cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1678
Views
5
Helpful
7
Replies

IPS Virtual Sensors

new_networker
Level 1
Level 1

hi,

1. Can I use the default virtual sensor vs0 for the incoming traffic on all the interfaces.

2. How can I allocate interfaces to the AIP-SSM module.

3. How can I allocate interafces to the IDSM module.

I am assuming that the interfaces assigned are the ones on which inline inspection is performed.

1 Accepted Solution

Accepted Solutions

The AIP-SSM does not have 'both' of these modes. This is only valid for sensors/IDSM AFAIK.

The AIP is 'internally connected' to the ASA and has only two deployment modes available instead of three, here is a brief description from CCO:

#Is the AIP-SSM module to function or be deployed in promiscuous or inline mode?

* Promiscuous mode means that a copy of the data is sent to the AIP-SSM while the ASA forwards the original data on to the destination. The AIP-SSM in promiscuous mode can be considered to be an intrusion detection system (IDS). In this mode, the trigger packet (the packet that causes the alarm) can still reach the destination. Shunning can take place and stop additional packets from reaching the destination, however the trigger packet is not stopped.

* Inline mode means that the ASA forwards the data to the AIP-SSM for inspection. If the data passes AIP-SSM inspection, the data returns to the ASA in order to continue being processed and sent to the destination. The AIP-SSM in inline mode can be considered to be an intrusion prevention system (IPS). Unlike promiscuous mode, inline mode (IPS) can actually stop the trigger packet from reaching the destination.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml

Regards

Farrukh

View solution in original post

7 Replies 7

paulhignutt
Level 1
Level 1

I'd encourage you to read the manual, as it explains these things in quite good detail.

Your first question:

You simply assign via the GUI which interfaces you want the vs0 to listen on. That is assuming you are speaking of an IPS/IDS appliance. If you are talking about an ASA module see the next question.

Also see:

http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/idm/dmAnEng.html

For your second question, you can qualify what traffic you wish to send to the AIP-SSM with and ACL and then use the modular policy framework to send that traffic to the module on a per interface basis.

See this link:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ssm.html#wp1050744

As for your third question, there are a couple of ways to do this depending on the configuration of your switch. See this link for more detail.

http://www.cisco.com/en/US/docs/security/ips/6.0/installation/guide/hwIntro.html#wp489653

I had read much of the referenced materials. However, I feel that the Cisco documentation on IPS leaves many gaps unlike other Cisco materials.

Thanks.

Did my post answer your questions? Do you have more specific questions?

My previous post has been answered.

Another question I have is whether inline mode is the same as inline interface pair mode. In the latter, is it a condition to define to dual interfaces.

There are two types of inline deployments, 'inline vlan pair' or 'inline interface pair'. The first one utilizes only one port on the sensor (which is trunked to the switch and can contain multiple VLANs). The second one is a 'combination' of two physical interfaces allowing the sensing to bride traffic as it passes through these two interfaces.

Regards

Farrukh

Would the following configuration on AIP-SSM be called inline interface pair.

AIP-SSM

-> virtual-sensor vs0

-> physical-interface GigabitEthernet0/1

ASA

-> service-policy interface_policy interface DMZ

Rgds.

The AIP-SSM does not have 'both' of these modes. This is only valid for sensors/IDSM AFAIK.

The AIP is 'internally connected' to the ASA and has only two deployment modes available instead of three, here is a brief description from CCO:

#Is the AIP-SSM module to function or be deployed in promiscuous or inline mode?

* Promiscuous mode means that a copy of the data is sent to the AIP-SSM while the ASA forwards the original data on to the destination. The AIP-SSM in promiscuous mode can be considered to be an intrusion detection system (IDS). In this mode, the trigger packet (the packet that causes the alarm) can still reach the destination. Shunning can take place and stop additional packets from reaching the destination, however the trigger packet is not stopped.

* Inline mode means that the ASA forwards the data to the AIP-SSM for inspection. If the data passes AIP-SSM inspection, the data returns to the ASA in order to continue being processed and sent to the destination. The AIP-SSM in inline mode can be considered to be an intrusion prevention system (IPS). Unlike promiscuous mode, inline mode (IPS) can actually stop the trigger packet from reaching the destination.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml

Regards

Farrukh

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: