With Robert Albach
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about security best practices and management for the Cisco Intrusion Prevention System (IPS) with Robert Albach. The Cisco Intrusion Prevention System is a context-aware threat prevention system for your networked environments. A critical part of the SecureX architecture, the module unobtrusively detects and prevents problematic traffic from reaching its target; uses contextual inputs to determine the proper level of response; and tightly integrates with the ASA firewall for greater network security.
Robert Albach is a product manager in the Security Business Unit at Cisco, responsible for intrusion prevention offerings. Before joining Cisco in 2010 he held product management positions for intrusion prevention offerings at Hewlett-Packard/TippingPoint. He has more than 15 years of experience with systems management and security product offerings and has presented at the RSA trade show and other security venues.
Remember to use the rating system to let Robert know if you have received an adequate response.
Robert might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through September 7, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
I would like to understand the main differences between a firewall and an IDS/IPS system. Are there any issues that can only be resolved by an IDS/IPS?
I am going to expand your question a bit to separate IDS and IPS slightly from each other. The explanation may be simplistic, but I think it is a good starting point.
A firewall is primarily about access control. Firewalls such as Cisco's ASA enforce access rules to certain networked elements based on IP addresses found within the header. One can state that devices within a particular CIDR can or cannot access another network device. This can typically be done using IP addresses and ports. There are additional extensions such as those provided by the ASA, such as identity, and then with the ASA-CX application as well. For the most part, operations are to deny all with exceptions.
An IDS (Intrusion Detection System) is largely a passive listening system which performs deep packet inspection targeting traffic of interest. In the majority of cases the traffic of interest is some form of attack traffic. This attack traffic can range across the entire attack life-cycle and represent a large span of different attack vectors and techniques. As a passive system it may or may not be in-line, but largely the system is there to observe and report.
An IPS (Intrusion Prevention System) is an in-line system which also performs deep packet inspection with the intent of both observing and acting on the traffic. The difference from the IDS role is the need to be able to impact the traffic it is interested in. As such it is not passive, but unlike the firewall it will only potentially stop or alter traffic that meets its policy statement, which is normally an identified attack threat.
There are several impacts that these definitions may have on your placement of devices and how your organization may wish to treat the results.
If I can summarise simplistically:
A firewall denies all traffic except that whose access it allows.
An IDS impacts no traffic and reports what it discovers.
An IPS allows all traffic except that which is identified as a threat.
I hope this helps.
Do you have any idea how to configure advanced IPS? Basic configuration is done. Model: IPS 4240.
Can you recommend the best book / video to get up and running on the IPS as quick as possible? I'm familiar with the ASA, but now I need to learn the IPS module within the ASA and fast!
Sorry for the delay - it sounds like you are seeking some quick general operational details. Is that fair?
Sadly there are no books that I know of that are specific to the Cisco IPS and up to date. Mr. Deal's book, while strong from the pure ASA perspective, is a bit dated, and both the ASA and IPS have had some significant changes introduced as well as new models with some significant operational differences.
I would be remiss if I did not mention my coworker's book "Cisco Firewalls" by Alexandre Moraes. There is not much in terms of the IPS module uniquely, but it does cover the newer ASA 5585 models, which include the dedicated IPS blade.
I think we may need to combine a book with a few other sources depending on your particular model. Let me know which solution you will need to manage and I will try to pull together a number of sources for you.
Now if your actual question was more along the lines of "tell me about general intrusion prevention best practices" then that would be a whole different set of references.
So let me know your platform and I'll try to pull some suggestions together.
Yes, I'm looking for quick operational details on the ASA-SSM-10 module running in an ASA 5510 (v8.2), so an out-of-date book may not be that far off for me at this time. The IDS/IPS is running version 7.0(2).
I've been tasked to do a review of the rulebase. I've worked on GUI based IDS appliances, and understand the theory of IDS/IPS, but I've never worked on the Cisco ASA IDS/IPS, so I just need basic info on how to get started.
I can session into the module from the firewall, but the config is so foreign to me that I'm not even sure that it's set up and doing anything.
That is an older and lower-end product, which means the resources available to run a larger number of signatures will be limited relative to the higher-end and newer platforms (the ASA 5515x, as an example).
I am going to guess that this device is positioned at the company's internet edge (most people start there). In 7.1.5 we introduced a set of protection templates which are our default recommendations for deployment environments. That would be a good place to start as a reference.
I hope this helps.
Thanks for the reply, but I have to be honest - it doesn't help.
I'm looking for a crash course to show me the basics. You mentioned a set of production templates - how do I apply them? How do I see the signatures that are there now? They tell me they are running the IPS, but I can't even tell that this is true. What are the commands that divert or copy packets to the IPS module? How do I create an alert to trigger when a specific IP is hit?
Again, basic information I know - but I just need to get started and don't know where to turn. I know I can read the reams of documentation Cisco put out, but I really just want simple, basic instruction to get me started. I'll pore through the rest when I have more time.
I appreciate any help you can provide.
Looking about, it appears that we are lacking a simplified getting-started guide at the ready.
I would like to recommend some of the video documents put together by the excellent members of TAC as a starting point.
Installation and Basic setup of AIP-SSM:
TAC ips media series:
Let me know what you think of them and if there are subjects that you feel are missing.
I just sent you a private message.. Check that out and let me know if it works for you .... :-) If not, hit me back up and we'll get you going....
I just tried to test one DOS attack tool (LOIC) in a lab environment.
But in the Cisco IME real-time monitoring window I am not getting any alerts regarding this attack.
I am very sure that I am successful in flooding the network (the CPU of the ASA goes above 60% at that time).
But there is no event in Cisco IME.
Can you help with this?
I am going to assume that you are referencing the Low Orbit Ion Cannon attack tool. Is that correct?
I am going to first make a broad sweeping comment on the role of IPS and DOS/DDOS and then get to your question. An IPS is not an optimal dedicated DOS/DDOS prevention tool. It is a good means of initially identifying that the attack is starting but it would optimally signal this information upstream to some other device such as the FW, router, or specialized DOS tool. The closer to the source (ISP) the better.
Now on to your specifics.
Cisco IPS does not have a LOIC-specific signature. While LOIC is a powerful tool, the nature of its attacks is not really unique enough to justify a unique signature. LOIC will initiate an attack in either UDP, TCP, or HTTP. There are flood signatures in the 6900 range that may be appropriate to your attack.
As always with our signatures, ensure that the ones of interest are UNRETIRED, ENABLED, and that your actions include ALERT. Depending on the signature you may want to elevate the base RISK RATING or use an EVENT ACTION Rule (Overrides) to guarantee a response. Given that you are operating within a lab, all the other risk rating contributors are not likely to be there.
I hope this helps and thanks for asking.
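As an added illustration of the checks in the reply above (this is not from the original thread or from Cisco's documentation), here is how those settings look on the Cisco IPS 7.x sensor CLI. The signature "6901 0" and its flood-net engine are assumed example values from the 6900 range, the 90-100 risk-rating band and the severity/fidelity values are chosen for illustration, and the command hierarchy is as I recall it from the IPS CLI guide, so confirm each node name with "?" on your own sensor before relying on it.

```cisco
! Added example: verify and tune a 6900-range flood signature on a Cisco IPS 7.x sensor.
! "6901 0" and the flood-net engine are assumed example values; check your own sensor.

! 1. Look at the signature's current state before changing anything.
sensor# show configuration | include 6901

! 2. Make sure the signature is unretired and enabled and that it produces an alert.
sensor# configure terminal
sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures 6901 0
sensor(config-sig-sig)# status
sensor(config-sig-sig-sta)# enabled true
sensor(config-sig-sig-sta)# retired false
sensor(config-sig-sig-sta)# exit
! Raising severity and fidelity raises the base risk rating, which matters in a lab
! where the other risk-rating contributors (target value, attack relevance) are absent.
sensor(config-sig-sig)# alert-severity high
sensor(config-sig-sig)# sig-fidelity-rating 90
sensor(config-sig-sig)# engine flood-net
sensor(config-sig-sig-flo)# event-action produce-alert
sensor(config-sig-sig-flo)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes?[yes]: yes

! 3. Alternatively, guarantee a response with an event action override keyed on risk rating,
!    so any signature that scores 90-100 is dropped inline regardless of its own action list.
sensor(config)# service event-action-rules rules0
sensor(config-rul)# overrides deny-packet-inline
sensor(config-rul-ove)# override-item-status enabled
sensor(config-rul-ove)# risk-rating-range 90-100
sensor(config-rul-ove)# exit
sensor(config-rul)# exit
Apply Changes?[yes]: yes
sensor(config)# exit

! 4. Re-run the lab flood and confirm that events now arrive at the sensor (and so at IME).
sensor# show events alert
```

Step 1 is worth doing first: a signature that is retired is not loaded into the engine at all, so no amount of action tuning will make it fire, and that single setting explains most "I see nothing in IME" cases.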
Yes, you are correct, I am using the Low Orbit Ion Cannon tool.
OK, I will try tuning the 6900-range IPS signatures.
Just for knowledge: could you please recommend a dedicated DOS prevention tool?
Arbor Networks is a dedicated provider of DOS/DDOS defense capable tools. Their products are frequently used by service providers.
This is an area in which I'm not qualified at the "expert" level, and I am going to ask one of our Technical Marketing members to help out with an answer. I have a fear that we may have some kind of collision condition at play.
Can you tell me what report you ran where you see the segment overwrite errors? I am interested in knowing what piece of the puzzle is reporting this condition.
I'm running a 6500 with an Sup-2 720, FWSM and IDSM-2. Is it possible to monitor/protect the vlan between the firewall and internal router interface, the DMZ, and the external firewall interface? I'm currently just protecting (running inline) the external interface but every now and then, the IDSM-2 blocks internal users from accessing the internet. When running a report, I see tcp segment overwrite errors.
If this was answered previously, please point me to the discussion...
It looks like you have an open TAC case on this question, so I am going to defer to that process for now and let those folks run with your issue.
Should TAC need to escalate to the local team I am certain they will not hesitate.
Hopefully things will resolve soon.
What, if any, best practices are there for managing the IPS AD KB across a "cluster" of IPS SSPs in an ASA HA pair?
I would have thought the logical thing would be for IPS 1 in the active ASA to copy the KB to IPS 2 in the standby ASA, but Cisco does not provide a mechanism to do this. Do I have to kludge this with an external scp server and expect scripts? If so, is it a case of copying the current KB from IPS 1 (maybe once a day) to an scp server, and then at some time later IPS 2 copies the KB from the scp server to itself and makes that the current KB? Any advice is greatly appreciated. Would be nice if CSM could manage this....
Hi and my apologies for the late reply.
Starting with some happier news, there are plenty of options to copy and manage Anomaly Detection KBs on individual devices, so you can certainly script these. Of course there are also some nice tools in IME which expose these commands.
The bad news is, as you have already discovered, that we have not centralized this management through CSM for multi-device management. So yes, kludge it is, or as we may prefer to call it, "creative extensioneering".
Some rambling thoughts follow, so take them with enough thought before implementing....
Hopefully your systems rarely fail over and the nature of the traffic does not change much, meaning your KBs should look very similar over time. I think it would be interesting to run diffs across those to see if there is much change.
Does one sensor happen to generate greater diffs from your "standard"? Just something to consider.
I would be very interested in knowing how frequently your AD fires. As it was focused on worm propagation, it would be good to know how often you run across those.
This is a greenfield deployment, so no indication yet of what the AD alerts may be or what the KB diffs would be. Given the ASAs are active/passive, I need to ensure that the KB that is backed up is the KB from the active firewall. It would be a very bad day if it were pulled from the passive device, which sees normal traffic as virtually no sessions, although that would only be initially; over time it should have a backup of the active KB. The only way I could think of to do this would be to log in to the active ASA and then session to the IPS module. Do you have any other suggestions about how to grab the active KB?
One other gripe I do have is that the copy ad knowledge base scp client only supports SSH version 1. Why is that?
I can ssh to the IPS SSP with version 2, so why would Cisco hamstring the client to version 1?
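One way to carry out the "session into the active ASA" approach just described, using the per-sensor Anomaly Detection commands the earlier reply mentions, as an added example that is not from the thread, from Cisco or from CSM. It assumes an ASA 5585-X HA pair whose IPS SSP is reached with "session 1", a virtual sensor named vs0, an scp host 10.0.0.5 with user ipsbackup, and a KB file name vs0-active, all of which are placeholders; the command forms are as I recall them from the Cisco IPS 7.x CLI guide, so check them with "?" on the sensor.

```cisco
! Added example: export the AD knowledge base from the IPS on the active ASA and load it on the standby.
! Host 10.0.0.5, user ipsbackup, file name vs0-active and virtual sensor vs0 are placeholders.

! 1. On each ASA of the HA pair, confirm which unit is active before taking a copy;
!    only the active unit's sensor has learned a representative baseline.
asa-a# show failover | include This host
This host: Primary - Active

! 2. Session into the IPS SSP of the active unit and list the KBs it holds.
asa-a# session 1
sensor-a# show ad-knowledge-base vs0 files

! 3. Push the current (learned) KB to the scp server. Run this on whichever unit reports
!    Active, not on a fixed hostname, so a failover does not silently back up the idle sensor.
sensor-a# copy ad-knowledge-base vs0 current scp://ipsbackup@10.0.0.5/kb/vs0-active

! 4. On the standby unit, pull the file, compare it with what is current there, and load it.
asa-b# session 1
sensor-b# copy scp://ipsbackup@10.0.0.5/kb/vs0-active ad-knowledge-base vs0
sensor-b# show ad-knowledge-base vs0 diff current vs0-active
sensor-b# load ad-knowledge-base vs0 file vs0-active
```

The diff in step 4 is the check the reply above suggests: if the standby's own KB and the copy from the active unit diverge widely, that is a sign either that the standby has been carrying traffic or that the two sensors are not seeing the same network, and it is worth understanding which before loading the file.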
I have an operational query. How do I block a root user from accessing certain commands in a Unix OS? Is there a way through IPS signatures? I want to block TCP-based commands.
Pardon me, but I will make an assumption here, which is that your root user has legitimate access to the Unix box in question. I am uncertain what exactly you mean by TCP-based commands. I will make another leap and guess that you mean that the user is accessing the device in question across the network, perhaps?
I will work the rest of my discussion based on the above paragraph assumptions.
First, this *may* be possible, and the nature of the request is not all that unusual. It is often the case that people wish to use their IPS as an application control vehicle by which they want to manage commands that are remotely executed over the network. There are a number of existing signatures for similar ideas, but not necessarily for unique Unix commands. You can certainly write your own to apply here as well.
Second, I would hope that the communication between the external user and the device is encrypted as a general best practice. If this is the case, then it is probable that your IPS will not be able to see these commands, in which case what *may* be possible is made not possible. Here a good security practice prohibits what you desire.
Third, given that your potential newly created Unix command signatures detect legal commands, it is important that you deploy these carefully. Think through the scenarios that you want these working in carefully. Are there potential situations in which you might block necessary activity from others that will need to manage this system? Remember that unless you have an ASA in place the IPS does not differentiate "who" the user is. Unless you can guarantee a network identifier such as a VLAN or source IP, the application of the signature may hit others you did not wish it to.
I have an AIP-SSM-10 installed in my firewall. The question is how I can disable weak ciphers for management, so how can I force that only strong encryption mechanisms are used for HTTPS management sessions?
Thanks for your reply in advance.
Hi, and my apologies, as I overlooked this question for a while!
This was definitely a challenge in the 7.0 code base. If you upgrade to 7.1.6, though, the problem is resolved, and this release does support your platform too. Look at the 7.1.3 release notes for more details.
If you need to remain on 7.0 then give TAC a call and they can point you to a less elegant solution.
And credit for this goes to Stijn Vanveerdeghem (Cisco IPS TME) who pointed me to the solution.
I had posted this as a separate discussion, but just wanted to know your opinion on this.
I am trying to upgrade the AIP SSM 20 to IPS-K9-6.2-4-E4.pkg.
The problem is that the error below appears:
Error: execUpgradeSoftware : Connect failed
I can confirm the following:
1) Ping from the FTP server to the sensor and vice versa is OK
2) The FTP server works OK, as I am able to upload/download files from other clients
3) The command given is: upgrade ftp://email@example.com/IPS-K9-6.2-4-E4.pkg
4) I also created another user on the FTP server and tested, but with the same results
5) The FTP server listens on port 21 and does not get any request
6) The current image is a bit old, i.e. 6.0(4)E2
Some information from show version:
Using 1023815680 out of 2093600768 bytes of available memory (48% usage)
system is using 17.7M out of 29.0M bytes of available disk space (61% usage)
application-data is using 39.3M out of 166.8M bytes of available disk space (25% usage)
boot is using 38.4M out of 68.6M bytes of available disk space (59% usage)
The image that I am trying to upload, i.e. IPS-K9-6.2-4-E4.pkg, is about 28.6 MB in size. Could the issue be related to the disk size (the disk usage figures above)?
Thanks in advance.
The size of the package relative to your resources could definitely be the problem, but not just the storage space: potentially the memory as well.
For any device with a somewhat limited amount of storage it is a good idea to perform some occasional cleanup. Look for unnecessary prior packages, packet captures, and the like then remove them if possible. That should provide more space for laying down the package.
The second area is memory available. It is best to initiate this download when things are as idle as possible. You might want to interrupt eventing activity and ensure that there are no reports being generated or signatures being downloaded (only twice a week, so likely OK).
I will note that yes - your 6.0 software is rather old. In fact it is no longer a maintained rev. I would suggest as big a leap forward as possible to the 7.0.8 release if you feel comfortable with that.
Beyond that if your clean up and upgrade does not work then be certain to get some TAC help.
I am not clear on the documentation below.
I have a Cisco ASA 5520 with an IPS module, so what do you suggest about IPS placement in my case?
I want to protect my internal and DMZ networks from the internet, and I also want to protect the DMZ servers from internet and internal attacks.
Currently I am using an IPS-CLASS service policy rule within the Global Policy service policy rule,
and the configuration is like:
IPS-CLASS --- source any, destination any, service ip, rule action: ips inline, permit traffic, sensor vs0
Is this configuration OK?
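The service-policy rule described in the question, written out as the equivalent ASA CLI, as an added example that is not from the thread or from Cisco's documentation. The ACL name IPS_TRAFFIC and the hosts 10.10.5.20 and 192.168.1.50 are placeholders; "permit traffic" in ASDM corresponds to the fail-open keyword here, and the fail-close line is the alternative a defender should weigh against it.

```cisco
! Added example: the ASDM rule from the question as ASA CLI, on an ASA 5520 with an AIP-SSM.
! IPS_TRAFFIC is a placeholder ACL name; 10.10.5.20 / 192.168.1.50 are placeholder hosts.

! Optional: exclude a trusted, high-volume flow (say, backups between a known pair of
! hosts) so a small module is not saturated by traffic you do not need inspected.
! A deny ACE in a class-map ACL removes that traffic from the class; it does not drop it.
access-list IPS_TRAFFIC extended deny ip host 10.10.5.20 host 192.168.1.50
! Everything else that crosses the ASA goes through the module.
access-list IPS_TRAFFIC extended permit ip any any

class-map IPS-CLASS
 match access-list IPS_TRAFFIC

! "ips inline" diverts packets through the sensor so it can drop them; "fail-open" is
! ASDM's "permit traffic" (flows continue uninspected if the module fails). Use
! "fail-close" if you would rather lose connectivity than run uninspected while the
! module is down.
policy-map global_policy
 class IPS-CLASS
  ips inline fail-open sensor vs0
! alternative: ips inline fail-close sensor vs0

! Applying the policy globally means every interface in both directions, so
! internet->inside, internet->DMZ and inside->DMZ flows all reach vs0.
service-policy global_policy global

! Verify the module is up and that the class is actually matching packets.
show module 1 details
show service-policy ips
```

The last two commands are the quickest way to answer "is the IPS really seeing anything": the module status must be Up, and the packet counters under the IPS-CLASS entry should be climbing; a configured but idle class is the usual reason an IPS appears to be running while reporting nothing.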