IPS Labs using AIP SSM 10

Similar Messages

• Monitoring AIM-IPS-K9 and AIP-SSM-10

  Does anyone have any tips on monitoring the IPS devices for being up, healthy, not-in-bypass, and running normally, I had five of them fail after the E3 upgrade (one is still tweaked due what TAC has identified as a corrupt license issue). Although CSMARS 6.0 lists some unreachable devices once daily, it has all devices in the list making it less that useful information, but that is a different question.
  AIM-IPS-K9: 19 ea.
  AIP-SSM-10: 3 ea.

  Cisco had orginally planned to add a "keep alive" signature to 6.0. but that feature got dropped. The intent was to fire off a signature every few mins as long as the sensor was seeing valid traffic. The absence of seeing this signature should trigger some attention to a downed sensor.
  You can write a custom sig, but you have to be able to detect the loss of that event to be of value.

• How to block p2p applications(Bittorent like) with AIP-SSM-10?

  Hi,
  How to block p2p application using AIP-SSM-10 working with ASA5520?AIP is on promiscuous mode.
  Thanks,
  Siva

  There are several signatures that detect p2p, for bit torrent there is 11020.0
  Yahoo triggers: 5539.0, 11200.0, 11212.0, 11217.0 & 11219.0
  etc..
  Some are disabled by default though so please ensure you enable the ones that you need.
  If you want to block these then you will have to use event actions that work in promiscuous setup for example request block connection and tcp reset. Please note that care must be taken when using these event actions.
  For more information about the event actions please refer the link below:
  http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/idmguide/dmevtrul.htm#wp1069467

• AIP-SSM-10 auto update issue

  Hi! experts
  I using AIP-SSM-10 module on ASA 5540
  But it is not working auto update signature.
  So I `m going to attach " show statistics host" result.
  Can you tell me some help?
  Thanks in advance
  Auto Update Statistics
  lastDirectoryReadAttempt = 07:34:50 UTC Tue Oct 20 2009
  = Read directory: https://198.133.219.25/cgi-bin/ida/locator/locator.pl
  = Error: AutoUpdate exception: HTTP connection failed [1,0]
  lastDownloadAttempt = N/A
  lastInstallAttempt = N/A
  nextAttempt = 04:00:00 UTC Wed Oct 21 2009

  It is clear that mgmt ifaces are able to connect to the Internet but if they may connect to inet via proxy you must configure proxy-server.

• Using ASA5510 AIP-SSM in IDS mode

  Hi,
  I' ve a Cisco ASA5510 with  AIP-SSM and I wold like to use it like a one-armed IDS for connect them to a span port of a switch in my network,
  without the traffic passing through the Firewall.
  I've try to configure it and connect the interface inside (fast0/1) to the span port, I create the policy for permit  all the traffic to the  Sensor but it doesn't work, no packet recived on sensor.
  somebody can help me?
  thanks

  Unfortunately you can't use the AIP-SSM in an ASA with a spanning switch like you could with the 4200 series appliances.
  The reason is that the ASA was built to be a firewall, and no matter how much of that functionality you turn off, it still needs to see TCP and UDP conversations flowing thru the ASA in order to pass that traffic to the AIP-SSM sensor (I tired very hard to see if I could get around this limitation, but you can't).
  The best you can hope to do is put the ASA in-line (I know this reduces reliability) and turn off as much of the firewall configs you can. Then you can promisciously monitor the traffic passing thru teh ASA with teh AIP-SSM.
  It's not ideal, but it's the cheapest IPS sensor in Cisco's line up right now.
  - Bob

• Best practices for using Normalizer in ASA and in AIP-SSM

  Both PIX OS 7.x and IPS 5.x software have a concept of "traffic normalization". PIX OS on ASA can do virtual reassembly, IPS on SSM (so far as I know) can do physical reassembly and fragmentation of IP packets. Also, both ASA and SSM can do TCP normalization. For example, they both can "check inconsistent retransmissions" and protect against "TTL evasion attacks". I realize that PIX OS has only basic normalization functions and the SSM is much more configurable.
  The question is: what are the best practices here? Is it better to disable some IP/TCP PIX OS checks / IPS signatures on ASA and/or SSM? Is it better to use just SSM for traffic normalization? Does anybody has personal experience here?
  Also, there is a BugID CSCsd04327 - "ASA all out of order packets are dropped when sending to ssm"
  "When ips ssm is inline slowness is reported. show service-policy shows that the number of out of order packets reported match exactly the number of no buffer drops (even with queue-limit option). Performance hit is not the result of tcp normalization (on IPS 5.x ssm) in this case, but rather an issue with asa normalizer."
  To me it seems to be more logical to have normalization function on the firewall, but there may be drawbacks in doing this.
  So, those who're using ASA with SSM, please share your experience.
  Thx.

