MARS and AIP-SSM

Similar Messages

• Monitoring AIM-IPS-K9 and AIP-SSM-10

  Does anyone have any tips on monitoring the IPS devices for being up, healthy, not-in-bypass, and running normally, I had five of them fail after the E3 upgrade (one is still tweaked due what TAC has identified as a corrupt license issue). Although CSMARS 6.0 lists some unreachable devices once daily, it has all devices in the list making it less that useful information, but that is a different question.
  AIM-IPS-K9: 19 ea.
  AIP-SSM-10: 3 ea.

  Cisco had orginally planned to add a "keep alive" signature to 6.0. but that feature got dropped. The intent was to fire off a signature every few mins as long as the sensor was seeing valid traffic. The absence of seeing this signature should trigger some attention to a downed sensor.
  You can write a custom sig, but you have to be able to detect the loss of that event to be of value.

• Is there any architectural difference between CSC-SSM and AIP-SSM modules

  Hello security gurus!
  I'm wondering if there's any chance to make Content security module (CSC-SSM) work as IPS (AIP-SSM). It seems to me they are absolutely identical in terms of hardware. Is there any chance to make CSC-SSM boot with the flash from AIP-SSM and have the ASA recognize it as an IPS module ?
  Eugene

  Zheka,
  This is not recommended and you will loose support, these are different devices designed for different purposes, you will also have issues with the license, I have seen it one once, and the customer did it by mistake, the module eventually crashed and we had to add the proper image.
  Regards,
  Felipe.

• Why my IPS - aip-ssm send requests to 80.53.146.82 port 80

  I have a web proxy ..tunnel filters...and AIP-SSM....inside of the network...i configure host service, network setting and hhtp-proxy to use my proxy when updating global corelation ...
  On proxy I allow hhtps to 204.15.82.17 ---ironport service.
  In proxy log I see that https to 204.15.82.17 is allowed and after that ips try to sending http packets to 80.53.146.82 -----I SEE in the RIPE that is AKAMAI technologies IP..address.
  What is this?
  Why my IPS - aip-ssm send requests to 80.53.146.82 port 80

  This is the new 7.x Global Correlation feature, and it is documented here:
  http://www.cisco.com/en/US/docs/security/ips/7.0/release/notes/18483_01.html#wp1161779
  http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html
  AFAIK, you can turn off this feature as per your discretion. Cisco has adapted the Ironport senderbase technology to their IPS as well. Its a pretty interesting feature, I hope it becomes as successful as the one for mail traffic.
  Please rate if helpful.
  Regards
  Farrukh

• Transparent mode with AIP-SSM-20

  I currently have an ASA5510 in routed mode with an AIP-SSM-20.
  There is a requirement to use a fibre optic connection between this ASA and another ASA across campus, so the AIP-SSM will have to be removed and replaced with the SSM-4GE.  This part should present no issue.
  However, this will remove the IPS device, and I still want to use IPS.
  So, what I am thinking is to get another ASA5510, install the AIP-SSM, configure ASA for transparent mode and put it in between the inside of the routed ASA and my LAN.  The transparent ASA would be functioning strictly as an IPS appliance.
  Setup would look something like this:
  Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN
  Can the AIP-SSM still perform IPS with the ASA in transparent mode?
  Is there a way to configure the ASA and AIP-SSM such that traffic to/from a particular server completely bypasses the AIP-SSM?
  I have a couple of fileservers that generate heavy traffic and could overload the AIP-SSM.
  Regards.

  AFAIR, There is no problem to setup AIP in a transparent firewall.
  "An ASA in transparent mode can run an AIP.  In the event the AIP fails,
  the IPS will fail-open and the ASA will continue to pass traffic.
  However, if an interface or cable fails, then traffic will stop.  You
  would need a failover pair to account for this failure event, which
  means another ASA and matching AIP."
  And no there is no problem to exclude certain hosts/ports/subnets from inspection by IPS via MPF.
  http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1050744
  What I however consider however is if the ASAs 5510 as second tier firewall for 5520s will be enough.
  http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
  HTH,
  Marcin

