Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Charlie Stokes about Intrusion Prevention Systems. Charlie works as an Intrusion Prevention Systems (IPS) technical marketing engineer and has been a network security specialist for over eight years. Charlie came to Cisco as part of the Wheelgroup acquisition in 1998 that brought Intrusion Detection Systems (IDS) technology into Cisco. After the acquisition, he worked in the Technical Assistance Center (TAC) for two years covering the Security and VPN products. Since 2000, Charlie has been covering IDS/IPS products as the lead technical marketing engineer.
Remember to use the rating system to let Charlie know if you have received an adequate response.
Charlie might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through February 10, 2006. Visit this forum often to view responses to your questions and the questions of other community members.
Is it a good practice to place an IPS on the inside of the firewall or outside?
Here is my understanding, please suggest if it is OK:
1. When it comes to attacks from the outside (ex: internet), an IPS can prevent attacks better than a firewall. So, it is good to place it on the outside of the firewall.
2. In a topology with inside, DMZ and outside, to protect the DMZ from inside as well as the outside, IPS has to be placed such that all traffic going to the DMZ traverses the IPS.
3. If I have to protect my DMZ from inside & outside and protect my inside from outside..then should I go for multiple IPS appliances?
Appreciate your response.
Is it a good practice to place an IPS on the inside of the firewall or outside?
1. CS) Generally speaking, if I were deciding where to position an IPS I would always start inside the firewall rather than outside the firewall. The reason is that in a layered approach to defense, it doesn't really make sense to analyze every packet from layer 2 to layer 7 only to have those packets simply denied by policy at the firewall. Firewalls are designed to enforce a specific policy on traffic flows, so why not let that occur to filter off anything that doesn't need to be inspected anyway. That will also prevent the IPS from firing alarms on attacks that would not normally have even been permitted through the firewall (Blaster packets, for example).
2. CS) Correct. To protect the DMZ, you will generally put the IPS between the DMZ switch or vlan and the firewall. That way you ensure that all traffic going to the DMZ will go through the IPS device. This of course assumes a standard network setup.
3. CS) This will depend specifically on the performance required at the position where you need to do inspection. For instance, if you have 100 megs of DMZ traffic (from outside and inside) along with 100 megs of internal traffic, you would need an IPS capable of handling at least 200 megs of traffic.
Just to add a few more possibilities
The AIP-SSM with IPS software is a good answer to these types of questions dealing with placements of IPS sensors and firewalls.
The ASA is the new family of Adaptive Security Appliances which include Firewall and VPN functionality in one system.
The AIP-SSM is the Adaptive Inspection and Prevention Security Services Module. It is a hardware module that can be placed within the ASA, and can run the same IPS software as the Cisco IPS Appliances, and has almost all of the exact same functionality as the IPS Appliances, and even uses the same updates as the IPS Appliances.
So instead of deciding whether to place an IPS in front of or behind the firewall, you now have the option of placing the IPS actually within the firewall. With the AIP-SSM you can monitor all or just a portion of the traffic as it flows through the firewall (you use a service policy to decide which traffic gets sent to the AIP-SSM for IPS analysis, and can apply the policy globally to the firewall as a whole or to just one interface of the firewall). It can also be configured for inline or promiscuous monitoring of the traffic.
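As an added illustration (not code from the original post), here is what the service-policy arrangement described above looks like in ASA 7.x configuration: an access list selects the traffic, a class map matches it, a policy map hands matching packets to the AIP-SSM, and the service policy is applied either to one interface or globally. The access-list, class-map and policy-map names, the DMZ subnet and the interface name are assumptions for this example; the `ips {inline | promiscuous} {fail-open | fail-close}` keywords are the ASA's own. Lines beginning with `!` are annotations.

```cisco
! Select only DMZ traffic for inspection (names and subnet are assumed for this example).
access-list IPS_DMZ_TRAFFIC extended permit ip any 192.168.10.0 255.255.255.0
access-list IPS_DMZ_TRAFFIC extended permit ip 192.168.10.0 255.255.255.0 any
!
class-map IPS_DMZ_CLASS
 match access-list IPS_DMZ_TRAFFIC
!
! Inline: the ASA holds each packet until the module returns a verdict, so the
! module can drop. fail-open passes traffic uninspected if the module fails;
! fail-close blocks it instead (safer, but the DMZ goes dark on a module fault).
policy-map DMZ_IPS_POLICY
 class IPS_DMZ_CLASS
  ips inline fail-open
!
! Apply to a single interface (interface name assumed) ...
service-policy DMZ_IPS_POLICY interface dmz
!
! ... or inspect everything that traverses the firewall, here in promiscuous
! mode (the module only sees a copy and cannot drop), via the global policy.
class-map ALL_TRAFFIC
 match any
!
policy-map global_policy
 class ALL_TRAFFIC
  ips promiscuous fail-open
!
service-policy global_policy global
```

Two things worth checking after applying this: `show service-policy` on the ASA should show the module class accumulating packets on the interface you intended, and the fail-open/fail-close choice should be a deliberate decision, since with fail-open a crashed or rebooting module means traffic flows through uninspected. Where the same traffic matches both an interface policy and the global policy, the interface policy is the one that takes effect for that feature.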
I have recently installed an ASA-5510 with AIP-SSM-10. It all works fine as long as I monitor the traffic in promiscuous mode. However, when I change my service-policy and change the monitoring to inline mode, after a few seconds the ASA reloads! After reloading it is back in promiscuous mode, of course. There's nothing to see in the logging.
Am I doing something wrong? I exactly followed the documentation.
My question is regarding the "normalizer" sigs (1330) and sig 1308. We run our sensors behind the firewall, and if you execute a "show statistics virtual-sensor" and scroll to the bottom, 1330 and 1308 fire all the time. They both by default do not produce an alert and either deny-packet or modify-packet. My question is: should these sigs be disabled, or do they need to be tuned?
I have had major issues with Citrix ICA traffic and sig 1330 subsigs 12, 15 and 17. The only way I can get ICA to work properly is to remove the "deny-packet" action from these subsigs. Is this normal? Does Cisco have any guidance on 1330?
Finally, sig 1308 TTL evasion: I have turned this sig off on all our sensors. I read a post by Marcabel that a PIX modifies sequence numbers and the sensor sees this as someone performing an evasion. Is turning 1308 off when the sensor is behind a firewall OK?
We are running 5.0(5) sig 214 and all are inline.
Thank you in advance
Hi Charlie, could you please tell me what the architecture difference is between an IDS and an IPS? Please explain this to me. I have a Cisco 4215 IPS; could you please tell me any method by which I can downgrade it to 4.1 IDS? Thank you.
Hi Charlie, my question is: if I am running IPS software on my IDSM-2, when will I be able to inspect multiple VLANs inline? Last time I checked we could only monitor 2 VLANs.
We have a core switch and would like to monitor all internal vlans as well as the traffic going out to the internet, what is the best way to doing this?
I assume you are running 5.0.x code on your IDSM.
5.0 is limited to what is called interface pairing, and with IDSM, that means you can assign each interface to sit on one specific VLAN. On the IDSM, you would pair the two interfaces together and assign them to be monitored. The IDSM is then inspecting traffic traversing between the two VLANs.
5.0 code has no support for what is referred to as VLAN pairing. This is a feature new to 5.1 code, released last fall. With this code on your IDSM (and with the Catalyst switch running CatOS), you will be able to use just one interface and make it a trunk port. You will then be able to create, in the IDSM config, pairs of VLANs that define which VLANs the IDSM inspects traffic between. In this way, the IDSM can sit between as many as 250 VLAN pairs per physical interface (up to the performance bandwidth of the sensor).
I am looking for example diagrams/schematics on where to place the ips appliance in the network such as for example extranet, dmz, outside, etc. Also I wonder how to connect the management interface of the appliance to the corporate LAN.
There are far too many possible network diagrams to be as specific (or general) as saying this is how to deploy on the DMZ, outside, etc. The more important piece of the puzzle is at a specific location, how can this box be put inline. That is done by either using interface pairs and treating the box as a wire between two other network devices, or vlan pairs (5.1 only) and attaching the device to a switched environment using a trunked port and having the device sit between two vlans on the switch. What kind of question were you having about the management interface? It's a copper ethernet interface and can be plugged in almost anywhere. If you are asking about what network to connect to, the first answer is always using the management network as described in the SAFE whitepaper.
The primary difference between an IPS and an IDS is that the IPS sits in the packet flow and when an attack is detected can actually deny or drop the packet. An IDS works with copies of packets and thus can't take those actions.
As to specifically downgrading a 4215, this is done by downloading the 4215 4.1.x system image from CCO:
and then walking through the steps necessary to load it:
I have to admit, personally, I haven't heard of either of these signatures causing a problem.
First let's talk about 1330. Are you sure that these signatures being fired are not valid? Are the packets sourced from several IP addresses, and are they destined to several different IP addresses, and/or does this traffic look spoofed? Do these sigs affect any other applications besides Citrix? I would recommend some strong forensic investigation in this area, because normal IP traffic should not cause 1330 to fire.
That being said, if you are relatively sure that these signatures are benign and the problem is isolated to Citrix, I would say your best option is to use the Event Action Filter and specify that packets destined to your Citrix servers, matching signature 1330 and the associated subsignatures, should not be dropped. In general, I would not recommend just turning off 1330, because it may allow IPS evasion attacks against your network.
While it's true that a firewall will modify sequence numbers, I haven't heard that a firewall will trigger TTL evasion type traffic. Again, you may want to use the same techniques described above to bypass the signature while potentially dangerous traffic is being investigated.
Many times when normalizer signatures fire it's because of traffic symmetry problems. Is there any chance that you have multiple data paths in your network, and that the IPS is only seeing part of a data flow and not the entire flow?
Another suggestion that may be of value is to consider CS-MARS to do automated event log correlation for you. This makes it much easier to determine whether the signature is a false positive or a potentially serious problem.
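As a worked example added here (not part of the original reply), this is the Event Action Filter approach from the answer above expressed in IPS 5.x CLI: a filter that removes only the inline deny action from signature 1330 events whose victim is in the Citrix server subnet, leaving the signature enabled and its other actions intact. The filter name and the server address block are assumptions for this example, and the `service event-action-rules` command names are given from memory of the 5.x CLI, so verify them with `show settings`. Lines beginning with `!` are annotations, not sensor commands.

```cisco
sensor# configure terminal
sensor(config)# service event-action-rules rules0
! Filters are evaluated in order; put this one first so it is not shadowed.
sensor(config-eve)# filters insert citrix-1330-no-deny begin
sensor(config-eve-fil)# signature-id-range 1330
! A range, so this also covers subsigs 13, 14 and 16 in addition to 12, 15 and 17
! (assumption: acceptable here; otherwise create one filter per subsig).
sensor(config-eve-fil)# subsignature-id-range 12-17
! Only traffic whose victim is a Citrix server (assumed subnet) is exempted.
sensor(config-eve-fil)# victim-address-range 10.20.30.0-10.20.30.255
! Strip the drop only; any alert or logging actions on the signature still run.
sensor(config-eve-fil)# actions-to-remove deny-packet-inline
sensor(config-eve-fil)# filter-item-status Enabled
! Let later filters still be evaluated for the same event.
sensor(config-eve-fil)# stop-on-match False
sensor(config-eve-fil)# exit
sensor(config-eve)# exit
Apply Changes:?[yes]: yes
```

One practical note: because 1330 and 1308 carry no produce-alert action by default (as the question observes), an exemption like this is invisible unless you also add produce-alert, or log-pair-packets, to the signature while you investigate. That gives you the trigger packets to decide whether the Citrix flows really are benign before the exemption becomes permanent, and it keeps the deny in place for every other destination.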
We have a security issue with the IPS. Due to security concerns, we are not allowed to leave hard disks in this restricted area. The IPS 4255 is diskless; however, I believe it still has a compact flash drive.
1. Can you confirm the 4255 IPS uses a compact flash (flash memory) for storage?
2. How is the compact flash used. Is the compact flash a temporary storage for the event store - does it work like a running buffer?
3. Does the IPS 4255 analyze the packet fully and NOT just the packet header? If yes, does the IPS store the full packet information in the compact flash, or does it just store the host name and ip address?
Is the security issue with moving the device from one location to another (example: classified network to non classified network)? Or with the storage of data in general? If the former, then you would have to work out some kind of replacement strategy with your account team and TAC. If the latter then you will have some issues as all IPS devices on the market have the capability to store entire packet data in some type of persistent storage.
1) Correct. 4255 and 4240 have a compact flash only (same as ASA product line) with no hard drive.
2) The compact flash is used to store everything persistent to the sensor (base OS, sensor code, compacted event store, config) when the sensor is shut down. No temporary data is stored in flash, as flash has a limited number of writes (numerous, but still limited). All temporary data is stored in memory (RAM disks, etc.).
3) Certainly. All IDS and IPS devices have to do inspection of the packets beyond the header data. Full packet data can be stored in compact flash in various cases (produce-verbose-alert stores the trigger packet in the event; log-attacker/victim/pair-packets stores binary copies of all packets seen on the wire that meet the filter). All of these can be stored in compact flash.