ASA5510-AIP10 as Dedicated IPS solution?

Similar Messages

• Complete IPS Solution

  I just upgraded my network backbone to the 4507r switch using sup IV and netflow cards. I also upgraded my Internet and core routers to the 2821 and 2851 respectively.
  I will also be installing a ASA-5520 w/ csc-ssm-20 module.
  How should I proceed with implementing an IPS solution that will protect my network from the outside world, as well as from other devices on our LAN/WAN environ.
  Our company has 3 remote sites. Two of which are connected to corp via a MPLS network and one is connected to corp via a point-to-point T1.
  What is the Cisco solution to do this?
  Can I use non-Cisco IPS solutions along with Cisco equipment, such as Lancope's StealthWatch XE for Cisco's Netflow?

  Hi ...there are several sensors that could cater for your environment based on the ammount of traffic you are planning to inspect. As per the location I suggest placing a sensor behind the firewall ( in in-line between the inside interface of your ASA and the LAN ). In that way traffic to/from the LAN will be inspected. Also .. if you have cisco devices such as routers or firewalls at the remote sites ,you could further protect them by using the sensor as device manager .. in other words you can configure the sensor so that in the event of an attack it can push down access-list entries to your remote cisco devices as well.
  I suggest to check the sensor portfolio which will provide you with detailed information.
  http://cisco.com/en/US/products/hw/vpndevc/ps4077/products_data_sheet0900aecd801eeea5.html
  I hope it helps ... please rate it if it does !!!

• How to determine the IPS throughput using Cisco ASA 5500 IPS Solution?

  Hello there!
  I´ve been desinging a solution to protect de Server Farm and I intend to use the ASA 5500 series with AIP-SSM module. There´s any tool to determine the real throughput that I need? I mean, how to determine the performance (Firewall + IPS  throughput), what main points I should consinder?

  If the server farm is running production levels of traffic today you can get statistics off a variety of networking devices passing the existing traffic. Switches, routers and firewalls all count every byte of traffic they pass. There are plenty of tools that can gather this traffic into tables via SNMP too, such as MRTG.
  Do not average your traffic over too great a time peroid, you will miss busy hour peaks. At most, use 5 min averages.
  - Bob

• ARP Poisoning & Cisco IDS/IPS Solutions

  I am trying to find out if someone familiar with Cisco's IDS/IPS (network and/or host-based) solutions can tell me if the product(s) can identify and/or prevent ARP poison routing attacks. If so, does it require customizing signatures or is there out of the box detection signatures?
  Thanks for any information

  There are some. Go here and do a search for "arp":
  http://tools.cisco.com/security/center/search.x?search=Signature
  Perhaps it goes without saying, but remember that the sensor has to see the relevant layer 2 traffic for these to work.

• Custom IPS sigs on NGFW (ASA-CX) IPS solution?

  Hi folks,
  I am trying to determine if it is possible to create custom IPS sigs on the ASA-CX module?  Not the ASA + Legacy IPS combo, but the ASA + ASA-CX (Application Detection, Web Filtering, IPS) combo.
  I couldn't find anything in the docs that said this was possible.
  Thanks!
  Neil

  Thank you for your response.  However my question was targeted towards Intrusion Prevention signatures such as the ones found on the traditional IPS units.  I would want the ability to use the various IPS engines such as Atomic IP, HTTP, etc and create sigs that match on things inside the packet, URL string, etc.
  Thanks!

• IPS solution in 2821

  Hi All,
  We are trying to deploy IPS inline on Software in 2821 routers. The objective of this is to demonstrate ourself on deploying IPS functionality on this routers and testing the same to verify its working.
  We are thinking,if we could understand ourself well ,it may be deployed in our network wherever appropriate.
  If somebody would help us in pointing to valid resource and even suggesting the way to proceed would be greatly appreciated.
  Currently we tried enabling IPS in-line on this router and configured to send any trigger logs to a syslog server. We want to test the same, whether it works and also whenever we reboot the router,the signature associated to the interface get removed.Any suggestion on this would be hugely appreciated.
  Thanks
  Regards
  Anantha Subramanian Natarajan

  Please have a look at this:
  http://www.cisco.com/en/US/products/ps6634/products_configuration_example09186a008097dbe8.shtml
  Regards
  Farrukh

• Difference between MARS LMS and IPS

  I am trying to understand the difference between MARS, LMS and IPS and why you would use one over the other.
  Thank you all.

