IPS Virtual Sensors

Answered Question
Aug 28th, 2008

hi,

1. Can I use the default virtual sensor vs0 for the incoming traffic on all the interfaces?

2. How can I allocate interfaces to the AIP-SSM module?

3. How can I allocate interfaces to the IDSM module?

I am assuming that the interfaces assigned are the ones on which inline inspection is performed.

paulhignutt Fri, 08/29/2008 - 08:43

I'd encourage you to read the manual, as it explains these things in quite good detail.

Your first question:

You simply assign via the GUI which interfaces you want the vs0 to listen on. That is assuming you are speaking of an IPS/IDS appliance. If you are talking about an ASA module see the next question.

Also see:

http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/idm/dmAnEng.html

For your second question, you can qualify what traffic you wish to send to the AIP-SSM with an ACL and then use the modular policy framework to send that traffic to the module on a per-interface basis.

See this link:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ssm.html#wp1050744

As for your third question, there are a couple of ways to do this depending on the configuration of your switch. See this link for more detail.

http://www.cisco.com/en/US/docs/security/ips/6.0/installation/guide/hwIntro.html#wp489653

new_networker Fri, 08/29/2008 - 09:06

I had read much of the referenced materials. However, I feel that the Cisco documentation on IPS leaves many gaps unlike other Cisco materials.

Thanks.

paulhignutt Fri, 08/29/2008 - 09:44

Did my post answer your questions? Do you have more specific questions?

new_networker Fri, 08/29/2008 - 11:56

My previous post has been answered.

Another question I have is whether inline mode is the same as inline interface pair mode. In the latter, is it a condition to define two interfaces?

Farrukh Haroon Fri, 08/29/2008 - 12:01

There are two types of inline deployments, 'inline vlan pair' or 'inline interface pair'. The first one utilizes only one port on the sensor (which is trunked to the switch and can contain multiple VLANs). The second one is a 'combination' of two physical interfaces, allowing the sensor to bridge traffic as it passes through these two interfaces.

Regards

Farrukh

new_networker Fri, 08/29/2008 - 12:09

Would the following configuration on AIP-SSM be called inline interface pair?

AIP-SSM

-> virtual-sensor vs0

-> physical-interface GigabitEthernet0/1

ASA

-> service-policy interface_policy interface DMZ

Rgds.

Correct Answer
Farrukh Haroon Fri, 08/29/2008 - 12:34

The AIP-SSM does not have 'both' of these modes. This is only valid for sensors/IDSM AFAIK.

The AIP is 'internally connected' to the ASA and has only two deployment modes available instead of three; here is a brief description from CCO:

#Is the AIP-SSM module to function or be deployed in promiscuous or inline mode?

* Promiscuous mode means that a copy of the data is sent to the AIP-SSM while the ASA forwards the original data on to the destination. The AIP-SSM in promiscuous mode can be considered to be an intrusion detection system (IDS). In this mode, the trigger packet (the packet that causes the alarm) can still reach the destination. Shunning can take place and stop additional packets from reaching the destination, however the trigger packet is not stopped.

* Inline mode means that the ASA forwards the data to the AIP-SSM for inspection. If the data passes AIP-SSM inspection, the data returns to the ASA in order to continue being processed and sent to the destination. The AIP-SSM in inline mode can be considered to be an intrusion prevention system (IPS). Unlike promiscuous mode, inline mode (IPS) can actually stop the trigger packet from reaching the destination.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml

Regards

Farrukh
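As an added illustration (not posted by anyone in this thread), here is how the pieces discussed above fit together on the ASA side: the ACL and modular policy framework steps from paulhignutt's reply, the per-interface service-policy from new_networker's post, and the inline versus promiscuous choice Farrukh describes. It assumes an ASA 8.0 with an AIP-SSM running IPS 6.x (so the `sensor` keyword for virtual sensors is available); the ACL name, class-map name and subnet are made-up values, while `interface_policy`, `DMZ` and `vs0` are taken from the thread.

```text
! Added example, not from the original thread. Names other than
! interface_policy, DMZ and vs0 are assumed; the subnet is constructed.
!
! 1. Qualify the traffic that should be handed to the AIP-SSM with an ACL.
access-list IPS_TRAFFIC extended permit ip any 10.1.1.0 255.255.255.0
!
! 2. Match that ACL in a class-map (modular policy framework).
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! 3. Send the class to the module. Inline: the ASA holds each packet until
!    the module returns it, so the trigger packet itself can be dropped (IPS).
!    fail-open: if the module is down, matching traffic passes uninspected.
!    fail-close: matching traffic is dropped while the module is down.
!    "sensor vs0" ties this class to the default virtual sensor.
policy-map interface_policy
 class IPS_CLASS
  ips inline fail-open sensor vs0
!
! Promiscuous alternative: the ASA forwards the original packet and sends
! a copy to the module, so the trigger packet still reaches its target (IDS).
!   ips promiscuous fail-open sensor vs0
!
! 4. Apply the policy per interface; this is the line in new_networker's post.
service-policy interface_policy interface DMZ
```

Only traffic that matches IPS_TRAFFIC on the DMZ interface is sent to the module; everything else on that interface, and all traffic on other interfaces, bypasses inspection unless another class or service-policy covers it.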
