IPS solution in 2821

Hi All,
We are trying to deploy IPS inline in software on 2821 routers. The objective is to familiarise ourselves with deploying IPS functionality on these routers and testing it to verify that it works.
We are thinking that if we understand it well, it may be deployed in our network wherever appropriate.
If somebody could help us by pointing to a valid resource, or suggest how to proceed, it would be greatly appreciated.
Currently we have tried enabling IPS inline on this router and configured it to send any trigger logs to a syslog server. We want to test whether this works. Also, whenever we reboot the router, the signature associated with the interface gets removed. Any suggestion on this would be hugely appreciated.
Thanks
Regards
Anantha Subramanian Natarajan

Please have a look at this:
http://www.cisco.com/en/US/products/ps6634/products_configuration_example09186a008097dbe8.shtml
Regards
Farrukh

Similar Messages

  • Complete IPS Solution

    I just upgraded my network backbone to the 4507r switch using sup IV and netflow cards. I also upgraded my Internet and core routers to the 2821 and 2851 respectively.
    I will also be installing a ASA-5520 w/ csc-ssm-20 module.
    How should I proceed with implementing an IPS solution that will protect my network from the outside world, as well as from other devices in our LAN/WAN environment?
    Our company has 3 remote sites. Two of which are connected to corp via a MPLS network and one is connected to corp via a point-to-point T1.
    What is the Cisco solution to do this?
    Can I use non-Cisco IPS solutions along with Cisco equipment, such as Lancope's StealthWatch XE for Cisco's Netflow?

    Hi, there are several sensors that could cater for your environment, based on the amount of traffic you are planning to inspect. As for the location, I suggest placing a sensor behind the firewall (inline between the inside interface of your ASA and the LAN). That way traffic to/from the LAN will be inspected. Also, if you have Cisco devices such as routers or firewalls at the remote sites, you could further protect them by using the sensor as a device manager; in other words, you can configure the sensor so that in the event of an attack it can push down access-list entries to your remote Cisco devices as well.
    I suggest checking the sensor portfolio, which will provide you with detailed information.
    http://cisco.com/en/US/products/hw/vpndevc/ps4077/products_data_sheet0900aecd801eeea5.html
    I hope it helps ... please rate it if it does !!!

  • ASA5510-AIP10 as Dedicated IPS solution?

    Current setup is: Internet drop-point -> 2 ASA5505-SEC-BUN (primary/failover) -> Switch (multiple VLANs) -> machines
    Can I use an ASA5510-AIP10-K9 as a dedicated IPS solution?
    Can I use it in all modes?  (Promiscuous, Inline, Hybrid)
    I created a few images demonstrating the different setups.  Can I do each setup?  If not, can you briefly explain why?

    Hello Matt!
    To be honest, I do not fully understand what you mean by "dedicated solution".
    In my mind a "dedicated solution" is something that stands apart from the ASA and is independent of it (like the 42xx/43xx/45xx appliances).
    The AIP module is a "built-in" solution rather than a "dedicated" one.
    Judging by your schemas your main aim is to inspect traffic between internet edge and internal network.
    All your scenarios are easy to implement: you will need to use virtual sensors feature on AIM to create two sensors for promiscuous and inline modes.
    On ASA you will need to use MPF to tell ASA which traffic should go to which sensor.
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/modules_ips.html#wp1088096
    If you want to inspect traffic between VLANs that are behind the switch you will need to force traffic flow through the ASA (for example ASA can perform inter-vlan routing).
    PS: Keep in mind that you will need two AIP modules when you use two ASA in failover. Modules also should be identical.

  • How to determine the IPS throughput using Cisco ASA 5500 IPS Solution?

    Hello there!
    I've been designing a solution to protect the server farm and I intend to use the ASA 5500 series with an AIP-SSM module. Is there any tool to determine the real throughput that I need? I mean, how do I determine the performance (firewall + IPS throughput), and what main points should I consider?

    If the server farm is running production levels of traffic today you can get statistics off a variety of networking devices passing the existing traffic. Switches, routers and firewalls all count every byte of traffic they pass. There are plenty of tools that can gather this traffic into tables via SNMP too, such as MRTG.
    Do not average your traffic over too great a time period; you will miss busy-hour peaks. At most, use 5 min averages.
    - Bob

  • ARP Poisoning & Cisco IDS/IPS Solutions

    I am trying to find out if someone familiar with Cisco's IDS/IPS (network and/or host-based) solutions can tell me if the product(s) can identify and/or prevent ARP poison routing attacks. If so, does it require customizing signatures, or are there out-of-the-box detection signatures?
    Thanks for any information

    There are some. Go here and do a search for "arp":
    http://tools.cisco.com/security/center/search.x?search=Signature
    Perhaps it goes without saying, but remember that the sensor has to see the relevant layer 2 traffic for these to work.

  • Custom IPS sigs on NGFW (ASA-CX) IPS solution?

    Hi folks,
    I am trying to determine if it is possible to create custom IPS sigs on the ASA-CX module?  Not the ASA + Legacy IPS combo, but the ASA + ASA-CX (Application Detection, Web Filtering, IPS) combo.
    I couldn't find anything in the docs that said this was possible.
    Thanks!
    Neil

    Thank you for your response.  However my question was targeted towards Intrusion Prevention signatures such as the ones found on the traditional IPS units.  I would want the ability to use the various IPS engines such as Atomic IP, HTTP, etc and create sigs that match on things inside the packet, URL string, etc.
    Thanks!

  • IOS IPS Sig Updates

    It seems like whenever there is an IDS sensor/appliance update for defending against the latest virus/worm, there is no update for IOS IPS signatures.
    Case in point: on June 3 there was an IDS update for W32/Bobax.worm.o, S174. The IOS IPS zip file as of today is S169 from May 25. What gives?
    Also, why aren't there any release notes for the IOS IPS zip files to document what was added? That way we could read them to judge whether we need to download the zip file or not.

    There are a couple of extra steps in producing the IOS IPS signature update. The IOS IPS solution is a subset of the full appliance solution and is further constrained by memory limitations inherent in the routers that it runs in. Because of this, once the signature development team puts together an appliance update, that update has to be reviewed to make sure that the appliance signatures won't crash the IOS implementation. Any issues found during the review have to be addressed before the IOS update can be posted. This extra review step is the cause for the delay.
    Regarding the release notes. The signatures usable by the IOS solution are a subset of the appliance update. You can look at the appliance update release notes to see what *might* be available. I say might because of the subset issues....
    SC

  • IOS IPS SIG Updates via IDSMDC

    When using IDS MC to push out updates for sensors and IOS IPS devices, the signature update process pushes the updates to the sensors during the update process. However, the IOS IPS devices pull their signature definitions from the server itself.
    So my question is, do you need to "Generate" and "Deploy" to all IOS IPS devices to ensure the devices are updated with the latest signature definitions after the update?
    SHM


  • IOS IPS - Sig 4050 UDP Bomb apparent false alarms?

    Hi,
    I'm trying the IOS IPS solution out in a lab environment and I seem to be getting lots of false alarms on sig 4050 - UDP bomb. Looking at the signature description via go/mysdn, and looking at its configuration on the router via SDM, I can see it is simply looking for small UDP packets. But I don't know what size (the parameter is named ShortUDPLength and it's set to True).
    All NTP traffic kicks off this signature. Using Ethereal to capture the NTP exchange, I see that the communication in each direction is a single packet. The layer 2 frame length is 90 bytes. The UDP data length is 56 bytes. All of this seems fine. The NTP server is a Cisco router. The NTP client is running on a Windows 2000 workstation.
    Also, any TFTP to/from the router with IPS enabled also triggers the alert. Specifically it is the ACKs from the TFTP server that trigger the alert. They are indeed small packets; the UDP data size is only 12 bytes.
    Note, this same traffic does not cause alerts from a 5.0 IPS sensor. Looking at the signature definition on the sensor, it doesn't have a parameter named ShortUDPLength. Instead it has a parameter named udp-length-mismatch which is set to true. This doesn't seem to be keying off a particular data size, but instead off conflicting reports in the UDP header compared to the actual packet size.
    Any information that anyone could provide to shed light on this subject would be appreciated. Such as:
    1) Do you find that IOS IPS sig 4050 false alarms are common?
    2) What is the UDP data length that triggers the alert? It has to be bigger than 90 bytes!
    3) Does Cisco have any recommendations on what to do with this built in signature?
    Thanks,
    KEP

    On the sensor appliance side, the udp-length-mismatch checks for discrepancies between the ip header length and udp length of the packet. You were dead on, the signature triggers when the UDP length specified is less than the IP length specified. I'm not positive of exactly what the IOS ShortUDPLength parameter is.
    You provided some valuable information in that the same traffic doesn't trigger the alerts on the appliance, so we know that this is not the signature, but rather the implementation of it in IOS.
    I'm taking a bit of a leap here not knowing what IOS version you are running, but I'm guessing you may be running into CSCeh32935. The title states multicast, but the bug is not limited to just multicast traffic. This affects some 12.3T releases and early 12.4. It looks like 12.4(2)T or higher has fixes implemented.
    Since you're in a lab environment, I'd go ahead and upgrade the IOS on the router and see if that doesn't resolve the issue. If it's still there, open up a TAC case, and they'll be able to recreate the issue and file a new bug if necessary.
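    The appliance-side check described in the reply above (the UDP header's length field against the length the IP header leaves for UDP), as an added example that is not from the thread. The packets are constructed to mirror the NTP (UDP length 56) and TFTP ACK (UDP length 12) cases the poster measured, plus one with a deliberately forged UDP length; the IP/UDP header layouts are the standard RFC 791/768 ones.

```python
import struct

UDP_PROTO = 17


def ip_udp_length_mismatch(packet):
    """Return (mismatch, ip_payload_len, udp_len) for a raw IPv4 packet (no Ethernet header).

    A mismatch means the UDP length field disagrees with total_length - ihl, which is
    what an udp-length-mismatch style check keys on; the packet's absolute size plays no part.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl = packet[0]
    ihl = (ver_ihl & 0x0F) * 4
    (total_len,) = struct.unpack_from("!H", packet, 2)
    proto = packet[9]
    if (ver_ihl >> 4) != 4 or ihl < 20 or proto != UDP_PROTO or len(packet) < ihl + 8:
        raise ValueError("not a complete IPv4/UDP packet")
    (udp_len,) = struct.unpack_from("!H", packet, ihl + 4)
    ip_payload_len = total_len - ihl
    return udp_len != ip_payload_len, ip_payload_len, udp_len


def build_ipv4_udp(payload_len, udp_len_field=None, sport=123, dport=123):
    """Constructed test packet: minimal 20-byte IPv4 header, UDP header, zeroed payload.

    udp_len_field overrides the UDP length so a forged/inconsistent packet can be built.
    Checksums are left at zero; they are irrelevant to the length comparison.
    """
    udp_len = 8 + payload_len if udp_len_field is None else udp_len_field
    total_len = 20 + 8 + payload_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, UDP_PROTO, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 10]))
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return ip_hdr + udp_hdr + bytes(payload_len)


if __name__ == "__main__":
    # NTP: 48-byte payload -> UDP length 56, the value the poster saw in Ethereal.
    print("ntp      ", ip_udp_length_mismatch(build_ipv4_udp(48)))
    # TFTP ACK: 4-byte payload -> UDP length 12; small, but internally consistent.
    print("tftp ack ", ip_udp_length_mismatch(build_ipv4_udp(4, sport=69, dport=50000)))
    # Forged: IP header says 56 bytes of UDP, UDP header claims 40.
    print("forged   ", ip_udp_length_mismatch(build_ipv4_udp(48, udp_len_field=40)))
```

Only the forged packet reports a mismatch, which is consistent with the poster's observation that the 5.0 sensor stays quiet on the NTP and TFTP traffic.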

  • How to order IPS Svc for ASA5515-K8 and L-ASA5515-IPS-SSP=?

    Hello!
    I have got ASA5515-K8 and IPS license L-ASA5515-IPS-SSP= ordered separately.
    What SMARTnet should I order to enable IPS signature updates?
    I tried to order SU1 smartnet for ASA5515-K8, but Product ID ASA5515-K8 is not mapped to SU1 service.
    Thank you!

    Hello Andy,
    Here is the information you are looking for:
    Cisco Services for IPS
    Cisco Services for IPS is an integral part of the Cisco ASA 5500-X Series IPS Solution and enables operators to
    receive time-critical signature file updates and alerts. Part of the Cisco Technical Support Services portfolio, Cisco
    Services for IPS allows your Cisco ASA 5500-X Series IPS Solution to stay current on the latest threats so that
    malicious or damaging traffic is accurately identified, classified, and stopped. Cisco Services for IPS features
    include:
    ● Signature file updates and alerts
    ● Registered access to Cisco.com for online tools and technical assistance
    ● Access to the Cisco Technical Assistance Center
    ● Cisco IPS software updates
    ● Advance replacement of failed hardware
    For more information about Cisco Services for IPS, visit
    http://www.cisco.com/en/US/products/ps6076/serv_group_home.html.

  • Configure IPS on Router

    Dear All,
    I am a novice in security; excuse me if my question is very basic.
    I want to configure IPS on Cisco 2821 router. I do not have any server for storing the logs.
    Kindly let me know:
    Is it possible to configure IPS on a router 2821?
    Is it going to increase the CPU utilisation?
    Kindly let me have the command/link to configure IPS on the router.
    Thnx,
    Ashish

    Hi Ashish,
    You can configure IPS on the Cisco 2821. Just load it with an image that supports security features.
    Here's a good Q&A guide that may help you.
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_qas0900aecd806fc530.html
    For configuration, you can refer to http://www.cisco.com/en/US/products/ps6634/products_configuration_example09186a008097dbe8.shtml
    The CPU util depends on the number of signatures enabled and the amount/type of traffic the router is handling.
    HTH.
    --Raj

  • Cisco IPS - IOS vs Appliance vs ASA vs IDSM2

    Hello CSC
    I am trying to find information on performance of the various IPS implementation options.
    In short, I've been asked to enable IPS on our 2 ISP routers, 7206VXR (NPE-G1), one with a 45 Mbps connection, the other with 100 Mbps; the LAN interface for both is 1 Gbps. In addition, we have some internal WAN networks, so we would like to secure that perimeter using an IDSM2 in a 6509.
    I have some doubts that using IOS IPS on each device will be able to cope with the load with efficient throughput.
    I found this info:
    ASA - http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/data_sheet_c78-459036_ps4077_Products_Data_Sheet.html
    IPS Appliance - http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/ps9157/product_data_sheet09186a008014873c_ps4077_Products_Data_Sheet.html
    Does anyone have any similar stats for IOS IPS and IDSM2, or better still a comparison of all IPS solutions.
    Help appreciated.
    Thanks all
    Phil

    Here is a little info.
    http://www.cisco.com/en/US/prod/collateral/routers/ps5853/ps5875/prod_presentation0900aecd806ccf26.pdf

  • Connect MSFC to FWSM context through and external IPS.

    Does anybody know if it is possible to successfully pass traffic through an interface bridge between a FWSM and the MSFC using an external IPS solution as inline physical interfaces?
    In theory it should work just like VLAN bridging in the connection through an internal IDSM-2, like this:
    MSFC<---vlan 10--->Inline IDSM-2<---vlan 20--->FWSM Context
    What I want is this:
    Thanks in advance and sorry for my bad english :)
    Regards!

    I think the same, but I don't want to try it in the production environment ;)
    Anybody??

  • IPS recommendation

    Hi Netpros,
    I would like to implement an IPS solution in our company along with management software to manage the IPS boxes. What is the latest version of Cisco management software I should deploy? Will it be compatible with IDS?
    Thanks in advance.

    You can implement Cisco VMS 2.3 which has the CiscoWorks Management Center for IDS Sensors
    For more information please check http://www.cisco.com/en/US/partner/products/sw/cscowork/ps2330/products_qanda_item09186a008009253c.shtml
    Hope it helps
    Franco Zamora

  • Internet edge router & IPS

    I am looking for some recommended settings or pointers for what to enable on an Internet facing edge router (ISR). Currently the defaults have pretty much been accepted with regards to the IPS setup. The router was configured initially from the CLI and I am happy with this part, but all the IPS stuff was configured from SDM. At the moment it just reports for the 338 default enabled Signatures, however it can be configured to react (drop or reset connections). I am just looking for some recommendations or pointers as to what should be enabled.
    I have noticed a performance hit with IPS enabled but nothing too bad, the main bottleneck is the ISP link.
    Thanks
    Andy

    Andy,
    Generally Cisco only denies packets for the signatures which correspond to the attack signature section; also, many of those would only send a log message rather than denying the packet. This is done to keep only the relevant signatures enabled and dropping traffic, and to avoid false positives. For most networks, these settings would be good enough. Integrating an IPS solution into your network is an ongoing process rather than a one-time implementation. You would need to keep an eye on the events and change the signatures accordingly, for a typical cycle of 2 months. So, if you see an event which refers to an ongoing attack, enable the signature. At other times, keep it disabled, as it would save a lot of CPU/memory cycles on the IPS (and would avoid a performance bottleneck).
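    Two threads on this page want the same thing from the syslog side: the first thread needs to confirm that IPS trigger logs from the 2821 actually reach the syslog server, and the reply above relies on reviewing events per signature to decide what to enable or disable. As an added example (not from any poster), a small Python parser over constructed syslog lines does both; the "%IPS-4-SIGNATURE: Sig:... Subsig:... Sev:... <name> [src:port -> dst:port]" layout is assumed from the IOS IPS 5.x alert format, and the addresses, signature IDs and severities are made up.

```python
import re
from collections import Counter

# Assumed IOS IPS 5.x alert layout; the syslog priority and router timestamp that
# precede "%IPS-4-SIGNATURE" are skipped by using search() rather than match().
ALERT_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\]"
    r"(?: .*?RiskRating:(?P<rr>\d+))?"
)

# Constructed sample of what a collector would receive from the router: documentation
# addresses, made-up signature hits, and one non-IPS line as noise.
SAMPLE_LOG = """\
<188>137: *Mar  1 00:12:05.123: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.0.2.10:0 -> 192.0.2.1:0] VRF:NONE RiskRating:25
<188>138: *Mar  1 00:12:06.411: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.0.2.10:0 -> 192.0.2.1:0] VRF:NONE RiskRating:25
<188>139: *Mar  1 00:12:09.002: %IPS-4-SIGNATURE: Sig:5081 Subsig:0 Sev:100 WWW WinNT cmd.exe Access [198.51.100.7:36154 -> 192.0.2.20:80] VRF:NONE RiskRating:100
<189>140: *Mar  1 00:12:10.000: %SYS-5-CONFIG_I: Configured from console by console
"""


def parse_alert(line):
    """Return a dict for an IPS alert line, or None for any other syslog line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    a = m.groupdict()
    for key in ("sig", "subsig", "sev", "sport", "dport"):
        a[key] = int(a[key])
    a["rr"] = int(a["rr"]) if a["rr"] is not None else None
    return a


def summarize(log_text):
    """Count hits per (sig, subsig, name) and per source address: the view to review
    periodically when deciding which signatures to enable, tune or retire."""
    alerts = [a for a in map(parse_alert, log_text.splitlines()) if a]
    by_sig = Counter((a["sig"], a["subsig"], a["name"]) for a in alerts)
    by_src = Counter(a["src"] for a in alerts)
    return {"alerts": alerts, "by_sig": by_sig, "by_src": by_src}


def syslog_path_works(log_text, test_sig=2004):
    """Deployment check: after sending traffic that matches a harmless signature you enabled
    for the test (signature 2004, ICMP Echo Request, is an assumption), did any hit arrive?"""
    return any(a["sig"] == test_sig for a in summarize(log_text)["alerts"])


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for (sig, subsig, name), n in s["by_sig"].most_common():
        print(f"sig {sig}/{subsig} {name}: {n} hit(s)")
    print("syslog path OK:", syslog_path_works(SAMPLE_LOG))
```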
