10-29-2005 10:23 PM - edited 03-10-2019 01:43 AM
I just want to ask how the IPS functionality works on ASAs.
Does it have all the signatures or is it limited?
Correct me if I am wrong if I say I need the AIM module for IPS to work on the ASA. If I am right, then why does the AIM module have only 1 Ethernet interface? Does it mean I can't do monitoring on more than 1 VLAN?
Thanks a lot.
10-30-2005 07:59 PM
The ASA-SSM-AIP-10 or ASA-SSM-AIP-20, depending on the ASA model, is needed for full-feature IPS monitoring. The IPS software on the SSM is the same as that for the appliances and other IPS modules. It uses the same software and signature updates. (With the exception of the main system image, which has a few extra things to allow installation on the SSM.)
Without the ASA-SSM-AIP, the ASA software itself has a very limited signature set that can be monitored. The signature set is the same as in previous versions of the PIX firewall.
As for the single port on the ASA-SSM: this port is not a monitoring port. That port is the command and control port and is given an IP so you can telnet, SSH, or web browse to the sensor so you can manage it. The actual monitoring is done on an internal interface connected to the firewall backplane. The ASA can be configured through its policy to send packets across to the SSM for IPS analysis. The policy on the ASA can be configured for the IPS to monitor the packets promiscuously or inline.
The ASA can be configured to send all or only a portion of the packets going through the firewall to be monitored by the IPS code running on the SSM.
Since the external port is not a monitoring port, the SSM cannot be configured to monitor packets that do not go through the ASA. The packets must go through the ASA for the ASA to copy those packets across the internal backplane to the SSM for analysis.
11-02-2005 04:38 PM
I have a couple of questions regarding the ASA that deal with the SSM module.
I have read the document "Configuring ASA-SSM" and am confused by the command logic. I realize that you need to specify a service-policy globally that defines the traffic being sent to the SSM module. My concern is that the configuration document lists as one of its steps to define an ACL for the IPS traffic and then apply it to an interface before configuring the class map, policy map, and service-policy. Why would this ACL need to be applied to an interface when it is being used for defining IPS traffic? Shouldn't the ASA send whatever traffic is defined globally in the service-policy to the SSM without attaching the ACL to an interface?
Also, on the ASA factory default configuration there is a service-policy defined as:
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
But, if I define a global service-policy for the SSM, I would lose this default service-policy, as only one global service-policy is allowed. Is the default service-policy providing the fixup protocol services as in the PIX that I am used to seeing? If so, do I lose this functionality by applying a global service-policy for IPS?
Sorry for the length of the post and thanks for your help in advance.
12-18-2005 10:45 AM
I believe I can clarify your second point. I, too, am wondering about the first question (Why would you need to apply the IPS ACL to an interface?).
Regarding the global policy: The policy that is applied globally to all interfaces (in this case, "global_policy") can contain more than one class. The first class will attach the inspection_default class-map to all the inspect rules (and yes, these are equivalent to the PIX fixup commands). The second class will attach the ips rules to your ips class-map.
It helps to look at the config with proper indentation. It looks like this discussion group software removes leading whitespace in postings, so I'll try making it a little clearer with dashes...
policy-map global-policy
-class global-class
--inspect sqlnet
--inspect h323 ras
--inspect xdmcp
--inspect tftp
--inspect icmp error
--inspect rtsp
--inspect sunrpc
--inspect mgcp
--inspect esmtp
--inspect sip
--inspect netbios
--inspect pptp
--inspect ctiqbe
--inspect snmp
--inspect http
--inspect rsh
--inspect icmp
--inspect ftp
--inspect ils
--inspect h323 h225
--inspect dns
--inspect skinny
-class ipsClass
--ips inline fail-close
So you see we are only applying one service-policy to the "global" interface (so to speak), but that policy contains two separate class statements.
I hope this helps, and I welcome comments!
-Tom Rusnock
Acadia Systems, Inc.
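As an added example, not posted by anyone in this thread, here is the complete shape of the configuration Tom describes: the factory default inspection class stays in place and a second class that matches an ACL is added to the same global policy, so only one service-policy is ever applied globally. The ACL name ips_traffic, the class name ips_class, and the choice to match all traffic are assumptions for illustration; the keywords inline, promiscuous, fail-close and fail-open are the ASA's own.

```cisco
! Constructed example: the ACL and class names are assumed, not from the thread.
! The ACL only selects which packets the ASA copies to the SSM over the backplane;
! it is referenced from the class-map, not applied with access-group.
access-list ips_traffic extended permit ip any any
!
class-map inspection_default
 match default-inspection-traffic
!
class-map ips_class
 match access-list ips_traffic
!
policy-map global_policy
 ! First class: the default inspections (the PIX fixup equivalents) are unchanged.
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 ! Second class: divert the matched traffic to the AIP-SSM.
 ! "inline" lets the sensor drop packets; "promiscuous" only copies them for analysis.
 ! "fail-close" drops matched traffic if the SSM is down; "fail-open" would pass it unchecked.
 class ips_class
  ips inline fail-close
!
! Still exactly one global service-policy, now carrying both classes.
service-policy global_policy global
```

With fail-close, a failed or rebooting module becomes an outage for the matched traffic rather than a silent loss of inspection, which is usually the safer default for an IPS that is expected to block.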