IPS Tech Tips - Introducing NGFW with IPS

Similar Messages

• IPS Tech Tips: IPS Best Practices with Cisco Remote Management Services

  Hi Folks -
  Another IPS Tech Tip coming up and this time we will be hearing from some past and current Cisco Remote Services members on their best practice suggestions. As always these are about 30 minutes of content and then Q&A - a low cost high reward event.
  Hope to see you there.
  -Robert
  Cisco invites you to attend a 30-45 minute Web seminar on IPS Best   Practices delivered via WebEx. This event requires registration.
  Topic: Cisco IPS Tech Tips - IPS Best Practices with Cisco Remote Management   Services
  Host: Robert Albach
  Date and Time:
  Wednesday, October 10, 2012 10:00 am, Central Daylight Time (Chicago,   GMT-05:00)
  To register for the online event
  1. Go to https://cisco.webex.com/ciscosales/onstage/g.php?d=203590900&t=a&EA=ralbach%40cisco.com&ET=28f4bc362d7a05aac60acf105143e2bb&ETR=fdb3148ab8c8762602ea8ded5f2e6300&RT=MiM3&p
  2. Click "Register".
  3. On the registration form, enter your information and then click   "Submit".
  Once the host approves your registration, you will receive a confirmation   email message with instructions on how to join the event.
  For assistance
  http://www.webex.com
  IMPORTANT NOTICE: This WebEx service includes a feature that allows audio and   any documents and other materials exchanged or viewed during the session to   be recorded. By joining this session, you automatically consent to such   recordings. If you do not consent to the recording, discuss your concerns   with the meeting host prior to the start of the recording or do not join the   session. Please note that any such recordings may be subject to discovery in   the event of litigation. If you wish to be excluded from these invitations   then please let me know!

  Hi Marvin, thanks for the quick reply.
  It appears that we don't have Anyconnect Essentials.
  Licensed features for this platform:
  Maximum Physical Interfaces       : Unlimited      perpetual
  Maximum VLANs                     : 100            perpetual
  Inside Hosts                      : Unlimited      perpetual
  Failover                          : Active/Active  perpetual
  VPN-DES                           : Enabled        perpetual
  VPN-3DES-AES                      : Enabled        perpetual
  Security Contexts                 : 2              perpetual
  GTP/GPRS                          : Disabled       perpetual
  AnyConnect Premium Peers          : 2              perpetual
  AnyConnect Essentials             : Disabled       perpetual
  Other VPN Peers                   : 250            perpetual
  Total VPN Peers                   : 250            perpetual
  Shared License                    : Disabled       perpetual
  AnyConnect for Mobile             : Disabled       perpetual
  AnyConnect for Cisco VPN Phone    : Disabled       perpetual
  Advanced Endpoint Assessment      : Disabled       perpetual
  UC Phone Proxy Sessions           : 2              perpetual
  Total UC Proxy Sessions           : 2              perpetual
  Botnet Traffic Filter             : Disabled       perpetual
  Intercompany Media Engine         : Disabled       perpetual
  This platform has an ASA 5510 Security Plus license.
  So then what does this mean for us VPN-wise? Is there any way we can set up multiple VPNs with this license?

• IPS Tech Tip - Evasions - TCP/IP examples and handling - Sig team presentation

  Hi Customers,
  Its summer time and nothing evokes cool quite like a discussion into the TCP / IP stack and how creative attacker types try to hide attacks behind it. This presentation will feature a security researcher from our signature team and will be the first of several presentations on evastions and how the Cisco IPS handle them.
  We hope that you can make it.
  Thanks,
  -Robert
  Robert Albach invites you to attend a 30-45 minute Web seminar on the Cisco IPS internal operations using WebEx. This event requires registration.
  Topic: Cisco IPS Tech Tips - Handling Evasions
  Host: Robert Albach
  Date and Time:
  August 25, 2011 9:30 am, Central Daylight Time (Chicago, GMT-05:00)
  To register for the online event
  1. Go to https://ciscosales.webex.com/ciscosales/onstage/g.php?d=201261254&t=a&EA=ralbach%40cisco.com&ET=64ed8e6d81005252203f6671cfeee480&ETR=fb46b8799a6afe989e9a744f0fac0d77&RT=MiM3&p
  2. Click "Register".
  3. On the registration form, enter your information and then click "Submit".
  Once the host approves your registration, you will receive a confirmation email message with instructions on how to join the event.

