ASK THE EXPERT - TROUBLESHOOTING INTRUSION PREVENTION SYSTEMS

Mar 7th, 2008

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on troubleshooting Intrusion Prevention Systems with Srinivas Mallu. Srinivas Mallu is a senior customer support engineer in High Touch Technical Support (HTTS) within the Technical Assistance Center (TAC). He has a double CCIE in Routing & Switching and Security (CCIE# 8914). Srinivas has been in TAC for the past eight years supporting security related products such as PIX, ASA, FWSM, Security on IOS, IPSec, ACS and IDS.


Remember to use the rating system to let Srinivas know if you have received an adequate response.


Srinivas might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through March 21, 2008. Visit this forum often to view responses to your questions and the questions of other community members.


hi Srinivas

I will be shortly rolling out an IPS solution for our company and will be deploying the 4200 series IPS devices at our branch and hub facilities.

Can you explain the features of this unit regarding updating signatures?

Does it have an auto-update polling function, or does it need to be done manually when IPS signature updates are released?

What are the licensing requirements to download signatures - is smartnet coverage sufficient or is further licensing required?


thank you


Steve

smallu Mon, 03/10/2008 - 15:39

Hi Steve,


How are you doing? Sorry for the late reply. I see that you posted your question on Sunday.


IPS uses an Auto-Update polling function that polls an FTP server, to check on the latest updates.


So, you have two options to get the signature updates.


a) You can manually configure an FTP server, and download the recent updates from cisco.com to the FTP server, where the IPS polls the FTP server and downloads the signature updates.


b) Or you can buy a CSM (Cisco Security Manager) solution that has a built in FTP server, that automatically updates the IPS with the latest signature updates.


As far as the licensing requirements, SmartNet is not enough. You need an SU (Signature Update) contract to get support for signature updates.


Hope this helps!


Thanks,

Srinivas.

ashish-gupta Wed, 03/12/2008 - 09:13

Hi Sri,

Does the 5520 modify packets as they are passed through the AIP-10? I am seeing TCP options, 20 bytes (with a couple of NOPs), being added to replayed packets.

smallu Thu, 03/13/2008 - 12:32

Hi Ashish,


The simple answer to your question is, ASA will not modify a packet just because it is going to the AIP module. It passes it "as-is" to the backplane where the AIP picks it up, unaltered.


However, the packet could be altered for other reasons though, such as the packet getting NAT'ed etc.


Hope this helps!


Srinivas.

rico_hao40 Wed, 03/12/2008 - 11:41

Hi,

If the ASA does not have an AIP SSM, does it have an IPS feature? If so, how do I enable it? Can you give a link or example? I remember the old PIX could enable an IPS feature which had part of the full signature set. Thanks.

smallu Thu, 03/13/2008 - 13:16

Hi Rico,


Cisco ASA provides other limited IPS features that are available without the need of the AIP-SSM module:


* IP audit

* Shunning


1) The IP audit feature enables the ASA to generate alarms based on a limited number of signatures. To enable the IP audit feature, use the ip audit command. The following is the command syntax:

ip audit name name info [action [alarm] [drop] [reset]]
ip audit name name attack [action [alarm] [drop] [reset]]

name can be any arbitrary identifier for the IP audit policy.

There are two different categories of IP audit alarms/events:

* info - For informational signatures
* attack - For attack signatures

The alarm action generates an event that alerts the administrator that a packet matched a specific signature. The drop action enables the ASA to drop any offending packets. The reset action forces the ASA to drop the packet and close the connection.

Note: The default action is to generate an alarm.

The configured IP audit policy can be assigned to an interface with the following command:

ip audit interface interface_name policy_name

IP Audit Configuration Example:
-------------------------------
ip audit name secureme info action alarm
ip audit name secureme attack action alarm reset
ip audit interface outside secureme
ip audit interface dmz secureme

To disable a specific signature:
Chicago(config)# ip audit signature 1005 disable

2) Shunning - The AIP SSM can automatically shun (block) a connection when it detects malicious activity. You can also manually shun a connection if you do not have an AIP-SSM installed in your system. However, this process requires manual intervention and can be very inefficient.

Example: Shunning Specific Traffic
Chicago(config)# shun 10.83.145.166 192.168.1.12 2035 445
Shun 10.83.145.166 added in context: single_vf
Shun 10.83.145.166 successful


Hope this helps!


Srinivas.
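As an added illustration (not code from this thread or from Cisco), here is a small Python triage script for the syslog lines that the ip audit feature in the answer above produces. It assumes the ASA/PIX message shape "IDS:<sig> <name> from <src> to <dst> on interface <if>" with a 4000xx message ID; the sample lines are constructed, and the message-ID/signature pairings in them are illustrative rather than copied from a real device. Counting hits per signature and per source is what tells you whether a signature is worth leaving at alarm, promoting to drop/reset in the policy, or disabling with "ip audit signature <id> disable" because it only adds noise.

```python
import re
from collections import Counter

# Regex for the ASA/PIX ip audit syslog body. The numeric message ID (4000xx) differs per
# signature, so it is captured for reference but the summary keys on the IDS signature number.
IP_AUDIT_RE = re.compile(
    r"%(?:ASA|PIX)-(?P<sev>\d)-(?P<msgid>4000\d\d): "
    r"IDS:(?P<sig>\d+) (?P<name>.+?) from (?P<src>\S+) to (?P<dst>\S+) "
    r"on interface (?P<iface>\S+)"
)

# Constructed sample log excerpt (not from the thread). The last line is an ordinary
# connection-build message and must be ignored by the parser.
SAMPLE_LOG = """\
Mar 20 2008 17:30:01 asa1 %ASA-4-400013: IDS:2003 ICMP redirect from 10.83.145.166 to 192.168.1.12 on interface outside
Mar 20 2008 17:30:02 asa1 %ASA-4-400014: IDS:2004 ICMP echo request from 10.83.145.166 to 192.168.1.12 on interface outside
Mar 20 2008 17:30:05 asa1 %ASA-4-400002: IDS:1002 IP options-Timestamp from 172.16.5.9 to 192.168.1.20 on interface dmz
Mar 20 2008 17:31:10 asa1 %ASA-4-400014: IDS:2004 ICMP echo request from 10.83.145.166 to 192.168.1.13 on interface outside
Mar 20 2008 17:31:11 asa1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:10.1.1.1/4567 (10.1.1.1/4567) to dmz:192.168.1.20/80 (192.168.1.20/80)
"""


def parse_ip_audit(line):
    """Return a dict for an ip audit event line, or None for any other syslog line."""
    m = IP_AUDIT_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["sig"] = int(event["sig"])
    return event


def summarize(log_text):
    """Parse every line and count events per signature and per (signature, source, interface)."""
    events = [e for e in (parse_ip_audit(l) for l in log_text.splitlines()) if e]
    by_sig = Counter(e["sig"] for e in events)
    by_src = Counter((e["sig"], e["src"], e["iface"]) for e in events)
    return events, by_sig, by_src


def noisy_signatures(by_sig, threshold):
    """Signature IDs whose hit count reaches the threshold: candidates for tuning.

    For informational signatures that only add noise this is the input to
    'ip audit signature <id> disable'; for attack signatures it is the list to
    review before deciding on the drop/reset action.
    """
    return sorted(sig for sig, n in by_sig.items() if n >= threshold)


if __name__ == "__main__":
    events, by_sig, by_src = summarize(SAMPLE_LOG)
    for (sig, src, iface), n in by_src.most_common():
        print(f"sig {sig} from {src} on {iface}: {n} hit(s)")
    print("signatures to review:", noisy_signatures(by_sig, 2))
```

Feed it a real syslog export instead of SAMPLE_LOG and raise the threshold to whatever suits the traffic volume; the per-source counter is what separates one scanner hitting many hosts from many hosts tripping one signature.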

dhanikonda Thu, 03/13/2008 - 01:11

Hi,Srinivas,


I am facing a strange problem in a Cisco ASA 5510.


The ASA 5510 firewall allows SSH through VPN into our network in the US.

But HTTP access to some of our LAN servers through the VPN tunnel is troubled.

For PCs installed with Linux, HTTP access times out, whereas it works fine for the Windows operating system.



Earlier we were using a Cisco PIX 506 and we have not faced this problem with it. HTTP and SSH access were fine for both Windows and Linux installed PCs.


Reverting from the new ASA firewall to the old PIX, things work fine as they were working earlier.


FYI: we installed the Ubuntu 7.10 and Kubuntu 7.0 flavours of Linux.

Please help me with this; I will be very grateful to you.


Regards

srini

smallu Fri, 03/14/2008 - 12:20

Srini,


This could be an MSS issue, although I don't have the logs or sniffers to conclusively say so. But off the top of my head, I have seen this issue, when the server or HTTP client sends an MSS exceeding what has been agreed upon when the 3-way handshake is complete.


With the older PIXes we just ignore the excess MSS, and we still let the packets pass. With the new ASA/PIX versions, by default we drop the packets.


Please refer to the following Cisco.com document for more information and a workaround to this issue:

http://cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml


You'll need a Cisco.com account to login.

Additionally, you can turn off HTTP inspection on the ASA to see if that helps resolve the problem.


Hope this helps!


Srinivas.
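To make the behaviour in the answer above concrete, here is an added Python model (not ASA code and not from the thread) of the MSS check as described: each side advertises in the handshake the largest segment it can receive, a sender must honour the peer's value, and the firewall either drops an oversize segment (the newer default described above) or lets it through (the older PIX behaviour described above). The policy names "drop" and "allow", the dataclasses and the sample flow are this example's own constructions; the handshake values are chosen to look like a VPN-clamped client talking to a web server.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Handshake:
    """MSS values exchanged in the 3-way handshake. Each side advertises the largest
    TCP payload it is willing to RECEIVE, so the limit that applies to a sender is
    the value its peer advertised."""
    client_mss: int   # MSS option in the client's SYN
    server_mss: int   # MSS option in the server's SYN-ACK


@dataclass(frozen=True)
class Segment:
    sender: str       # "client" or "server"
    payload_len: int  # bytes of TCP data carried by the segment


def peer_limit(hs, sender):
    """The MSS the sender must honour: the one advertised by the receiving peer."""
    return hs.server_mss if sender == "client" else hs.client_mss


def check_segment(hs, seg, exceed_mss="drop"):
    """Classify one segment the way the firewall behaviour in the post is described.

    exceed_mss="drop"  : oversize segments are dropped (newer ASA/PIX default per the post)
    exceed_mss="allow" : oversize segments pass unchanged (older PIX behaviour per the post)
    Returns (verdict, limit) with verdict one of "pass", "drop", "pass-oversize".
    """
    limit = peer_limit(hs, seg.sender)
    if seg.payload_len <= limit:
        return "pass", limit
    return ("drop" if exceed_mss == "drop" else "pass-oversize"), limit


def audit_flow(hs, segments, exceed_mss="drop"):
    """Run a whole flow through check_segment and return the verdict per segment."""
    return [check_segment(hs, s, exceed_mss)[0] for s in segments]


# Constructed example: the client advertises 1460, the server (behind the tunnel) advertises 1380.
CONSTRUCTED_HS = Handshake(client_mss=1460, server_mss=1380)
CONSTRUCTED_FLOW = [
    Segment("client", 400),    # GET request: within the server's 1380
    Segment("server", 1460),   # response data: exactly the client's 1460, still allowed
    Segment("client", 1400),   # upload chunk: exceeds the server's 1380
]

if __name__ == "__main__":
    for policy in ("drop", "allow"):
        print(policy, audit_flow(CONSTRUCTED_HS, CONSTRUCTED_FLOW, exceed_mss=policy))
```

The third segment is the one that silently disappears under the "drop" policy, which matches the symptom in the question: the handshake and small requests succeed, and only the larger transfer stalls until it times out. When troubleshooting, compare the MSS in the captured SYN/SYN-ACK against the payload sizes of the segments that never arrive.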

rohan.pise Fri, 03/14/2008 - 04:21

I have an IPv6 problem with my 1841 router. The problem is that I cannot enable ipv6 unicast-routing on it; it has the latest IOS 12.4.

josephium Fri, 03/14/2008 - 05:46

Hi,

I have set up the clock on my AIP-SSM 20. If I do a show clock it displays the correct time, but in the event viewer the sensor UTC time is still different. How can I get the correct time in the event viewer? I have also realized that if I want to try something and change the time, the sensor has to reset!?


smallu Fri, 03/14/2008 - 16:11

Hi There,


The Event Viewer should sync with the Sensor time or the ASA time. Is the time on the ASA and Sensor different? The Event viewer shows time in UTC.


Yes. Whenever you change time on the sensor, the sensor needs to be reset.


When you say the time on the Event Viewer is different, how much is it off by? Just making sure the TimeZone is properly configured. There is really no way to adjust the time on the event viewer itself, as it derives it from the sensor or the ASA and posts it in UTC (+2 hrs).


Hope this helps!


Srinivas.

smallu Fri, 03/14/2008 - 12:37

Hi Rohan,


How are you doing? This forum is for IPS (Intrusion Protection System), not IPv6.


To answer your question, all the latest IOS images should support IPV6. However, it depends on what feature set you have with your IOS image.


Please make sure you have an enterprise image, which should read something like "c1800-%js%-mz.124-4.T". The image should have a 'js' in it. I believe even the advanced ip services or advanced enterprise services feature set will do to support the command.


Hope this helps!


Srinivas.


pratik.moitra Mon, 03/17/2008 - 06:09

Hi -


We have a Cisco ASA 5520 along with the AIP-SSM module, and we are facing problems while accessing the IPS over the network. It is not even pinging its configured default gateway.


Please find an attachment which shows the details of the hw_module status and the sensor configuration.


It will be really helpful if you can suggest a step to recover our IPS.


Regards - Pratik

MB: +919900593040



smallu Tue, 03/18/2008 - 17:14

Hi Pratik,


The config on the IPS module is good. The Management IP Address on the AIP Module should be on the same subnet as the Management Interface of the ASA.


Example (from my lab):
----------------------
interface Management0/0
 nameif mgmt
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!

AIP Config
! ------------------------------
! Version 5.0(2)
! ------------------------------
service host
network-settings
host-ip 192.168.1.2/24,192.168.1.1
--------------------


Also, please make sure the management port the AIP-SSM module is on and the management port on the ASA are on the same VLAN. Please check the physical connectivity to make sure layer 2 connectivity is good. Last but not least, enable ICMP on the ASA.


Hope this helps!


Srinivas.
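The layer-3 part of the checklist above (same subnet, distinct addresses, a gateway that the sensor can actually reach) is easy to get wrong by one octet, so here is an added Python check, not Cisco code and not from the thread, that parses the two config formats shown in the lab example. The ASA "ip address" line and the AIP-SSM "host-ip addr/prefix,gateway" line are taken from the answer; the configs below are constructed copies of that lab example, and the check that the gateway equals the ASA management address simply mirrors that example (another gateway on the same subnet is not an error in general, so it is reported separately).

```python
import ipaddress
import re

# Constructed copies of the two config excerpts from the lab example above.
ASA_MGMT_CONFIG = """\
interface Management0/0
 nameif mgmt
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
"""

AIP_HOST_CONFIG = """\
service host
network-settings
host-ip 192.168.1.2/24,192.168.1.1
"""


def parse_asa_mgmt(config):
    """Return the ASA management interface (address + mask) as an IPv4Interface."""
    m = re.search(r"^\s*ip address (\S+) (\S+)\s*$", config, re.M)
    if not m:
        raise ValueError("no 'ip address' line in ASA config")
    return ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")


def parse_aip_host(config):
    """Return (sensor interface, default gateway) from the 'host-ip addr/prefix,gateway' line."""
    m = re.search(r"^\s*host-ip (\S+?),(\S+)\s*$", config, re.M)
    if not m:
        raise ValueError("no 'host-ip' line in AIP config")
    return ipaddress.IPv4Interface(m.group(1)), ipaddress.IPv4Address(m.group(2))


def check_management_addressing(asa_config, aip_config):
    """Return a list of findings; an empty list means the addressing matches the checklist."""
    asa_if = parse_asa_mgmt(asa_config)
    aip_if, aip_gw = parse_aip_host(aip_config)
    findings = []
    if asa_if.network != aip_if.network:
        findings.append(f"subnet mismatch: ASA {asa_if.network} vs AIP {aip_if.network}")
    if asa_if.ip == aip_if.ip:
        findings.append(f"duplicate address {asa_if.ip} on ASA and AIP")
    if aip_gw not in aip_if.network:
        findings.append(f"AIP gateway {aip_gw} is outside the AIP subnet {aip_if.network}")
    elif aip_gw != asa_if.ip:
        # Not wrong in general, but it differs from the lab example where the ASA is the gateway.
        findings.append(f"note: AIP gateway {aip_gw} is not the ASA management address {asa_if.ip}")
    return findings


if __name__ == "__main__":
    print(check_management_addressing(ASA_MGMT_CONFIG, AIP_HOST_CONFIG) or "addressing OK")
    # A constructed typo in the sensor's subnet, the kind of mistake this catches:
    print(check_management_addressing(ASA_MGMT_CONFIG, "host-ip 192.168.2.2/24,192.168.1.1\n"))
```

Once this passes and the ping still fails, the remaining items in the answer are layer 2 and policy: the VLAN on both ports, the cable, and whether ICMP is permitted on the ASA (which, as the follow-up in this thread shows, is where the real problem turned out to be).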

pratik.moitra Wed, 03/19/2008 - 22:32

Thanks a ton!!


I got the issue resolved by changing the patch cord from Cat5 to Cat6 (factory crimped). I think there might have been some issue with the cable.


Regards - Pratik

Kevin Xiong Mon, 03/17/2008 - 18:12

Hi, Srinivas


I have a question with regards to the Dual IPS4200 with Asymmetric routing issue.

The scenario is that we have dual WAN links (2x T3) at each site, with dynamic routing equally distributing packets over the WAN cloud, and each site has 2x 4200 inline IPS behind the T3 WAN router LAN segment. Those 2x 4200 are in parallel, one behind each T3. If fragmented attacking packets traverse different IPS 4200s when entering/leaving each site, how can we best protect against this with the dual in-line IPS?


Thanks.


-Kevin


smallu Tue, 03/18/2008 - 17:24

Kevin,


The best way to get this working is to make sure the IPS sensors see all packets in a connection.


This design involves copying packets from one path to the sensor on the other path. This solves the problem because each sensor sees every packet: half are the actual packets, seen because the device is inline, and the other half are copies of the originals, but the IPS doesn't care or know.


Since the only data that the sensors “share” is the same packet view, some pieces of sensor config state will not be replicated on each sensor. Previous denied attacker lists, previous shunned host lists, and all other things not directly related to seeing the same packet flow may or may not be the same on each sensor.


Hope this helps!


Srinivas.

martinstj Tue, 03/18/2008 - 01:38

I am CCNA certified. I set up a LAN using only a D-Link switch. A computer in the network refuses to see either the workstations in its workgroup or those in the other workgroups, but the ping command is successful to all computers on the network. This problem has prevented other computers on the network from sharing resources with this computer. I have done all I could, but all effort was to no avail. Please give me the necessary clues to solve this problem before I lose my JOB.

smallu Tue, 03/18/2008 - 18:08

Hi There,


It looks like you have IP connectivity. The only thing I can think of here, is access rights to files, or domain authentication issues.


I am not an expert on Windows networking, but from what I have seen from some of the customer issues, this sounds like an access rights issue.


Do you have a Windows Firewall enabled? Or a CSA enabled on the PC? This also could block access to resources.


Hope this helps!


Srinivas.

MaksimGura Tue, 03/18/2008 - 12:23

Hello Srinivas,


My questions are as follows:

1. I've planned to implement an IPS system based on a 2821 router + AIM-IPS module. Here are two questions:

a. The AIM-IPS module was announced in November 2007 but it is still not selling. What happened? When will it be possible to buy it?

b. Will any difficulties appear if I implement a 2821 router + AIM-IPS module + 1GB RAM + BGP configured with a full view on it? Could you please suggest something on this?

2. Could you please provide me some useful links for IPS system detailed design/creation resources, or links to resources of typical IPS system schemas?


Thanks a lot,

Maksim

smallu Thu, 03/20/2008 - 01:54

1 a) I don't have an answer to this question. The product manager for this product may have an accurate answer.


1 b) The IPS AIM has its own CPU and DRAM for all IPS functions, so it does not affect RAM on the router.


Not sure what you mean by BGP with "full view" but essentially BGP is a router function and would not be impacted by the presence of the IPS AIM. If you mean a full Internet BGP table then this requires a lot of memory. Your SE should be able to help you size it correctly.


2) Sure. All the relevant IPS docs are here:

www.cisco.com/go/ips

This page has links to config guides, installation and user guides and lots more.

MaksimGura Wed, 03/19/2008 - 05:49

Hi Srinivas,


1. I've planned to implement an IPS system based on a 2821 router + AIM-IPS module. Will any trouble appear if I implement a 2821 router + AIM-IPS module + 1GB RAM + full view BGP configured on it?

2. Could you please provide me some useful links for IPS system detailed design/creation resources or links to resources of typical IPS system schemas?


Thank you. Maksim.

e-mail: [email protected]


smallu Thu, 03/20/2008 - 01:56

Hi There,


This seems like a duplicate question.


1) The IPS AIM has its own CPU and DRAM for all IPS functions, so it does not affect RAM on the router.


Not sure what you mean by BGP with "full view" but essentially BGP is a router function and would not be impacted by the presence of the IPS AIM. If you mean a full Internet BGP table then this requires a lot of memory. Your SE should be able to help you size it correctly.


2) Sure. All the relevant IPS docs are here:

www.cisco.com/go/ips

This page has links to config guides, installation and user guides and lots more.


Hope this helps!


Srinivas.

Hi Srinivas,


This is my first time with IPS.

I need to install a 2821 router with an IOS IPS (no AIM). This router, beyond the two chassis ethernet ports, has two more HWIC-1FE on it.

I've seen that IOS IPS only works in inline mode, not promiscuous. Is that right? If so, I'm not sure how many interface pairs I can create. Is there a limit to that?


Also, I'm a bit confused about signature files. Some papers say not to use attack-drop.sdf or the built-in files and to use 128.sdf or 256.sdf (depending on the amount of memory of the router). Others say to use the IOS-Sxxx-CLI.pkg file. I'm really confused! Could you please clarify this for me?


And finally, the papers say that you should not enable all the signatures at IOS IPS because router will run out of memory. If I don't know the network where I'm going to install the router, how do I know which signatures should be enabled? Is there a "rule of thumb" for that?


Thank you.

Marcelo

smallu Thu, 03/20/2008 - 17:34

Hi Marcelo,


You need two interfaces (1 interface pair). Just like how you plug in a PIX: one interface plugs into the outside device and one into the inside device. Yes, IPS works in inline mode only.


For IOS previous to IOS-IPS v5 (basic IOS-IPS) you use the *.sdf files. These are attack-drop.sdf, 128mb.sdf and 256mb.sdf, depending on the amount of RAM your router has. IOS-IPS v5 was added in the 12.4 T train.

In the latest version use the IOS-Sxxx-CLI.pkg files. They must be loaded according to the IOS-IPS v5 instructions. Do not skip a step, or it will fail.


The rule of thumb is to enable only the signatures you need. Do not enable all the signatures. The IPS should have enough memory to support your network needs. You can enable all the signatures you want to, provided you have enough memory on your device, as per the specifications described in the readme file.


Hope this helps!


Srinivas.



justuniversity Wed, 03/19/2008 - 18:12

hello

I have the following problem: many sites are blocking my IP address because they receive DoS attacks from it! I have an IPS at my gateway to the Internet, and I would like to ask about a way that I can use in order to prevent attacks in both directions, coming from the Internet or generated from my LAN.

Another question is how I could determine the source of the attacks using the IPS, knowing that the IPS is installed between my PIX and my ISP, so that it will not be able to see the source IP addresses of inside machines.

Thank you in advance

smallu Thu, 03/20/2008 - 17:39

Hi There,


You can prevent attacks traversing the IPS device, but not attacks originating in your private LAN and affecting your internal devices. In this case, you can prevent attacks coming into your internal network.


The IPS logs should tell you clearly the source IP information and the origin of the attack, the ports it's using, etc. I think I am not clear on what you mean by "so that it will not be able to see the source IP of inside machines". The IPS tracks all the source IP addresses, matches the bits to signature files to determine if it's a known attack, and performs the configured action against the packets.


Hope this helps!


Srinivas.

Kevin Xiong Fri, 03/21/2008 - 08:37

On the IPS 4270 with 16 GigE ports, can we use some of them for inline VLAN pairs, some for physical interface pairs, and some for promiscuous detection mode only?

And each of these different modes will be assigned to a different virtual sensor, total < 4. Does IPS allow providing a different CPU/MEM % for each virtual sensor?


Thanks.
