AIP-SSM inline mode Question

Dear all
I have an ASA 5520 with an IPS module. I installed it three weeks ago. The IPS module is installed in inline mode.
Till now I did not see any events appear on the sensor. I configured it to scan HTTP traffic from any source to the inside LAN subnet (10.1.0.0/16).
Can I know whether the sensor is working properly or not, and how?
The following is the configuration on the ASA:
access-list outside_mpc extended permit tcp any 10.1.0.0 255.255.0.0 eq www
class-map outside-class
match access-list outside_mpc
policy-map outside-policy1
class outside-class
ips inline fail-open sensor vs0
service-policy outside-policy1 interface outside
Please find the attached file for the IPS config.
Thanks

Your config looks very similar to my working ASA configs. The only exception is your virtual sensor entries in the ASA and the IPS. If you don't need them they can be left out.
Assuming your config is correct, you can try opening up your access list to more traffic and see if you get events. You can turn on signature 2004 for ICMP echo replies if you want to stimulate some events for yourself.

Similar Messages

  • Customizing signatures question on AIP-SSM

    Hi all,
    Actually our customer has an AIP-SSM module which is configured in inline mode. Some users appear as attackers in the IPS event store.
    Can I deny any unwanted connection for these users without affecting the legitimate connections of these users, like internet browsing?
    I tried to set the signature action to "deny connection inline", but when the signature fires, the user who appeared as an attacker is totally blocked and cannot access the internet.
    Has anyone faced this issue?
    Please advise.
    Regards

    Hi Mohammed.
    Right now I'm preparing the IPS Exam, and I have read some where that:
    "deny connection inline" will stop the connection totally. But if the same user (IP address) has many "deny connection inline" actions, the IPS will say that there is a problem with this PC, and I'll not lose resources and time to block each connection, and the IPS sensor will block the host.
    You can tune the Signature to solve this issue, but this will not solve the main problem.
    But as Andy said, there is a Sweep attack from these PCs. Try to scan them with anti-virus and anti-worm software, because they are the source of these issues.
    Sweep is a "Network Reconnaissance Attack". Please take a look at this link for more information:
    http://www.cisco.com/en/US/docs/security/ips/5.1/configuration/guide/cli/cliSgEng.html#wp1048257
    I hope this is helpful.
    Best regards
    Reda

  • Single AIP-SSM in Cisco ASA Failover Active / Standby Mode

    Hi,
    Can I add a single AIP-SSM on a Cisco ASA in failover active/standby mode?

    No, both units need the same hardware, that includes the installed modules.

  • AIP-SSM 40 Inline vs Promiscuous

    Have been running new sensor for about a week now.  I implemented in promiscuous mode as the documentation seemed to indicate that inline will tend to bottleneck internet traffic.
    My questions are :
    Are you running in inline mode and what can I expect in terms of slowdown?
    Is anyone running in strictly promiscuous mode because the bottleneck was too much?
    Note : We currently have 100 meg pipe coming in from ISP on outside.

    Please refer to the datasheet for the IPS modules
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/ps6825/product_data_sheet0900aecd80404916_ps4077_Products_Data_Sheet.html
    Regards,
    Sachin

  • AIP SSM mode

    I purchased an ASA 5510 with SSM module for IPS to get in PCI compliance. I'm setting up the SSM and I don't know if I should use inline or promiscuous mode to monitor traffic. I'm afraid I'll slow things down if I do inline, but I'm not sure if promiscuous mode is enough to satisfy PCI standards. Does anyone know which can or must be used?

    I believe you have to use inline mode, but I'm not 100% on this. I have the PCI compliance file that I can forward to you if you want to send me an email.
    What is your bandwidth connection? The 5510 w/ the SSM can handle 150 Mbps. In terms of added latency, check it out for yourself, but I bet it's only an "ms" or two.
    Here is a sample config for you as well:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
    I have a copy of Cisco's PCI compliance DOC from Paul Serbin (Cisco Security SE for the southwest region) somewhere in my email, but for whatever reason, I can't find it. If you want, shoot me an email, and after I dig it up, I will forward it to you. It has the exact requirements of Cisco hardware to meet PCI compliance.
    -brad
    www.ccbootcamp.com
    (please rate the post if this helps!)

  • Transparent mode with AIP-SSM-20

    I currently have an ASA5510 in routed mode with an AIP-SSM-20.
    There is a requirement to use a fibre optic connection between this ASA and another ASA across campus, so the AIP-SSM will have to be removed and replaced with the SSM-4GE.  This part should present no issue.
    However, this will remove the IPS device, and I still want to use IPS.
    So, what I am thinking is to get another ASA5510, install the AIP-SSM, configure ASA for transparent mode and put it in between the inside of the routed ASA and my LAN.  The transparent ASA would be functioning strictly as an IPS appliance.
    Setup would look something like this:
    Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN
    Can the AIP-SSM still perform IPS with the ASA in transparent mode?
    Is there a way to configure the ASA and AIP-SSM such that traffic to/from a particular server completely bypasses the AIP-SSM?
    I have a couple of fileservers that generate heavy traffic and could overload the AIP-SSM.
    Regards.

    AFAIR, there is no problem setting up the AIP in a transparent firewall.
    "An ASA in transparent mode can run an AIP. In the event the AIP fails, the IPS will fail-open and the ASA will continue to pass traffic. However, if an interface or cable fails, then traffic will stop. You would need a failover pair to account for this failure event, which means another ASA and matching AIP."
    And no there is no problem to exclude certain hosts/ports/subnets from inspection by IPS via MPF.
    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1050744
    What I would however consider is whether the ASA 5510 as a second-tier firewall for the 5520s will be enough.
    http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
    HTH,
    Marcin
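    An added example (not Marcin's configuration or Cisco's own) that ties together the two points above: keeping heavy file servers out of the IPS class with a deny ACE, and checking whether the module is actually seeing packets (the first poster's question). The host addresses, ACL and policy names are constructed for illustration.

```cisco
! Constructed example of ASA MPF that diverts inside traffic to the AIP-SSM
! inline with fail-open, while two hypothetical file servers bypass the module.
! In an MPF class-map, a deny ACE in the matched access-list means "do not
! match", so traffic hitting a deny line is never handed to the IPS.
access-list ips_acl extended deny ip host 10.1.5.10 any
access-list ips_acl extended deny ip any host 10.1.5.10
access-list ips_acl extended deny ip host 10.1.5.11 any
access-list ips_acl extended deny ip any host 10.1.5.11
! Everything else on the inside interface goes to the sensor
access-list ips_acl extended permit ip any any
!
class-map ips_class
 match access-list ips_acl
!
policy-map ips_policy
 class ips_class
  ips inline fail-open sensor vs0
!
service-policy ips_policy interface inside
!
! Verification: the IPS line under the class shows card status, mode and
! per-direction packet counters; counters that stay at zero while hosts are
! browsing mean the class is not matching, not that the sensor is quiet.
! show service-policy interface inside
```

    Changing the class action to `ips promiscuous fail-open sensor vs0` gives the log-only behaviour asked about further down this page, with the same bypass list.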

  • Using ASA5510 AIP-SSM in IDS mode

    Hi,
    I've a Cisco ASA5510 with AIP-SSM and I would like to use it as a one-armed IDS by connecting it to a SPAN port of a switch in my network,
    without the traffic passing through the firewall.
    I've tried to configure it and connected the inside interface (fast0/1) to the SPAN port. I created the policy to permit all the traffic to the sensor, but it doesn't work: no packets received on the sensor.
    Can somebody help me?
    Thanks

    Unfortunately you can't use the AIP-SSM in an ASA with a spanning switch like you could with the 4200 series appliances.
    The reason is that the ASA was built to be a firewall, and no matter how much of that functionality you turn off, it still needs to see TCP and UDP conversations flowing thru the ASA in order to pass that traffic to the AIP-SSM sensor (I tried very hard to see if I could get around this limitation, but you can't).
    The best you can hope to do is put the ASA in-line (I know this reduces reliability) and turn off as much of the firewall configs as you can. Then you can promiscuously monitor the traffic passing thru the ASA with the AIP-SSM.
    It's not ideal, but it's the cheapest IPS sensor in Cisco's line up right now.
    - Bob

  • AIP-SSM Configuration Maintenance in Active Stdby modes

    So, I'm pretty new to the AIP-SSM but not to ASA's. It appears that very little of the AIP module config gets copied over to the Stdby AIP, nothing other than what appears in the ASA config (ACL's, etc.). So, do all the config elements particular to the module itself have to be manually reproduced on the Stdby module, either by hand entry or config copies moved between the two?

    So in Active/Standby scenarios with AIP-SSM, what is the reasoning for not having a feature for automatically copying over module config changes as with the ASA config?
    If there is no good reason, is it on the AIP-SSM road map to provide this feature?
    This can be a real pain in the arse for complex IPS configs. You have to do everything twice, and right away, so you won't miss anything should the ASAs flip.

  • AIP-SSM 20 questions

    Hi,
    We have this module on an ASA 5540. While the inspection load is reaching a max of 35%, the CPU is reaching 100% sometimes.
    1- How do I check the current bandwidth in Mbps being inspected?
    2- How do I check if there are drops when the CPU is reaching 100%?
    3- If the CPU hangs at 100%, will fail-open work or will the module start dropping legitimate packets?
    4- Should I upgrade my card to AIP-SSM 40 although the inspection load is still 35%?
    Thank you

    To check if your sensor is dropping packets, get on the CLI and run
    show interface - This will show you an averaged packet loss across all interfaces since last reset and on a per-interface basis.
    show event stat past 01:00 inc missed - This will show you any peaks in your missed packets over the last hour.

  • Configuring SNMP Trap receiver on AIP-SSM sensor

    I receive the following error message from my ASA5520 firewall when attempting to forward SNMP traps from my AIP-SSM20 sensor to a server on my Inside interface that is configured to receive SNMP traps:
    ASA-4-418001: Through-the-device packet to/from management-only network is denied: udp src management: 10.3.21.2/32768 dst Inside: PPC0ES/162
    Can I reconfigure the management IP address of the AIP-SSM sensor to connect to the Inside interface instead of the management vlan or does my SNMP server have to reside on the management vlan with the sensor?


  • Configuring AIP-SSM module

    hi,
    We have an AIP-SSM-40 module installed on an ASA 5540, but it is just physically present.
    Is it possible to configure this module in inline or IDS-like mode? It has only one Ethernet interface. Can this interface be treated as a sensor interface and receive a copy of all incoming frames on this interface (by SPAN on switches)?
    Please share the experience.
    Thanks in advance.
    Subodh

    Hi Subodh,
    Yes, the AIP-SSM can operate in either inline (IPS) or promiscuous (IDS) mode. I would recommend you start by reviewing the following config guide, which shows you how to configure the ASA to pass traffic to the SSM for inspection:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
    If you have any other specific questions, feel free to post back.
    Hope that helps.
    -Mike

  • Do I need two AIP-SSM modules if I am configuring failover?

    Is it possible to use a single AIP-SSM module in two ASA's that are configured in Active/Standby mode?
    I would like to configure the module in the first ASA with the fail-open setting.  Then, if the first ASA fails, I could then physically remove the AIP-SSM module and place it in the second ASA.
    Would there be any problems configuring it this way?
    Would the active/standby ASA's complain that there is only one AIP-SSM module?
    Thanks in advance.

    Hello Julio. My name is Rogelio, and I would appreciate your answer on a related matter, because I will have to execute the initial configuration of a failover pair, each one with its own IPS module.
    Question: let's suppose that I execute a basic setup (admin username/password, IP address, mask, gateway) on the IPS module of the active ASA firewall. Will this configuration be replicated to the IPS module of the secondary unit?
    Your kind answer will be greatly appreciated.
    Best regards...

  • Configuring AIP SSM to monitor only

    Hi all,
    We purchased an AIP-SSM-20 for our ASA5520. Is there a way to enable IPS functionality, but not block anything, i.e. just log events? This is just to see if any legitimate company traffic will be blocked.
    Thanks!
    Jacques

    Configure the ASA to send traffic to the IPS in promiscuous mode using the following command in a policy-map:
    hostname(config-pmap-c)# ips {inline | promiscuous} {fail-close | fail-open} [sensor {sensor_name | mapped_name}]
    http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/aipssm.html
    George

  • CSM to update IPS AIP -SSM

    Hi all,
    I need some help. I am configuring my CSM 3.1 to apply updates to my IPS AIP-SSM.
    I went to the apply IPS tab and chose to update from cisco.com. But it always stays in processing for a long time.
    I tried to enter my username and password for the sensors or the CCO account, but still no improvement. Does anyone know how to configure this? I tried reading the user guide; there are no examples.
    Thanks

    The IPS-engine-E2-req-5.1-7.pkg Engine Update file is just to upgrade an existing 5.1(7)E1 sensor to 5.1(7)E2.
    It only changes the "engine" features of the sensor that are necessary for installing signature updates requiring E2. It does not change other files on the sensor.
    The IPS-K9-5.1-8-E2.pkg Service Pack file is for upgrading the entire image to the next service pack level as well as upgrading the "engine" features. So you get all of the latest bug fixes.
    So which to use?
    If you are running 5.1(7)E1 then you will eventually want to get to 5.1(8)E2. But the upgrade to 5.1(8)E2 WILL require a reboot and so if running in an inline mode it should only be done during a scheduled network downtime. For most networks this could be a week or even a month before the downtime can be scheduled to do this type of upgrade. So the IPS-engine-E2-5.1-7.pkg file is a short term solution to get you to the E2 level required for signature updates, until you can schedule the upgrade to 5.1(8)E2.
    The IPS-engine... file will NOT reboot the sensor. It will temporarily stop analysis, and if Software ByPass is set to auto then traffic will be allowed to pass through the sensor unanalyzed while the engine update takes place. Because the traffic will continue to flow with Software ByPass, most companies will allow an Engine update to be installed without having to schedule network downtime.
    Of course, the above discussion was really only applicable when E2 was the latest Engine release. Now that E3 is out, the discussion really becomes how to get to E3.
    There is Not an IPS-engine-E3-req-5.1-7.pkg engine update file.
    So you must get to 5.1(8)E3 if you want to keep getting recent signature updates.
    So then it just depends on your current IPS version.
    If you are running 5.1(7)E2 or earlier version then you must schedule a downtime and install the IPS-K9-5.1-8-E3.pkg file in order to install the latest E3 required signature updates.
    If you are running 5.1(8)E2 already, then you need to install the IPS-engine-E3-req-5.1-8.pkg file because the only thing needing to be upgraded is the Engine level to E3.
    General Rules of Thumb:
    Always ensure you are at the latest Service Pack level for the major/minor version train you are using. (5.1(8) in this case)
    If you are running the latest Service Pack then you will be able to simply install an Engine Update when the next Engine Update comes out without having to schedule downtime.
    If you are not at the latest Service Pack level then you will want to schedule a network downtime to do that upgrade within 60 days of the Service Pack being released.
    If an Engine Update comes out before you get a chance to upgrade to the next Service Pack, then install the Engine Update for the prior Service Pack (that you should at least be at) as a temporary measure to keep getting signature updates. And schedule a Service Pack upgrade as soon as possible.
    Why 60 days?
    If a new Engine Update is released within 60 days of a Service Pack release, then the Engine Update will be released for both the latest Service Pack AND the one prior. But if the new Engine Update is longer than 60 days after the latest Service Pack, then an Engine Update will be created only for the latest Service Pack and not for the prior. This is why E3 was only released for 5.1(8). E3 was released more than 60 days after 5.1(8), so there was not an E3 for the prior 5.1(7).
    So you see that an Engine Update for a prior Service Pack should be considered a temporary measure until you can get the next Service Pack installed.
    If you wait too long another Engine Update might come out, and you might be forced into an immediate network downtime to get to the latest Service Pack.
    As for whether you HAVE to install IPS-engine-E2-req-5.1-7.pkg before installing IPS-K9-5.1-8-E2.pkg (or more importantly IPS-K9-5.1-8-E3.pkg):
    The answer is NO.
    You can go directly from any 5.0 or 5.1 version directly to IPS-K9-5.1-8-E3.pkg.

  • AIP-SSM crash during S389 Signature upgrade

    Our AIP-SSM [version 6.1(2)E3] crashed during a S389 Signature upgrade on Friday. Neither a "session 1" command from its host, an ASA5520, or a "reload" command of the ASA5520 succeeded in bringing back up the AIP-SSM. Fortunately, after the ASA's power was recycled, the AIP-SSM successfully booted, albeit not to S389, but to its previously loaded S383. I established an SR and supplied the "show tech" and "show config," but the Cisco tech replied "nothing stands out" in them and said just run the S389 update again and send the same info if it crashes. I have several problems with that approach: 1) he had replied that several other customers had had the same problem; 2) our current AIP-SSM is a replacement for an RMA'ed one which had choked on the E2 engine upgrade a few months ago; 3) if another S389 upgrade attempt fails, our client's network will be down because our security policy requires the ASA's bypass mode for the AIP-SSM to be "fail-close." My questions to the forum include:
    1) If the "show tech" command is run after an AIP-SSM has rebooted after a previously-attempted S389 upgrade, can it include any information specific to the previously-attempted S389 upgrade? 2) Could the hardware components of the AIP-SSM-10 be inadequate for the combination of the E3 engine plus the cumulative signatures? 3) If the answer to question 2 is "yes" or "possibly," could Cisco modularize the signatures, e.g. provide an "only-activated-signatures" (i.e. smaller) file for customers like us and an "everything" file for others? Advice and recommendations heartily requested.

    Based on your show version, you already have E4, what is it that you are trying to do?
    Mike