  Sadly we did not get the recording done. The presentation and the example pcaps  however are on this forum now.
  -Robert

• IPS Tech Tip - "show tech" command part 2 - IPS dev team webinar

  Hi Folks,
  The IPS product management and development team would like to invite you to this 30-40 minute webinar followed by Q&A sessions. These will be recorded and put on this forum as well. We hope you can attend.
  -Robert
  Robert Albach invites you to attend a Web seminar using WebEx. This event requires registration.
  Topic: Cisco IPS Tech Tips - show tech part 2
  Host: Robert Albach
  This month's Cisco IPS Tech Tip will continue December's show tech command discussion. The show tech command holds a wealth of information regarding your IPS's performance and status. Cisco IPS development team members will continue to talk about what all this information means to you and then answers your questions.
  Date and Time:
  January 27, 2011 10:00 am, Central Standard Time (Chicago, GMT-06:00)
  To register for the online event
  1. Go to https://cisco.webex.com/ciscosales/onstage/g.php?d=202882129&t=a&EA=ralbach%40cisco.com&ET=85576c2dbfd6dca4b756de40b6728a2b&ETR=5d7e40b0e38f564be0a8bd55114369fc&RT=MiM3&p
  2. Click "Register".
  3. On the registration form, enter your information and then click "Submit".
  Once the host approves your registration, you will receive a confirmation email message with instructions on how to join the event.

  Sadly we did not get the recording done. The presentation and the example pcaps  however are on this forum now.
  -Robert

• Cisco IPS Tech Tips: Data Center Protections and Platforms

  Hello Cisco Community Forum Members;
  Robert Albach invites you to attend a 30-45 minute Web seminar on the Cisco   IPS internal operations using WebEx. This event requires registration.
  Topic: Cisco IPS Tech Tips - Data Center Protections and Platforms
  Host: Robert Albach
  Date and Time:
  Thursday, July 19, 2012 10:00 am, Central Daylight Time (Chicago, GMT-05:00)
  To register for the online event
  1. Go to https://cisco.webex.com/ciscosales/onstage/g.php?d=206048546&t=a&EA=ralbach%40cisco.com&ET=ade69a0aa29f279471b6a85feae46a71&ETR=5b39cf5f535442c1763f090845d7ddd3&RT=MiM3&p
  2. Click "Register".
  3. On the registration form, enter your information and then click   "Submit".
  Once the host approves your registration, you will receive a confirmation   email message with instructions on how to join the event.
  For assistance
  http://www.webex.com
  IMPORTANT NOTICE: This WebEx service includes a feature that allows audio and   any documents and other materials exchanged or viewed during the session to   be recorded. By joining this session, you automatically consent to such   recordings. If you do not consent to the recording, discuss your concerns   with the meeting host prior to the start of the recording or do not join the   session. Please note that any such recordings may be subject to discovery in   the event of litigation.

  The recordings and the presentation slides are placed here on the Cisco Support Community. I think if you roll the threads back some you will see the prior month's Tech Tips (then called Tech Talks) posted.
  This one will be posted a few days after the event.
  -Robert

• Cisco IPS Tech Tips - Protecting Industrial Environments - Nov. 20 2012

  Robert Albach invites you to attend a 30-45 minute Web seminar on protecting   Industrial Environments with Cisco IPS. This event requires registration.
  Topic: Cisco IPS Tech Tips - Protecting Industrial Environments
  Host: Robert Albach
  Date and Time:
  Tuesday, November 20, 2012 10:00 am, Central Standard Time (Chicago,   GMT-06:00)
  To register for the online event
  1. Go to https://cisco.webex.com/ciscosales/onstage/g.php?d=204100621&t=a&EA=ralbach%40cisco.com&ET=9a66f6e8f36ecbaab4ac37ed47bae5cf&ETR=c55c84ed345001203dd77689eca88777&RT=MiM3&p
  2. Click "Register".
  3. On the registration form, enter your information and then click   "Submit".
  Once the host approves your registration, you will receive a confirmation   email message with instructions on how to join the event.
  For assistance
  http://www.webex.com
  IMPORTANT NOTICE: This WebEx service includes a feature that allows audio and   any documents and other materials exchanged or viewed during the session to   be recorded. By joining this session, you automatically consent to such   recordings. If you do not consent to the recording, discuss your concerns   with the meeting host prior to the start of the recording or do not join the   session. Please note that any such recordings may be subject to discovery in   the event of litigation.