  Yes, this is almost correct ;)
  TCP SRP (Stream Reassemly Processor) is turned OFF on the SSM and cannot be enabled, contrary to 4200 appliances, but IP FRP (Fragmentation Reassembly Processor) is functioning on the SSM.
  The testing of 7.2(1) shows the following:
  When you configure "policy-map" to send packets to the SSM the "tcp-map" parameter "queue-limit", which has the value of zero by default, is set to an X (the X is unknown). This means that the ASA now only accepts the TCP segments which are sent in the correct order. More specifically, the gaps in SEQs are not allowed anymore. When for example, the ASA receives a TCP segment which has a SEQ within the window, but the previous TCP segment has been lost, it sends an ACK to the sender to enforce retransmition of the lost segment. As a result the sender retransmits both segments. Only after that the ASA forwards both segments to the SSM. This basically means that SSM always sees in-order TCP segments. That it is why SRP is not needed on the SSM.
  There are at least two problems however.
  The first problem is the performance impact.
  ASA now acts almost like a proxy. And, so far as I know, it doesn't support SACK (Selective ACKs). First, when the ASA does TCP SEQ randomization it doesn't change SEQ values within the SACK TCP Option. This simply breakes SACK. Second, even if you turn randomization mechanism OFF, then, I believe, the ASA will not selectively ACK the lost TCP segments, as it simply doesn't support this mechanism.
  The second problem is THE SECURITY HOLE.
  By default the ASA doesn't check TCP checksums. The 4200 appliances do check by default. But as we now know the SRP is turned OFF on the SSM... So, this means that SSM module can easily be evaded. The hacker only needs to mix attacking traffic with the random TCP segments that have bad TCP checksum. The SSM module will see the mixture of the two and will not recognize the attack. The target host will drop TCP segments with the bad checksums and see only attacking traffic... This has been successfully verified in the lab.
  Of course, this security hole can be closed with the "tcp-map" parameter "checksum-verification", but it will definitely has performance impact.
  The last note: All of the above has never been documented by Cisco. So, use at your own risk, etc.
  I hope, you will read this message, Marcoa. All of this MUST be documented. Once again, the default behaviour of the ASA opens up a big security hole.
  Regards,
  Oleg Tipisov,
  REDCENTER,
  Moscow

• IPS AIP-SSM

  Hi,
  What is difference between E3 and E4 system upgrade files in IPS ? Is it possible to upgrade AIP-SSM from 6.0 E3 to 7.0 E4 ?
  Regards
  Amar

  Amar;
    The E3 and E4 designation represents the version of the analysis engine installed on the sensor.  The signature developers create signatures to the most current release of the analysis engine (E4 currently).  Without the most current analysis engine (and an active license) you cannot apply signature updates to the sensor.
    It is possible to upgrade an AIP-SSM from release 6.0 to 7.0 using the current 7.0 upgrade package (.pkg file).
  Scott

• Why my IPS - aip-ssm send requests to 80.53.146.82 port 80

  I have a web proxy ..tunnel filters...and AIP-SSM....inside of the network...i configure host service, network setting and hhtp-proxy to use my proxy when updating global corelation ...
  On proxy I allow hhtps to 204.15.82.17 ---ironport service.
  In proxy log I see that https to 204.15.82.17 is allowed and after that ips try to sending http packets to 80.53.146.82 -----I SEE in the RIPE that is AKAMAI technologies IP..address.
  What is this?
  Why my IPS - aip-ssm send requests to 80.53.146.82 port 80

  This is the new 7.x Global Correlation feature, and it is documented here:
  http://www.cisco.com/en/US/docs/security/ips/7.0/release/notes/18483_01.html#wp1161779
  http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html
  AFAIK, you can turn off this feature as per your discretion. Cisco has adapted the Ironport senderbase technology to their IPS as well. Its a pretty interesting feature, I hope it becomes as successful as the one for mail traffic.
  Please rate if helpful.
  Regards
  Farrukh

• CSM to update IPS AIP -SSM

  Hi all,
  I need some help. I am configuring my CSM 3.1 to apply update on my IPS AIP-SSM.
  I went to the apply IPS Tab and choose to update from cisco.com. But it is always like processing for a long time.
  I tried to enter my username and password for the sensors or the CCO account but still no improvement. Does anyone knows how to configure this. I tried reading the user guide there is no examples.
  Thanks

