cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
386
Views
0
Helpful
1
Replies

Anti-X, IPS in ASA w/ SSM

ontariomd
Level 1
Level 1

Hi,

I am a bit confused with configuring IPS in the ASA (with installed SSM module). I appresiate your feedback for this scenario:

Case

This is our ASA configuration portion relevant to IPS. I did this to block instant messaging ...

http-map TestHTTPMap

strict-http action allow log

port-misuse p2p action drop log

port-misuse tunnelling action drop log

port-misuse im action drop log

class-map global-class_ForIM

description Traffic Class to block IM

match any

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect ftp

inspect esmtp

inspect rsh

inspect rtsp

inspect sqlnet

inspect dns

inspect http

inspect pptp

class global-class_ForIM

inspect http TestHTTPMap

ips inline fail-open

!

service-policy global_policy global

I also used "Deny Connection Inline" in the Signature Configuration of SSM (for signatures related to instant messaging, peer to peer file sharing and http tunnelling).

Questions

1. Does blocking happen at SSM or at ASA level or both!? I had to drop/deny connections both in http map configutation (ASA) and signature configuration (SSM)

2. With the above configuration, what would be the best to do to block virus, worm and other malicious code? I think I can just inspect all types of traffic under the "class global_class_ForIM" above by adding more inspect commands. I also need to deny connections as the Action for signatures related to viruses and worms. Is this correct?

Thanks in advance for your help.

AA

1 Reply 1

mchin345
Level 6
Level 6

Cisco IDS Network Sensor identifies web application attacks, which include those used by the Nimda worm. The Network Sensor is able to identify attacks and provide details about the affected or compromised hosts to isolate the Nimda infection.

These Cisco IDS Network Sensor alarms fire:

WWW WinNT cmd.exe Access (SigID 5081)

IIS CGI Double Decode (SigID 5124)

WWW IIS Unicode Attack (SigID 5114)

IIS Dot Dot Execute Attack (SigID 3215)

IIS Dot Dot Crash Attack (SigID 3216)

For more information refer to the following url:

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_tech_note09186a0080093f4d.shtml.

Review Cisco Networking for a $25 gift card