• Cisco IPS Tech Tips: 2010 Dec 16 - show tech commands

  Robert Albach invites you to attend a Web seminar using WebEx. This event requires registration.
  IPS Tech Tips are monthly webinars lasting approximately 30 minutes with question and answer to follow. This month’s event will focus on the “show tech” command and its potential relevance to your IPS operation.
  Topic: Cisco IPS Tech Tip 2010 Dec 16 - Show Tech
  Host: Robert Albach
  Date and Time:
  December 16, 2010 10:00 am, Central Standard Time (Chicago, GMT-06:00)
  To register for the online event
  1. Go to https://cisco.webex.com/ciscosales/onstage/g.php?d=205452108&t=a&EA=ralbach%40cisco.com&ET=72ce549014a807001ae666a6d82dcc7c&ETR=6ff5ff3ebf442ab68017b906c9ead1a7&RT=MiM3&p
  2. Click "Register".
  3. On the registration form, enter your information and then click "Submit".
  Once the host approves your registration, you will receive a confirmation email message with instructions on how to join the event.
  For assistance
  You can contact Robert Albach at:
  [email protected]
  http://www.webex.com
  IMPORTANT NOTICE: This WebEx service includes a feature that allows audio and any documents and other materials exchanged or viewed during the session to be recorded. By joining this session, you automatically consent to such recordings. If you do not consent to the recording, discuss your concerns with the meeting host prior to the start of the recording or do not join the session. Please note that any such recordings may be subject to discovery in the event of litigation.

  The recordings and the presentation slides are placed here on the Cisco Support Community. I think if you roll the threads back some you will see the prior month's Tech Tips (then called Tech Talks) posted.
  This one will be posted a few days after the event.
  -Robert

• Cisco IPS Tech Tips: 2010 Dec. 16 - Show Tech Part 1 Recording

  Hi Cisco IPS Users,
  I've attached the recording from our last Tech Tips regarding the "show tech" command. We hope that you will find this of value in the operation of your Cisco IPS.
  As always feel free to leave comments on the content or future subjects you would like to see us address.
  The continuation of this discussion will take place today (Jan 27th).
  Thanks,
  -Robert
  Robert Albach
  IPS Product Management
  [email protected]

  The recordings and the presentation slides are placed here on the Cisco Support Community. I think if you roll the threads back some you will see the prior month's Tech Tips (then called Tech Talks) posted.
  This one will be posted a few days after the event.
  -Robert

• IPS Tech Talk -Global Correlation

  Robert Albach of the Cisco IPS Team invites you to attend a Web seminar using WebEx. This event requires registration.
  The event is a 30 minute webinar on Global Correlation - its operation and how it works with your Cisco IPS. Following the presentation there will be Question and Answer period with members of the IPS development team.
  Topic: Cisco IPS Tech Talk 2010 Nov 18
  Host: Robert Albach
  Date and Time:
  November 18, 2010 10:00 am, Central Standard Time (Chicago, GMT-06:00)
  To register for the online event
  1. Go to https://cisco.webex.com/ciscosales/onstage/g.php?d=204029379&t=a&EA=ralbach%40cisco.com&ET=6511931d5b5055f2311dc9824532002a&ETR=2c3560b429c7cfc0c2553092a899c175&RT=MiM3&p
  2. Click "Register".
  3. On the registration form, enter your information and then click "Submit".
  Once the host approves your registration, you will receive a confirmation email message with instructions on how to join the event.
  For assistance
  You can contact Robert Albach at:
  [email protected]

  Will this event be available for viewing later?  10am CST is about 1am here in Korea, so I don't think I'll be able to attend live.

• How do I use Cisco MARS to monitor two ASA (active/stby) with IPS modules?

  Hi
  The two ASA with IPS modules are in active/standby mode. When I try to add both the two IP (active/standby) into the MARS, the MARS will complain duplicated hostnames.
  How to setup MARS to monitor ASA with IPS with active standby topology?
  Thanks!

