Cisco Support Community
Community Member

How to configure ASA IPS which is connected on the Internet

Hello Guys,

I am a beginner with the ASA IPS concept, and my company owns a 5520 ASA.

Currently the ASA is connected to the ISP-connected router and serves as a firewall to control Internet traffic, which is integrated with Websense for URL filtering.

Can you please let me know what we should expect to configure on the IPS in this scenario, and what the function of the IPS is?

What is the main function of the IPS?

Grateful for your posts.

Regards,

KA.

Accepted Solutions
Cisco Employee

Re: How to configure ASA IPS which is connected on the Internet

KA;

  The main function of the AIP-SSM in your ASA-5520 is to perform packet inspection and signature matching to detect potential exploit traffic within your network.  If such traffic is detected, the AIP-SSM can deny that traffic from traversing your ASA.  Here is a link to a brief overview of the product:

http://www.cisco.com/go/aipssm

  First you need to configure the ASA to divert traffic to the AIP-SSM for inspection; this is outlined here:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_ssm.html

  You will then want to ensure the backplane interface (GigabitEthernet0/1) is added to a virtual-sensor on the AIP-SSM to allow inspection to occur.

  You will want to ensure the signature definitions on the AIP-SSM are up-to-date.  This ensures the most accurate protection from the AIP-SSM perspective.  This will require an active license be installed on the AIP-SSM.

  Next, you will most likely want to monitor the events generated by the AIP-SSM.  For that, Cisco offers a free, entry-level solution called IPS Manager Express (IME).  You can find out more, and download IME here:

http://www.cisco.com/go/ime

  You will want to monitor IME to learn of potential security risks within the network traffic traversing your infrastructure.  When you encounter signature events for which you wish to gain more insight, you can visit Cisco's IntelliShield site for further investigation:

http://www.cisco.com/security

  The details found here can also be expanded within the IME event display.

  Use of an IPS will be a continual monitor and learn phase to ensure you are aware of expected traffic and unexpected traffic, and that appropriate response can be applied.  This is something that is different in each and every environment, so there is not a simple white paper on how to perform these actions.

Scott
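
The first two steps of the answer above (diverting traffic from the ASA to the AIP-SSM, then assigning the backplane interface to a virtual sensor), as an added example that is not part of the original thread. The names `IPS_TRAFFIC` and `IPS_CLASS` are hypothetical; it assumes the default `global_policy`, the default virtual sensor `vs0`, and the module in slot 1. Lines starting with `!` are comments.

```cisco
! --- On the ASA, in global configuration mode ---
! Select the traffic to inspect. "any any" diverts everything; narrow it
! if only some segments should be inspected.
access-list IPS_TRAFFIC extended permit ip any any
!
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! Mode and failure behaviour of the "ips" action:
!   inline      - traffic passes through the AIP-SSM, so it can deny it
!   promiscuous - the AIP-SSM sees a copy and can only alert
!   fail-open   - traffic keeps flowing uninspected if the module is down
!   fail-close  - traffic matching the class is dropped if the module is down
!
! The class is added to the default global policy, which is normally
! already applied with "service-policy global_policy global".
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open
!
! Confirm the module is up and the policy is in effect.
show module 1 details
show service-policy
!
! --- On the AIP-SSM (reached from the ASA with "session 1") ---
configure terminal
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/1
exit
exit
! Answer "yes" at the "Apply Changes?" prompt, then leave configuration mode.
exit
! Check the installed signature update and the license status.
show version
```

With `fail-open`, an AIP-SSM that is reloading or has failed leaves traffic flowing without inspection, so module status is worth monitoring alongside the IPS events themselves.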

3 REPLIES
Community Member

Re: How to configure ASA IPS which is connected on the Internet

Hello Scott,

Thanks a ton for your detailed note, and I am sure this note will help me to go deeper inside the ASA IPS concept.

Regards,

kA.

Cisco Employee

Re: How to configure ASA IPS which is connected on the Internet

Yes, you will certainly find there are many questions that will arise as you become more familiar with the functionality of the AIP-SSM.

Don't hesitate to come back with further questions you may have and we in the community will work to answer them.

Scott