  MARS is an appliance that aggregates/deduplicates syslog and netflow data from routers,switches,firewalls, and IPS sensors. In addition to Cisco devices it also supports things like Checkpoint Firewalls, Snort IPS, etc.
  LMS (Ciscoworks LMS) is primarily a device configuration and IOS management platform that runs on your own Windows server (not sure if Unix is still supported.) We use it to maintain the configs of hundreds of Cisco routers and switches, easily push out config changes to said devices, and mass-deploy IOS upgrades.
  IPS is sort of like anti-virus "on the wire" - it runs on dedicated IPS sensors, plug-in modules on firewalls or 6500's, and on routers via IOS IPS. Events can be forwarded to MARS for correlation, etc.
  You didn't ask, but CSM (Cisco Security Manager) is the more appropriate tool for mass-configuration and 'group policy' for firewalls and IPS sensors.
  Each product solves a particular problem; you wouldn't choose one over the other since they all work together to provide a cohesive solution. The specifics of your environment (particularly the number and type of devices) would dictate your choices here.

• Multiple MX records with PIX and ASA5510

  I need some help with a setup for email.
  Setup
  I have a PIX525 and an ASA5510VPN and an internal 2950 router. The PIX does firewalling and the ASA does VPN. Currently all outbound Internet traffic goes through the PIX via the router with this command:
  ip route 0.0.0.0 0.0.0.0 10.1.1.2 1
  The ASA5510 with its dedicated external IP is used to allow VPN traffic in.
  The problem:
  I have two separate domain names and two MX records. One (mail.PIX.com)is pointed at the external IP of the PIX the other (mail.ASAVPN.com) is pointed at the ASA5510. I can receive inbound mail through both of the devices. I'd like to mail go out using both domains one through PIX and the other thru ASA. The problem is the router says all unknown traffic go to PIX.
  How do I route mail from a host (10.1.1.5) to the ASA5510(10.1.1.4), while sending the mail from host (10.1.1.3) to PIX(10.1.1.2)

  I am not folliwing something here. If your gateway for 10.1.1.5 is truly set to the ASA and the ASA has the nat rule on the outside for the 10.1.1.5 address there should be no issue. It sounds like you are sending your traffic back out the pix interface. If your gateway is the 10.1.1.254 address the router will send the traffic to the PIX or redirect you to do so with an ICMP redirect.
  Just the simple fact that it's coming out with the wrong external address leads me to beleive that that is the issue.
  Any configs/route tables on the servers and firewalls would help.

• IOS IPS Sig Updates

  It seems like whenever there is an IDS sensor/appliance update for defending against the latest virus/worm but there is no update for IOS IPS signatures.
  Case in point - on June 3 there was an IDS update for W32/Bobax.worm.o S174. The IOS IPS zip file as of today is S169 from May 25, What gives?
  Also, why isn't their any release notes for the IOS IPS zip files to document what was added? That way we can read it to judge if we need to download the zip file or not.

  There are a couple of extra steps in producing the IOS IPS signature update. The IOS IPS solution is a subset of the full appliance solution and is further constrained by memory limitations inherent in the routers that it runs in. Because of this, once the signature development team puts together an appliance update, that update has to be reviewed to make sure that the appliance signatures won't crash the IOS implementation. Any issues found during the review have to be addressed before the IOS update can be posted. This extra review step is the cause for the delay.
  Regarding the release notes. The signatures usable by the IOS solution are a subset of the appliance update. You can look at the appliance update release notes to see what *might* be available. I say might because of the subset issues....
  SC

• IOS IPS Signature-File

  Hi Guys,
  We have recently purchased a Cisco ISR 2921,  and on its docs it is writen that this product has a License for IOS IPS Signatrue File,  but on the product Flash Memory there is no  IOS IPS Sig-File.   and while i try to download the sig-file from Cisco, it fails.
  Can any one tell me where is an alternate way to download the sig-file ?