  The IPS-engine-E2-req-5.1-7.pkg Engine Update file is just to upgrade an existing 5.1(7)E1 sensor to 5.1(7)E2.
  It only changes the "engine" features of the sensor that are necessary for installing signature updates requiring E2. It does not change other files on the sensor.
  The IPS-K9-5.1-8-E2.pkg Service Pack file is for upgrading the entire image to the next service pack level as well as upgrading the "engine" features. So you get all of the latest bug fixes.
  So which to use?
  If you are running 5.1(7)E1 then you will eventually want to get to 5.1(8)E2. But the upgrade to 5.1(8)E2 WILL require a reboot and so if running in an inline mode it should only be done during a scheduled network downtime. For most networks this could be a week or even a month before the downtime can be scheduled to do this type of upgrade. So the IPS-engine-E2-5.1-7.pkg file is a short term solution to get you to the E2 level required for signature updates, until you can schedule the upgrade to 5.1(8)E2.
  The IPS-engine... file will NOT reboot the sensor. It will temporarilly stop analysis and if Software ByPass is set to auto then traffic will be allowed to pass through the sensor unanalyzed while the engine update takes place. Because the traffic will continue to flow with Software ByPass most companies will allow an Engine update to be installed without having to schedule network downtime.
  Of course, the above discussion was really only applicable when E2 was the latest Engine release. Now that E3 is out, the discussion really becomes how to get to E3.
  There is Not an IPS-engine-E3-req-5.1-7.pkg engine update file.
  So you must get to 5.1(8)E3 if you want to keep getting recent signature updates.
  So then it just depends on your current IPS version.
  If you are running 5.1(7)E2 or earlier version then you must schedule a downtime and install the IPS-K9-5.1-8-E3.pkg file in order to install the latest E3 required signature updates.
  If you are running 5.1(8)E2 already, then you need to install the IPS-engine-E3-req-5.1-8.pkg file because the only thing needing to be upgraded is the Engine level to E3.
  General Rules of Thumb:
  Always ensure you are at the latest Service Pack level for the major/minor version train you are using. (5.1(8) in this case)
  If you are running the latest Service Pack then you will be able to simply install an Engine Update when the next Engine Update comes out without having to schedule downtime.
  If you are not at the latest Service Pack level then you will want to schedule a network downtime to do that upgrade within 60 days of the Service Pack being released.
  If an Engine Update comes out before you get a chance to upgrade to the next Service Pack, then install the Engine Update for the prior Service Pack (that you should at least be at) as a temporary measure to keep getting signature updates. And schedule a Service Pack upgrade as soon as possible.
  Why 60 days?
  If a new Engine Update is released within 60 of a Service Pack release, then the Engine Update will be released for both the latest Service Pack AND the one prior. But if the new Engine Update is longer than 60 days after the latest Service Pack, then an Engine Update will be created only for the latest Service Pack and not for the prior. This is why E3 was only released for 5.1(8). E3 was released more than 60 days after 5.1(8) so there was not an E3 for the prior 5.1(7).
  So you see that an Engine Update for a prior Service Pack should be considered a temporary measure until you can get the next Service Pack installed.
  If you wait too long another Engine Update might come out, and you might be forced into an immediate network downtime to get to the latest Service Pack.
  As for do you HAVE to install IPS-engine-E2-req-5.1-7.pkg before installing IPS-K9-5.1-8-E2.pkg (or more importantly IPS-K9-5.1-8-E3.pkg).
  The answer is NO.
  You can go directly from any 5.0 or 5.1 version directly to IPS-K9-5.1-8-E3.pkg.

• IPS Signature DataBase - ASA IPS/IOS IPS/IPS 42xx/AIP-SSM

  Hi,
  Can anyone briefly tell me the signature database details (No of Signature) among the following devices,
  -->ASA IPS/IOS IPS/IPS 42xx/AIP-SSM.
  Thanks,

  IPS on ASA/PIX = just 50 or so common signatures
  AIP-SSM module = same signatures as Cisco 4200 series sensors. Little minor differences exist (like IPv6 signature support etc.)
  Please rate if helpful.
  Regards
  Farrukh

• Activating IPS AIP-SSM

  Hello Everyone,
  Some time ago we purchase a couple of ASA5510s with the IPS aip-ssm modules in them. I got them installed and got the vpns running, but never activated the IPS module on them.
  I am getting ready to get the IPS modules going. But, don't I need some time of subscription so that the IPS module can download signature updates?
  Does anyone know what the part number on that subscription is? I am seeing listings for "content security plus" licenses, but I think that is something different. I am also seeing licenses for Botnet traffic filter licenses. But, again, I am not sure if that's the right one.
  Thanks,
  Ben