• Obtaining hardware and signature support for AIP SSM-10

  We have a 5510 which we have purchased an AIP SSM-10 card for the ASA which is already under a support contract. We now wish to add hardware maintenance for the new AIP SSM-10 card as well as signature updates. Our Cisco supplier will not confirm that we will receive signature updates with the hardware support though (we have been trying to get an answer from them since June or July now).
  Could someone let us know what the correct part number is so we can ask for the specific option that will provide both hardware cover and signature updates.

  i think this is what you need,
  CON-SU1-AS1A1PK9
  IPS SVC, AR NBD ASA5510-AIP10SP-K9
  cisco smartnet support

• Best practices for using Normalizer in ASA and in AIP-SSM

  Both PIX OS 7.x and IPS 5.x software have a concept of "traffic normalization". PIX OS on ASA can do virtual reassembly, IPS on SSM (so far as I know) can do physical reassembly and fragmentation of IP packets. Also, both ASA and SSM can do TCP normalization. For example, they both can "check inconsistent retransmissions" and protect against "TTL evasion attacks". I realize that PIX OS has only basic normalization functions and the SSM is much more configurable.
  The question is: what are the best practices here? Is it better to disable some IP/TCP PIX OS checks / IPS signatures on ASA and/or SSM? Is it better to use just SSM for traffic normalization? Does anybody has personal experience here?
  Also, there is a BugID CSCsd04327 - "ASA all out of order packets are dropped when sending to ssm"
  "When ips ssm is inline slowness is reported. show service-policy shows that the number of out of order packets reported match exactly the number of no buffer drops (even with queue-limit option). Performance hit is not the result of tcp normalization (on IPS 5.x ssm) in this case, but rather an issue with asa normalizer."
  To me it seems to be more logical to have normalization function on the firewall, but there may be drawbacks in doing this.
  So, those who're using ASA with SSM, please share your experience.
  Thx.

  Yes, this is almost correct ;)
  TCP SRP (Stream Reassemly Processor) is turned OFF on the SSM and cannot be enabled, contrary to 4200 appliances, but IP FRP (Fragmentation Reassembly Processor) is functioning on the SSM.
  The testing of 7.2(1) shows the following:
  When you configure "policy-map" to send packets to the SSM the "tcp-map" parameter "queue-limit", which has the value of zero by default, is set to an X (the X is unknown). This means that the ASA now only accepts the TCP segments which are sent in the correct order. More specifically, the gaps in SEQs are not allowed anymore. When for example, the ASA receives a TCP segment which has a SEQ within the window, but the previous TCP segment has been lost, it sends an ACK to the sender to enforce retransmition of the lost segment. As a result the sender retransmits both segments. Only after that the ASA forwards both segments to the SSM. This basically means that SSM always sees in-order TCP segments. That it is why SRP is not needed on the SSM.
  There are at least two problems however.
  The first problem is the performance impact.
  ASA now acts almost like a proxy. And, so far as I know, it doesn't support SACK (Selective ACKs). First, when the ASA does TCP SEQ randomization it doesn't change SEQ values within the SACK TCP Option. This simply breakes SACK. Second, even if you turn randomization mechanism OFF, then, I believe, the ASA will not selectively ACK the lost TCP segments, as it simply doesn't support this mechanism.
  The second problem is THE SECURITY HOLE.
  By default the ASA doesn't check TCP checksums. The 4200 appliances do check by default. But as we now know the SRP is turned OFF on the SSM... So, this means that SSM module can easily be evaded. The hacker only needs to mix attacking traffic with the random TCP segments that have bad TCP checksum. The SSM module will see the mixture of the two and will not recognize the attack. The target host will drop TCP segments with the bad checksums and see only attacking traffic... This has been successfully verified in the lab.
  Of course, this security hole can be closed with the "tcp-map" parameter "checksum-verification", but it will definitely has performance impact.
  The last note: All of the above has never been documented by Cisco. So, use at your own risk, etc.
  I hope, you will read this message, Marcoa. All of this MUST be documented. Once again, the default behaviour of the ASA opens up a big security hole.
  Regards,
  Oleg Tipisov,
  REDCENTER,
  Moscow

