AIP SSM mode

I purchased an ASA 5510 with SSM module for IPS to get in PCI compliance. I'm setting up the SSM and I don't know if I should use inline or promiscuous mode to monitor traffic. I'm afraid I'll slow thing down if I do inline but I'm not sure if promiscuous mode is enough to satisfy PCI standards. Does anyone know which can or must be used?

I believe you have to use inline mode, but I'm not 100% on this. I have the PCI compliance file that I can forward to you if you want to send me an email.
What is your bandwidth connection? The 5510 w/ the SSM can handle 150 Mbps. In terms of added latency, check it out for yourself, but I bet it's only an "ms" or two.
Here is a sample config for you as well:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
I have a copy of Cisco's PCI compliance DOC from Paul Serbin (Cisco Security SE for the southwest region) somewhere in my email, but for whatever reason, I can't find it. If you want, shoot me an email, and after I dig it up, I will forward it to you. It has the exact requirements of Cisco hardware to meet PCI compliance.
-brad
www.ccbootcamp.com
(please rate the post if this helps!)

Similar Messages

Single AIP-SSM in Cisco ASA Failover Active / Standby Mode

Hi,
I can add single AIP-SSM on Cisco ASA in failover active / standby mode?

No, both units need the same hardware, that includes the installed modules.
Sent from Cisco Technical Support iPad App

Transparent mode with AIP-SSM-20

I currently have an ASA5510 in routed mode with an AIP-SSM-20.
There is a requirement to use a fibre optic connection between this ASA and another ASA across campus, so the AIP-SSM will have to be removed and replaced with the SSM-4GE. This part should present no issue.
However, this will remove the IPS device, and I still want to use IPS.
So, what I am thinking is to get another ASA5510, install the AIP-SSM, configure ASA for transparent mode and put it in between the inside of the routed ASA and my LAN. The transparent ASA would be functioning strictly as an IPS appliance.
Setup would look something like this:
Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN
Can the AIP-SSM still perform IPS with the ASA in transparent mode?
Is there a way to configure the ASA and AIP-SSM such that traffic to/from a particular server completely bypasses the AIP-SSM?
I have a couple of fileservers that generate heavy traffic and could overload the AIP-SSM.
Regards.

AFAIR, There is no problem to setup AIP in a transparent firewall.
"An ASA in transparent mode can run an AIP. In the event the AIP fails,
the IPS will fail-open and the ASA will continue to pass traffic.
However, if an interface or cable fails, then traffic will stop. You
would need a failover pair to account for this failure event, which
means another ASA and matching AIP."
And no there is no problem to exclude certain hosts/ports/subnets from inspection by IPS via MPF.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1050744
What I however consider however is if the ASAs 5510 as second tier firewall for 5520s will be enough.
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
HTH,
Marcin

Using ASA5510 AIP-SSM in IDS mode

Hi,
I' ve a Cisco ASA5510 with AIP-SSM and I wold like to use it like a one-armed IDS for connect them to a span port of a switch in my network,
without the traffic passing through the Firewall.
I've try to configure it and connect the interface inside (fast0/1) to the span port, I create the policy for permit all the traffic to the Sensor but it doesn't work, no packet recived on sensor.
somebody can help me?
thanks

Unfortunately you can't use the AIP-SSM in an ASA with a spanning switch like you could with the 4200 series appliances.
The reason is that the ASA was built to be a firewall, and no matter how much of that functionality you turn off, it still needs to see TCP and UDP conversations flowing thru the ASA in order to pass that traffic to the AIP-SSM sensor (I tired very hard to see if I could get around this limitation, but you can't).
The best you can hope to do is put the ASA in-line (I know this reduces reliability) and turn off as much of the firewall configs you can. Then you can promisciously monitor the traffic passing thru teh ASA with teh AIP-SSM.
It's not ideal, but it's the cheapest IPS sensor in Cisco's line up right now.
- Bob

AIP-SSM Configuration Maintenance in Active Stdby modes

So, I'm pretty new to the AIP-SSM but not to ASA's. It appears that very little of the AIP module config gets copied over to the Stdby AIP, nothing other than what appears in the ASA config (ACL's, etc.). So, do all the config elements particular to the module itself have to be manually reproduced on the Stdby module, either by hand entry or config copies moved between the two?

So in Active/Standby scenarios with AIP-SSM, what is the reasoning for not having a feature for automatically copying over module config changes as with the ASA config?
If there is no good reason, is it on the AIP-SSM road map to provide this feature?
This can be a real pain in the arse for complex IPS configs. You have to do everything twice, and right away, so you won't miss anything should the ASA'a flip.

Do I need two AIP-SSM modules if I am configuring failover?

