static nat statement allowed IPS to miss a potential attack?

Hi,

I have a question about a static NAT statement and the IPS module. The customer says that there was a brute-force attack against a server on port 3389 (RDP).

The IPS did not report any attack in progress, nor does it show in history there was an attack.

I think that because this statement was in the router:

ip nat inside source static tcp x.x.x.x 3389 (external address x.x.x.x) 3389 extendable

the IPS did not see any problem, and therefore the traffic was not classified as rogue.

Can anyone confirm this is why IPS did not alert on the traffic, or add your thoughts?

Every 2 minutes someone was trying to log in to the server from the outside. The server logs alerted the customer that there was a problem.

The customer removed the statement from the router, and the attack ceased.

We have:

internet -> 3925 router -> ASA 5512 w/ IPS module -> inside LAN

Thank you.

static nat statement allowed IPS to miss a potential attack?

The reason the attack ceased when you removed the NAT is probably that no external access is possible any more without that NAT statement.

There are two reasons the IPS missed the attack:

1) To my knowledge there is no signature for failed logins to an RDP service, so the IPS can't act on it.

2) If there had been a signature, the thresholds would have had to be quite tight to catch an attack that only happens every two minutes. That leads to a higher false-positive rate, or to missed attacks if the thresholds are set higher.

Here it seems that your security is working, as you have a second source of input (your log files).

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
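The threshold trade-off described in point 2 above can be made concrete. The following is an added example, not code from the original thread or from Cisco: it runs a simple sliding-window failed-logon detector over a constructed set of Windows Security log lines (Event ID 4625, logon type 10 for RDP; the line format is simplified and is an assumption, not a real Windows export). The source addresses, account names and timestamps are all constructed. Three policies are compared: a tight IPS-style window (5 failures in 60 seconds), an even tighter one (3 in 60 seconds), and a long log-based window (10 failures in 30 minutes). One attempt every two minutes slips under both short windows, the tightest one fires on a legitimate user mistyping a password, and only the long window flags the slow attacker.

```python
"""Sliding-window failed-logon detector over constructed 4625 log lines.

Added example for the thread above; not part of the original post.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Construct sample log lines (not a real export, format is assumed).

    - 203.0.113.7 fails one RDP logon every two minutes for an hour
      (the low-and-slow pattern described in the thread).
    - 198.51.100.20 is a legitimate user mistyping a password three
      times within thirty seconds.
    """
    start = datetime(2013, 5, 1, 2, 0, 0)
    lines = []
    for i in range(30):
        ts = start + timedelta(minutes=2 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 4625 LogonType=10 "
                     f"Account=administrator SourceIP=203.0.113.7")
    for i in range(3):
        ts = start + timedelta(minutes=10, seconds=15 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 4625 LogonType=10 "
                     f"Account=jdoe SourceIP=198.51.100.20")
    return lines


def parse_events(lines):
    """Return (timestamp, source_ip, account) for each 4625 line."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6 or parts[2] != "4625":
            continue  # skip anything that is not a failed-logon record
        ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        fields = dict(p.split("=", 1) for p in parts[3:])
        events.append((ts, fields.get("SourceIP", ""), fields.get("Account", "")))
    return events


def detect_bruteforce(events, threshold, window):
    """Flag any source with >= threshold failures inside a sliding window.

    `window` is a timedelta; events are processed in time order and a
    per-source deque keeps only the timestamps still inside the window.
    """
    recent = defaultdict(deque)
    flagged = set()
    for ts, src, _account in sorted(events):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold:
            flagged.add(src)
    return flagged


def compare_policies():
    """Run the three threshold policies over the constructed log."""
    events = parse_events(build_sample_log())
    return {
        # Short window, moderate count: misses one attempt per two minutes.
        "ips_like_5_in_60s": detect_bruteforce(events, 5, timedelta(seconds=60)),
        # Tightened to catch slow attacks: fires on the legitimate user instead.
        "tight_3_in_60s": detect_bruteforce(events, 3, timedelta(seconds=60)),
        # Long window over server logs: catches the slow attacker only.
        "log_10_in_30min": detect_bruteforce(events, 10, timedelta(minutes=30)),
    }


if __name__ == "__main__":
    for name, hits in compare_policies().items():
        print(f"{name}: {sorted(hits) or 'no alert'}")
```

The window length, not the count, is what separates the two outcomes: a per-source window of half an hour carries the cost of keeping state per source for that long, which is cheap in a log pipeline but is exactly the kind of long-lived state an inline signature engine is tuned to avoid.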
static nat statement allowed IPS to miss a potential attack?

Thanks for your answer. That makes sense to me.
