topic What traffic gets copied to IPS Module?? in Network Security

What traffic gets copied to IPS Module??

mattleayr — Sun, 10 Mar 2019 12:38:37 GMT

We have an ASA5585-X with SSP-10 module installed that we are testing. The firewall's outside interface is connected to the internet and has a public address. We have CSM 4.2 installed and are sending events from the IPS to it.

After we configured the IPS module we expected to get lots of alerts for attacks originating from the internet, but we hardly see anything.

The ACL that we have on the outside interface doesn't actually allow much in, just some SMTP, HTTP, DNS, SSH.

My question is this - should the IPS see all traffic/attacks coming from the internet, or JUST packets that have passed the outside ACL?

I suspect this is why we are seeing very few alerts - can anyone confirm this?

Thanks,

//\/\\\

What traffic gets copied to IPS Module??

jhampt20_ford — Thu, 22 Mar 2012 22:18:47 GMT

The traffic does not automatically get copied to the IPS, you need to create an access-list and class-map to apply (like QoS)

access-list IPS extended permit ip any any

class-map global-ips

match access-list IPS

policy-map global_policy

class global-ips

ips inline fail-open

Internally the traffic is passed from the firewall to the IPS module through an internal interface (port channel on the 5585's) at the last step just prior to the traffic exiting the firewall. This is why the IPS modules do not have a "normalizer" engine, this is already performed by the ASA prior to inspection, the ASA normalizer is essentially the same as what is found on IPS.

What traffic gets copied to IPS Module??

mattleayr — Fri, 23 Mar 2012 12:17:45 GMT

Hi,

I'm aware of that - we have the policy map configured.

We're getting very few alerts from IPS - I was expecting more, as the outside interface has a public IP address and there are scans, probes etc happening all the time.

Let me put my question a different way - does the IPS module ever see traffic that is DROPPED by the outside interface ACL??

What traffic gets copied to IPS Module??

sawgupta — Fri, 23 Mar 2012 13:03:17 GMT

If the traffic has been dropped by ASA, then IPS won't have any visibility to it.

Regards,

Sawan Gupta

What traffic gets copied to IPS Module??

mattleayr — Fri, 23 Mar 2012 14:26:59 GMT

Thanks for the replies.

So if there was a DOS attack occurring on the outside interface (possibly saturating our internet link) and the DOS traffic was being dropped by the ACL, IPS would have no visibility of that??

What traffic gets copied to IPS Module??

sawgupta — Fri, 23 Mar 2012 14:31:13 GMT

Correct.

Regards,

Sawan Gupta