topic Ask the Expert: Cisco Intrusion Prevention System (IPS) in Network Security

Ask the Expert: Cisco Intrusion Prevention System (IPS)

ciscomoderator — Thu, 13 Feb 2020 20:56:44 GMT

With Robert Albach

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about security best practices and management for the Cisco Intrusion Prevention System (IPS) with Robert Albach. The Cisco Intrusion Prevention System is a context aware threat prevention system for your networked environments. The module unobtrusively detects and prevents problematic traffic from reaching its target; uses contextual inputs to determine the proper level of response; and tightly integrates with the ASA firewall for greater network security.

Robert Albach is a product manager in the Security Business Unit at Cisco, responsible for intrusion prevention offerings. Before joining Cisco in 2010 he held product management positions for intrusion prevention offerings at Hewlett-Packard/TippingPoint. He has more than 15 years of experience with systems management and security product offerings and has presented at the RSA trade show and other security venues.

Remember to use the rating system to let Robert know if you have received an adequate response.

Robert might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through through September 7, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

Ask the Expert: Cisco Intrusion Prevention System (IPS)

Carlos Lesaige — Mon, 27 Aug 2012 15:47:18 GMT

Hello Robert,

I would like to undertand the main differences between a firewall and IDS/IPS system.... Are there any issues that can only be resolved by IDS/IPS?

Thank you.

Carlos

Ask the Expert: Cisco Intrusion Prevention System (IPS)

Robert Albach — Mon, 27 Aug 2012 18:36:13 GMT

Hi Carlos,

I am going to expand your question a bit to seperate IDS and IPS slightly from each other. The explanation may be simplistic but I think it is a good starting point.

A firewall is primarily about access control. Firewalls such as Cisco's ASA enforces access rules to certain networked elements based on IP addresses found within the header. One can state that devices within a particular CIDR can or cannot access another network device. This can typically be done using IP addresses and ports. There are additional extensions such as those provided by the ASA such as identity, and then with the the ASA-CX application as well. For the most part, operations are to deny all with exceptions.

An IDS (Intrusion Detection System) is largely a passive listening system which performs deep packet inspection targeting traffic of interest. In the majority of cases the traffic of interest are varying forms of attack traffic. This attack traffic can range across the entire attack life-cycle and represent a large span of different attack vectors and techniques. As a passive system it may or may not be in-line but largely the system is there to observe and report.

An IPS (Intrusion Prevention System) is an in-line system which also performs deep packet inspection with the intent of both observing and acting on the traffic. The difference from the IDS role is the need to be able to impact the traffic it is interested in. As such it is not passive but unlike the firewall it will only potentially stop or alter traffic that meets its policy statement which is normally an attack threat that is identified.

There are several impacts that these definitions may have on your placement of devices and how your organization may wish to treat the results.

If I can summarise simplistically:

A firewall denies all traffic except that whose access it allows.

An IDS impacts no traffic and reports what it discovers.

An IPS allows all traffic except that which is identified as a threat.

I hope this helps.

Thanks,

-Robert

Ask the Expert: Cisco Intrusion Prevention System (IPS)

Carlos Lesaige — Tue, 28 Aug 2012 15:51:07 GMT

Thanks for your respnose. Makes a lot of sense. I appreciate it.

Carlos

Ask the Expert: Cisco Intrusion Prevention System (IPS)

JEFF SPRADLING — Tue, 28 Aug 2012 20:10:34 GMT

Hi Robert,

Can you recommend the best book / video to get up and running on the IPS as quick as possible? I'm familiar with the ASA, but now I need to learn the IPS module within the ASA and fast!

Thanks,

Jeff S.

Central, KY

Ask the Expert: Cisco Intrusion Prevention System (IPS)

prashantrecon — Thu, 30 Aug 2012 11:19:56 GMT

Hi Robert,

i just try to test one of DOS attack tool(LOIC) in LAB environment.

but in cisco IME real time monitoring window i am not geeting any alerts regarding this attack.

i am very sure that i am successful in Flooding in the network (cpu of ASA is going more then 60 % at that time)

But there is no event in cisco IME.

can you help in this ?

Regards,

Prashant

Ask the Expert: Cisco Intrusion Prevention System (IPS)

Robert Albach — Thu, 30 Aug 2012 16:27:19 GMT

Hi Jeff,

Sorry for the delay - it sounds like you are seeking some quick general operational details. Is that fair?

