How to configure ASA IPS that is connected to the Internet

Answered Question

Hello Guys,

I am a beginner in the ASA IPS concept and my company owns a 5520 ASA.

Currently the ASA is connected to the ISP-connected router and is serving as a firewall to control internet traffic, and it is integrated with Websense for URL filtering.

Can you please let me know what we should expect to configure in the IPS in this scenario, and what the function of the IPS is?

What is the main function of the IPS?

Grateful for your posts.

Regards,

KA.

Correct Answer by Scott Fringer (Cisco Employee), Tue, 06/08/2010 - 03:29

KA;

The main function of the AIP-SSM in your ASA-5520 is to perform packet inspection and signature matching to detect potential exploit traffic within your network. If such traffic is detected, the AIP-SSM can deny that traffic from traversing your ASA. Here is a link to a brief overview of the product:

http://www.cisco.com/go/aipssm

First you need to configure the ASA to divert traffic to the AIP-SSM for inspection; this is outlined here:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_ssm.html

You will then want to ensure the backplane interface (GigabitEthernet0/1) is added to a virtual sensor on the AIP-SSM to allow inspection to occur.

You will want to ensure the signature definitions on the AIP-SSM are up to date. This ensures the most accurate protection from the AIP-SSM perspective. This will require an active license to be installed on the AIP-SSM.

Next, you will most likely want to monitor the events generated by the AIP-SSM. For that, Cisco offers a free, entry-level solution called IPS Manager Express (IME). You can find out more, and download IME, here:

http://www.cisco.com/go/ime

You will want to monitor IME to learn of potential security risks within the network traffic traversing your infrastructure. When you encounter signature events for which you wish to gain more insight, you can visit Cisco's IntelliShield site for further investigation:

http://www.cisco.com/security

The details found here can also be expanded within the IME event display.

Use of an IPS will be a continual monitor-and-learn phase to ensure you are aware of expected and unexpected traffic, and that an appropriate response can be applied. This is something that is different in each and every environment, so there is not a simple white paper on how to perform these actions.

Scott

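The two configuration steps Scott describes (diverting traffic from the ASA to the module, then binding the backplane interface to a virtual sensor) look like the following on the CLI. This is an added example, not configuration from the thread or from Cisco's documentation; the ACL and class-map names, the module living in slot 1, and the default virtual sensor being named vs0 are assumptions, and the ACL is deliberately broad so you can narrow it to the networks you actually want inspected.

```cisco
! ---- On the ASA-5520 (constructed example; IPS_TRAFFIC / IPS_CLASS are assumed names) ----
! Select the traffic to hand to the module. "any any" inspects everything;
! a narrower ACL (only the inside subnets, for instance) reduces sensor load.
access-list IPS_TRAFFIC extended permit ip any any

class-map IPS_CLASS
 match access-list IPS_TRAFFIC

! Attach the class to the global policy and divert matching flows to the AIP-SSM.
!   inline      = module sits in the forwarding path and can drop traffic (prevention)
!   promiscuous = module receives a copy only; it can alert but cannot drop (detection)
!   fail-open   = if the module is down, traffic keeps flowing uninspected
!   fail-close  = if the module is down, matching traffic is dropped
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open

service-policy global_policy global

! Verify the module is up and that flows are actually being diverted
show module 1 details
show service-policy ips

! ---- On the AIP-SSM (reached with "session 1" from the ASA) ----
! Bind the backplane interface to the default virtual sensor so inspection occurs.
configure terminal
service analysis-engine
 virtual-sensor vs0
  physical-interface GigabitEthernet0/1
  exit
 exit
exit

! Confirm signature version and license, then that the sensor is seeing traffic
show version
show statistics virtual-sensor
show events alert past 01:00:00
```

Which mode you pick decides the failure behaviour, not just the detection behaviour: `inline fail-open` keeps the Internet link up if the module reboots during a signature update, at the cost of uninspected traffic during that window, while `fail-close` does the opposite. A common way to work through the "monitor and learn" phase Scott mentions is to run inline with signature actions left at alert-only at first, review the events in IME, and enable deny actions only for signatures you have confirmed are not firing on legitimate traffic.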
Scott Fringer Tue, 06/08/2010 - 12:52
User Badges:
  • Cisco Employee,

Yes, you will certainly find there are many questions that will arise as you become more familiar with the functionality of the AIP-SSM.


Don't hesitate to come back with further questions you may have and we in the community will work to answer them.


Scott