Is it possible to use a single AIP-SSM module in two ASA's that are configured in Active/Standby mode?
I would like to configure the module in the first ASA with the fail-open setting. Then, if the first ASA fails, I could then physically remove the AIP-SSM module and place it in the second ASA.
Would there be any problems configuring it this way?
Would the active/standby ASA's complain that there is only one AIP-SSM module?
Thanks in advance.

Hello Julio. My name is Rogelio, and I would appreciate your answer on a related matter, because I will have to execute the initial configuration of a failover pair, each one with its own IPS module.
Question: let´s suppose that I execute a basic setup (admin username/password, IP address, mask, gateway), on the IPS module of the active ASA firewall. ¿Will this configuration be replicated to the IPS module of the secondary unit?
Your kind answer will be greatly appreciated.
Best regards...

Password Reset for AIP-SSM 10

Hi,
i have an ASA5520 with v 7.2(2) running.
but the IPS module spftware is 5.1
when i tried to login to the > session 1
it prompts me for a login and password.
i tried cisco and a few other combinations.. but no luck ,,
how do i reset it ?? also that reset procedure on the docs says its resets password or the user cisco ..
how can i be sure if the user cisco even exists on it or not ?
any help please ???

no man it doesnt ..
the link u specified says it too..
hw-module module slot_number password-reset?This command recovers a password on a Cisco ASA 5500 Series Content Security and Control Security Services Module (CSC-SSM) or the AIP-SSM without having to re-image the device.
Note: This command starts support from IPS 6.0 (ASA 7.2 version) and is used to restore the Cisco CLI account password to the default cisco
hers my ASA and IPS details..
ASA# sh version
Cisco Adaptive Security Appliance Software Version 7.2(2)
Device Manager Version 5.2(2)
Compiled on Wed 22-Nov-06 14:16 by builders
System image file is "disk0:/asa722-k8.bin"
Config file at boot was "startup-config"
ASA up 22 days 3 hours
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
ASA# sh module 1
Mod Card Type Model Serial No.
1 ASA5500 SSM-10 ASA-SSM-10 B155670DW4
Mod MAC Add Range Hw Ver. Fw Ver. Sw Ver.
1 00xx to 001 1.0 1.0(10)0 5.0(2)S152.0
Mod SSM Apps. Name Status SSM Apps Version
1 IPS Up 5.0(2)S152.0
Mod Status Data Plane Status Compatibility
1 Up Up

Sync configs between AIP-SSMs

We have a pair of ASA 5520s in active/stanby mode. This part of the situation works great, configurations are always synced to the standby, nothing is lost. Planned failover has worked every time without users even noticing.
We have an AIP-SSM-20 in each.
The challenge arises as it seems there is still no easy and automatic way to sync the configuration of the SSMs together.
Due to all the false positives, we need to perform configurations on the AIP-SSMs. Is there a method I am overlooking, how do you do it?
Thanks.

Thanks for your reply. I've gotten back on this subject....
Does this run as a service, like it is running all the time and needs to be installed on a system which is always up, or does this run as an application only as needed.
Based on the requirements, I can not tell. It can run on desktop OSes or Server OSes.
"Hard Drive
â¢ 100 GB
Memory (RAM)
â¢ 2 GB
Supported Operating Systems
â¢ Windows Vista Business and Ultimate (32-bit only)
â¢ Windows XP Professional (32-bit only)
â¢ Windows 2003 server
Note: Cisco IPS Manager Express supports only the 32-bit U.S. English version of Windows."
100GB for an application, seems rather hefty to me. Is this for real?
Thanks

How to block p2p applications(Bittorent like) with AIP-SSM-10?

Hi,
How to block p2p application using AIP-SSM-10 working with ASA5520?AIP is on promiscuous mode.
Thanks,
Siva

There are several signatures that detect p2p, for bit torrent there is 11020.0
Yahoo triggers: 5539.0, 11200.0, 11212.0, 11217.0 & 11219.0
etc..
Some are disabled by default though so please ensure you enable the ones that you need.
If you want to block these then you will have to use event actions that work in promiscuous setup for example request block connection and tcp reset. Please note that care must be taken when using these event actions.
For more information about the event actions please refer the link below:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/idmguide/dmevtrul.htm#wp1069467

AIP-SSM-10 status: Unreponsive

Hye All,
wish to know what can result in an AIP-SSM-10 to be in an unreponsive mode.
Thanks ye all.

Power cycle the ASA. If the AIP-SSM console port doesn't come back to life, RMA it with a Cisco TAC case.
- Bob

Configuring SNMP Trap receiver on AIP-SSM sensor

I receive the following error message from my ASA5520 firewall when attempting to forward SNMP traps from my AIP-SSM20 sensor to a server on my Inside interface that is configured to receive SNMP traps:
ASA-4-418001: Through-the-device packet to/from management-only network is denied: udp src management: 10.3.21.2/32768 dst Inside: PPC0ES/162
Can I reconfigure the management IP address of the AIP-SSM sensor to connect to the Inside interface instead of the management vlan or does my SNMP server have to reside on the management vlan with the sensor?

