The signatures that are firing on the IPS are 6005 and 3010, and they indicate that they are blocking traffic, but Qualys is still able to scan and generate a report indicating server vulnerabilities.
I know I can block it from the ASA, but that is not the purpose; the customer needs to block Qualys scans via the IPS signatures. Please advise.
What deny action have you assigned to the signatures? If you did not assign the 'Deny Attacker Inline' action, only the traffic specific to the tuned signatures will be denied - any traffic not matched by those signatures will not be denied. Are the vulnerabilities being found the same as detected by signatures 3010/0 (TCP High Port Sweep) and 6005/0 (Unencrypted SSL Traffic)?
It is also possible that Qualys is using more than one host for scanning, and the other hosts are not being detected and denied and in turn can determine existing vulnerabilities.
Again, to afford a more guaranteed protection from a known source, implementing a complete block on the ASA would be the preferred method.
The customer was claiming that the old 4235 IPS he used was actually stopping the Qualys scan. Indeed, he replaced his AIP-SSM running the latest software with the 4235 IPS running version 5, and we found out that signature 1312 (TCP MSS Below Minimum) was firing, whereas on the AIP-SSM it does not, although it is enabled and not retired.
This had an impact on the Qualys scan, for which the 4235 was more effective. Any ideas why this is happening?
It is possible that the TCP normalization process on the ASA is correcting the MSS issue. This normalization occurs prior to the packet being forwarded to the AIP-SSM for inspection; therefore the traffic does not match signature 1312/0 and it will not fire.
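An added illustration of the point made in that reply, not code from the thread or from Cisco: a minimal model of what a "TCP MSS Below Minimum" signature inspects, and why a normalizer that rewrites the MSS option before the sensor sees the segment means the signature never matches. The threshold (MIN_MSS), the SYN segments and the normalizer behaviour are assumptions made for the illustration; the real sensor's minimum is a signature parameter and the real ASA normalizer also recomputes checksums.

```python
"""Model of signature 1312-style MSS inspection versus inline TCP normalization.

Added example: constructed packets, assumed threshold, not vendor code.
"""
import struct

MIN_MSS = 400  # assumed minimum MSS for this illustration

OPT_EOL, OPT_NOP, OPT_MSS, OPT_SACK_OK = 0, 1, 2, 4


def build_syn(src_port: int, dst_port: int, mss: int) -> bytes:
    """Constructed SYN segment with MSS, NOP, NOP, SACK-permitted options.
    Checksum is left as zero; this is only a sample for offline inspection."""
    opts = struct.pack("!BBH", OPT_MSS, 4, mss) + bytes([OPT_NOP, OPT_NOP, OPT_SACK_OK, 2])
    data_offset = (20 + len(opts)) // 4  # header length in 32-bit words
    fixed = struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port, 0, 0,
        data_offset << 4,  # data offset in the high nibble, reserved bits zero
        0x02,              # SYN flag
        65535, 0, 0,
    )
    return fixed + opts


def parse_tcp_options(tcp_header: bytes) -> dict:
    """Return {kind: value bytes} for the options carried by a TCP header.
    EOL and NOP are single-byte kinds without a length field."""
    data_offset = (tcp_header[12] >> 4) * 4
    opts = tcp_header[20:data_offset]
    result = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option length")
        result[kind] = opts[i + 2:i + length]
        i += length
    return result


def mss_of(tcp_header: bytes):
    """MSS advertised in the segment, or None if the option is absent."""
    value = parse_tcp_options(tcp_header).get(OPT_MSS)
    if value is None or len(value) != 2:
        return None
    return struct.unpack("!H", value)[0]


def sig_mss_below_minimum_fires(tcp_header: bytes) -> bool:
    """Fire only on SYN segments whose MSS option is below the minimum."""
    if not tcp_header[13] & 0x02:  # not a SYN
        return False
    mss = mss_of(tcp_header)
    return mss is not None and mss < MIN_MSS


def normalize_mss(tcp_header: bytes, minimum: int = MIN_MSS) -> bytes:
    """Model of an inline normalizer: raise an undersized MSS to the minimum.
    (A real device would also recompute the TCP checksum.)"""
    data_offset = (tcp_header[12] >> 4) * 4
    hdr = bytearray(tcp_header)
    i = 20
    while i < data_offset:
        kind = hdr[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        length = hdr[i + 1]
        if kind == OPT_MSS and length == 4:
            if struct.unpack("!H", hdr[i + 2:i + 4])[0] < minimum:
                hdr[i + 2:i + 4] = struct.pack("!H", minimum)
        i += length
    return bytes(hdr)


def sensor_verdict(tcp_header: bytes, normalizer_in_path: bool) -> bool:
    """What the sensor sees: the raw segment, or the one the normalizer forwarded."""
    seen = normalize_mss(tcp_header) if normalizer_in_path else tcp_header
    return sig_mss_below_minimum_fires(seen)


if __name__ == "__main__":
    syn = build_syn(40000, 443, 200)
    print("standalone sensor fires:", sensor_verdict(syn, normalizer_in_path=False))
    print("sensor behind normalizer fires:", sensor_verdict(syn, normalizer_in_path=True))
```

The two calls at the bottom are the 4235 (in the path without an ASA in front) and the AIP-SSM (fed only what the ASA forwards): the same undersized SYN fires in the first case and is invisible in the second, which is the behaviour described in the reply.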