  You will need a subscription license in order to take advantage of signature and Global Correlation updates. The official name for this license is "Cisco Services for IPS".  Take a look at the following Q&A doc which covers some of the part numbers.
  http://www.cisco.com/en/US/services/ps2827/ps6076/services_qa0900aecd8022e962.pdf

• Cisco IPS 4240 VS Cisco ASA AIP SSM-10 Modula

  I'm looking to replace another vendor's IPS system we have at our company. We do have an ASA 5510 in our envionment currently.
  Considering I don't need the extra bandwidth of the IPS 4240 series and the AIP SSM-10 requires an ASA 5510 what are the differences?

  Operationally the AIP-SSM1 and the 4240 run the same software, so they work pretty much the same.
  The AIP-SSM inside the ASA is less expensive alternateive, but becuase it sits inside an ASA there is more to configure and manage (the ASA plus the sensor), The ASA also has some built in inspections that may filter some traffic/attacks from being seen at the AIP-SSM sensor.
  - Bob

• AIP-SSM module hung

  I have recently confgured my AIP-SSM-20 module in my firewalls (ASA 5540) which are configured in HA(Active/Standby).This implementation i have done on 13th June. It was working fine.
  Now, i have observerd that the AIP-SSM-20 module in the primary firewall had gone to unresponsive state.
  Below is the status of show module and show failover command.
  FW1-5540# sh module
  Mod Card Type                                    Model              Serial No.
    0 ASA 5540 Adaptive Security Appliance         ASA5540            JMX1234L11F
    1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         JAF1341ADPS
  Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
    0 0021.d871.77ab to 0021.d871.77af  2.0          1.0(11)4     8.0(3)6
    1 0023.ebf6.11ce to 0023.ebf6.11ce  1.0          1.0(11)5     6.2(2)E4
  Mod SSM Application Name           Status           SSM Application Version
    1 IPS                            Not Applicable   6.2(2)E4
  Mod Status             Data Plane Status     Compatibility
    0 Up Sys             Not Applicable
    1 Unresponsive       Not Applicable
  FW1-5540# sh failover
  Failover On
  Failover unit Primary
  Failover LAN Interface: FAILOVER GigabitEthernet0/2 (up)
  Unit Poll frequency 1 seconds, holdtime 15 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 3 of 250 maximum
  Version: Ours 8.0(3)6, Mate 8.0(3)6
  Last Failover at: 09:06:14 UTC Jun 15 2010
          This host:
                  This host: Primary - Failed
                  Active time: 191436 (sec)
                  slot 0: ASA5540 hw/sw rev (2.0/8.0(3)6) status (Up Sys)
                    Interface DMZ_LAN (10.192.153.13): Normal (Waiting)
                    Interface INTRANET (10.192.154.13): Normal (Waiting)
                    Interface management (0.0.0.0): Link Down (Waiting)
                  slot 1: ASA-SSM-20 hw/sw rev (1.0/6.2(2)E4) status (Unresponsive/Down)
                    IPS, 6.2(2)E4, Not Applicable
          Other host: Secondary - Active
                  Active time: 192692 (sec)
                  slot 0: ASA5540 hw/sw rev (2.0/8.0(3)6) status (Up Sys)
                    Interface DMZ_LAN (10.192.153.5): Unknown (Waiting)
                    Interface INTRANET (10.192.154.5): Unknown (Waiting)
                    Interface management (0.0.0.0): Unknown (Waiting)
                  slot 1: ASA-SSM-20 hw/sw rev (1.0/7.0(2)E4) status (Up/Up)
                    IPS, 7.0(2)E4, Up
  Stateful Failover Logical Update Statistics
          Link : Unconfigured.
  I have tried using the
  hw-module module 1 reset
  to reset the IPS module but the status is always unresponsive.
  Its production environment where i cannnot expirement much. Ned help to rectify the problem.