Sadly there are no books that I know of that are specific to the Cisco IPS and up to date. Mr. Deal's book while strong from the pure ASA perspective is a bit dated and both the ASA and IPS has had some significant changes introduced as well as new models with some significant operational differences.

I would be remiss if I did not mention my coworker's book "Cisco Firewalls" by Alexandrae Moraes. There is not much in terms of the IPS module uniquely but it does cover the newer ASA 5585 models which includes the dedicated IPS blade.

I think we may need to combine a book with a few other sources depending on your particular model. Let me know which solution you will need to manage and I will try to pull together a number of sources for you.

Now if your actual question was more along the lines of "tell me about general intrusion prevention best practices" then that would be a whole different set of references.

So let me know your platform and I'll try to pull some suggestions together.

Thanks,

-Robert

Ask the Expert: Cisco Intrusion Prevention System (IPS)

Robert Albach — Thu, 30 Aug 2012 17:01:23 GMT

Hi Prashant,

I am going to assume that you are referencing the Low Orbit Ion Cannon attack tool. Is that corrrect?

I am going to first make a broad sweeping comment on the role of IPS and DOS/DDOS and then get to your question. An IPS is not an optimal dedicated DOS/DDOS prevention tool. It is a good means of initially identifying that the attack is starting but it would optimally signal this information upstream to some other device such as the FW, router, or specialized DOS tool. The closer to the source (ISP) the better.

Now on to your specifics.

Cisco IPS does not have an LION specific signature. While LION is a powerful tool the nature of its attacks are not really unique enough to justify a unique siganture. LION will initiate an attack in either UDP, TCP, or HTTP. There are flood signatures in the 6900 range that may be appropriate to your attack.

As always with our signatures ensure that the ones of interest are UNRETIRED, ENABLED, and that your actions inlude ALERT. Depending on the signature you may want to elevate the base RISK RATING or use an EVENT ACTION Rule (Overrides) to guarantee a response. Given that you are operating within a lab all the other risk rating contributors are not likely to be there.

I hope this helps and thanks for asking.

-Robert

Ask the Expert: Cisco Intrusion Prevention System (IPS)

JEFF SPRADLING — Thu, 30 Aug 2012 17:03:52 GMT

Thanks, Robert.

Yes, I'm looking for quick operational details on the ASA-SSM-10 module running in an ASA5510 (v8.2), so an out of date book may not be that far off for me at this time. The IDS/IPS is running ver 7.0(2).

I've been tasked to do a review of the rulebase. I've worked on GUI based IDS appliances, and understand the theory of IDS/IPS, but I've never worked on the Cisco ASA IDS/IPS, so I just need basic info on how to get started.

I can session into the module from the firewall, but the config is so foriegn to me that I'm not even sure that it's setup and doing anything.

Thanks again,

Jeff

Re: Ask the Expert: Cisco Intrusion Prevention System (IPS)

Garrison Botts — Thu, 30 Aug 2012 21:47:28 GMT

I'm running a 6500 with an Sup-2 720, FWSM and IDSM-2. Is it possible to monitor/protect the vlan between the firewall and internal router interface, the DMZ, and the external firewall interface? I'm currently just protecting (running inline) the external interface but every now and then, the IDSM-2 blocks internal users from accessing the internet. When running a report, I see tcp segment overwrite errors.

If this was answered previously, please point me to the discussion...

Thanks

Sent from Cisco Technical Support iPad App

Ask the Expert: Cisco Intrusion Prevention System (IPS)

coffey.j — Thu, 30 Aug 2012 23:58:56 GMT

Hello Robert,

What, if any, best practices are there for managing IPS AD KB across a "cluster" of IPS SSP's in an ASA HA PAIR ?

I would have thought the logical thing would be for IPS 1 in the active ASA to copy the KB to IPS2 in the standby ASA but Cisco does not provide a mechanism to do this. Do I have to cludge this with an external scp server and expect scripts ?. If so is it a case of copying the current KB from IPS1 (maybe once a day) to an scp server and then at some time later IPS2 copies the KB form the scp server to itself and makes that the current KB. Any advice is greatly appreciated. Wuuld be nice if CSM could manage this....

Ask the Expert: Cisco Intrusion Prevention System (IPS)

prashantrecon — Fri, 31 Aug 2012 03:36:24 GMT

Hi Robert,

Yes you are correct , iam using Low Orbit Ion Cannon tool.

ok i wiil try by tuning 6900 range IPS signature.

Just for Knowledge : could you please recommded the dedicated DOS prevention tool .

