Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
880
Views
0
Helpful
4
Replies

Offline Signature Updates

pcoates84
Level 1
Level 1

‎07-06-2009 11:48 AM

Hi,

I was wondering how to perform signature updates without a direct internet connection. I understand you can point the dynamic update address to a local web server, so do we have to leverage or build an existing web server to do this, or are this a web service with say CSM that we could leverage for this?

Thanks,

Peter

Labels:
0 Helpful
4 Replies 4

pradeepde
Level 5
Level 5

‎07-13-2009 10:31 AM

If an agent can not reach its CSA MC for some reason, it will still benefit from local signature correlation but it will not benefit from globally correlated signatures until it can reach the CSA MC and polls in. The local functionality of an agent will protect the host from buffer overflow, exception handling, and denial of service attacks that use MSRPC and LPC protocols.

http://www.cisco.com/en/US/docs/security/csa/csa60/user_guide/Signatures.html#wp1013079

0 Helpful

pcoates84
Level 1
Level 1
In response to pradeepde

‎07-13-2009 10:35 AM

I'm just talking about updating the MARS signatures without having an internet connection to the MARS appliance, never mentioned CSA.

0 Helpful

dustinsuko
Level 1
Level 1
In response to pcoates84

‎08-20-2009 08:03 AM

I too have restricted MARS from the internet. I've been updating our MARS IPS signatures by downloading them to my PC where I am running a virtual HTTP file server from HFS.

http://www.rejetto.com/hfs/

It's free and very easy to use. once i have HFS running (doesnt need to be installed)I just drag the IPS signature zip file to the HFS file structure (don't forget to creat user credentials on the http file server). Then I give MARS it's needed info. Don't forget to turn off your windows firewall (if your running windows).

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to dustinsuko

‎08-22-2009 12:51 AM

As Dustin mention, you can setup any open/free web server and have your MARS box point to it.

Or you can keep a virtual machine (HTTP server) and power it when you need to upgrade.

However I would highly recommend the automatic upgrade, you can be very specific with your outbound policy as mentioned here:

http://www.cisco.com/en/US/products/ps6241/products_tech_note09186a00808f1279.shtml#P19

Regards

Farrukh

0 Helpful
Customers Also Viewed These Support Documents