IPS 4240 virtual sensor asymmetric mode

Unanswered Question
Mar 17th, 2010
User Badges:

Hello,


One of our customers have a 4240 IPS on which there is one inline pair and 2 promiscuous interfaces.

The inline pair is used between an internet router and a switch on which is connected a pair of ASAs.

The problem happens when we connect the inline pair, sudeenly and after a random period of time ranging from 2 to 4 hours, and although the upload trafic on the internet router is limited by the ISP to 500 Kbps, we see bursts of 6 Mbps and disconnection for the internet link


I have tried to set the virtual sensor inline-TCP-evasion-protection-mode to asymmetric instead of the default set to strict, I think this has solved the problem untill now( first day of monitoring) but I need to know how it resolved it??????

What does the asymmetric mode exactly do? ( Please provide additional information than the original documentation whihc is not very informative)

And how could it solve the problem in my case?

btw I'm using multiple virtual sensors for each of the inline pair and the rest of the two promiscuous interfaces


Regards

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jennifer Halim Wed, 03/17/2010 - 21:39
User Badges:
  • Cisco Employee,

When you set the "inline-TCP-evasion-protection-mode" to asymmetric, it does not enforce a receipt of the TCP ACK before analysing/inspecting and transmitting the TCP traffic.


When the mode is set to strict, the engine buffers the connection and waits for the ACK packet before starting to analyse/inspect and transmit the TCP traffic.


Hope that helps.

k.abillama Thu, 03/18/2010 - 00:07
User Badges:

Hi,


Thx a lot for the info! Is there a drawback to keep it in asymmetric mode in my scenario( internet facing IPS) What do I lose exactly?


Thx

Jennifer Halim Thu, 03/18/2010 - 01:21
User Badges:
  • Cisco Employee,

Unfortunately there is always trade-off between security vs performance.

By turning the inline-TCP-evasion-protection-mode to asymmetric, it is essentially turning off the TCP normalizer engine which leaves the network vulnerable to evasion techniques (specific to TCP protocol), ie: the 1300 range signatures.

k.abillama Thu, 03/18/2010 - 04:57
User Badges:

Ok! thx

Do you know how in my case we had this burst of upload trafic and disconnection when the mode was set to strict, the customer need some explanantions

Jennifer Halim Thu, 03/18/2010 - 05:01
User Badges:
  • Cisco Employee,

There are possibilities that those TCP traffic does not comply to normal TCP standard, and it is being picked up by the normalizer engine, and they are either being dropped, OR/ due to the nature of "strict" mode, it waited for the ACK before it performs the inspection hence the burst of traffic.

Actions

This Discussion