Ask the Expert: Intrusion Prevention Systems (IPS)

ciscomoderator
Community Manager

With Madhu Kodali

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to discuss configuration and troubleshooting IDS/IPS sensors with Cisco expert Madhu Kodali.

Madhu is a senior QA engineer on the Intrusion Prevention Systems development team in Austin, Texas, which supports the quality assurance of Cisco's intrusion detection and prevention solutions. He has been with Cisco for 10 years. His expertise lies in intrusion detection and prevention and the associated range of Cisco management products including Cisco IPS Manager Express and Cisco Adaptive Security Device Manager. Kodali holds a master's degree in computer science from the University of Texas at Dallas and currently holds CCSP and CISSP certification.

Remember to use the rating system to let Madhu know if you have received an adequate response. 

Madhu might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through June 1, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

28 Replies

alkabeer80
Level 1

Hi Madhu,

I have an IPS 4270; my questions are:

1) Can I add the IPS to Cisco ACS, so that I can log in to the IPS through ACS credentials?

2) Can I delete the default user (cisco)?

3) My IPS is in promiscuous mode. I want to add a blocking device which is using SSH v2; is it supported by the IPS?

4) Recently I have seen a huge number of signature updates (approx. 1 per week), so I want to automate the signature update. Can the IPS run behind a proxy?

Hi

We have one Cisco 2950 switch with 12.1(11) IOS. We have been getting a switch hang-up issue for the last few days, so what should we do?

Regards,

Jay kachhia

Hi Jay,

This discussion thread is limited to Intrusion Prevention Systems (IPS) related questions. It looks like Network Infrastructure (LAN Switching and Routing) would be the right community for you to post your question in. As a friendly tip, please include relevant details when posting your question to that forum.

Thanks

Madhu

Hi Alkabeer,

The responses are inline:

1) Can I add the IPS to Cisco ACS, so that I can log in to the IPS through ACS credentials?

- Yes, you can do that starting with IPS versions 7.0(4)E4 and 7.1(4)E4. For more information you can refer to the URL http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/idm/idm_setup.html

2) Can I delete the default user (cisco)?

- No, the default account cisco cannot be deleted. You can disable it using the no password cisco command, but you cannot remove it. To use the no password cisco command, there must be another administrator account on the sensor. Removing the cisco account through the service account is not supported. If you remove the cisco account through the service account, the sensor most likely will not boot up, so to recover the sensor you must reinstall the sensor system image. More details are at http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/idm/idm_logging_in.html#wp1249663

3) My IPS is in promiscuous mode. I want to add a blocking device which is using SSH v2; is it supported by the IPS?

- The sensor does not support SSH v2; however, we do support the 3DES option for a more secure connection under the network-access service, as shown below:

qssp-8083(config-net-fir)# communication ?
ssh-3des     Establish SSH session using 3DES encryption.
telnet       Establish Telnet session.

4) Recently I have seen a huge number of signature updates (approx. 1 per week), so I want to automate the signature update. Can the IPS run behind a proxy?

- The sensor cannot be configured with a proxy server, but if you are using CSM to manage the server then you can configure a proxy on the CSM for both CCO downloads and a local FTP server. If you are not using CSM then maybe you can tweak the destination server to use some kind of port forwarding. On a side note, if you are using the auto-update feature of the sensor then you won't need to automate this process.

Hope this helps, and thanks for your patience.

Madhu

siddhartham
Level 4

Hi Madhu,

I have a question about the ASA-SSM-20 module. We configure our IPS modules to receive automatic sig updates from Cisco.

It started dropping packets (legitimate traffic) when it received the last sig update because of a rule which was tagged with high severity by Cisco. We had to disable the rule to resolve the issue.

It looks like if a rule is tagged with high severity it will drop the packets by default unless we manually decrease the severity. Is that true?

If the above statement is true, what is the best practice to manage the sig updates? Is it possible to make the high severity rule just send alerts without decreasing its severity?

Siddhartha

Hi Siddhartam,

First I would like to clarify the terminology that we are using here. When you say "rule" I assume you are referring to a "signature" in the IPS. By "drop" we would mean any deny-packet or deny-connection of the traffic packets.

Dropping a packet can result from a combination of factors like an event-action of deny on the signature, an override of deny-packet-inline/deny-connection-inline actions, a deny due to global correlation reputation updates, etc. When the event-action of a signature is deny-packet or deny-connection, the packets will be dropped on the trigger of that signature, unless you have a filter to stop the drops. A drop can also occur due to event-action overrides that add deny actions when the risk rating of the alert exceeds a particular threshold. When the risk rating of the alert exceeds a value of 90, a deny-packet-inline will be added because of the default deny-packet-inline override configured on the sensor, as shown below:

qsaleen-85# conf t
qsaleen-85(config)# service event-action-rules rules0
qsaleen-85(config-eve)# show settings
   overrides (min: 0, max: 15, current: 1)
   -----------------------------------------------
      action-to-add: deny-packet-inline
      -----------------------------------------------
         override-item-status: Enabled
         risk-rating-range: 90-100

Having said the above, the risk rating is calculated based on aspects like signature severity, signature fidelity, target value rating, etc. More details on this can be found here: http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/idm/idm_event_action_rules.html#wp2125446 . In essence, severity does play an important role in the final risk evaluation and can cause the drop of packets, but it is not the only contributing factor.

To address your concern, I would not suggest disabling the rule unless you are completely convinced that the alert is a false positive. In your case it looks like the signature is getting triggered when it should not have. To begin with, you should approach Cisco TAC to raise a bug for this problem. Then you can follow up with reducing the severity of the signature. A couple of trial tunings will help you set the severity to bring the risk rating down below the threshold at which the deny-packet-inline override will be added.

For any future sig updates, a better practice to prevent legitimate traffic from being dropped is one of the following options:

- Keep the signature alerting but reduce the severity.

- Reduce the risk rating range for the deny-packet-inline override to a narrower range.

- Alternatively, you can add a filter under the event-action-rules service to filter the "drop action" for that particular signature.

You can disable the signature after it is confirmed that you really have a false positive case.

Hope this helps.

Madhu
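To make the three tuning options above concrete, here is an added Python model of how a signature hit becomes a drop decision on the sensor. It is example code written for this thread, not Cisco's code and not anything Madhu posted. It assumes the risk-rating formula from the Cisco IPS 7.x event action rules guide as I read it, RR = (ASR x TVR x SFR) / 10000 + ARR - PD + WLR capped at 100; the severity and target-value weights, the signature IDs 12345 and 99999, the fidelity value 95 and the policy objects are all constructed for the example and should be checked against your own sensor's documentation before relying on them.

```python
"""Model of a Cisco IPS drop decision: risk rating -> overrides -> filters.

Added example, not code from the page or from Cisco.  Formula and weights are
my reading of the IPS 7.x event action rules guide (assumption, verify locally):
    RR = (ASR * TVR * SFR) / 10000 + ARR - PD + WLR, capped to 0..100
ASR = attack severity rating, TVR = target value rating, SFR = signature
fidelity rating, ARR = attack relevance rating, PD = promiscuous delta,
WLR = watch list rating.
"""
from dataclasses import dataclass, field

# Weights assumed from the Cisco guide's tables (assumption, not from the page).
SEVERITY = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TARGET_VALUE = {"zero": 50, "low": 75, "medium": 100, "high": 150,
                "mission-critical": 200}


def risk_rating(severity, fidelity, target_value="medium",
                relevance=0, promiscuous_delta=0, watch_list=0):
    """Risk rating of one alert, clamped to the 0..100 range the sensor reports."""
    base = SEVERITY[severity] * TARGET_VALUE[target_value] * fidelity / 10000
    rr = base + relevance - promiscuous_delta + watch_list
    return int(round(min(100, max(0, rr))))


@dataclass
class Override:
    """An event-action override: add `action` when RR falls in [rr_min, rr_max]."""
    action: str
    rr_min: int
    rr_max: int
    enabled: bool = True


@dataclass
class Filter:
    """An event-action filter: subtract the listed actions for one signature id."""
    sig_id: int
    actions_to_subtract: set


@dataclass
class SensorPolicy:
    overrides: list = field(default_factory=list)
    filters: list = field(default_factory=list)


# Sensor default shown in the thread: deny-packet-inline added for RR 90-100.
DEFAULT_POLICY = SensorPolicy(overrides=[Override("deny-packet-inline", 90, 100)])


def resolve_actions(sig_id, sig_actions, rr, policy):
    """Apply overrides (additive) and then filters (subtractive) to a signature's actions."""
    actions = set(sig_actions)
    for o in policy.overrides:
        if o.enabled and o.rr_min <= rr <= o.rr_max:
            actions.add(o.action)
    for f in policy.filters:
        if f.sig_id == sig_id:
            actions -= f.actions_to_subtract
    return actions


def evaluate(sig_id, severity, fidelity, target_value="medium",
             policy=DEFAULT_POLICY, sig_actions=("produce-alert",)):
    """Return (risk rating, final action set) for one alert."""
    rr = risk_rating(severity, fidelity, target_value)
    return rr, resolve_actions(sig_id, sig_actions, rr, policy)


if __name__ == "__main__":
    # Constructed scenario: a new high-severity signature 12345 with fidelity 95.
    print("default      ", evaluate(12345, "high", 95))
    # Option 1: keep alerting, lower the severity to medium.
    print("lower severity", evaluate(12345, "medium", 95))
    # Option 2: narrow the override range so RR 95 no longer qualifies.
    narrowed = SensorPolicy(overrides=[Override("deny-packet-inline", 96, 100)])
    print("narrowed range", evaluate(12345, "high", 95, policy=narrowed))
    # Option 3: filter the deny action for this signature only.
    filtered = SensorPolicy(
        overrides=[Override("deny-packet-inline", 90, 100)],
        filters=[Filter(12345, {"deny-packet-inline"})])
    print("filtered sig  ", evaluate(12345, "high", 95, policy=filtered))
    print("other sig     ", evaluate(99999, "high", 95, policy=filtered))
```

Running it shows why "a couple of trial tunings" may be needed: with a medium target value and fidelity 95, high severity lands exactly on RR 95 and gets the deny added, while medium severity drops it to 71 and alert-only. Narrowing the override range or adding a per-signature filter both leave the severity untouched, and the filter is the only option that leaves every other signature's drop behaviour unchanged.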

Thanks for the explanation, that helps.

Siddhartha

john.wright
Level 3

Hi Madhu,

I am new to ASA config and support, and I noticed some time ago that our 5520 has an ASA-SSM-20 in slot 1:

Name: "slot 1", DESCR: "ASA 5500 Series Security Services Module-20"
PID: ASA-SSM-20        , VID: V01 , SN: JAF10431785

but it is not in use.

I suppose it would be good to actually make use of this IPS, but I have no idea how to place it inline or what usefulness it really has for us. And apparently none of my predecessors had any use or interest in it.

If we did use it, would it significantly slow processing, and could it be activated without a reload?

Where do we even begin?

Hi John,

The AIP SSM does not have an external interface to receive the traffic, other than the management interface for connecting externally. This module runs the IPS software, which provides advanced protection capabilities against worms, viruses and other threats. In inline mode the traffic can be denied proactively. You can start by first placing the module in promiscuous mode and then switch to inline once you are comfortable with its operation. It should not have a significant impact on performance. The module can be activated without reloading the ASA. Below are some more details that will help you get started.

On the ASA, any traffic that enters the appliance is subjected to the firewall policy that is configured. This traffic is then sent to the AIP SSM over the backplane. Based on the security policy that is configured on the SSM, appropriate actions are taken. Valid traffic is sent back to the ASA over the backplane, and the SSM may block some traffic according to the policies. Different actions are taken by the ASA based on the feedback from the SSM. Traffic then exits the appliance.

Setting up the SSM for the first time is described at the URL http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_initializing.html#wp1233606 and is reproduced here for convenience:

Step 1 Session in to the AIP SSM using an account with administrator privileges:

asa# session 1

Step 2 Enter the setup command. The System Configuration Dialog is displayed.

Step 3 Specify the hostname. The hostname is a case-sensitive character string up to 64 characters. Numbers, "_" and "-" are valid, but spaces are not acceptable. The default is sensor.

Step 4 Specify the IP interface. The IP interface is in the form of IP Address/Netmask,Gateway: X.X.X.X/nn,Y.Y.Y.Y, where X.X.X.X specifies the sensor IP address as a 32-bit address written as 4 octets separated by periods, nn specifies the number of bits in the netmask, and Y.Y.Y.Y specifies the default gateway as a 32-bit address written as 4 octets separated by periods.

Step 5 Enter yes to modify the network access list.

a. If you want to delete an entry, enter the number of the entry and press Enter, or press Enter to get to the Permit line.

b. Enter the IP address and netmask of the network you want to add to the access list.

For example, 10.0.0.0/8 permits all IP addresses on the 10.0.0.0 network (10.0.0.0-10.255.255.255) and 10.1.1.0/24 permits only the IP addresses on the 10.1.1.0 subnet (10.1.1.0-10.1.1.255). If you want to permit access to a single IP address rather than the entire network, use a 32-bit netmask. For example, 10.1.1.1/32 permits just the 10.1.1.1 address.

c. Repeat Step b until you have added all networks that you want to add to the access list, and then press Enter at a blank permit line to go to the next step.

Step 7 You must configure a DNS server or an HTTP proxy server for global correlation to operate.

a. Enter yes to add a DNS server, and then enter the DNS server IP address.

b. Enter yes to add an HTTP proxy server, and then enter the HTTP proxy server IP address and port number.

Finally, on the sensor include the backplane physical interface and the virtual sensor vs0 in the "service analysis-engine".

The ASA setup is described at this URL: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ssm.html

There are different combinations of SSM and ASA modes possible, which are detailed in the above URL.

Thanks

Madhu

aryarahul
Level 1

Hi Madhu,

I have an architecture containing an ASA 5540 and an ASA 5520 IPS.

The firewall ASA has a DMZ, an inside zone, an outside MPLS zone and an outside internet zone. With respect to this, where should I put my IPS in this architecture?

Hi Rahul,

There are different aspects to your question. Your options are a standalone IPS vs. an integrated IPS module (within the ASA). If you are planning to have a standalone IPS appliance, then here are some guidelines and implications:

The most common place for an IPS is at the internet border and the DMZ. Placing the IPS outside the firewall will give an early indication of scanning but has the risk of more false positives. The source/destination addresses could be NATed, causing more research to determine which organization is being attacked. The other con of this is that you cannot see the traffic that goes from inside to the DMZ.

Placing it inside the firewall minimizes the false positives, and IPS events will include real, non-NATed IPs. You can differentiate the traffic to/from the DMZ and internal segments. The traffic coming out of the firewall will already be normalized and inspected to some extent. The con of this is that you will need two IPS appliances. In either case the sizing of the IPS for the required bandwidth is an important consideration.

The other option is to go for the integrated IPS module that can be placed inside the ASA 5540 and 5520. Once you install the module, the ASA can be configured with different policies for the inspection needs. The con of having an integrated module can be the bandwidth limitation on the ASA.

Here is the link to give you an idea about the bandwidth capabilities of the SSM-20 and SSM-40 modules:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/ps6825/product_data_sheet0900aecd80404916_ps4077_Products_Data_Sheet.html

Please let me know if you need specific details.

Thanks

Madhu

Thanks for the reply Madhu,

I have a Cisco ASA 5520 with an AIP SSM-10, and a separate ASA 5540.

Currently the outside interface of my ASA 5540 is connected to the internet router. Should I connect the outside of the ASA 5540 to the ASA 5520 and then the internet router to the ASA 5520?

What else can be the best position for it?

Moreover, you said that 2 IPS are required if they were to be put in the inside zone; in that case where will these 2 be positioned?

Hi Rahul,

You will need to protect both the internal zone and the DMZ zone. With that in view I was suggesting two IPS appliances: one after the firewall in the DMZ zone and the other appliance after the firewall in the INSIDE zone (192.168.x.x).

Since you have two ASAs (one with an integrated IPS), you may be better off using just one ASA. It depends on the load that is expected across the ASA. If you expect a higher load then you can use the ASA 5540. In this case you can procure one SSM-40 to insert in the ASA 5540. If the ASA 5520 can meet the traffic load, then please use it with the integrated SSM-10 module. In either case, configure appropriate policies on the SSM module for protecting the zones. This way you save one ASA to be used at some other place in the network.

Here is the link to the data sheet for the load handling capabilities of different ASA models:

http://www.cisco.com/en/US/products/ps6120/prod_models_home.html#~tab-b

Hope this helps.

Madhu

Thanks a lot Madhu, you have been a great help...

I wondered, what if I only use the ASA 5540 without the IPS? How exactly does the IPS differ from the normal ASA firewalls? Is the internal software of the ASA without the IPS not sufficient for protection?
