Help with first time IPS configuration

Unanswered Question

I just installed an AIP-SSM module in our ASA 5520 firewall (protecting a school district). I successfully configured it to scan all traffic sent both directions with the following config:


access-list IPS extended permit ip any any
!
! Everything matching the ACL (here: all through-traffic, both directions)
! is handed to the AIP-SSM.
class-map ips-class
 match access-list IPS
!
policy-map ips-policy
 class ips-class
  ips inline fail-open
!
! Detaching global_policy also stops the default protocol inspections
! (class inspection_default: dns, ftp, esmtp, ...) that it carries.
no service-policy global_policy global
service-policy ips-policy global

I also configured it to Deny Attacker Inline when RR=75-100. Figured that was a simple configuration to get things started. However, we noticed that some websites were running very slowly after I implemented these settings. What is causing this?


I guess the other option would be to reconfigure to only scan incoming traffic initiated from the outside to help protect the district from incoming attacks. But I thought it would be more responsible of me to configure it to scan both ways to protect external hosts from an attack that a student could initiate from a school computer. Is this really necessary or am I creating headaches for myself?

a.kiprawih Fri, 12/08/2006 - 18:10

It might not necessarily be because of bidirectional scanning.


Try to activate inbound traffic inspection first, and see the results (performance, ability to detect signatures and user response). If the web response (browsing) improves, then you can start looking at the outbound inspection. If nothing changes, then you can start reviewing the IPS inspection config again.


Anyway, the tip is: do one thing at a time before enabling other features.


HTH

AK

Thanks for your response. I found DocID 71204 and based on that I modified the IPS config as follows:


! "interface outside" as the source address means the outside interface's
! own IP address, not "any host beyond the outside interface".
access-list IPS extended permit ip interface outside any
!
class-map ips-class
 match access-list IPS
!
policy-map ips-policy
 class ips-class
  ips inline fail-open
!
! Put the default global policy back, and apply the IPS policy on the
! outside interface only.
service-policy global_policy global
service-policy ips-policy interface outside


But now the IPS doesn't appear to be doing anything, so I must have done something wrong. I modified signatures 2000 and 2004 with an RR=100 so that any incoming pings should be seen as a high-level attack and the incoming IP denied. If I go back to the original config this test works, but not with this config (which according to the Cisco doc should send any incoming traffic initiated from outside to the IPS).

r.spiandorello Wed, 06/27/2007 - 02:41
Hi, I think it could be better to add the ips-class into the global_policy, to obtain the inspection action and the ips action, like this:


! Assumes class-map ips-class (with its ACL) from the earlier posts exists.
policy-map global_policy
 class ips-class
  ips inline fail-open
!
service-policy global_policy global

bye
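The configuration the thread converges on, written out in full as an added example (this is not any poster's own config, and the ACL name, class name and interface name are carried over from the posts above as assumptions). It keeps the ASA's default global policy, so the protocol inspections in class inspection_default stay active, and adds the IPS class to it instead of replacing it:

```cisco
! Added example, not from the original thread.
!
! Which through-traffic goes to the AIP-SSM (all of it, both directions;
! narrow this ACL to scope inspection).
access-list IPS extended permit ip any any
!
class-map ips-class
 match access-list IPS
!
! Extend the existing default policy rather than detaching it: the
! inspection_default class and its inspect commands are left untouched.
policy-map global_policy
 class ips-class
  ips inline fail-open
!
! fail-open keeps traffic flowing if the module goes down; fail-close
! drops it instead. "promiscuous" sends the module a copy of the traffic
! rather than placing it in the forwarding path, which avoids any
! added latency but cannot block packets inline.
service-policy global_policy global
```

After applying it, `show service-policy` shows the packet counters for the ips-class alongside the inspection classes, so a test connection should increment the IPS input/output counters; if they stay at zero, the ACL is not matching the traffic you expect.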