  900 active signatures is quite much for a system that has no dedicated IPS-ressources.
  But you can controll which and how many signatures get enabled on your router:
  In the following example I first disable all signatures and enable the ones for web-servers. So just decide which signatures you need. But don't forget to monitor your router-ressources.
  gw#conf t
  Enter configuration commands, one per line.  End with CNTL/Z.
  gw(config)#ip ips signature-category
  gw(config-ips-category)#?
  IPS signature category configuration commands:
    category  Category keyword
    exit      Exit from Category Mode
    no        Negate or set default values of a command
  gw(config-ips-category)#category ?
    adware/spyware                Adware/Spyware (more sub-categories)
    all                           All Categories
    attack                        Attack (more sub-categories)
    configurations                Configurations (more sub-categories)
    ddos                          DDoS (more sub-categories)
    dos                           DoS (more sub-categories)
    email                         Email (more sub-categories)
    instant_messaging             Instant Messaging (more sub-categories)
    ios_ips                       IOS IPS (more sub-categories)
    l2/l3/l4_protocol             L2/L3/L4 Protocol (more sub-categories)
    network_services              Network Services (more sub-categories)
    os                            OS (more sub-categories)
    other_services                Other Services (more sub-categories)
    p2p                           P2P (more sub-categories)
    reconnaissance                Reconnaissance (more sub-categories)
    releases                      Releases (more sub-categories)
    specially_licensed_signature  Specially Licensed Signature (more sub-categories)
    telepresence                  TelePresence (more sub-categories)
    uc_protection                 UC Protection (more sub-categories)
    viruses/worms/trojans         Viruses/Worms/Trojans (more sub-categories)
    web_server                    Web Server (more sub-categories)
  gw(config-ips-category)#category all
  gw(config-ips-category-action)#retire true
  gw(config-ips-category-action)#exit              
  gw(config-ips-category)#category web_server
  gw(config-ips-category-action)#?
  Category Options for configuration:
    alert-severity   Alarm Severity Rating
    enabled          Enable Category Signatures
    event-action     Action
    exit             Exit from Category Actions Mode
    fidelity-rating  Signature Fidelity Rating
    no               Negate or set default values of a command
    retired          Retire Category Signatures
  gw(config-ips-category-action)#retired false
  gw(config-ips-category-action)#exit
  gw(config-ips-category)#exit
  Do you want to accept these changes? [confirm]
  gw(config)#
  gw(config)#exit
  gw#sh ip ips configuration | s IPS Signature Status
  IPS Signature Status
      Total Active Signatures: 131
      Total Inactive Signatures: 4370
  gw#
  I didn't follow the thread and answered your first post to have less line-breaks in this post.

• IOS IPS SIG Updates via IDSMDC

  When using IDSMSC to push out updates for Sensors and IOS IPS devices, the signature update process pushes the updates to the sensors during the udate process. However the IOS IPS devices pulls their signature definitions from the server itself.
  So my question is, do you need to "Generate" and "Deploy" to all IOS IPS devices to insure the devices are updated with the latest signature definitions after the update?
  SHM

  There are a couple of extra steps in producing the IOS IPS signature update. The IOS IPS solution is a subset of the full appliance solution and is further constrained by memory limitations inherent in the routers that it runs in. Because of this, once the signature development team puts together an appliance update, that update has to be reviewed to make sure that the appliance signatures won't crash the IOS implementation. Any issues found during the review have to be addressed before the IOS update can be posted. This extra review step is the cause for the delay.
  Regarding the release notes. The signatures usable by the IOS solution are a subset of the appliance update. You can look at the appliance update release notes to see what *might* be available. I say might because of the subset issues....
  SC

• IOS IPS - Sig 4050 UDP Bomb apparent false alarms?

  Hi,
  I'm trying the IOS IPS solution out in a lab environment and I seem to be getting lots of false alarms on sig 4050 - UDP bomb. Looking at the signature description via go/mysdn, and looking at it's configuration on the router via SDM, I can see it is simply looking for small UDP packets. But I don't know what size (The parameter is named ShortUDPLength and it's set to True).
  All NTP traffic kicks of this signature. Using Ethereal to capture the NTP exchange, I see that the communication in each direction is a single packet. The layer 2 frame lenght is 90 bytes. The UDP data length is 56 bytes. All of this seems fine. The NTP server is a Cisco router. The NTP client is running on a Windows 2000 workstation.
  Also, any TFTP to/from the router with IPS enabled also triggers the alert. Specifically it is the Ack's from the TFTP server that trigger the alert. They are indeed small packets - the UDP data size is only 12 bytes.
  Note, this same traffic does not cause alerts from a 5.0 IPS sensor. Looking at the signature definition on the sensor, it doesn't have a parameter named SnortUDPLength. Instead it has a parameter named udp-length-mismatch which is set to true. This doesn't seem to be keying off of a particular data size, but instead conflicting reports in the UDP header compared to the actual packet size.
  Any information that anyone could provide to shed light on this subject would be appreciated. Such as:
  1) Do you find that IOS IPS sig 4050 false alarms are common?
  2) What is the UDP data length that triggers the alert? It has to be bigger than 90 bytes!
  3) Does Cisco have any recommendations on what to do with this built in signature?
  Thanks,
  KEP