• AIP-SSM Upgrade Procedure

  Hi everybody!
  I have ASA5520 version 8.2(1) with AIP-SSM-20 module
  and I want to upgrade AIP-SSM-20 software from version 6.1(3)E3 to 7.0(2)E4
  I go to the download site and see the following list:
  Intrusion Prevention System (IPS) Recovery Software:
  IPS-K9-r-1.1-a-7.0-2-E4.pkg
          Release Date: 29/Mar/2010
          IPS Recovery Image File
  Intrusion Prevention System (IPS) Signature Updates:
  IPS-sig-S481-req-E4.pkg
          Release Date: 31/Mar/2010
          E4 Signature Update S481
  Intrusion Prevention System (IPS) System Software:
  IPS-SSM_20-K9-sys-1.1-a-7.0-2-E4.img
          Release Date: 29/Mar/2010
          IPS-SSM_20 System Image File
  Intrusion Prevention System (IPS) System Upgrades
  IPS-K9-7.0-2-E4.pkg
          Release Date: 29/Mar/2010
          IPS 7.0 Major Upgrade File (All Supported Platforms Except AIM-IPS and NME-IPS)
  IPS-engine-E4-req-7.0-2.pkg
          Release Date: 29/Mar/2010
          IPS E4 Engine Update
  I am somewhat confused by the number of files and want to ask what the procedure/sequence I should follow to upgrade?

  This is the file that you would like to use to upgrade it:
  Intrusion Prevention System  (IPS) System Upgrades
  IPS-K9-7.0-2-E4.pkg
  To upgrade:
  1) Upload the "IPS-K9-7.0-2-E4.pkg" file through IDM
  2) IDM --> Configuration --> Sensor Management --> Update Sensor --> choose Update is located on this client --> choose the "IPS-K9-7.0-2-E4.pkg" file --> hit the "Update Sensor" button.
  It will take a while (around 20 minutes) to upgrade the sensor, so don't panic if it doesn't come back up in "UP" status straight away.
  Hope that helps.

• Upgrade AIP SSM with Signature Engine 4 file

  When I tried to upload Signature Engine 4 file (IPS-engine-E4-req-7.0-2.pkg),  using FTP server both by CLI and IDM, to new AIP SSM sensor, I got the following  error message:
  Cannot upgrade software on the sensor - socket error:110.
  When I tried to do the same by using these steps: IDM --> Configuration  --> Sensor Management --> Update Sensor --> choose Update is located on  this client --> choose the "IPS-K9-7.0-2-E4.pkg" file --> hit the "Update  Sensor" button, I got the following error message
  The current signature level is S480.The current signature level must be  less than s480 for this package to install.
  Here is the output for sh ver command
  AIP_SSM# sh version
  Application Partition:
  Cisco Intrusion Prevention System, Version 7.0(2)E4
  Host:
      Realm Keys          key1.0
  Signature Definition:
      Signature Update    S480.0                   2010-03-24
  OS Version:             2.4.30-IDS-smp-bigphys
  Platform:               ASA-SSM-10
  Serial Number:          JAF1514BAHS
  Licensed, expires:      07-Jun-2012 UTC
  Sensor up-time is 21 days.
  Using 695943168 out of 1032495104 bytes of available memory (67% usage)
  system is using 17.4M out of 38.5M bytes of available disk space (45% usage)
  application-data is using 45.4M out of 166.8M bytes of available disk space (29% usage)
  boot is using 41.6M out of 68.6M bytes of available disk space (64% usage)
  application-log is using 123.5M out of 513.0M bytes of available disk space (24% usage)
  MainApp            B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running
  AnalysisEngine     BE-BEAU_E4_2010_MAR_25_02_09_7_0_2   (Ipsbuild)   2010-03-25T02:11:05-0500   Running
  CollaborationApp   B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running
  CLI                B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500
  Upgrade History:
    IPS-K9-7.0-2-E4   02:00:07 UTC Thu Mar 25 2010
  Recovery Partition Version 1.1 - 7.0(2)E4
  Host Certificate Valid from: 30-May-2011 to 30-May-2013
  Any idea what could be the problem?
  Regards,

  Based on your show version, you already have E4, what is it that you are trying to do?
  Mike

• Do I need two AIP-SSM modules if I am configuring failover?

  Is it possible to use a single AIP-SSM module in two ASA's that are configured in Active/Standby mode?
  I would like to configure the module in the first ASA with the fail-open setting.  Then, if the first ASA fails, I could then physically remove the AIP-SSM module and place it in the second ASA.
  Would there be any problems configuring it this way?
  Would the active/standby ASA's complain that there is only one AIP-SSM module?
  Thanks in advance.