Regards,

Prashant

Ask the Expert: Cisco Intrusion Prevention System (IPS)

Robert Albach — Fri, 31 Aug 2012 15:56:22 GMT

Arbor Networks is a dedicated provider of DOS/DDOS defense capable tools. Their products are frequently used by service providers.

-Robert

Ask the Expert: Cisco Intrusion Prevention System (IPS)

Robert Albach — Fri, 31 Aug 2012 16:05:12 GMT

Hi Jeff,

That is an older and lower end product which means the resources available to run a larger number of signatures will be limited relative to the higher end and newer platforms (ASA 5515x) as an example.

I am going to guess that this device is positioned at the company's internet edge (most people start there). In 7.1.5 we introduced a set of protection templates which are our default recomendations for deployment environments. That would be a good place to start as a reference.

I hope this helps.

-Robert

Ask the Expert: Cisco Intrusion Prevention System (IPS)

JEFF SPRADLING — Fri, 31 Aug 2012 23:38:39 GMT

Robert,

Thanks for the reply, but I have to be honest - it doesn't help.

I'm looking for a crash course to show me the basics. You mentioned a set of production templates - how do I apply them? How do I see signatures that are there now? They tell me they are running the IPS, but I can't even tell that this is true. What are the commands that divert or copy packets to the IPS module? How do I create an alert to tigger when a specific IP is hit?

Again, basic information I know - but I just need to get started and don't know where to turn. I know I can read the reams of documentation Cisco put out, but I really just want simple, basic instruction to get me started. I'll pour through the rest when I have more time.

I appreciate any help you can provide.

Regards,

Jeff

Ask the Expert: Cisco Intrusion Prevention System (IPS)

Garrison Botts — Sat, 01 Sep 2012 01:19:27 GMT

Jeff,

I just sent you a private message.. Check that out and let me know if it works for you .... 🙂 If not, hit me back up and we'll get you going....

Ask the Expert: Cisco Intrusion Prevention System (IPS)

vkumarg89 — Mon, 03 Sep 2012 10:51:32 GMT

Hi Robert

I have an operational query. How do i block a root user for accessing certain commands in Unix os . Is there a way through IPS signatures . I want to block Tcp based commands

Ask the Expert: Cisco Intrusion Prevention System (IPS)

farkascsgy — Mon, 03 Sep 2012 20:23:20 GMT

Hi Robert,

I have AIP-SSM 10 installed in my firewall the question is how I can disable weak cipher for the management, so how I can force that only stron encryption mechanism should be sued for https management session?

Thanks for your reply in advance.

Ask the Expert: Cisco Intrusion Prevention System (IPS)

Sonugnair_2 — Tue, 04 Sep 2012 10:43:00 GMT

Hello,

I had posted this as a separate discussion, but just wanted to know your opinion on this.

I am trying to upgrade the AIP SSM 20 to IPS-K9-6.2-4-E4.pkg.

The problem is that this error as below comes:-

Error: execUpgradeSoftware : Connect failed

I can confirm the following:-

1) Ping from FTP server to sensor and vice versa is OK

2) FTP server works OK, as i am able to upload/download files from other clients

3) Command given is as upgrade ftp://anonymous@192.168.1.56/IPS-K9-6.2-4-E4.pkg

4) I also created another user in FTP server, tested but same results

5) The FTP server listens on port 21 and does not gets any request.

6) Current image is a bit old i.e. 6.0(4)E2

Some information from show version is as:-

Using 1023815680 out of 2093600768 bytes of available memory (48% usage)

system is using 17.7M out of 29.0M bytes of available disk space (61% usage)

application-data is using 39.3M out of 166.8M bytes of available disk space (25% usage)

boot is using 38.4M out of 68.6M bytes of available disk space (59% usage)

Image that i am trying to upload i.e. IPS-K9-6.2-4-E4.pkg. is about 28.6 MB in size, could the issue be related to the disk size (show in bold above)?

Please help

Thanks in advance.

Ask the Expert: Cisco Intrusion Prevention System (IPS)

Robert Albach — Tue, 04 Sep 2012 14:14:06 GMT

Hi Garris,

This is an area that I 'm not qualified in the "expert" area and am going to ask on of our Technical Marketing members to help out with for an answer and I have a fear that we may have some kind of collision condition at play.

Can you tell me what report you ran where you see the segment overwrite errors? I am interested in knowing what piece of the puzzle is reporting this condition.

Thanks,

-Robert