06-07-2010 10:48 PM - edited 03-10-2019 05:01 AM
Hello Guys,
I am a beginner in the ASA IPS concept and my company owns a 5520 ASA.
Currently the ASA is connected to the ISP-connected router and is serving as a firewall to control internet traffic, which is integrated with Websense for URL filtering.
Can you please let me know what all we should expect to configure in IPS in this scenario and what the function of IPS is?
What is the main function of IPS?
Grateful for your posts.
Regards,
KA.
06-08-2010 03:29 AM
KA;
The main function of the AIP-SSM in your ASA-5520 is to perform packet inspection and signature matching to detect potential exploit traffic within your network. If such traffic is detected, the AIP-SSM can deny that traffic from traversing your ASA. Here is a link to a brief overview of the product:
http://www.cisco.com/go/aipssm
First you need to configure the ASA to divert traffic to the AIP-SSM for inspection; this is outlined here:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_ssm.html
You will then want to ensure the backplane interface (GigabitEthernet0/1) is added to a virtual-sensor on the AIP-SSM to allow inspection to occur.
You will want to ensure the signature definitions on the AIP-SSM are up-to-date. This ensures the most accurate protection from the AIP-SSM perspective. This will require an active license be installed on the AIP-SSM.
Next, you will most likely want to monitor the events generated by the AIP-SSM. For that, Cisco offers a free, entry-level solution called IPS Manager Express (IME). You can find out more, and download IME here:
You will want to monitor IME to learn of potential security risks within the network traffic traversing your infrastructure. When you encounter signature events for which you wish to gain more insight, you can visit Cisco's IntelliShield site for further investigation:
The details found here can also be expanded within the IME event display.
Use of an IPS will be a continual monitor and learn phase to ensure you are aware of expected traffic and unexpected traffic, and that appropriate response can be applied. This is something that is different in each and every environment, so there is not a simple white paper on how to perform these actions.
Scott
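The two configuration steps described in the answer above (diverting traffic on the ASA, then assigning the backplane interface to a virtual sensor), as an added example that is not part of the original post. The names IPS_TRAFFIC and IPS_CLASS are hypothetical, and the example assumes the module sits in slot 1, the default policy-map global_policy and the default virtual sensor vs0 are in use, and all IP traffic is to be inspected. Lines starting with `!` are annotations.

```cisco
! --- On the ASA: select the traffic to inspect (here: everything) ---
access-list IPS_TRAFFIC extended permit ip any any
class-map IPS_CLASS
 match access-list IPS_TRAFFIC

! --- Divert the matched traffic to the AIP-SSM ---
! inline      = module sits in the data path and can drop traffic
! promiscuous = module receives a copy only and cannot block in-path
! fail-open   = traffic keeps flowing uninspected if the module is down
! fail-close  = traffic is dropped if the module is down
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open
service-policy global_policy global

! --- Check that the module is up before relying on it ---
show module 1 details

! --- Open a session to the AIP-SSM from the ASA ---
session 1

! --- On the AIP-SSM: add the backplane interface to the virtual sensor ---
sensor# configure terminal
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface GigabitEthernet0/1
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes?[yes]: yes
```

Starting with `ips promiscuous fail-open` lets you observe which signatures fire on normal traffic before the module is allowed to drop anything; `fail-close` trades availability for guaranteed inspection.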
06-08-2010 12:48 PM
Hello Scott,
Thanks a ton for your detailed note, and I am sure this note will help me to go deeper inside the ASA IPS concept.
Regards,
kA.
06-08-2010 12:52 PM
Yes, you will certainly find there are many questions that will arise as you become more familiar with the functionality of the AIP-SSM.
Don't hesitate to come back with further questions you may have and we in the community will work to answer them.
Scott