  Hello Julio. My name is Rogelio, and I would appreciate your answer on a related matter, because I will have to execute the initial configuration of a failover pair, each one with its own IPS module.
  Question: let´s suppose that I execute a basic setup (admin username/password, IP address, mask, gateway), on the IPS module of the active ASA firewall. ¿Will this configuration be replicated to the IPS module of the secondary unit?
  Your kind answer will be greatly appreciated.
  Best regards...

• How to buy license? for AIP-SSM-10 ?

  Hi all
  how to buy license? for AIP-SSM-10 ?
  1. CON-SU1-AS1A1PK9 this is Cisco SMARTnet Support for AIP-SSM-10
  2. do I need smartnet for ASA ?
  3. what is part number of license ?
  ASA5510test# session 1
  Opening command session with slot 1.
  Connected to slot 1. Escape character sequence is 'CTRL-^X'.
  login: cisco
  Password:
  ***NOTICE***
  This product contains cryptographic features and is subject to United States
  and local country laws governing import, export, transfer and use. Delivery
  of Cisco cryptographic products does not imply third-party authority to import,
  export, distribute or use encryption. Importers, exporters, distributors and
  users are responsible for compliance with U.S. and local country laws. By using
  this product you agree to comply with applicable laws and regulations. If you
  are unable to comply with U.S. and local laws, return this product immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by sending email to
  [email protected].
  ***LICENSE NOTICE***
  There is no license key installed on the SSM-IPS10.
  The system will continue to operate with the currently installed
  signature set.  A valid license must be obtained in order to apply
  signature updates.  Please go to http://www.cisco.com/go/license
  to obtain a new license or install a license.
  sensor#
  sensor# sh ver
  Application Partition:
  Cisco Intrusion Prevention System, Version 6.0(6)E3
  Host:
      Realm Keys          key1.0
  Signature Definition:
      Signature Update    S399.0                   2009-05-06
      Virus Update        V1.4                     2007-03-02
  OS Version:             2.4.30-IDS-smp-bigphys
  Platform:               ASA-SSM-10
  Serial Number:          ........
  No license present
  Sensor up-time is 21 min.
  Using 655507456 out of 1032499200 bytes of available memory (63% usage)
  application-data is using 39.7M out of 166.8M bytes of available disk space (25%
  usage)
  boot is using 37.6M out of 68.6M bytes of available disk space (58% usage)
  MainApp          N-NUBRA_2009_JUL_15_01_10_6_0_5_57   (Ipsbuild)   2009-07-15T01
  :15:08-0500   Running
  AnalysisEngine   N-NUBRA_2009_JUL_15_01_10_6_0_5_57   (Ipsbuild)   2009-07-15T01
  :15:08-0500   Running
  CLI              N-NUBRA_2009_JUL_15_01_10_6_0_5_57   (Ipsbuild)   2009-07-15T01
  :15:08-0500
  Upgrade History:
    IPS-K9-6.0-6-E3   17:48:06 UTC Wed Jul 15 2009
  Recovery Partition Version 1.1 - 6.0(6)E3
  sensor#

  Hi,
  CON-SU1-AS2A10K9 contract if for ASA+IPS bundle. If AIP-SSM-10 ws purchased as a spare the contract would be CON-SU1-ASIP10K9.
  I am not sure whether or not this Cisco Service for IPS contract can be  used to cover just the AIP-SSM-10 if it was purchased as part of a  Bundle instead of a Spare.
  I would recommend that you check with your Cisco reseller or Cisco  Sales Representative.
  Sourav

• Using ASA5510 AIP-SSM in IDS mode

  Hi,
  I' ve a Cisco ASA5510 with  AIP-SSM and I wold like to use it like a one-armed IDS for connect them to a span port of a switch in my network,
  without the traffic passing through the Firewall.
  I've try to configure it and connect the interface inside (fast0/1) to the span port, I create the policy for permit  all the traffic to the  Sensor but it doesn't work, no packet recived on sensor.
  somebody can help me?
  thanks