Hi Subodh,
Yes, the AIP-SSM can operate in either inline (IPS) or promiscuous (IDS) mode. I would recommend you start by reviewing the following config guide, which shows you how to configure the ASA to pass traffic to the SSM for inspection:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
If you have any other specific questions, feel free to post back.
Hope that helps.
-Mike

AIP-SSM (Not Applicable)

Hi Experts,
             We have 2ASA and each one have AIP-SSM,with 2nd ASA AIP-SSM I tried to upload latest image for AIP-SSM 20 but didnt worked and now i see module is dead...pls check the detials below.....pls help me out how to make it up or work properly so that i can config other stuff.Pls its very imp and urgent help me out....
ASA-A:
251-DBSi-ASA5540# sh module 1
Mod Card Type                                    Model              Serial No.
1 ASA 5500 Series Security Services Module-20 ASA-SSM-20         JAF11370608
Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
1 0007.0e11.e13b to 0007.0e11.e13b 1.0          1.0(11)2     5.1(6)E1
Mod SSM Application Name           Status           SSM Application Version
1 IPS                            Up               5.1(6)E1
Mod Status             Data Plane Status     Compatibility
1 Up                 Up
ASA-B:
251-DBSi-ASA5540# sh module 1
Mod Card Type                                    Model              Serial No.
1 ASA 5500 Series Security Services Module-20 ASA-SSM-20         JAF1137060C
Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
1 001d.4524.a414 to 001d.4524.a414 1.0          1.0(11)2     5.1(6)E1
Mod SSM Application Name           Status           SSM Application Version
1 IPS                            Not Applicable   5.1(6)E1
Mod Status             Data Plane Status     Compatibility
1 Recover            Not Applicable

Please try rebooting the module, if it does not work recovery it using the following procedure
http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/cli/cliimage.html#wpxref68481
Regards
Farrukh

Configuring AIP SSM to monitor only

Hi all,
We purchased an AIP-SSM-20 for our ASA5520. Is there a way to enable IPS functionality, but not block anything, i.e. just log events? This is just to see if any legitimate company traffic will be blocked.
Thanks!
Jacques

Configure the ASA to send traffic to the IPS in promiscuous mode using the following command in a policy-map:
hostname(config-pmap-c)# ips {inline | promiscuous} {fail-close |
fail-open} [sensor {sensor_name | mapped_name}]
http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/aipssm.html
Geroge

Configuring AIP-SSM modelue

hi,
we have AIP-SSM-40 modeule installed on ASA 5540 but it is just physically present.
Is it possible to configure to this modeule in inline or like IDS mode? It has only one Ethernet interface. Can this interface be treated as sensor interface and mark a copy of all incoming frames on this interface ( by SPA on switches ).
Please share the experience.
Thanks in advance.
Subodh

Hi Subodh,
Yes, the AIP-SSM can operate in either inline (IPS) or promiscuous (IDS) mode. I would recommend you start by reviewing the following config guide, which shows you how to configure the ASA to pass traffic to the SSM for inspection:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
If you have any other specific questions, feel free to post back.
Hope that helps.
-Mike

AIP-SSM-10 sensor upgrade

I have two ASA5520's with ASA-SSM-10 modules which are running Cisco Intrusion Prevention System, Version 6.0(6)E4. These are located at two different sites (one is local and the other remote from where I am based) and so are not running failover.
I understand there is an auto update signature option with Version 6.1 or later which I would like to set up.
The ASA5520's are running Cisco Adaptive Security Appliance Software Version 8.2(5).
Can anyone recommend whether I should be looking at upgrading to Version 6.2 or 7.0 and perhaps why.
Do I also just apply the engine update and then update the latest signatures for good measure.
I was thinking of doing the upgrade through the IDM and was a bit confused about the recovery and system images and what the correct procedure should be e.g. backup the AIP config, tftp the existing image, install the new engine image and reboot the sensor?
Any comments or assistance would be appreciated.
Thanks, Peter.

Hello Peter,
Hope you are doing fine,
I would encourage you to go to the latest IPS image available now days whitch is : 7.1.7 Engine 4
Why is that?
Because you will ensure you will have a device with the latest image that will provide you fixes to previous bugs, new features, etc etc.
So go for it.
Now regarding the upgrade
From the CLI
On configuration terminal mode
Configuration terminal
upgrade ftp://user:[email protected]/upgrade_file_name
http://www.networkstraining.com/how-to-upgrade-the-cisco-ips-module-aip-ssm/
Regards,
Julio Carvajal

AIP SSM mode

Similar Messages

Maybe you are looking for