IPS Module on ASA

Answered Question
Feb 6th, 2007

Hi,

I would like to check when having an IPS module on ASA, what will be done first; the firewailling or the IPS function?

Thanks,

Haitham

I have this problem too.
0 votes
Correct Answer by Richard Burts about 9 years 7 months ago

This is quoted from the configuration guide for the ASA version 7.2:

The ASA 5500 series adaptive security appliance supports the AIP SSM, which runs advanced IPS software that provides further security inspection. The adaptive security appliance diverts packets to the AIP SSM just before the packet exits the egress interface (or before VPN encryption occurs, if configured) and after other firewall policies are applied. For example, packets that are blocked by an access list are not forwarded to the AIP SSM.

It indicates that the firewall operates first and then sends to the IPS.

HTH

Rick

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
sachinraja Tue, 02/06/2007 - 03:38

Hello Haitham

Logically the IPS should work first and then the firewall, depending on the configurations on the ASA (service policy commands)... before the attacks really hit the ASA and cause issues, the IPS should block it.... this is how an external IPS box also works !!!

in SSM, you will basically apply the IPS commands on the inside/DMZ interfaces... so whenever the traffic passes thro those interface, it will be pushed to the SSM module, depending on the service policy commands, then goes to the interface for firewalling... I hope there is a logical reason for this way of operation !!!

Hope this helps.. all the best..

Raj

Correct Answer
Richard Burts Tue, 02/06/2007 - 03:55

This is quoted from the configuration guide for the ASA version 7.2:

The ASA 5500 series adaptive security appliance supports the AIP SSM, which runs advanced IPS software that provides further security inspection. The adaptive security appliance diverts packets to the AIP SSM just before the packet exits the egress interface (or before VPN encryption occurs, if configured) and after other firewall policies are applied. For example, packets that are blocked by an access list are not forwarded to the AIP SSM.

It indicates that the firewall operates first and then sends to the IPS.

HTH

Rick

haithamnofal Tue, 02/06/2007 - 05:16

Thnaks Raj for your logic although it is not right:) and thanks Rick for your answer.

Actually, this makes sense that the firewall works first for it to take care of decrypting inbound VPN traffic before being inspected by the IPS, as the IPS cannot inspect encrypted traffic. In addition to that, having the firewall first will filter out undesired traffic and as consequence will minimize unneeded logs in the IPS.

Regards,

Haitham

sachinraja Tue, 02/06/2007 - 15:22

Hello,

I wanted to debate on this a little...

IPS normally gives one additional layer of protection to firewalls... if you take the previous scenarios , with external IPS, it made more sense, because it normally sits between the firewall and the internet router.. Any traffic , even before entering your network (firewall), is blocked, if not the right one... This can actually save a lot of CPU for the firewall, which does work well, and is the most critical component in your network... For eg, say an intruder puts a ICMP bomb or DDOS on the external interface of the firewall & if the IPS is behind firewall, all the intrusions hit the firewall, can increase the CPU and disrupt it before the IPS comes into picture... but if the IPS works first, then there will be absolute protection to the firewall hardware !!!!

and.. haitham.. i really dont think the VPN traffic should be done intrusion prevention.. VPN is already encrypted and is from a valid source (your own network).. so you should trust your source and allow it without IPS.. thats what i feel !!!!

If the firewall works first and denies any source of attack, which it cant fully do , how will you know that there is a faulty PC on your network, which IPS cannot identify ... IPS should basically protect the firewall and the network, and it should not be viceversa, since in an ASA box, firewall is the main functionality and IPS is just an addon !!!

Any thoughts ??

Raj

Fernando_Meza Tue, 02/06/2007 - 15:56

Hi .. I just would like to say a word .. about implementing IPS between the firewall and the ISP router .. even thought it might protect the firewall from some type of attacks as mentioned by Raj at the same time it might be a waste of IPS processing and event logs while signatures are fired for traffic that could be denied by the firewall anyway .. this will be a pain regarding the ammount of false positives that might be logged ..

In regards to the "trusting encrypted traffic without IPS " I respectfully disagree as it is generally accepted that most attacks come from within your network .. just my 20 cents !!!

Actions

This Discussion