  Hi,
  The fundamental problem with this scenario is that you have non-failover capable modules in a failover chassis - think of the ASA failover pair as one device and the IPS modules as two completely separate devices.
  Then, as already mentioned, add only the primary ASA. (The secondary will never be passing traffic in standby mode so it's not actually needed in MARS) Then, with the first IPS module you can add it as a module of the ASA or as a standalone device (MARS doesn't care). With the second IPS module the only option is to add it as a separate device anyway.
  In a failover scenario the ASA's swap IP's but the IPS's don't so whereas you'll only ever get messages from the active ASA you'll get messages from both IPS IP's depending on which one happens to be in the active ASA at the time.
  Don't forget that you have to manually replicate all IPS configuration every time you make a change.
  HTH
  Andrew.

• Looking for a List of GT72 with IPS screen

  hi guys !
  I'm looking to buy a GT72 with a 970M or 980M , but my main focus is on the screen . i really want a IPS screen with my GT 72 , and i know that there is a few which got one.
   when i look on website a lot of information are missing and i'm never sure if there is actually a IPS screen or not.
  My budget is like between 1.7k€ and 1.9k€ so if someone could make a list of GT72 with IPS screen in this price average it would be nice
  sorry for my bad english
  thanks

  Hi Ann  Thanks for that. I did come across that list too. There is a wiki site started also that has bugn to show how each works too. That's what I'd love to create for the entire list with a thumbnail as a visual   When I have time!
  http://premierepro.wikia.com/wiki/Transitions

• NeedHelp Is it bug at IDSM-2 with IPS-K9-7.0-2-E3.pkg??

  Dear All,
  i have idsm with IPS-K9-7.0-2-E3.pkg installed,
  i use inline mode for this idsm, and idsm place is front on server farm
  but i have some problem that one segment in my network cant access the server
  but another segment can access that server,
  that server is oracle database aplication (real time)
  in this is happend only for that server.
  when i filter the traffic with idsm, the result that transaction match with
  signature number 7000, evenly that signature dont have action to deny the traffic,
  the traffic still cannot bypass, then ill try to disable but nothing impact to that segment
  evenly other segment can access that server normally.
  anyone can explain to me why this happen??
  ill try to downgrade to IPS-K9-7.0-2-E3.pkg with IME but always error..
  anyone can help me please..

  Hi Josh..
  This is my answer
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin-top:0in;
  mso-para-margin-right:0in;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0in;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  First off, you cannot downgrade the version  without a re-image.  You can only downgrade signatures.  Second, you  mention 7.0(2)E3 as the version you are on and the version you want to  downgrade to.  Can you verify what version you are running?
  Im not yet  downgrade to 7.0(2) because I don’t have yet permission from my bos . And now my isdm still use 7.0(2)E3
  This is capture from my isdm
  OTIDSM# sh ver
  Application Partition:
  Cisco Intrusion Prevention System, Version 7.0(2)E3
  Host:                                                        
      Realm Keys          key1.0                               
  Signature Definition:                                        
      Signature Update    S425.0                   2009-08-17  
      Virus Update        V1.4                     2007-03-02  
  OS Version:             2.4.30-IDS-smp-bigphys               
  Platform:               WS-SVC-IDSM-2                        
  Serial Number:          SAD132802TL                          
  Licensed, expires:      20-Oct-2010 UTC                      
  Sensor up-time is 2 days.
  Using 1415421952 out of 1983504384 bytes of available memory (71% usage)
  system is using 17.4M out of 38.5M bytes of available disk space (45% usage)
  application-data is using 38.6M out of 166.8M bytes of available disk space (24% usage)
  boot is using 41.5M out of 68.6M bytes of available disk space (64% usage)
  MainApp            B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running  
  AnalysisEngine     B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running  
  CollaborationApp   B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running  
  CLI                B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500            
  Upgrade History:
    IPS-K9-7.0-2-E3   07:43:07 UTC Thu Oct 15 2009  
  Maintenance Partition Version 2.1(3)
  Recovery Partition Version 1.1 - 7.0(2)E3
  Host Certificate Valid from: 27-Apr-2010 to 27-Apr-2012
  On  the traffic not passing issue, if you put the sensor in bypass does  that resolve the issue. That will eliminate any signature related  actions from impacting the traffic.  If you are still unable to access  the servers then you should look for a routing or network layer issue
  What you mean about bypass? Is it to released the idsm from network? If that so, I had do that and the server can access from segment that before cant access it. I had done to check the network layer problem but everything is ok,
  And I want to clarify the other segment that cant access the server only for some application (real time application) in that server but the server can ping and telnet from that segment ( I think this is to clarify the network issue problem)
  If that clears things up, the next step would be to create an Event  Action Override to produce alert for all signatures.  Then you can  review IME for any signatures firing related to these servers.  Please  remove the Override once you are done testing as this can have a  performance impact on the sensor over time and should only be used  temporarily to troubleshoot a specific issue.
  Well, I will try your suggestion, But I will wait permission to execute it. I hope this is work for my idsm-2
  If you  are still having trouble, if may help to get some info about the config  of the sensor and the switch.  Specifically, how the VLAN or Interface  Pairs are setup, etc.
  Oke,  I will…
  Btw, thanks for your help boss
  GBU …

