483 Views | 0 Helpful | 4 Replies

Help with first time IPS configuration

vbutler, Level 1

I just installed an AIP-SSM module in our ASA 5520 firewall (protecting a school district). I successfully configured it to scan all traffic sent both directions with the following config:

access-list IPS extended permit ip any any
class-map ips-class
 match access-list IPS
policy-map ips-policy
 class ips-class
  ips inline fail-open
no service-policy global_policy global
service-policy ips-policy global

I also configured it to Deny Attacker Inline when RR=75-100. Figured that was a simple configuration to get things started. However, we noticed that some websites were running very slowly after I implemented these settings. What is causing this?

I guess the other option would be to reconfigure to only scan incoming traffic initiated from the outside to help protect the district from incoming attacks. But I thought it would be more responsible of me to configure it to scan both ways to protect external hosts from an attack that a student could initiate from a school computer. Is this really necessary or am I creating headaches for myself?

4 Replies

a.kiprawih, Level 7

It might not necessarily be because of bidirectional scanning.

Try to activate inbound traffic inspection first, and see the results (performance, ability to detect violations matching signatures, and user response). If the web response (browsing) improved, then you can start looking at the outbound inspection. If nothing has changed, then you can start reviewing the IPS inspection config again.

Anyway, the tip is: do one thing at a time before enabling other features/stuff.

HTH

AK

Thanks for your response. I found DocID 71204 and based on that I modified the IPS config as follows:

access-list IPS permit ip interface outside any
class-map ips-class
 match access-list IPS
policy-map ips-policy
 class ips-class
  ips inline fail-open
service-policy global_policy global  (put the default back)
service-policy ips-policy interface outside

But now the IPS doesn't appear to be doing anything, so I must have done something wrong. I modified signatures 2000 and 2004 with an RR=100 so that any incoming pings should be seen as a high-level attack and the incoming IP denied. If I go back to the original config this test works, but not with this config (which according to the Cisco doc should send any incoming traffic initiated from outside to the IPS).

Hi, I think it could be better to add the ips-class into the global_policy, to obtain the inspection action and the ips action, like this:

policy-map global_policy
 class ips-class
  ips inline fail-open
service-policy global_policy global

bye
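As an added example (not from the thread, the poster's firewall, or Cisco's documentation), here is the configuration the reply above describes written out in full: the default global_policy keeps its inspection_default class and gains the ips-class, so the standard protocol inspections and the IPS action both apply to the same global policy. The original post's config instead removed global_policy entirely and replaced it with ips-policy, which silently drops every default inspection along with it. The inspection list under inspection_default is assumed to be the ASA 8.x default set; use whatever `show running-config policy-map` reports on the actual firewall rather than retyping it.

```cisco
! Added example, not the poster's or Cisco's configuration.
! Traffic selector: every flow in both directions, as in the original post.
access-list IPS extended permit ip any any
!
class-map ips-class
 match access-list IPS
!
! Keep the default inspection class in global_policy (assumed ASA 8.x defaults;
! the inspections on a given firewall may differ) and add the IPS class to it
! instead of replacing the whole policy with a new one.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class ips-class
  ips inline fail-open
!
! Only one policy-map can be applied globally, so do not remove global_policy
! with "no service-policy global_policy global" and do not attach a second
! policy-map globally; extend global_policy as above instead.
service-policy global_policy global
!
! Verify that the IPS class is attached and is counting packets:
! show service-policy
```

After applying this, `show service-policy` should list ips-class under global_policy with non-zero packet counters once traffic flows; if the counters stay at zero, the class-map or access-list is not matching and the classification, not the IPS module, is where to look first. `fail-open` keeps traffic passing if the AIP-SSM module stops responding, which is the usual choice while a policy is still being tuned.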

Thanks for the suggestion. I never did get the IPS working - had to put it on hold when I couldn't figure it out and never got back to it. I'm looking forward to trying this.
