12-08-2006 09:47 AM - edited 03-10-2019 03:21 AM
I just installed an AIP-SSM module in our ASA 5520 firewall (protecting a school district). I successfully configured it to scan all traffic sent both directions with the following config:
access-list IPS extended permit ip any any
class-map ips-class
match access-list IPS
policy-map ips-policy
class ips-class
ips inline fail-open
no service-policy global_policy global
service-policy ips-policy global
I also configured it to Deny Attacker Inline when RR=75-100. Figured that was a simple configuration to get things started. However, we noticed that some websites were running very slowly after I implemented these settings. What is causing this?
I guess the other option would be to reconfigure to only scan incoming traffic initiated from the outside to help protect the district from incoming attacks. But I thought it would be more responsible of me to configure it to scan both ways to protect external hosts from an attack that a student could initiate from a school computer. Is this really necessary or am I creating headaches for myself?
12-08-2006 06:10 PM
It might not necessarily be because of bidirectional scanning.
Try to activate inbound traffic inspection first, and see the results (performance, ability to detect violations matching signatures, and user response). If the web response (browsing) improves, then you can start looking at the outbound inspection. If nothing changes, then you can start reviewing the IPS inspection config again.
Anyway, the tip is: do one thing at a time before enabling other features.
HTH
AK
12-12-2006 02:58 PM
Thanks for your response. I found DocID 71204 and based on that I modified the IPS config as follows:
access-list IPS permit ip interface outside any
class-map ips-class
match access-list IPS
policy-map ips-policy
class ips-class
ips inline fail-open
service-policy global_policy global (put the default back)
service-policy ips-policy interface outside
But now the IPS doesn't appear to be doing anything, so I must have done something wrong. I modified signatures 2000 and 2004 with an RR=100 so that any incoming pings should be seen as a high-level attack and the incoming IP denied. If I go back to the original config this test works, but not with this config (which according to the Cisco doc should send any incoming traffic initiated from outside to the IPS).
06-27-2007 02:41 AM
Hi, I think it would be better to add the ips-class to the global_policy, so you get both the default inspection actions and the IPS action, like this:
policy-map global_policy
class ips-class
ips inline fail-open
service-policy global_policy global
bye
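The following is an added, complete version of the approach in the reply above; it is not configuration posted by anyone in this thread. It assumes the default policy name global_policy and an interface named outside, as in the posts. Two points it makes explicit: the ASA accepts only one global service policy, so removing global_policy (as in the first post) drops the default protocol inspections along with it, and in ASA access-list syntax a source of "interface outside" means the outside interface's own IP address, not "anything arriving on outside", which is why the second post's ACL matched almost nothing. The "fail-open" keyword means traffic is passed uninspected while the AIP-SSM is down or reloading; use "fail-close" if blocking is preferable to that.

```cisco
! Added example, not from the original thread.
! Assumes: interface named "outside", default policy-map "global_policy".

! Classification ACL for the traffic handed to the AIP-SSM.
! "any any" rather than "interface outside any": the "interface" keyword
! would match only packets sourced from the ASA's own outside address.
access-list IPS extended permit ip any any

class-map ips-class
 match access-list IPS

! Add the IPS action to the existing default policy instead of replacing it,
! so the default inspections (class inspection_default) stay in place.
policy-map global_policy
 class ips-class
  ips inline fail-open

! Only one global service policy is allowed; the default one already exists,
! so re-applying it simply keeps it attached.
service-policy global_policy global

! Optional: confirm the IPS action is active and counters move.
! show service-policy global
```

To verify after applying it, check "show service-policy global" for the ips-class entry and watch its packet counters while generating test traffic; if the counters stay at zero, the classification ACL is the first thing to re-check.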
06-27-2007 07:05 AM
Thanks for the suggestion. I never did get the IPS working - had to put it on hold when I couldn't figure it out and never got back to it. I'm looking forward to trying this.