ASA and IPS - AIP Modules

rasoftware (Level 1)

Looking at the new ASA range of firewalls and would like one with IPS ability. It seems now you need the AIP SSM modules, which more than double the price of the firewall. Does anyone know if the ASA5510 has any IDS/IPS features, or if the module is required?

The old PIX used to have a basic IDS feature, if I recall.

Accepted Solution

Fernando_Meza (Level 7)

Hi .. yes indeed, the ASA also supports those basic IDS features .. but they are basic and static. If you want to be serious about packet inspection then you really need to opt for an IPS module or a sensor.

I hope it helps .. please rate it if it does !!

From Cisco Doc:

"Step 1 To define an IP audit policy for informational signatures, enter the following command:

hostname(config)# ip audit name name info [action [alarm] [drop] [reset]]

Where alarm generates a system message showing that a packet matched a signature, drop drops the packet, and reset drops the packet and closes the connection. If you do not define an action, then the default action is to generate an alarm.

Step 2 To define an IP audit policy for attack signatures, enter the following command:

hostname(config)# ip audit name name attack [action [alarm] [drop] [reset]]

Where alarm generates a system message showing that a packet matched a signature, drop drops the packet, and reset drops the packet and closes the connection. If you do not define an action, then the default action is to generate an alarm.

Step 3 To assign the policy to an interface, enter the following command:

ip audit interface interface_name policy_name

Step 4 To disable signatures, or for more information about signatures, see the ip audit signature command in the Cisco Security Appliance Command Reference."

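The four steps quoted above, carried through as a complete ASA configuration. This is an added example, not from the Cisco document or from any poster in this thread; the interface name "outside", the policy names INFO-WATCH and ATTACK-BLOCK, the syslog host address and the choice of signature 2004 (ICMP echo request) as the one to silence are all assumptions made for illustration.

```cisco
! Added example: ASA IP audit (built-in IDS) configuration.
! Assumes an interface named "outside" and a syslog collector at 192.0.2.10
! reachable via "inside". Policy names are arbitrary.

! Global defaults for signatures not covered by a named policy:
! informational matches only log, attack matches log and drop.
ip audit info action alarm
ip audit attack action alarm drop

! Step 1: informational signatures (ICMP probes, IP options, ...) - alarm only,
! so syslog shows what is probing the edge without dropping anything.
ip audit name INFO-WATCH info action alarm

! Step 2: attack signatures (fragment attacks, TCP flag abuse, ...) - log,
! drop the packet and (for TCP) tear the connection down with a RST.
ip audit name ATTACK-BLOCK attack action alarm drop reset

! Step 3: one info policy and one attack policy can be bound per interface.
ip audit interface outside INFO-WATCH
ip audit interface outside ATTACK-BLOCK

! Step 4: tune. Signature 2004 (ICMP echo request) fires on every ping
! sweep against an Internet-facing interface; disable it globally rather
! than generating a syslog message per probe.
ip audit signature 2004 disable

! Make the alarms visible: IDS messages (%ASA-4-400xxx) are severity 4,
! so the trap level must be at least "warnings".
logging enable
logging trap warnings
logging host inside 192.0.2.10

! Verification (exec mode):
!   show running-config ip audit
!   show ip audit count interface outside   <- per-signature hit counters
```

Two things worth knowing before relying on this: the signature set is a fixed list of a few dozen protocol-level checks that is not updated, and an "attack" policy with drop/reset on a production interface will also drop legitimate traffic that trips a signature (fragmented packets, unusual IP options). Run it alarm-only first, watch the counters and syslog, then tighten. None of this replaces the AIP-SSM if real signature-based inspection is the requirement.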

3 Replies


Hi - thanks for the response. Looking on the old PIX PDM I see it under System Properties > Intrusion Detection. I can't see anything similar on the ASA I have - where is this in SDM manager?

Thanks

Hi - found it under IP audit.

thanks

Rob
