<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: SSM IPS Configuration in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/ssm-ips-configuration/m-p/485932#M95147</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks for the reply. I thought things were a bit odd. I'm not sure why they would put out a document for such a situation instead of one that would be helpful to most people, but your answer is very clear. Thanks again.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 03 Nov 2005 19:04:47 GMT</pubDate>
    <dc:creator>JHaynes4</dc:creator>
    <dc:date>2005-11-03T19:04:47Z</dc:date>
    <item>
      <title>SSM IPS Configuration</title>
      <link>https://community.cisco.com/t5/network-security/ssm-ips-configuration/m-p/485930#M95145</link>
      <description>&lt;P&gt;I have a couple of questions regarding the ASA that deal with the SSM module. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have read the document "Configuring ASA-SSM" and am confused by the command logic. I realize that you need to specify a service-policy globally that defines the traffic being sent to the SSM module. My concern is that the configuration document lists as one of its steps to define an ACL for the IPS traffic and then apply it to an interface before configuring the class map, policy map, and service-policy. Why would this ACL need to be applied to an interface when it is being used for defining IPS traffic? Shouldn't the ASA send whatever traffic is defined globally in the service-policy to the SSM without attaching the ACL to an interface? &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Also, on the ASA factory default configuration there is a service-policy defined as: &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;class-map inspection_default &lt;/P&gt;&lt;P&gt;match default-inspection-traffic &lt;/P&gt;&lt;P&gt;! &lt;/P&gt;&lt;P&gt;! &lt;/P&gt;&lt;P&gt;policy-map global_policy &lt;/P&gt;&lt;P&gt;class inspection_default &lt;/P&gt;&lt;P&gt;inspect dns maximum-length 512 &lt;/P&gt;&lt;P&gt;inspect ftp &lt;/P&gt;&lt;P&gt;inspect h323 h225 &lt;/P&gt;&lt;P&gt;inspect h323 ras &lt;/P&gt;&lt;P&gt;inspect rsh &lt;/P&gt;&lt;P&gt;inspect rtsp &lt;/P&gt;&lt;P&gt;inspect esmtp &lt;/P&gt;&lt;P&gt;inspect sqlnet &lt;/P&gt;&lt;P&gt;inspect skinny &lt;/P&gt;&lt;P&gt;inspect sunrpc &lt;/P&gt;&lt;P&gt;inspect xdmcp &lt;/P&gt;&lt;P&gt;inspect sip &lt;/P&gt;&lt;P&gt;inspect netbios &lt;/P&gt;&lt;P&gt;inspect tftp &lt;/P&gt;&lt;P&gt;! &lt;/P&gt;&lt;P&gt;service-policy global_policy global &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;But, if I define a global service-policy for the SSM I would lose this default service-policy as only one global service policy is allowed. 
Is the default service-policy providing the fixup protocol services as in the PIX that I am used to seeing? If so, do I lose this functionality by applying a global service-policy for IPS? &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Sorry for the length of the post and thanks for your help in advance. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;</description>
      <pubDate>Sun, 10 Mar 2019 09:44:04 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ssm-ips-configuration/m-p/485930#M95145</guid>
      <dc:creator>JHaynes4</dc:creator>
      <dc:date>2019-03-10T09:44:04Z</dc:date>
    </item>
    <item>
      <title>Re: SSM IPS Configuration</title>
      <link>https://community.cisco.com/t5/network-security/ssm-ips-configuration/m-p/485931#M95146</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The configuration in the IPS User's Guide is just one method for setting up the ASA to send packets to the SSM.&lt;/P&gt;&lt;P&gt;It is an extremely basic configuration on the ASA where all the ASA is doing is copying packets to the SSM and the ASA is not doing any of its firewall functionality.  &lt;/P&gt;&lt;P&gt;This configuration is only practical if the ASA was purchased and used only for housing the SSM and sending it traffic (a rare deployment in the field).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If your ASA is already configured for firewall functionality then the only additional command(s) that need to be added to your config are:&lt;/P&gt;&lt;P&gt;ips inline|promiscuous fail-open|fail-close&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Take your existing policy-map and for every class in that policy you will need to decide if the traffic should be monitored promiscuously, inline, or not monitored by the SSM.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;In your example, if you wanted to monitor all of the traffic inline on the SSM and want to continue passing traffic if the SSM fails, then simply add the line "ips inline fail-open" within the existing "class inspection_default".&lt;/P&gt;&lt;P&gt;NOTE: If you change the policy you need to understand that the new policy will only affect new connections and not existing connections.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The only reason you would have to create additional acls and class maps using the acls would be if you did not want all of the traffic monitored inline by the SSM.&lt;/P&gt;&lt;P&gt;If you want different traffic monitored promiscuous and other inline (or not monitored), then you need to include additional classes in your policy-map so that a different ips configuration line can be added for each class.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 03 Nov 2005 16:22:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ssm-ips-configuration/m-p/485931#M95146</guid>
      <dc:creator>marcabal</dc:creator>
      <dc:date>2005-11-03T16:22:56Z</dc:date>
    </item>
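The mixed inline/promiscuous layout described in the reply above, written out as an added example that is not part of the original thread. It keeps the factory global_policy and its inspect lines from the question intact and adds two IPS classes. The ACL name IPS-PROMISC, the class names, the SSM slot number 1 and the 10.1.1.0/24 server segment are assumptions for illustration. Note that match default-inspection-traffic (used by inspection_default) covers only the default application ports, so a separate match-any class carries the inline action for all other traffic; the ACL is referenced only by the class-map and is never bound with access-group, so it changes nothing about what the firewall permits.

```cisco
! Added example (not from the thread): ASA 7.x MPF config sending traffic to an AIP-SSM.
! Assumptions: SSM in slot 1; 10.1.1.0/24 is a hypothetical server segment that
! must only be watched promiscuously (no inline drops on that path).
!
! ACL used solely for class-map matching. It is NOT applied with access-group.
access-list IPS-PROMISC extended permit ip 10.1.1.0 255.255.255.0 any
access-list IPS-PROMISC extended permit ip any 10.1.1.0 255.255.255.0
!
class-map IPS-PROMISC
 match access-list IPS-PROMISC
!
! Catch-all class: default-inspection-traffic matches only default app ports,
! so a match-any class is needed to send every remaining flow to the SSM.
class-map IPS-ALL
 match any
!
! Factory class left exactly as the default config defines it.
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 ! A packet is matched by only the FIRST class that carries a given feature
 ! (here: ips), so the narrower promiscuous class must precede the catch-all.
 class IPS-PROMISC
  ips promiscuous fail-open
 class IPS-ALL
  ips inline fail-open
!
! Still a single global service-policy; the default inspections are retained.
service-policy global_policy global
!
! Verification after applying:
!   show service-policy ips
!   show module 1 details
```

Two points worth checking before deploying this. First, fail-open means that if the SSM fails (or is rebooted for a signature update) traffic continues to pass uninspected; fail-close drops it instead, which is the safer default for a segment where the IPS is the control rather than a monitor. Second, as the reply notes, only new connections pick up the changed policy, so existing long-lived flows are not sent to the SSM until they are torn down.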
    <item>
      <title>Re: SSM IPS Configuration</title>
      <link>https://community.cisco.com/t5/network-security/ssm-ips-configuration/m-p/485932#M95147</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks for the reply. I thought things were a bit odd. I'm not sure why they would put out a document for such a situation instead of one that would be helpful to most people, but your answer is very clear. Thanks again.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 03 Nov 2005 19:04:47 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ssm-ips-configuration/m-p/485932#M95147</guid>
      <dc:creator>JHaynes4</dc:creator>
      <dc:date>2005-11-03T19:04:47Z</dc:date>
    </item>
  </channel>
</rss>

