CSA and IPS on ASA

I am providing a Cisco solution for a customer. I am proposing CSA for the servers and ASA with AIP as the perimeter defense.
What additional components do I need to implement this (i.e. the management for ASA and CSA etc.)?
thanks

Hello fajardo,
I would recommend you order a basic VMS product. The Cisco Security Agent software is managed and controlled by the CSA MC on the VMS server. This will be the central point of contact for all the CSA agents. The ASA can be managed normally through the CLI or GUI, like the PIX firewall. But the events on the SSM require VMS or IDM for tracking the attacks.
Hope this helps... all the best.. rate replies if found useful...
Raj

Similar Messages

  • ASA NG 5515-X multicontext support for WSE/AVC and IPS

    Hello,
    I am designing network security with Cisco ASAs. I have redundant core/distribution switching in VSS and 2 ASAs (Active/Standby), and I am trying to evaluate whether I could run multiple security services on one pair of ASAs in virtual contexts rather than deploying more ASAs. I need to run a DMZ, so that could go in one virtual context; then I need to run WSE, AVC and possibly IPS to protect the internal user LANs and also deploy web and application security. Here I am not sure whether that is supported in a virtual context and with an active/standby setup. Apart from that I need to protect the servers with FW rules and IPS; here also a dilemma whether this will work in a virtual context and active/standby setup.
    What would you recommend: having a separate pair of ASAs for each security service, or could I do all that with one pair of ASAs and a multi-context setup?
    Thanks in advance for quick and informative responses.
    Remi

    OK, cool. What is the purpose of the explicit context awareness in PRSM? Is it there but still not supported?
    The only concern I have is about the DMZ on the same ASA pair. I guess it should be fine because I would not send any DMZ traffic to the CX module (where it would get mixed up with user or server traffic), and since the DMZ would be on a separate virtual context the security would be maintained. Also the DMZ will be kept on a separate VRF and I will need to do VRF leaking from the DMZ inside VLAN into the servers VLAN in the services VRF.
    How about sending both user (for WSE and AVC) and server (for IPS) traffic into the same CX module? Would that work fine?
    Thanks in advance,
    Remi

  • Trend micro and IPS

    Hello,
    I want to buy an ASA5510 + SSM for my LAN.
    The goal is:
    - URL filtering/blocking within work hours
    - Denying some applications like IM, P2P, web radio during work hours.
    Trend Micro is good for the first thing: URL filtering by categories.
    But it is not good for blocking IM, ... (it only checks port 80 HTTP).
    So, is it possible on an ASA to have Trend Micro and IPS working on the same appliance?
    If not, what is the solution?
    Thx

    Hi,
    You can only install one module into the ASA, so yes, you can't have both the CSC and the SSM module in the same ASA 5510.
    However, the ASA does support URL filtering via Websense or Secure Computing SmartFilter (formerly N2H2). So if you have any of those servers, you can configure the ASA to do the URL filtering, and install the SSM IPS module into the ASA to do the IM blocking.
    More info on ASA web traffic filtering:
    http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/access_filter.html#wp1069318
    Regards,
    Fadi.
    If this answers your question please mark the thread as resolved.
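    As an added illustration of the answer above (not Fadi's own configuration), here is how the two pieces fit together on an ASA 8.x: HTTP URL filtering handed off to an external Websense server, plus the AIP-SSM inspecting all traffic inline. The server address, the client subnet, the exempted host and the class-map name are assumptions; the command syntax is the one in the access_filter guide linked above.

```text
! --- URL filtering handed off to an external Websense server ---
! Assumed: the Websense/N2H2 server sits on the inside at 192.168.10.20.
url-server (inside) vendor websense host 192.168.10.20 timeout 30 protocol TCP version 4 connections 5
!
! Filter port-80 HTTP from the assumed client subnet to any destination.
! Without the trailing "allow" keyword the ASA fails closed: if the URL
! server is unreachable, outbound HTTP is blocked rather than waved through.
filter url http 192.168.1.0 255.255.255.0 0.0.0.0 0.0.0.0
!
! Exempt one management host (assumed address) from filtering.
filter url except 192.168.1.5 255.255.255.255 0.0.0.0 0.0.0.0
!
! Cache verdicts (128 KB) so repeat lookups do not round-trip to the server.
url-cache dst 128

! --- Hand all traffic through the AIP-SSM for inline inspection ---
! fail-close: if the module is down, traffic is dropped instead of
! bypassing the IPS. Use fail-open only where availability outweighs
! inspection. IM/P2P blocking itself is done with signatures on the
! sensor (IDM), not on the ASA.
class-map IPS-ALL
 match any
policy-map global_policy
 class IPS-ALL
  ips inline fail-close
! Already present in the default config; shown for completeness.
service-policy global_policy global
```

    Note that `filter url http` only sees cleartext HTTP on the port given; HTTPS needs `filter https` (Websense only) and is matched on addresses, not URLs. Check the server link with `show url-server statistics` and, if you rely on fail-closed behaviour, test what happens to a client's browsing when the URL server is stopped.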

  • How to allow a subnet for a number of hosts to surf internet and ping from inside and outside in ASA in GNS3?

    After trying to set up an access list, packet-tracer returns a drop and I cannot ping the outside router either.
    Is there a configuration example showing how to allow a class C subnet to surf the internet on a Cisco ASA?
    Assume everything works in GNS3; I expect the initial network setup too.
                            inside                                        outside
    router A 192.168.1.2 <---> switch <---> 192.168.1.1 ASA 192.168.1.4 <---> switch <---> router B 192.168.1.3
    ASA version: 8.4(2)
    when i try the following command,
    ASA
    conf t
    interface GigabitEthernet 0
    description INSIDE
    nameif inside
    security-level 0
    ip address 192.168.1.1 255.255.255.0
    no shut
    end
    conf t
    interface GigabitEthernet 1
    description OUTSIDE
    no shutdown
    nameif outside
    security-level 100
    ip address 192.168.1.4 255.255.255.0
    no shut
    end
    conf t
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    nat (inside,outside) dynamic interface
    end
    conf t
    access-list USERSLIST permit ip 192.168.1.0 255.255.255.0 any
    access-group USERSLIST in interface inside
    end
    Router A
    conf t
    int fastEthernet 0/0
    ip address 192.168.1.2 255.255.255.0
    no shut
    end
    Router B
    conf t
    int fastEthernet 0/0
    ip address 192.168.1.3 255.255.255.0
    no shut
    end
    ASA-1# packet-tracer input inside tcp 192.168.1.1 1 192.168.1.4 1
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.1.0     255.255.255.0   inside
    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop

    With the current config I cannot ping; one packet-tracer allows everything, another packet-tracer drops.
    I cannot ping between Router A and Router B.
    ASA-1# packet-tracer input inside tcp 192.168.1.2 1 192.168.3.3 1
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.3.0     255.255.255.0   outside
    Phase: 2
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 3
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    object network DYNAMIC-PAT
     nat (inside,outside) dynamic interface
    Additional Information:
    Dynamic translate 192.168.1.2/1 to 192.168.3.4/311
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 14, packet dispatched to next module
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    ASA-1# packet-tracer input outside tcp 192.168.3.3 1 192.168.1.2 1
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.1.0     255.255.255.0   inside
    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    ASA-1#
    ASA-1# sh run |
    : Saved
    ASA Version 8.4(2)
    hostname ASA-1
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface GigabitEthernet0
     description INSIDE
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    interface GigabitEthernet1
     description OUTSIDE
     nameif outside
     security-level 0
     ip address 192.168.3.4 255.255.255.0
    interface GigabitEthernet2
     shutdown
     no nameif
     no security-level
     no ip address
    ftp mode passive
    object network DYNAMIC-PAT
     subnet 192.168.1.0 255.255.255.0
    access-list 101 extended permit icmp any any echo-reply
    access-list 101 extended permit icmp any any source-quench
    access-list 101 extended permit icmp any any unreachable
    access-list 101 extended permit icmp any any time-exceeded
    access-list ACL-OUTSIDE extended permit icmp any any
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    object network DYNAMIC-PAT
     nat (inside,outside) dynamic interface
    access-group ACL-OUTSIDE in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    crashinfo save disable
    Cryptochecksum:8ee9b8e8ccf0bf1873cd5aa1efea2b64
    : end
    ASA-1#
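    This post has no reply on the page. As an added example, not the poster's configuration, the following is a minimal ASA 8.4(2) lab setup that lets the inside /24 reach the outside and ping through the firewall. It assumes the topology of the second running config above (inside 192.168.1.0/24, outside 192.168.3.0/24) rather than the first attempt, where both interfaces sat in 192.168.1.0/24 with their security levels swapped; the ASA rejects two interfaces in one subnet as overlapping. Two of the traces above are not faults: the first one sourced the ASA's own inside address 192.168.1.1 toward another address on the inside subnet, so it does not represent host traffic, and the outside-to-inside drop is the expected result when nothing permits an outside host to initiate to 192.168.1.2. The object name, the inspection policy, the default route and the Router A route are assumptions.

```text
! ---- ASA-1 (added example; names, routes and inspection policy assumed) ----
interface GigabitEthernet0
 description INSIDE
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
interface GigabitEthernet1
 description OUTSIDE
 nameif outside
 security-level 0
 ip address 192.168.3.4 255.255.255.0
 no shutdown
!
! 8.3+ object NAT: PAT only the real inside LAN behind the outside address.
object network INSIDE-LAN
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Default route toward the outside router (only needed for destinations
! beyond 192.168.3.0/24; the ping test itself is to a connected subnet).
route outside 0.0.0.0 0.0.0.0 192.168.3.3 1
!
! No ACL is needed on inside: security-level 100 -> 0 is allowed by
! default. Any ACL you do apply ends with an implicit deny, which
! packet-tracer reports as "Implicit Rule" / acl-drop.
!
! Track ICMP statefully so echo replies return to the pinging host
! without an outside ACL that permits ICMP from anyone. The posted
! running config has no policy-map at all, so build it from scratch.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global
!
! Optional: let the ASA answer pings aimed at its own interfaces.
icmp permit any inside
icmp permit any outside

! ---- Router A (inside): the posted config has no route past the ASA ----
RouterA(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.1

! ---- Verify from the ASA with a host source, not the ASA's interface ----
ASA-1# packet-tracer input inside icmp 192.168.1.2 8 0 192.168.3.3
ASA-1# packet-tracer input inside tcp 192.168.1.2 1025 192.168.3.3 80
ASA-1# show xlate
```

    Router B needs no return route for this test because Router A's pings arrive PATed to 192.168.3.4, on Router B's connected subnet. Pings started from Router B toward 192.168.1.2 will still drop; letting outside hosts initiate into the LAN needs a static NAT plus an explicit outside ACL entry, and should only be opened for the hosts and ports that really need it.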

  • Ports and IPs to be open/permitted in firewall to download and work in creative cloud

    What is the complete list of ports and IP addresses to be open/permited in our enterprise firewall in order to let internal PCs download and work with creative cloud applications?

    Our firewall only supports IP configuration (not URL). Do you have IP list?

  • UCCX 8.0.2 Unable to logon CSA and CSD

    Hi Guys,
    I am not able to log on to CSA and CSD. This message appears:
    "A licensing error has occurred. Please try again in five minutes. If the problem persists, please see your log file or System Administrator for details"
    then: License server down
    In the logs these messages appear:
    ERROR DESK3109 Could not obtain license from LRM.
    ERROR DESK3113 Unknown exception while releasing the license(s)
    I disabled the Windows firewall, but that didn't solve it.
    I disabled CSA in UCCX (utils csa disable), but that didn't solve it either (Disable SYN FLOOD within Cisco Security Agent UCCX)
    http://docwiki.cisco.com/wiki/Agent_receives_a_licensing_error_message_when_attempting_to_start_Cisco_Agent_Desktop
    I checked the links below and they didn't solve it either:
    https://supportforums.cisco.com/document/24896/cad-login-fails-licensing-error#comment-10407376
    http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-contact-center-express/46882-license-error.html
    https://communities.cisco.com/message/69357
    Any other ideas about this?
    Thanks,
    Wilson

    Hi Bala,
    Here is the command output. I believe that the space is normal.
    This command can take significantly long time,
    and can also effect the system wide IOWAIT on your system.
    Continue (y/n)?y
    Filesystem            Size  Used Avail Use% Mounted on
    /dev/sda6              90G   46G   41G  54% /common
    8.0K    /var/log/inactive/
    admin:
    admin:
    admin:show diskusage activelog
    This command can take significantly long time,
    and can also effect the system wide IOWAIT on your system.
    Continue (y/n)?y
    Filesystem            Size  Used Avail Use% Mounted on
    /dev/sda6              90G   46G   41G  54% /common
    8.0K    /var/log/active/mgetty
    0       /var/log/active/sa
    4.0K    /var/log/active/platform/snmp/sappagt/sappagt.index
    4.0K    /var/log/active/platform/snmp/sappagt/sappagt.log
    4.0K    /var/log/active/platform/snmp/sappagt/startup.txt
    16K     /var/log/active/platform/snmp/sappagt
    4.0K    /var/log/active/platform/snmp/hostagt/hostagt.index
    Thanks,
    Wilson

  • Error HTTP Status 500 after installing DS Management Console and IPS Services on BI Enterprise Server

    The following error
    HTTP Status 500 - while trying to invoke the method java.util.Properties.entrySet() of an object loaded from local variable 'globalProperties'
    occurred after installing DS Management Console and IPS Services on BI Enterprise Server
    BI Enterprise Edition 4.1 SP1 and BODS 4.1 SP1

    Hi,
    If you can't see the login screen of the CMC then it's a problem with the web apps and not the EIM services.
    Try cleaning the Tomcat cache for the BOE web apps and let Tomcat re-cache it. Often that does the job.
    - Stop Tomcat
    - Rename the BOE folder to BOE-OLD in C:\Program Files (x86)\SAP BusinessObjects\tomcat\work\Catalina\localhost\
    - Start Tomcat
    When the Tomcat process in task manager is done working (it can take 10-20 min+) then try again.
    When you're done, you can delete the BOE-OLD folder.
    Let me know!

  • CSA and Deny CMD.EXE

    Hi,
    I am new to CSA and have been trying to figure out how to block the Windows cmd.exe process outright. Is anyone able to assist or point me in the right direction?
    Thanks

    No, you should never change the built-in ruleset unless needed. In this case, you need to create a Policy and a rule module, and add an application control rule with the info I gave you. You attach the policy to the group that your hosts are in and the rule module to the policy, and generate rules. Just be careful: CSA is a very powerful tool, and rules can have a massive impact on your setup if you are not careful. Try it out on one machine first; this can be done by creating a group, assigning the new policy you just created to it, and then adding that group to the host.

  • How do I backup an IPS config (ASA-SSM-10)

    Hi,
    How do I backup an IPS config (ASA-SSM-10)?
    Thanks

    There is a copy command in the IPS CLI that can be used to copy the current configuration to a backup configuration on the sensor itself.
    Or to copy the current configuration to an FTP or SCP server.
    The copy command can then be used to copy a configuration from backup or from an FTP or SCP server back to the running configuration of the sensor.
    http://www.cisco.com/en/US/docs/security/ips/6.2/command/reference/crCmds.html#wp458440
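    As an added example of the copy command described above (a session I wrote for this page, not the poster's), the following takes a backup on the sensor itself, ships a copy to an SCP server, and restores from each. The server address, user name, file name and prompt are assumptions.

```text
! 1. Snapshot on the sensor: backup-config is always overwritten.
sensor# copy current-config backup-config

! 2. Off-box copy over SCP (path is relative to the SCP user's home dir).
!    The sensor must already trust the server's SSH key, added with
!    "ssh host-key 192.0.2.10" in configure terminal; you are prompted
!    for the password when the copy runs.
sensor# copy current-config scp://admin@192.0.2.10/ips-backups/sensor-current.cfg

! 3. Restore. Without /erase the source is MERGED into current-config;
!    with /erase the source is applied on top of the system defaults,
!    which is what you want for a true rollback.
sensor# copy /erase backup-config current-config
sensor# copy /erase scp://admin@192.0.2.10/ips-backups/sensor-current.cfg current-config

! 4. Confirm what is running afterwards.
sensor# show configuration
```

    Prefer SCP over FTP for the off-box copy: the configuration carries the sensor's user accounts, management ACLs and (for blocking-capable sensors) device credentials, and FTP moves all of it in cleartext.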

  • Setting DNS TTL to 0 for specific DNS names and IPs

    A company we do business with has a service we are trying to contact over the internet. They have requested that we set the TTL for their DNS names and IPs on a specific port to 0. I'm having a hard time understanding what they are asking for. I thought that DNS TTL is generally set by the registrar. And can you even have a TTL on an IP address? That doesn't make any sense to me. They are asking for screenshots of nslookups of 3 IPs on port 1443 and they want to see the TTL set to 0. How would I do that on SBS 2011 / Server 2008 R2?
    Obviously I only want this on the 3 IPs and the DNS name; I don't want to set the whole DNS infrastructure to a TTL of 0.

    Sounds screwy to me!
    Robert Pearman SBS MVP

  • Catalyst 6500 and IPS

    I have a Catalyst 6500 switch on my network and I know it supports an IDS module. What I am not sure about is IPS.
    Could somebody who knows be kind enough to tell me whether IPS is supported in the Catalyst 6500 switch?

    The IDSM-2 module is capable of both IDS (promiscuous mode) AND IPS (inline mode).
    So if you need IPS (inline mode) you still just buy the same IDSM-2 but configure it for InLine Interface Pair or InLine Vlan Pair mode instead of configuring for Promiscuous mode.

  • Placing IDS and IPS

    Hi,
    Kindly brief me about the placement of NIDS in a bank network scenario, and IPS placement also...

    You didn't get an answer because the question is too vague. I think that banks have different requirements depending on their size. As I recall, there can be different regulatory bodies involved (OTS vs OCC) based on size.
    I would say at a minimum you should have IDS/IPS at all perimeter points. A bank should probably also have some sort of IDS/IPS protecting servers (Network and/or Host based).
    You might take a peek here for some more high-level info:
    http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html

  • IDS and IPS ?

    Hi
    I was using a 4215 IDS in my network before.
    My question is: what is the basic difference between IDS and IPS? Why should I use IPS in place of IDS; what are the key points and benefits?
    Thanks
    biplob

    Hi,
    Here are the definitions from IPS 5.1 guide.
    Understanding Promiscuous Mode (IDS)
    In promiscuous mode, packets do not flow through the sensor. The sensor analyzes a copy of the monitored traffic rather than the actual forwarded packet. The advantage of operating in promiscuous mode is that the sensor does not affect the packet flow with the forwarded traffic. The disadvantage of operating in promiscuous mode, however, is the sensor cannot stop malicious traffic from reaching its intended target for certain types of attacks, such as atomic attacks (single-packet attacks). The response actions implemented by promiscuous sensor devices are post-event responses and often require assistance from other networking devices, for example, routers and firewalls, to respond to an attack. While such response actions can prevent some classes of attacks, in atomic attacks the single packet has the chance of reaching the target system before the promiscuous-based sensor can apply an ACL modification on a managed device (such as a firewall, switch, or router).
    Understanding Inline Interface Mode (IPS)
    Operating in inline interface mode puts the IPS directly into the traffic flow and affects packet-forwarding rates making them slower by adding latency. This allows the sensor to stop attacks by dropping malicious traffic before it reaches the intended target, thus providing a protective service. Not only is the inline device processing information on layers 3 and 4, but it is also analyzing the contents and payload of the packets for more sophisticated embedded attacks (layers 3 to 7). This deeper analysis lets the system identify and stop and/or block attacks that would normally pass through a traditional firewall device.
    In inline interface mode, a packet comes in through the first interface of the pair on the sensor and out the second interface of the pair. The packet is sent to the second interface of the pair unless that packet is being denied or modified by a signature.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df7d.html#wp1033759
    Hope this helps.
    Edward
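    Both this reply and the Catalyst 6500 answer above describe the inline interface pair. As an added example (written for this page, not by either poster), this is what putting a sensor inline looks like in the IPS 5.x/6.x CLI: two sensing ports are bound into a named pair, and the pair is handed to the virtual sensor. The pair name, the port numbers (GigabitEthernet0/7 and 0/8 are the usual IDSM-2 sensing ports, but confirm with `show interfaces` on your platform) and the prompts are assumptions.

```text
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# inline-interfaces INLINE-PAIR1
sensor(config-int-inl)# interface1 GigabitEthernet0/7
sensor(config-int-inl)# interface2 GigabitEthernet0/8
sensor(config-int-inl)# exit
sensor(config-int)# bypass-mode off
sensor(config-int)# exit
Apply Changes:?[yes]: yes
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface INLINE-PAIR1
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit
sensor# show interfaces
```

    `bypass-mode off` is the fail-closed choice: if the analysis engine stops, the pair stops forwarding rather than passing traffic uninspected, which is what the default `auto` does. Decide this deliberately, because an inline sensor is now a single point of failure on the path as well as a source of latency. On a 6500 the switch must still be told which VLANs to deliver to the module's data ports; that is switch-side configuration and is not shown here.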

  • IDS and IPS Hardware Information

    Hi,
    Can anybody give me detailed information on all the possible hardware that is used for IDS and IPS technologies to date?

    Cisco 830, 1700, 1800, 2600, 2800, 3700, 3800, and 7200 Series Routers are supported by IPS.

  • Difference between MARS LMS and IPS

    I am trying to understand the difference between MARS, LMS and IPS, and why you would use one over the other.
    Thank you all.

    MARS is an appliance that aggregates/deduplicates syslog and netflow data from routers,switches,firewalls, and IPS sensors. In addition to Cisco devices it also supports things like Checkpoint Firewalls, Snort IPS, etc.
    LMS (Ciscoworks LMS) is primarily a device configuration and IOS management platform that runs on your own Windows server (not sure if Unix is still supported.) We use it to maintain the configs of hundreds of Cisco routers and switches, easily push out config changes to said devices, and mass-deploy IOS upgrades.
    IPS is sort of like anti-virus "on the wire": it runs on dedicated IPS sensors, on plug-in modules in firewalls or 6500s, and on routers via IOS IPS. Events can be forwarded to MARS for correlation, etc.
    You didn't ask, but CSM (Cisco Security Manager) is the more appropriate tool for mass-configuration and 'group policy' for firewalls and IPS sensors.
    Each product solves a particular problem; you wouldn't choose one over the other since they all work together to provide a cohesive solution. The specifics of your environment (particularly the number and type of devices) would dictate your choices here.

    Trying to install 32 bit OBIEE11.1.1.6 on Win7 (64bit). Got through DB, RCU and on step 13 of 14 of OBIEE install when the process threw an error and stopped. Any help understanding this error stack would be appreciated. The log states [2012-12-04T12