
Ask the Expert: Cisco Intrusion Prevention System (IPS)

Jan 2nd, 2013

With Robert Albach

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions from Cisco expert Robert Albach about the Cisco Intrusion Prevention System (IPS). The Cisco Intrusion Prevention System is a context-aware threat prevention system for your networked environments. A critical part of the SecureX architecture, the module unobtrusively detects and prevents problematic traffic from reaching its target; uses contextual inputs to determine the proper level of response; and tightly integrates with the ASA firewall for greater network security.

Robert Albach is a product manager in the Security Business Unit at Cisco, responsible for intrusion prevention offerings. Before joining Cisco in 2010 he held product management positions for intrusion prevention offerings at Hewlett-Packard/TippingPoint. He has more than 15 years of experience with systems management and security product offerings and has presented at the RSA trade show and other security venues.

Remember to use the rating system to let Robert know if you have received an adequate response.

Robert might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through January 18, 2013. Visit this forum often to view responses to your questions and the questions of other community members.

john.ventura73 Thu, 01/10/2013 - 12:25

Hello Robert,

I wonder how I can block a UNIX root user using IPS signatures? Is there a way to do that?

Thank you

- John

ralbach Thu, 01/10/2013 - 14:21

Hi John,

An IPS can certainly stop exploits that cross the network to the Unix device. There are numerous attacks attributable to Unix variants such as Linux, Solaris, and generic Unix which the Cisco IPS can detect and prevent. Depending on how loose the system configurations are on the target Unix system, the applications that might run on those Unix systems could be vulnerable as well. Gaining access to the applications is a common first step to moving deeper towards the coveted "root" status.

If a user already has account access to the box then the effectiveness of the IPS will be limited. The IPS's benefit is primarily to stop remote attacks.

If I may make a recommendation: start by focusing on the applications running on the box. Those are typically the largest attack surface to address, and they also host what the attacker wants: data. After you harden those, or at the least provide signature protection for them, then turn your attention to the lower-level systems such as the OS. Naturally you should cover both layers, but if you must prioritize then start with the applications.

Thanks for the question!

-Robert

chucktranhpb Sat, 01/12/2013 - 08:57

Hello Robert,

I have a NME-IPS-K9 module in inline mode installed in a 2811 router that experiences significant spikes in CPU utilization when I begin to forward traffic to the IPS module. In an attempt to rule out any misconfiguration of the IPS module, I set Bypass Mode to On before directing traffic to the IPS but the router CPU still jumps.

Is this normal behaviour? Does the 2811 router process switch or CEF switch the traffic sent to the IPS module?

Thank you,

Chuck

ralbach Tue, 01/15/2013 - 14:16

Hi Chuck,

First my apologies for the late reply.

So your suspicion is correct in that CEF is not helping out for pushing things through to IPS. The CPU gets involved forwarding traffic to the IPS, which, depending on the quantity, could cause notable CPU usage. Hopefully it is not impacting your management activity for that system. You may look to tune the traffic being forwarded to ensure only that which truly needs to be inspected is hitting the IPS module.

Thanks,

-Robert

hasanmrana Mon, 01/14/2013 - 00:45

Hi Robert,

Is it possible to archive logs from the ASA-IPS module? We can see the real-time events but not the historical log. I would appreciate it if you could let me know the program or procedure to see the historical log from the ASA-IPS module.

Regards,

Hasan Rana

ralbach Tue, 01/15/2013 - 14:05

Hi Hasan,

My apologies as I am uncertain as to whether you are asking about security events or system events.

I am going to work from the assumption that it is security events. Using IME as the tool of reference there are a set of time range settings for the security events in Event Monitoring which allow you to search for date ranges for either Real Time, Last N Minutes or Hours, or use a Start / End Time range.

There are also configurations for Event Store access that you can set to constrain the views for whatever reason.

Let me know if my answer is on-track or not.

Thanks,

-Robert

Posted January 2, 2013 at 2:46 PM