  On the sensor appliance side, the udp-length-mismatch checks for discrepancies between the ip header length and udp length of the packet. You were dead on, the signature triggers when the UDP length specified is less than the IP length specified. I'm not positive of exactly what the IOS ShortUDPLength parameter is.
  You provided some valuable information in that the same traffic doesn't trigger the alerts on the appliance, so we know that this is not the signature, but rather the implementation of it in IOS.
  I'm taking a bit of a leap here not knowing what IOS version you are running, but I'm guessing you may be running into CSCeh32935. The title states multicast, but the bug is not limited to just multicast traffic. This affectes some 12.3T releases and early 12.4. Looks like 12.4(2)T or higher has fixes implemented.
  Since you're in a lab environment, I'd go ahead and upgrade the IOS on the router and see if that doesn't resolve the issue. If it's still there, open up a TAC case, and they'll be able to recreate the issue and file a new bug if neccessary.

• How to order IPS Svc for ASA5515-K8 and L-ASA5515-IPS-SSP=?

  Hello!
  I have got ASA5515-K8 and IPS license L-ASA5515-IPS-SSP= ordered separately.
  What smartnet should I order to enable IPS singnature updates?
  I tried to order SU1 smartnet for ASA5515-K8, but Product ID ASA5515-K8 is not mapped to SU1 service.
  Thank you!

  Hello Andy,
  Here is the information you are looking for:
  Cisco Services for IPS
  Cisco Services for IPS is an integral part of the Cisco ASA 5500-X Series IPS Solution and enables operators to
  receive time-critical signature file updates and alerts. Part of the Cisco Technical Support Services portfolio, Cisco
  Services for IPS allows your Cisco ASA 5500-X Series IPS Solution to stay current on the latest threats so that
  malicious or damaging traffic is accurately identified, classified, and stopped. Cisco Services for IPS features
  include:
  ● Signature file updates and alerts
  ● Registered access to Cisco.com for online tools and technical assistance
  ● Access to the Cisco Technical Assistance Center
  ● Cisco IPS software updates
  ● Advance replacement of failed hardware
  For more information about Cisco Services for IPS, visit
  http://www.cisco.com/en/US/products/ps6076/serv_group_home.html.

• Cisco IPS - IOS vs Appliance vs ASA vs IDSM2

  Hello CSC
  I am trying to find information on performance of the various IPS implementation options.
  In short I've been asked to enable IPS on our 2 ISP routers 7206VXR (NPE-G1), 1 with 45Mbps connection, the other with 100mbps; LAN int for both 1Gbps. In addition, we have some internal WAN networks so would like to secure on this perimeter using ISDM2 in a 6509.
  I have some doubts that using IOS IPS on each device will be able to cope with the load, with efficient throughput.
  I found this info:
  ASA - http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/data_sheet_c78-459036_ps4077_Products_Data_Sheet.html
  IPS Appliance - http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/ps9157/product_data_sheet09186a008014873c_ps4077_Products_Data_Sheet.html
  Does anyone have any similar stats for IOS IPS and IDSM2, or better still a comparison of all IPS solutions.
  Help appreciated.
  Thanks all
  Phil

  Here is a little info.
  http://www.cisco.com/en/US/prod/collateral/routers/ps5853/ps5875/prod_presentation0900aecd806ccf26.pdf

• Connect MSFC to FWSM context through and external IPS.

  Somebody knows if is possible to successfully pass traffic through an interface bridge between a FWSM and the MSFC using an external IPS Solution as inline physical interfaces?
  In theory should work just like vlan bridging in the connection through and internal IDSM-2, like this:
  MSFC<---vlan 10--->Inline IDMS-2<---vlan 20--->FWSM Context
  What I want is this:
  Thanks in advance and sorry for my bad english :)
  Regards!

  I think the same, but I dont want to try it in the production enviroment ;)
  Anybody??