Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
895
Views
0
Helpful
5
Replies

Allowing a new sensor implementation to learn

lcaruso
Level 6
Level 6

‎08-09-2012 07:17 AM - edited ‎03-10-2019 05:45 AM

Hi,

I'm setting up a new IPS sensor on an ASA 5500.

I've heard a recommendation that for a new sensor implementation at a given site, it is better to allow the sensor to learn traffic patterns in promiscous mode before deploying inline mode, otherwise the sensor may not interpret certain events correctly.

Is that a valid statement, and if so, does that mean you must wait to deploy any particular policies until this learning is complete?

Thanks.

Labels:
0 Helpful
5 Replies 5

Karsten Iwen
VIP
VIP

‎08-09-2012 10:45 PM

That statement is completely wrong. The right statement would be:

"For a new deployment you want to learn how the sensor behaves in your network before you enable restrictive actions in inline-mode".

For this learning-phase, using the sensor in promiscous-mode is less dangerous than using the sensor in inline mode. As it is only one parameter in your MPF to change from promiscous to inline, it's a good choice to start with promiscous.

For the AIP-IPS the detection-capabilities in promiscous and inline-mode will be the same. For the appliances, the detection is more accurate in inline-mode if the traffic is not normalized.

Sent from Cisco Technical Support iPad App

0 Helpful

lcaruso
Level 6
Level 6
In response to Karsten Iwen

‎08-11-2012 11:37 AM

Hi,

There seems to be some differing opinions on this subject. In the spirit of the forums as a place to learn, agree/disagree, and grow, here is a different view from an engineer, assuming we are referring to exactly the same question.

You can always override the initial deny packet inline action. Signatures work differently in inline and promiscuous modes.  That is why I do not agree with that statement.  Also risk ratings are affected by the promiscuous delta if in promiscuous mode.  Read the link below.
 
 http://www.cisco.com/web/about/security/intelligence/ipsmit.html
 
 Promiscuous Delta: When an IPS is deployed in Promiscuous mode rather than in Inline mode and under certain conditions, attack recognition may not be accurate. In such instances, Promiscuous Delta (PD) is used to lower the overall risk rating of the event. 
 
 Everyone has a different opinion of how to initially deploy an IPS.  Do you want to baseline your network differently than it will run normally? 
0 Helpful

Karsten Iwen
VIP
VIP
In response to lcaruso

‎08-11-2012 01:27 PM

Let me explain my point of view:

The sensor in question is an AIP-SSM, so the traffic is normalized by the firewall. In this setup there is no difference in the detection capabilities between promiscous and inline. Promiscous mode has problems with traffic that the attacker has fragmented in an abnormal way or modified segments. Both are controlled by the ASA and don't show up at the sensor.

So the signatures will behave the same. Now you want to make sure that you don't lose traffic while you are stil in the phase of minimizing or eliminating your false polsitives. You could filter out the deny-actions, but as a human you could make a mistake there and you configure something that has to be reconfigured later when your first tuning-phase is over. Both is not a problem when you observe your sensor in promiscous-mode. The change to inline is then very easy and your sensor doesn't need to be changed any more.

For your promiscous delta: The PD has nothing to do how or if a signature triggers or how the signature behaves. It is only a modifier for your Risk-Rating that helps you to make better decisions when you are at your monitoring-console, have thousands of alarms and have to decide which to process first.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

lcaruso
Level 6
Level 6
In response to Karsten Iwen

‎08-11-2012 01:58 PM

My apologies if the platform was misstated. This is what TAC's comments were referring to

Cisco Intrusion Prevention System, Version 7.1(4)E4

OS Version:             2.6.29.1                  

Platform:               ASA5512-IPS      

Not sure if that changes anything.

0 Helpful

Karsten Iwen
VIP
VIP
In response to lcaruso

‎08-11-2012 02:25 PM

That version doesn't change anything in the way the traffic is processed compared to an AIP-SSM. Instead of a dedicated hardware it just uses dedicated ressoures from that ASA-platform. Still, I don't see where the signatures would behave differently in this situation. Perhaps you can clarify that with the TAC? It's never to late to learn or to change the mind on new input.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card