Purchased an IPS 4255 to replace a TippingPoint unit we have used for a number of years. I configured the 4255 so I can talk to the management interface to get used to the Web Interface. I have loaded the latest software code and SIGs.
Should I run the unit in promiscuous for a while before going inline? Our TippingPoint updated its SIGs automatically and I reviewed the release to see if I should change the default action. Since I'm new to the 4255 and the Cisco SIGs, how does one get a feel for what all is enabled or denied by default? Would running in promiscuous allow me to see what SIGs would be denied and allow me to adjust until I go inline?
The latest code for the 4255 allows for auto update from Cisco. There isn't a means to force a manual update? We had that with the TippingPoint. The TippingPoint only did auto updates on SIGs. The 4255 appears to do both code and SIGs. I see no way to just select auto SIG updates?
"Should I run the unit in promiscuous for a while before going inline?"
Unless you have a high tolerance for dropped traffic...yes.
"Would running in promiscuous allow me to see what SIGs would be denied and allow me to adjust until I go inline?"
Yes, but you won't be in "promiscuous mode" per se. You will create your inline pair as normal and then create an event action filter that removes any actions that interfere with the normal flow of traffic:
Deny Attacker Inline
Deny Attacker Service Pair Inline
Deny Attacker Victim Pair Inline
Deny Connection Inline
Deny Packet Inline
Request Block Connection
Request Block Host
Request Rate Limit
Request Snmp Trap
Reset Tcp Connection
You might also want to open your SIG policy using "select by: active signatures" and sort by engine (click the engine column header). Find any normalizer sigs that have a deny/modify action and add the "produce alert" and "produce verbose alert" actions. You probably shouldn't add actions to sigs that don't have any action. There are a couple normalizer sigs like this, the point of which I don't know.