used for the session handshake and for encrypting the negotiated session key, which is randomly generated for each session and used to encrypt that session only.

Such encrypted communications are optional. This feature is provided to enhance the overall security of the system and its data, thereby preventing eavesdropping on the data contained within the reports that you generate. Encrypting this traffic is good security practice, but you are not required to do so.

You will want to replace this certificate (Examiner.crt) if your company supports another certificate authority (CA) or has its own certificate server (public key infrastructure). A weakness in the RSA private key (Examiner.key) provided by Cisco Systems is that it is the same private key provided to all Cisco customers who purchase Cisco Secure Policy Manager. In addition, the provided Examiner.crt is a self-signed certificate, which means that it is vulnerable to man-in-the-middle attacks.

In other words, attackers can create the same certificate, intercept your requests to the reporting agent, and communicate with the browser as if they are the reporting agent. Because the certificate is not assigned by a reliable CA, your web browser cannot determine if it is communicating with the actual reporting agent. Because of this inability, the web browser will prompt you to accept the certificate.

However, if you replace the Examiner.crt with a real certificate signed by a reliable CA, and you ensure that the CA is identified in the web browser's certificate accept list, you will not be prompted to accept the certificate, even on the first use. In addition, such a configuration prevents a man-in-the-middle attack as long as the CA is not compromised.

To replace the existing certificate/key pair, perform the following task:


Step 1 Obtain a new certificate and RSA private key. These files must be formatted as PEM files (Privacy Enhanced Mail, RFCs 1421 through 1424). In addition, the private key should not be pass-phrase encrypted and cannot exceed 2048 bits in length.


Note When you replace the key file with your own private key, you should set the permissions on that file to be read-only by the same administrative account under which you installed the Cisco Secure Policy Manager product.

Step 2 Rename the new certificate and key files to Examiner.crt and Examiner.key, respectively.

Step 3 Replace the Examiner.crt and Examiner.key files that reside in the Cisco Secure Policy Manager bin folder on your primary server (or standalone server) with the newly renamed files.


Note When you replace these files with your own certificate and private key files, you should set the permissions on those files so that they are owned only by the administrative account under which you installed the Cisco Secure Policy Manager product. These files should also be configured as read-only.

Step 4 Update the file signatures on the primary server. If you fail to update the file signatures, the Cisco Controlled Host Component service will not start.

For information on updating file signatures on the primary server, refer to Cisco Secure Policy Manager Administrator's Guide: System Configuration and Maintenance.
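As an added example that is not part of the Cisco documentation, the following Python script checks a candidate Examiner.key against the constraints stated in Step 1 before it is copied into the bin folder: PEM format, no pass-phrase encryption, and a modulus of at most 2048 bits. The synthetic_rsa_pem fixture is constructed here only so the check can be exercised offline; it does not produce a usable key.

```python
import base64
import re

# Constraints the chapter states for the replacement private key.
MAX_KEY_BITS = 2048
PEM_RE = re.compile(r"-----BEGIN RSA PRIVATE KEY-----\n(.*?)-----END RSA PRIVATE KEY-----", re.S)


def _der_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_private_key_bits(pem_text):
    """Return the modulus size of a PKCS#1 'RSA PRIVATE KEY' PEM, or raise ValueError."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("not a PEM-encoded PKCS#1 RSA private key")
    body = m.group(1)
    # A pass-phrase protected PEM carries RFC 1421 encapsulated headers before the base64 data.
    if "Proc-Type: 4,ENCRYPTED" in body:
        raise ValueError("private key is pass-phrase encrypted; supply an unencrypted key")
    der = base64.b64decode("".join(body.split()))
    tag, seq, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("RSAPrivateKey is not a DER SEQUENCE")
    _, _version, pos = _der_tlv(seq, 0)        # RSAPrivateKey ::= SEQUENCE { version, modulus, ... }
    tag, modulus, _ = _der_tlv(seq, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def check_replacement_key(pem_text):
    """Accept the key only if it meets the documented limit; return its size in bits."""
    bits = rsa_private_key_bits(pem_text)
    if bits > MAX_KEY_BITS:
        raise ValueError(f"key is {bits} bits; the reporting agent accepts at most {MAX_KEY_BITS}")
    return bits


def _der_int(n):
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    b = b"\x00" + b if b[0] & 0x80 else b        # keep the INTEGER positive
    return b"\x02" + _der_len(len(b)) + b


def _der_len(n):
    if n < 128:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def synthetic_rsa_pem(bits, encrypted=False):
    """Constructed fixture: a PKCS#1 envelope whose modulus has `bits` bits (not a real key)."""
    seq = _der_int(0) + _der_int((1 << (bits - 1)) | 1)
    b64 = base64.encodebytes(b"\x30" + _der_len(len(seq)) + seq).decode()
    hdr = "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n" if encrypted else ""
    return f"-----BEGIN RSA PRIVATE KEY-----\n{hdr}{b64}-----END RSA PRIVATE KEY-----\n"
```

To check a real file, pass `open("Examiner.key").read()` to `check_replacement_key`; a PKCS#8 key (BEGIN PRIVATE KEY or BEGIN ENCRYPTED PRIVATE KEY) is rejected by the PEM check because the chapter describes only the traditional RSA PEM form.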

Posted: Fri May 26 14:04:03 PDT 2000
Copyright © 1989 - 2000 Cisco Systems Inc.