581 Views, 0 Helpful, 3 Replies

ASA IPS functionality

cfajardo1_2
Level 1

I just want to ask how the IPS functionality works on ASAs.

Does it have all the signatures or is it limited?

Correct me if I am wrong if I say I need the AIM module for IPS to work on the ASA. If I am right, then why does the AIM module have only 1 Ethernet interface? Does it mean I can't monitor more than 1 VLAN?

Thanks a lot.

Accepted Solution

marcabal
Cisco Employee

The ASA-SSM-AIP-10 or ASA-SSM-AIP-20, depending on the ASA model, is needed for full-feature IPS monitoring. The IPS software on the SSM is the same as that for the appliances and other IPS modules. It uses the same software and signature updates (with the exception of the main system image, which has a few extra things to allow installation on the SSM).

Without the ASA-SSM-AIP, the ASA software itself has a very limited signature set that can be monitored. The signature set is the same as in previous versions of the PIX firewall.

As for the single port on the ASA-SSM: this port is not a monitoring port. That port is the command and control port and is given an IP so you can telnet, SSH, or web browse to the sensor to manage it. The actual monitoring is done on an internal interface connected to the firewall backplane. The ASA can be configured through its policy to send packets across to the SSM for IPS analysis. The policy on the ASA can be configured for the IPS to monitor the packets promiscuously or inline.

The ASA can be configured to send all or only a portion of the packets going through the firewall to be monitored by the IPS code running on the SSM.

Since the external port is not a monitoring port, the SSM cannot be configured to monitor packets that do not go through the ASA. The packets must go through the ASA for the ASA to copy them across the internal backplane to the SSM for analysis.


3 Replies

I have a couple of questions regarding the ASA that deal with the SSM module.

I have read the document "Configuring ASA-SSM" and am confused by the command logic. I realize that you need to specify a service-policy globally that defines the traffic being sent to the SSM module. My concern is that the configuration document lists as one of its steps to define an ACL for the IPS traffic and then apply it to an interface before configuring the class map, policy map, and service-policy. Why would this ACL need to be applied to an interface when it is being used for defining IPS traffic? Shouldn't the ASA send whatever traffic is defined globally in the service-policy to the SSM without attaching the ACL to an interface?

Also, on the ASA factory default configuration there is a service-policy defined as:

    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map global_policy
     class inspection_default
      inspect dns maximum-length 512
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    !
    service-policy global_policy global

But if I define a global service-policy for the SSM, I would lose this default service-policy, as only one global service policy is allowed. Is the default service-policy providing the fixup protocol services as in the PIX that I am used to seeing? If so, do I lose this functionality by applying a global service-policy for IPS?

Sorry for the length of the post and thanks for your help in advance.

I believe I can clarify your second point. I, too, am wondering about the first question (Why would you need to apply the IPS ACL to an interface?).

Regarding the global policy: the policy that is applied globally to all interfaces (in this case, "global_policy") can contain more than one class. The first class will attach the inspection_default class-map to all the inspect rules (and yes, these are equivalent to the PIX fixup commands). The second class will attach the ips rules to your ips class-map.

It helps to look at the config with proper indentation. It looks like this discussion group software removes leading whitespace in postings, so I'll try making it a little clearer with dashes...

    policy-map global-policy
    -class global-class
    --inspect sqlnet
    --inspect h323 ras
    --inspect xdmcp
    --inspect tftp
    --inspect icmp error
    --inspect rtsp
    --inspect sunrpc
    --inspect mgcp
    --inspect esmtp
    --inspect sip
    --inspect netbios
    --inspect pptp
    --inspect ctiqbe
    --inspect snmp
    --inspect http
    --inspect rsh
    --inspect icmp
    --inspect ftp
    --inspect ils
    --inspect h323 h225
    --inspect dns
    --inspect skinny
    -class ipsClass
    --ips inline fail-close

So you see we are only applying one service-policy to the "global" interface (so to speak), but that policy contains two separate class statements.

I hope this helps, and I welcome comments!

-Tom Rusnock

Acadia Systems, Inc.
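The following ASA configuration is an added example, not from the original thread or from Cisco's own documentation. It pulls together the accepted answer (the ASA policy decides which packets are copied across the backplane to the SSM, promiscuously or inline) and Tom's two-class layout, and it addresses the first question in the second post: in ASA Modular Policy Framework the ACL is referenced only from the class-map's match access-list line, and it is not bound to an interface with access-group (access-group makes an ACL a permit/deny filter, which is a different function). The names IPS_TRAFFIC and IPS_CLASS, the 10.1.1.0/24 subnet, and the assumption that the SSM sits in slot 1 are choices made for this example.

```cisco
! Added example (not from the thread): send a subset of traffic to the AIP-SSM
! while keeping the factory-default protocol inspections in the same global policy.
!
! 1. ACL that selects what the IPS should see.  It is referenced by the class-map
!    below only; no access-group line is needed for it.  10.1.1.0/24 is an
!    example subnet chosen here.
access-list IPS_TRAFFIC extended permit ip any 10.1.1.0 255.255.255.0
access-list IPS_TRAFFIC extended permit ip 10.1.1.0 255.255.255.0 any
!
! 2. Class-map that matches that ACL (name chosen for this example).
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! Factory-default class, left as-is so the PIX-style "fixup" inspections are kept.
class-map inspection_default
 match default-inspection-traffic
!
! 3. One global policy-map carrying both classes.
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class IPS_CLASS
  ! inline: each matching packet is held until the SSM returns a verdict;
  ! fail-close drops matching traffic if the SSM is down or rebooting.
  ! For a first deployment use the passive form instead:
  !   ips promiscuous fail-open
  ! so the SSM only receives copies and a module outage cannot block traffic.
  ips inline fail-close
!
! 4. The single global service-policy.  Only one global service-policy is
!    allowed, which is why the IPS class lives inside global_policy rather
!    than in a second policy-map.
service-policy global_policy global
!
! Verification from the ASA exec prompt:
!   show service-policy     - policy-map/class hits, including the ips action
!   show module 1 details   - SSM status, software version, management IP
!   session 1               - console into the sensor to run its own "setup"
```

The ACL controls which flows reach the SSM, so an ACL of `permit ip any any` reproduces the "send everything" case from the accepted answer, while narrower entries send only a portion. Whether the match is evaluated per interface or globally is decided by the service-policy line, not by where the ACL is applied.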