• Configure ASA5515-X with IPS as standalone IPS.

  There are instances in our organization when our customers need to have a standalone IPS device due to environment restrictions.  In the past we used the 4240 sensors which are now, or soon to be, EOL.  The upgrade path is the ASA 5515-X with IPS services and I have heard that the device will be able to operate as a standalone IPS device.
  Does anyone know if this is indeed possible or does anyone have experience configuring the device this way?  It'd definitely be cheaper than going with the 4300 devices so I'd be interested in feedback on this.

  We've done this with ASA5500 models, so it's a safe bet you could do this with the ASA5500x devices as well.
  The difference between using an ASA and an appliance for an IPS sensor is there's all sorts of firewall technology that you'll need to disable (as much as possible at least, you can't turn it all off) and I believe the sensor will be blind to layer 2 attacks.
  - Bob

• Are there any Lenovo X220 owners with IPS that don't notice ghosting?

  I need to pull the trigger soon and have been watching all the posts about fan noise, throttling and IPS ghosting. 
  Are there any users with an IPS screen who do not notice, or are not bothered by, ghosting on their IPS screen?
  I would prefer IPS for the better viewing angles and color reproduction.

  As far as I can tell, the two units I got all exhibit ghosting if I just let the screen idle for too long (assuming idle at max brightness for more than 15 minutes), I think it's an issue that will be addressed by Lenovo later and for the time being, it doesn't hinder productivity unless your use of the company requires the image to stay stationary for an extended period of time.

• Tech Tip of the Week: Syncing Distribution Groups in Office 365

  Having trouble getting your distribution groups to sync when migrating to Office 365?
  We recently worked with a customer who had over 300 distribution groups that were not syncing to Office 365. Upon review, we noticed that the distribution groups did not have a Display Name.
  Here are the steps we took in order to resolve the problem:
  1. Open ADUC “Active Directory Users and Computers “On the top menu click on view and select Advanced Features.
  2. Find the Distribution List that is not syncing to your Office 365 tenant > right click the Distribution List > select Properties > click on the attribute editor tab.
  3. There are a couple attributes that must be filled out in order  for it to Synchronize to Office 365.
  Attributes: mail,
  displayName – if they do not have any data, fill it in. Once completed click ok.
  4. Open the MIISClient. This is located on your DIRSYNC Server. The default path is: “C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe”
  5. Click on Metaverse Search > input the following:
  Attribute: Mail
  Operator: Contains
  Value: 
  “Email Address of the DG”
  6. Once filled in click on search > double click the search results > click on the connectors tab. Note: If
  you only see SourceAD Management Agent, perform the following:
  7. Click on Management Agents > Right click SourceAD > click on Run > click on Full Import Stage Only > click on ok.
  8. Right click SourceAD > click on run > click on Full Sync > click on ok.
  9. Right click TargetWebService > click on Run > click on Full Confirming Import Stage > click on ok.
  10. Right click TargetWebService > click on Run > click on Full Confirming Sync > click on ok.
  11. Right click TargetWebService > click on Run > click on Export > click on ok.
  We hope you found this week’s Tech Tip useful! Do you have a problem you want us to solve in our Tech Tip of the week series? Let us know!

  Check to see that your remote session is still active, using Get-PSSession.