ARP Poisoning & Cisco IDS/IPS Solutions

I am trying to find out if someone familiar with Cisco's IDS/IPS (network and/or host-based) solutions can tell me if the product(s) can identify and/or prevent ARP poison routing attacks. If so, does it require customizing signatures, or are there out-of-the-box detection signatures?
Thanks for any information.

There are some. Go here and do a search for "arp":
http://tools.cisco.com/security/center/search.x?search=Signature
Perhaps it goes without saying, but remember that the sensor has to see the relevant layer 2 traffic for these to work.

Similar Messages

  • HA for Cisco IDS/IPS 42xx appliances

    Can anyone refer me to documentation on the Cisco site that talks about high-availability options and configuration examples for Cisco IDS/IPS 42xx appliances? Thank you in advance.

    I am also interested in understanding the high availability options.
    I found the following in the IPS V5 datasheet:
    Auto and manual sensor bypass configuration - High availability can be achieved through numerous mechanisms for Cisco IPS sensors. Resiliency and redundancy can be delivered through unique network collaboration, for example, Hot Standby Router Protocol (HSRP) configuration and Cisco EtherChannel® load balancing on Cisco Catalyst switches to divert traffic to a secondary IPS device upon the failure of a primary device.
    I would like to have more info about how to divert traffic to a secondary IPS device; info about HSRP and EtherChannel load balancing as it relates to IPS. Is this HA option only available in bypass mode? Thanks.

  • Cisco IDS/IPS regular expressions

    Is there any way to perform a NOT on a regular expression match? For instance, in PCRE it would be !"/[A-Z]+/i". I cannot determine if there is a valid way to do this on a Cisco IDS regex string. Any help or info would be greatly appreciated.

    To some extent, there is a way to do this. It would need to be anchored, and couldn't contain a repetition operator.
    And by anchored I mean tied to something, otherwise the first not class in the regex below ([^Qq]) would fire on every/any character that was not a Q or q.
    So I can say "not QUIT", regardless of case as follows:
    [^Qq]|[Qq][^Uu]|[Qq][Uu][^Ii]|[Qq][Uu][Ii][^Tt]
    so:
    BLAH([^Qq]|[Qq][^Uu]|[Qq][Uu][^Ii]|[Qq][Uu][Ii][^Tt])
    matches:
    BLAHz
    BLAHqz
    BLAHquiz
    BLAHq1
    etc. etc.
    but would not match:
    BLAHquit
    BLAHQUIT
    BLAHQUit
    etc. etc.
    So yes, but limited.
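An added example, not from the thread: a Python routine that generalizes the "not QUIT" construction above to any word and checks it against the strings listed. `re` is used only to verify the result; the pattern itself is built from character classes and alternation alone, with no lookahead or repetition operator, which is the constraint the answer describes.

```python
import re


def not_word_pattern(word):
    """Build 'anything but WORD here', case-insensitive, as an alternation.

    Branch i consumes the first i letters of WORD (either case) and then one
    character that is NOT letter i+1, so every branch fails exactly when the
    whole word follows. Only character classes and '|' are used: no lookahead
    and no repetition operator, matching the limitation stated in the thread.
    """
    if not word.isalpha():
        raise ValueError("letters only; other characters would need escaping")

    def cls(c):
        return f"[{c.upper()}{c.lower()}]"

    branches = []
    for i, ch in enumerate(word):
        prefix = "".join(cls(c) for c in word[:i])
        branches.append(f"{prefix}[^{ch.upper()}{ch.lower()}]")
    return "|".join(branches)


def anchored_not(anchor, word):
    """Tie the alternation to a literal prefix, e.g. BLAH(...)."""
    return re.compile(re.escape(anchor) + "(" + not_word_pattern(word) + ")")


def matches(anchor, word, text):
    """True when ANCHOR is followed by something other than WORD."""
    return anchored_not(anchor, word).search(text) is not None


def unanchored_fires(word, text):
    """Why the anchor matters: the bare alternation fires on nearly any text,
    because its first branch [^Qq] matches any character that is not Q/q."""
    return re.search(not_word_pattern(word), text) is not None


if __name__ == "__main__":
    print(not_word_pattern("QUIT"))
    for s in ("BLAHz", "BLAHqz", "BLAHquiz", "BLAHq1", "BLAHquit", "BLAHQUIT"):
        print(s, matches("BLAH", "QUIT", s))
```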

  • SQL Injection detection with IDS/IPS on cisco ASA?

    Hi
    Is it possible to detect or prevent SQL injection attacks using Cisco IDS/IPS on ASA or with regular expressions?
    Is there any signature available in IDS/IPS for this? And how effective is it in terms of generating correct alarms?
    Thanks in advance

    Deepak,
    We have several signatures that detect generic SQL injection attacks in the 5930-x family of signatures.

  • Can anyone recommend a good document for Cisco IDS and AAA

    I need some basic tutorial for Cisco IDS and AAA. Can anyone recommend any document for it?
    Thanks

    The Cisco IDS/IPS sensors do not perform any AAA functions. You cannot validate a user/password externally.

  • Cisco CSM - Has anyone deployed it in their environment for IDS/IPS devices

    We are an MSP and are evaluating Cisco CSM to manage about 50 IDS/IPS devices. Each of these devices has their own customer signature policy.
    Does anyone use it in their production environments? Do you find it useful?
    Regarding policy management for devices that already have a signature policy, I know you can discover the policy; what we want to do is take the current discovered policy, modify it if we need to and then re-deploy it to the device. I'm finding that this is all read-only once the policy is discovered.
    Is there a way to modify the signature, for example, adding a logging parameter and then re-deploy?
    Just curious if others had similar experiences with CSM.
    Thanks!

    haxworthy,
    I currently use CSM to manage a variety of IPS devices (IOS IPS, 42xx Sensors, 65xx-series blades). The policies vary on some devices. CSM works wonderfully. CSM discovers the various policies on the device on an individual basis. Policies can then be edited on a per-sensor basis or on a group level. It has worked wonderfully in our environment. A nice upgrade from the old IPSMC. Let me know if you have any other questions.
    -Mike
    http://cs-mars.blogspot.com

  • Detect attack man in the middle with IDS/IPS

    Hi,
    I have aip-ssm 20, IPS Version 7.0(6)E4
    Signature IDs 7101, 7102, 7104 and 7105 are used for detecting ARP poison attacks.
    The sensor works as IDS in promiscuous mode. All traffic is forwarded to the sensor.
    I have made a man-in-the-middle attack with Cain & Abel but the sensor doesn't send an alarm. I attach an image with the signatures.
    Why doesn't the sensor detect the attack? The network is in zone inside.
    Can anybody help me, please?

    Did you check if the SSM is getting those packets by running the "packet display .." command on the sensing interface? In the SSM, the ARP packets would not be forwarded by the ASA to the SSM.
    thx
    Madhu
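An added example, not Cisco's code and not the logic of signatures 7101/7102/7104/7105: two checks of the kind layer-2 ARP signatures rely on (a reply nobody asked for, and an IP whose MAC keeps flipping), run over constructed tcpdump-style ARP lines. It illustrates both this thread and the first answer on the page: if the sensor is never fed the ARP frames, the input is empty and nothing can fire.

```python
import re

# Constructed tcpdump-style ARP lines (not a real capture). 10.0.0.1 is first
# answered by one MAC after a who-has, then "is-at" a second MAC with no
# request preceding it, and the binding keeps flipping between the two.
SAMPLE_LINES = """\
12:00:00.100 ARP, Request who-has 10.0.0.1 tell 10.0.0.50, length 28
12:00:00.101 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28
12:00:05.000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:99, length 28
12:00:06.000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28
12:00:07.000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:99, length 28
""".splitlines()

REQ = re.compile(r"^(\S+) ARP, Request who-has (\S+) tell (\S+),")
REP = re.compile(r"^(\S+) ARP, Reply (\S+) is-at (\S+),")


def _secs(ts):
    """HH:MM:SS.fff -> seconds since midnight (enough for a same-day window)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def detect(lines, reply_window=2.0):
    """Run two ARP checks over tcpdump-style lines; return (alerts, table).

    unsolicited-reply: a Reply for an IP with no who-has seen for it within
                       reply_window seconds (each request is consumed once)
    mac-flip-flop:     the IP was already bound to a different MAC
    Empty input yields no alerts, which is exactly what a sensor that never
    sees the layer-2 traffic (e.g. ARP not forwarded to it) looks like.
    """
    pending = {}   # ip -> time of the latest outstanding who-has for it
    table = {}     # ip -> MAC last claimed for it in a Reply
    alerts = []
    for line in lines:
        if m := REQ.match(line):
            ts, target_ip, _asker = m.groups()
            pending[target_ip] = _secs(ts)
            continue
        if m := REP.match(line):
            ts, ip, mac = m.groups()
            asked = pending.pop(ip, None)
            if asked is None or _secs(ts) - asked > reply_window:
                alerts.append((ts, "unsolicited-reply", ip, mac))
            old = table.get(ip)
            if old is not None and old != mac:
                alerts.append((ts, "mac-flip-flop", ip, f"{old}->{mac}"))
            table[ip] = mac
    return alerts, table


if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES)[0]:
        print(*alert)
```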

  • Which IDS/IPS module for 10 GB WAN/LAN

    I have a question about a present scenario in a network where the WAN connectivity is 4 GB and the LAN network is 10 GB. The firewall for the WAN is a Cisco 5580-20 with a 10 GB ethernet interface, and on the LAN a 6500 series switch with a 10 GB ethernet module. The issue is how to implement IPS in this network, because the Cisco 5580 series firewall doesn't support any IPS module, and even though the 6500 series switch supports the IDSM-2 module, that is only for a 2 GB ethernet module. So what can be the solution for such a network?

    On a machine that can do a 10Gb firewall rate, it is well advisable to have your IDS/IPS be a separate box. IDS/IPS "costs" a lot of CPU power. It gets more expensive when you are talking about pushing beyond 1Gb. This is why you'll find several forums stating that if you have a firewall with 10Gb speed, a separate IDS/IPS is the way to go. Otherwise, a firewall with IDS/IPS will not necessarily push 10Gb all together.

  • Does PIX 515 Support IDS/IPS?

    Recently I need to provide a firewall solution to my customer. I would like to propose the Cisco PIX 515E to my customer. I know Cisco has a separate IDS (Intrusion Detection System) appliance; they didn't put too much effort into this category for their PIX firewall.
    Anyhow, does the pix support IPS (Intrusion Prevention System) and IDS?

    The PIX does have some IDS built in. It's a small subset of the IDS/IPS signatures offered by the appliances. The signature IDs are kept the same across hardware (so signature ID 1000 on a PIX is the same signature as on an IDS/IPS appliance).
    You add IDS functionality on the pix via "ip audit xxx" commands.
    PIX OS 6.3:
    http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html
    PIX OS 7.1:
    http://www.cisco.com/en/US/products/ps6120/products_command_reference_chapter09186a00805fb9f7.html
    (The 7.1 docs have a nice table of what signatures are supported natively by PIX OS.)
    Those two links should provide you an overview of the IDS/IPS functionality and signatures available on the PIX itself.

  • WLC 4400 and IDS/IPS

    One of my clients is keen to know the IDS/IPS capabilities with WLC 4400. Any hints? Also can anyone explain IDS sensor to me? Thank you.

    There are a number of IDS capabilities that are highlighted regarding the WLC. Unfortunately, you will find that the product continues to suffer from ongoing false positives and a severe lack of documentation (and support) for the IDS.
    For example, if you utilize containment against a rogue AP (which is used to prevent users from attaching to the rogue), the system detects its own containment messages as a denial of service attack. The system is not intelligent enough to know that it is the source of these messages and ignore them.
    Initially, Cisco flagged these false positives as "cosmetic" and claimed that to fix them required a "feature request that must be run through the Cisco sales team", which we did in the spring of 07. Cisco has been VERY slow in coming around on getting these fixed (it has been well over a year since these have been documented and they are still not resolved in the current version of 4.2).
    The Wireless IDS system is also famous for other false alarms which Cisco TAC has linked to alarming on normal behavior when a client goes out of range and a string of deauthentication messages is sent to make sure that the conversation has ended. The WLC 4.2 continues to flag these as false-positive denial-of-service attacks even though the IDS parameters could be adjusted (from the factory) to account for the known 64 repeated deauths that are sent.
    The IDS file is capable of "tuning" but the parameters are very lightly documented. In fact, the IDS parameter file itself had the least sparse version of documentation and it is a text file only 200-lines long.
    In terms of determining if a rogue AP is on-wire, this functionality does not work reliably (not just if there is no path on the wired network to the controller, which is understandable) but even if the rogue AP is on the same subnet as the controller. It just plain does not work.
    If you are attempting to determine if there are clients on the rogue AP, this mechanism works with limited success since the AP has to catch the client attaching during its brief scan interval. This results in misleading information.
    There are other false alarms that appear to be related to a specific chipset (using the OUI / first octet of the MAC address). However, there has been very little movement on Cisco's part in getting resolution to getting these anomalies addressed. The basic attitude has been "if we didn't see it in our lab in San Jose when we wrote the code, there's nothing we can do". Since the IDS lacks any ability to "phone home" (sending the alarms it is seeing to the development team) they end up having to develop in a relatively limited environment.
    For more information, please reference the following:
    Wireless LAN Controller IDS Signature Parameters
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008063e5d0.shtml
    I would send you the link to some of the bugs, such as CSCsj06015, CSCsh35010, CSCsk60655, etc., but the Cisco bug tool ( http://tools.cisco.com/Support/BugToolKit/ ) is currently not working (no doubt the system is getting overworked). Maybe the site will be up when you read this.
    In the interest of fairness, there have been efforts over the past year by Cisco to address these false alarms and a number of them appear to finally be resolved.
    Bottom line: In my opinion, the wireless IDS is still not ready for prime time. To quote my customer, "I just can't trust it". Unless you set your customer's expectations fairly low, you will both end up disappointed.
    That said, the product itself still has many compelling reasons to implement it including ease of installation and management. If you are willing to wade through the various bugs in the IDS and WCS it still is the best game in town.
    - John

  • Complete IPS Solution

    I just upgraded my network backbone to the 4507r switch using sup IV and netflow cards. I also upgraded my Internet and core routers to the 2821 and 2851 respectively.
    I will also be installing a ASA-5520 w/ csc-ssm-20 module.
    How should I proceed with implementing an IPS solution that will protect my network from the outside world, as well as from other devices on our LAN/WAN environment?
    Our company has 3 remote sites. Two of which are connected to corp via a MPLS network and one is connected to corp via a point-to-point T1.
    What is the Cisco solution to do this?
    Can I use non-Cisco IPS solutions along with Cisco equipment, such as Lancope's StealthWatch XE for Cisco's Netflow?

    Hi ... there are several sensors that could cater for your environment based on the amount of traffic you are planning to inspect. As for the location, I suggest placing a sensor behind the firewall (inline between the inside interface of your ASA and the LAN). In that way traffic to/from the LAN will be inspected. Also .. if you have Cisco devices such as routers or firewalls at the remote sites, you could further protect them by using the sensor as device manager .. in other words you can configure the sensor so that in the event of an attack it can push down access-list entries to your remote Cisco devices as well.
    I suggest checking the sensor portfolio, which will provide you with detailed information.
    http://cisco.com/en/US/products/hw/vpndevc/ps4077/products_data_sheet0900aecd801eeea5.html
    I hope it helps ... please rate it if it does !!!

  • IDS/IPS functionality in Catalyst 4500 ?

    Hi,
    Is there an IDS/IPS functionality in Catalyst 4500 (Supervisor 6-E), or do we need to propose an external IDS/IPS device?

    I think the Cat 4500 Sup 6-E does not have IDS/IPS functionality. You have to install it externally.
    http://www.cisco.com/en/US/prod/collateral/modules/ps2797/ps9294/product_data_sheet0900aecd806df543_ps4324_Products_Data_Sheet.html

  • Does getting a Smartnet contract also give you IDS/IPS signature updates?

    A client of mine is looking into getting an ASA5510 with AIP-SSM module. I realize that with IDS/IPS systems, it is *crucial* to always keep signature files up-to-date. Does purchasing the Smartnet contract for the bundle give me signature file updates or is there some other package I need to buy?
    I see references to "Cisco Services for IPS" but that seems to be mainly for router/IOS-based firewall/IDS packages.

    There is not a Smartnet contract for the ASA/AIP-SSM bundle.
    The only SmartNET contract for SSM bundles is with the CSC-SSM and not the AIP-SSM.
    When purchasing an ASA/AIP-SSM bundle you will need to purchase a bundle maintenance contract. The bundle maintenance contracts are Cisco Service for IPS contracts and include the signature support for the AIP-SSM as well as the software and hardware support on both the AIP-SSM and ASA (the software and hardware support is what is normally part of SmartNET).
    For the bundles you will want to purchase a Cisco Service for IPS maintenance contract using one of the following part number formats:
    CON-SUw-ASxAyKz
    The "w" will be either 1,2,3, or 4 depending on the level of service.
    The "x" will be either 1 for the 5510, 2 for the 5520, or 4 for the 5540.
    The "y" will be either 10 for the AIP-SSM-10, or 20 for the AIP-SSM-20.
    The z will be either 8 or 9 depending on the encryption level.
    So for example:
    CON-SU2-AS2A20K9 - Would be 8X5X4 support for the ASA-5520 bundled with the AIP-SSM-20 with the higher encryption.
    NOTE: There are also SP contracts for purchase by Service Providers that follow a slightly different format.
    There are a few users who have purchased the ASA and AIP-SSM separately.
    When purchased separately you would need to purchase a SmartNET contract for the ASA, and a separate Cisco Service for IPS maintenance contract for the AIP-SSM.
    The AIP-SSM maintenance contract will be in the following format:
    CON-SUw-ASIPyK9
    The "w" will be either 1,2,3, or 4 depending on the level of service.
    The "y" will be either 10 for the AIP-SSM-10, or 20 for the AIP-SSM-20.
    So for example:
    CON-SU2-ASIP20K9 would be 8X5X4 support for the AIP-SSM-20.
    What you will find is that purchasing a separate SmartNET for the ASA and Cisco Service for IPS for the AIP-SSM will be more expensive than purchasing a single Cisco Service for IPS for the ASA/AIP-SSM bundle. This is because there is a discount when purchasing by the bundle.

  • Update Network IDS/IPS Signatures

    In the IPS Manager (CSM 3.0) Configuration > Updates > Update Network IDS/IPS Signatures
    Clicking on Apply (for instance, Update File: IPS-sig-S242-minreq-5.0-6.pkg), the following error appears:
    Object update failed. Unknown update type.
    What is the problem?

    It should be a .zip file...
    You can download it from the link below:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ipsmc-ips-sigup-arch

  • Ids/ips presentation

    Dear all,
    If anybody has IDS/IPS technology PPTs, can you please forward them to me...
    Thanks in advance
    Nataraj

    You can find the related documentation here : http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/index.htm