  Hi Scott, 
  I have almost same problem of sbgcsd in my customer. I'm deploying two ASA-5512 in failover configuration. One day, after almost 2 months testing project in a lab, when we install in customer's datacenter the systems presented following errors:
    ciscoasa2(config)# failover
          Detected an Active mate
    ciscoasa2# Mate NOT PRESENT card in slot 1 is different from mine IPS5512
  I tried to discover what was happened with IPS modulo, then I saw error in IPS status: "Unresponsive".
    ciscoasa2# sh module ips
    Mod  Card Type                                    Model              Serial No.
     ips Unknown                                      N/A                FCH1712J7UL
    Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
     ips 7cad.746f.8796 to 7cad.746f.8796  N/A          N/A 
    Mod  SSM Application Name           Status           SSM Application Version
     ips Unknown                        No Image Present Not Applicable  
    Mod  Status             Data Plane Status     Compatibility
     ips Unresponsive       Not Applicable 
    Mod  License Name   License Status  Time Remaining
     ips IPS Module     Disabled        perpetual
  According with Cisco Foruns I tried to "Reloading, Shutting Down, Resetting, and Recovering AIP-SSM" (*) using "hw-module module " command. But unfortunatelly ASA didn't accept this command. See below:
    ciscoasa2# hw-module module 1 reload
               ^
    ERROR: % Invalid input detected at '^' marker
  What happened with this command (hw-module) ? Maybe is a problem in Software version ? When I entered "sh flash" command I saw that didn't exist any software for AIP-SMM module:
    ciscoasa2# sh flash
    --#--  --length--  -----date/time------  path
     11  4096        Sep 12 2013 13:56:54  log
     21  4096        Sep 12 2013 13:57:10  crypto_archive
    100  0           Sep 12 2013 13:57:10  nat_ident_migrate
     22  4096        Sep 12 2013 13:57:10  coredumpinfo
     23  59          Sep 12 2013 13:57:10  coredumpinfo/coredump.cfg
    101  34523136    Sep 12 2013 14:00:14  asa861-2-smp-k8.bin
    102  17851400    Sep 12 2013 14:04:36  asdm-66114.bin
    103  38191104    Apr 24 2014 12:59:58  asa912-smp-k8.bin
    104  6867        Apr 24 2014 13:01:20  startup-config-jcl.txt
    105  24095116    Jun 17 2014 14:54:14  asdm-721.bi
  But another ASA (#1) have image:
  ciscoasa1# sh flash
  --#--  --length--  -----date/time------  path
     11  4096        Sep 10 2013 06:42:56  log
     21  4096        Apr 17 2014 03:13:12  crypto_archive
    123  5276864     Apr 17 2014 03:13:12  crypto_archive/crypto_eng0_arch_1.bin
    110  0           Sep 10 2013 06:43:12  nat_ident_migrate
     22  4096        Sep 10 2013 06:43:12  coredumpinfo
     23  59          Sep 10 2013 06:43:12  coredumpinfo/coredump.cfg
    111  34523136    Sep 10 2013 06:44:24  asa861-2-smp-k8.bin
    112  42637312    Sep 10 2013 06:45:46  IPS-SSP_5512-K9-sys-1.1-a-7.1-4-E4.aip <===
  But I am not sure if this image is really the right image do AIP-SSM in ASA#2. But anyway I copy (through a simple TFTP server) from ASA#1 to ASA#2 , but after this, the same problem ramained ! 
  Because I didn't applied the Failover condition to system. 
  What can I do now ?
  Thank you very much in advance.
  Leonardo_Melo.(CCAI-JCL-Brazil).

• How to determine the IPS throughput using Cisco ASA 5500 IPS Solution?

  Hello there!
  I´ve been desinging a solution to protect de Server Farm and I intend to use the ASA 5500 series with AIP-SSM module. There´s any tool to determine the real throughput that I need? I mean, how to determine the performance (Firewall + IPS  throughput), what main points I should consinder?

  If the server farm is running production levels of traffic today you can get statistics off a variety of networking devices passing the existing traffic. Switches, routers and firewalls all count every byte of traffic they pass. There are plenty of tools that can gather this traffic into tables via SNMP too, such as MRTG.
  Do not average your traffic over too great a time peroid, you will miss busy hour peaks. At most, use 5 min averages.
  - Bob

• Do I need two AIP-SSM modules if I am configuring failover?

  Is it possible to use a single AIP-SSM module in two ASA's that are configured in Active/Standby mode?
  I would like to configure the module in the first ASA with the fail-open setting.  Then, if the first ASA fails, I could then physically remove the AIP-SSM module and place it in the second ASA.
  Would there be any problems configuring it this way?
  Would the active/standby ASA's complain that there is only one AIP-SSM module?
  Thanks in advance.

  Hello Julio. My name is Rogelio, and I would appreciate your answer on a related matter, because I will have to execute the initial configuration of a failover pair, each one with its own IPS module.
  Question: let´s suppose that I execute a basic setup (admin username/password, IP address, mask, gateway), on the IPS module of the active ASA firewall. ¿Will this configuration be replicated to the IPS module of the secondary unit?
  Your kind answer will be greatly appreciated.
  Best regards...