Basic IPS Features included in ASA without AIP-SSM

malakaudawatta
Level 1

Are there any Basic IPS Features (functionality) included in ASA without AIP-SSM?


fropert
Level 1

Hello,

Yes!

First, the IP audit feature. This one contains approximately 50 basic signatures on IP, ICMP, TCP flags, DNS, UNIX RPCs and fragmentation.

These sigs are classified into 2 families: Informational and Attacks.

You can define a policy on Informational sigs and another policy on Attacks sigs for each interface (policy-to-interface mappings).

The policy configuration considers 2 things:

- Should an alarm be generated?

- Whether the triggered packets will be dropped, reset or passed

Second, the ASA now has a feature called "Threat Detection".

This feature detects DoS and scanning attacks (nmap scans, for example) and gives you statistics about threats.

Scanning source IPs can be shunned.

Hope it will help you!

Francois

I can't get the policy-to-interface mappings to take. The pull-down box always says none. Any ideas? Also, where is "Threat Detection" configured?

ASA 7.21

The Threat Detection feature comes with version 8.x. You can find it in ASDM under "Configuration" -> "Firewall" -> "Threat Detection"

or on the CLI (example):

threat-detection basic-threat

threat-detection scanning-threat shun except object-group admin

threat-detection statistics

To configure ip-audit, you must first configure new IP-Audit policies.
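
An added example, not posted by anyone in the thread: the CLI form of the two steps described above, first defining one IP audit policy per signature family and then mapping both to an interface. The policy names AUDIT-INFO and AUDIT-ATTACK and the interface name "outside" are assumptions.

```cisco
! Added example; policy names and the interface name "outside" are assumptions.
! Step 1: define one policy per signature family (informational and attack).
! Each policy states whether to alarm and whether to drop/reset the packet.
ip audit name AUDIT-INFO info action alarm
ip audit name AUDIT-ATTACK attack action alarm drop
!
! Step 2: map the policies to an interface. An interface takes one
! informational policy and one attack policy.
ip audit interface outside AUDIT-INFO
ip audit interface outside AUDIT-ATTACK
!
! Step 3: confirm that the policies exist and that the mapping took.
show running-config ip audit name
show running-config ip audit interface
```

Until at least one policy exists from step 1, there is nothing to select in a policy-to-interface mapping.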
