
How to configure ASA IPS which is connected on the Internet

virgoboy009
Level 1

Hello Guys,

I am a beginner with the ASA IPS concept and my company owns a 5520 ASA.

Currently the ASA has been connected to the ISP-connected router and is serving as a firewall to control internet traffic, which is integrated with Websense for URL filtering.

Can you please let me know what we should expect to configure in the IPS in this scenario and what the function of the IPS is?

What is the main function of an IPS?

Grateful for your posts.

Regards,

KA.

Accepted Solutions

Scott Fringer
Cisco Employee

KA;

  The main function of the AIP-SSM in your ASA-5520 is to perform packet inspection and signature matching to detect potential exploit traffic within your network.  If such traffic is detected, the AIP-SSM can deny that traffic from traversing your ASA.  Here is a link to a brief overview of the product:

http://www.cisco.com/go/aipssm

  First you need to configure the ASA to divert traffic to the AIP-SSM for inspection; this is outlined here:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_ssm.html

  You will then want to ensure the backplane interface (GigabitEthernet0/1) is added to a virtual-sensor on the AIP-SSM to allow inspection to occur.

  You will want to ensure the signature definitions on the AIP-SSM are up-to-date.  This ensures the most accurate protection from the AIP-SSM perspective.  This will require an active license be installed on the AIP-SSM.

  Next, you will most likely want to monitor the events generated by the AIP-SSM.  For that, Cisco offers a free, entry-level solution called IPS Manager Express (IME).  You can find out more, and download IME here:

http://www.cisco.com/go/ime

  You will want to monitor IME to learn of potential security risks within the network traffic traversing your infrastructure.  When you encounter signature events for which you wish to gain more insight, you can visit Cisco's IntelliShield site for further investigation:

http://www.cisco.com/security

  The details found here can also be expanded within the IME event display.

  Use of an IPS will be a continual monitor and learn phase to ensure you are aware of expected traffic and unexpected traffic, and that appropriate response can be applied.  This is something that is different in each and every environment, so there is not a simple white paper on how to perform these actions.

Scott
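
A configuration sketch of the first two steps in the answer above (diverting traffic to the AIP-SSM, then assigning the backplane interface to a virtual sensor), added here as an example and not part of Scott's post or of Cisco's guide. It assumes the default `global_policy` and the default virtual sensor `vs0`; the names `IPS-TRAFFIC` and `IPS-CLASS` are placeholders.

```cisco
! --- On the ASA, in global configuration mode ---
! Select the traffic to inspect. IPS-TRAFFIC and IPS-CLASS are
! placeholder names; narrow the ACL if only some flows need inspection.
access-list IPS-TRAFFIC extended permit ip any any
class-map IPS-CLASS
 match access-list IPS-TRAFFIC
!
! Attach the IPS action to the default global policy.
! inline      : the module sits in the traffic path and can drop packets.
! promiscuous : the module only receives a copy of the traffic.
! fail-open   : traffic passes uninspected if the module is down.
! fail-close  : traffic is blocked while the module is unavailable.
policy-map global_policy
 class IPS-CLASS
  ips inline fail-open
service-policy global_policy global
!
! From privileged EXEC mode, confirm the module status is "Up".
show module 1 details
!
! --- On the AIP-SSM (reach it from the ASA with "session 1") ---
! Add the backplane interface to the default virtual sensor.
configure terminal
service analysis-engine
 virtual-sensor vs0
  physical-interface GigabitEthernet0/1
  exit
 exit
! Answer "yes" at the "Apply Changes?" prompt, then leave config mode.
exit
!
! Check the license state and the installed signature update level.
show version
```

The choice between `fail-open` and `fail-close` decides what happens to traffic when the module reloads or fails, so it should be made deliberately rather than copied.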

Hello Scott,

Thanks a ton for your detailed note, and I am sure this note will help me go deeper into the ASA IPS concept.

Regards,

kA.

Yes, you will certainly find there are many questions that will arise as you become more familiar with the functionality of the AIP-SSM.

Don't hesitate to come back with further questions you may have and we in the community will work to answer them.

Scott