  Unfortunately you can't use the AIP-SSM in an ASA with a spanning switch like you could with the 4200 series appliances.
  The reason is that the ASA was built to be a firewall, and no matter how much of that functionality you turn off, it still needs to see TCP and UDP conversations flowing thru the ASA in order to pass that traffic to the AIP-SSM sensor (I tired very hard to see if I could get around this limitation, but you can't).
  The best you can hope to do is put the ASA in-line (I know this reduces reliability) and turn off as much of the firewall configs you can. Then you can promisciously monitor the traffic passing thru teh ASA with teh AIP-SSM.
  It's not ideal, but it's the cheapest IPS sensor in Cisco's line up right now.
  - Bob

• Will the AIP-SSM for the ASA stop this?

  I have a client emailed me today that someone did a script injection attack on one of their web servers. It ran a backdoor Trojan virus on their web server. I know the AIP-SSM will stop the Trojan, but will it stop someone from doing the script injection attack. If so, is it documented and can you point me to the document.
  Thanks.
  Dan

  Hi,
  If you know exactly which of the various script injection attacks was used you can simply look it up here:
  http://tools.cisco.com/security/center/home.x
  If you don't know exactly which one then it's slightly harded to know whether it would have been stopped, but searching on "script injection" or similar should narrow down the candidates and give you an idea on whether it would have been stopped or not.
  Remember that an IPS isn't perfect, but it *will* significantly lower your risk if setup and maintained properly.
  HTH
  Andrew.

• Password Reset for AIP-SSM 10

  Hi,
  i have an ASA5520 with v 7.2(2) running.
  but the IPS module spftware is 5.1
  when i tried to login to the > session 1
  it prompts me for a login and password.
  i tried cisco and a few other combinations.. but no luck ,,
  how do i reset it ?? also that reset procedure on the docs says its resets password or the user cisco ..
  how can i be sure if the user cisco even exists on it or not ?
  any help please ???

  no man it doesnt ..
  the link u specified says it too..
  hw-module module slot_number password-reset?This command recovers a password on a Cisco ASA 5500 Series Content Security and Control Security Services Module (CSC-SSM) or the AIP-SSM without having to re-image the device.
  Note: This command starts support from IPS 6.0 (ASA 7.2 version) and is used to restore the Cisco CLI account password to the default cisco
  hers my ASA and IPS details..
  ASA# sh version
  Cisco Adaptive Security Appliance Software Version 7.2(2)
  Device Manager Version 5.2(2)
  Compiled on Wed 22-Nov-06 14:16 by builders
  System image file is "disk0:/asa722-k8.bin"
  Config file at boot was "startup-config"
  ASA up 22 days 3 hours
  Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
  ASA# sh module 1
  Mod Card Type Model Serial No.
  1 ASA5500 SSM-10 ASA-SSM-10 B155670DW4
  Mod MAC Add Range Hw Ver. Fw Ver. Sw Ver.
  1 00xx to 001 1.0 1.0(10)0 5.0(2)S152.0
  Mod SSM Apps. Name Status SSM Apps Version
  1 IPS Up 5.0(2)S152.0
  Mod Status Data Plane Status Compatibility
  1 Up Up

• Sync configs between AIP-SSMs

  We have a pair of ASA 5520s in active/stanby mode. This part of the situation works great, configurations are always synced to the standby, nothing is lost. Planned failover has worked every time without users even noticing.
  We have an AIP-SSM-20 in each.
  The challenge arises as it seems there is still no easy and automatic way to sync the configuration of the SSMs together.
  Due to all the false positives, we need to perform configurations on the AIP-SSMs. Is there a method I am overlooking, how do you do it?
  Thanks.

  Thanks for your reply. I've gotten back on this subject....
  Does this run as a service, like it is running all the time and needs to be installed on a system which is always up, or does this run as an application only as needed.
  Based on the requirements, I can not tell. It can run on desktop OSes or Server OSes.
  "Hard Drive
  • 100 GB
  Memory (RAM)
  • 2 GB
  Supported Operating Systems
  • Windows Vista Business and Ultimate (32-bit only)
  • Windows XP Professional (32-bit only)
  • Windows 2003 server
  Note: Cisco IPS Manager Express supports only the 32-bit U.S. English version of Windows."
  100GB for an application, seems rather hefty to me. Is this for real?
  Thanks