With Robert Albach
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about security best practices and management for the Cisco Intrusion Prevention System (IPS) with Robert Albach. The Cisco Intrusion Prevention System is a context aware threat prevention system for your networked environments. The module unobtrusively detects and prevents problematic traffic from reaching its target; uses contextual inputs to determine the proper level of response; and tightly integrates with the ASA firewall for greater network security.
Robert Albach is a product manager in the Security Business Unit at Cisco, responsible for intrusion prevention offerings. Before joining Cisco in 2010 he held product management positions for intrusion prevention offerings at Hewlett-Packard/TippingPoint. He has more than 15 years of experience with systems management and security product offerings and has presented at the RSA trade show and other security venues.
Remember to use the rating system to let Robert know if you have received an adequate response.
Robert might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through September 7, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
I am going to expand your question a bit to separate IDS and IPS slightly from each other. The explanation may be simplistic but I think it is a good starting point.
A firewall is primarily about access control. Firewalls such as Cisco's ASA enforce access rules to certain networked elements based on IP addresses found within the header. One can state that devices within a particular CIDR can or cannot access another network device. This can typically be done using IP addresses and ports. There are additional extensions such as those provided by the ASA such as identity, and then with the ASA-CX application as well. For the most part, operations are to deny all with exceptions.
An IDS (Intrusion Detection System) is largely a passive listening system which performs deep packet inspection targeting traffic of interest. In the majority of cases the traffic of interest are varying forms of attack traffic. This attack traffic can range across the entire attack life-cycle and represent a large span of different attack vectors and techniques. As a passive system it may or may not be in-line but largely the system is there to observe and report.
An IPS (Intrusion Prevention System) is an in-line system which also performs deep packet inspection with the intent of both observing and acting on the traffic. The difference from the IDS role is the need to be able to impact the traffic it is interested in. As such it is not passive but unlike the firewall it will only potentially stop or alter traffic that meets its policy statement which is normally an attack threat that is identified.
There are several impacts that these definitions may have on your placement of devices and how your organization may wish to treat the results.
If I can summarise simplistically:
A firewall denies all traffic except that whose access it allows.
An IDS impacts no traffic and reports what it discovers.
An IPS allows all traffic except that which is identified as a threat.
I hope this helps.
Can you recommend the best book / video to get up and running on the IPS as quick as possible? I'm familiar with the ASA, but now I need to learn the IPS module within the ASA and fast!
Sorry for the delay - it sounds like you are seeking some quick general operational details. Is that fair?
Sadly there are no books that I know of that are specific to the Cisco IPS and up to date. Mr. Deal's book, while strong from the pure ASA perspective, is a bit dated, and both the ASA and IPS have had some significant changes introduced as well as new models with some significant operational differences.
I would be remiss if I did not mention my coworker's book "Cisco Firewalls" by Alexandre Moraes. There is not much in terms of the IPS module uniquely, but it does cover the newer ASA 5585 models, which include the dedicated IPS blade.
I think we may need to combine a book with a few other sources depending on your particular model. Let me know which solution you will need to manage and I will try to pull together a number of sources for you.
Now if your actual question was more along the lines of "tell me about general intrusion prevention best practices" then that would be a whole different set of references.
So let me know your platform and I'll try to pull some suggestions together.
Yes, I'm looking for quick operational details on the ASA-SSM-10 module running in an ASA5510 (v8.2), so an out of date book may not be that far off for me at this time. The IDS/IPS is running ver 7.0(2).
I've been tasked to do a review of the rulebase. I've worked on GUI based IDS appliances, and understand the theory of IDS/IPS, but I've never worked on the Cisco ASA IDS/IPS, so I just need basic info on how to get started.
I can session into the module from the firewall, but the config is so foreign to me that I'm not even sure that it's set up and doing anything.
That is an older and lower-end product, which means the resources available to run a larger number of signatures will be limited relative to the higher-end and newer platforms (the ASA 5515-X, as an example).
I am going to guess that this device is positioned at the company's internet edge (most people start there). In 7.1.5 we introduced a set of protection templates which are our default recommendations for deployment environments. That would be a good place to start as a reference.
I hope this helps.
Thanks for the reply, but I have to be honest - it doesn't help.
I'm looking for a crash course to show me the basics. You mentioned a set of production templates - how do I apply them? How do I see signatures that are there now? They tell me they are running the IPS, but I can't even tell that this is true. What are the commands that divert or copy packets to the IPS module? How do I create an alert to trigger when a specific IP is hit?
Again, basic information I know - but I just need to get started and don't know where to turn. I know I can read the reams of documentation Cisco put out, but I really just want simple, basic instruction to get me started. I'll pore through the rest when I have more time.
I appreciate any help you can provide.
Looking about, it appears that we are lacking in having a simplified getting started guide at the ready.
I would like to recommend some of the video documents put together by the excellent members of TAC as a starting point.
Installation and Basic setup of AIP-SSM:
TAC ips media series:
Let me know what you think of them and if there are subjects that you feel are missing.
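As an added example (not part of Robert's reply or of the TAC videos he references), this is the ASA-side configuration behind the questions asked above: how traffic is diverted or copied to the module, and how to check that the sensor is actually inspecting. It assumes an ASA 5510 on 8.2 with the AIP-SSM-10 in slot 1; the names IPS_ACL and IPS_CLASS are made up for illustration, and lines starting with ! are annotations rather than commands.

```text
! --- On the ASA (8.2), from configure terminal ---
! Select the traffic handed to the IPS module. "permit ip any any" sends
! everything; narrow this ACL once you know what you want inspected.
access-list IPS_ACL extended permit ip any any
!
class-map IPS_CLASS
 match access-list IPS_ACL
!
! global_policy exists by default and is already applied with
! "service-policy global_policy global".
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open
!
! The keyword after "ips" decides the role described earlier in this thread:
!   ips inline fail-open       -> packets pass through the module; it can drop
!                                 them (IPS role); traffic flows if it fails
!   ips promiscuous fail-open  -> packets are copied to the module; it can
!                                 only observe and report (IDS role)
!   ips inline fail-close      -> traffic is blocked if the module is down
!
! --- Verification on the ASA ---
show module 1 details         ! module Status should be "Up"; shows sensor version
show service-policy           ! confirms the ips action and its packet counters
!
! --- Inside the sensor (console into the module from the ASA) ---
session 1
show version                  ! sensor software and signature update levels
show statistics virtual-sensor  ! per-engine statistics; alert counts rising
                              ! means the sensor is receiving and inspecting
show events alert             ! alerts held in the sensor's event store
```

If `show service-policy` shows zero packets for the IPS class, or `show statistics virtual-sensor` never changes while traffic crosses the firewall, the module is installed but not in the traffic path, which is the "running the IPS but can't tell" situation described above.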
I just tried to test one of the DoS attack tools (LOIC) in a lab environment.
But in the Cisco IME real-time monitoring window I am not getting any alerts regarding this attack.
I am very sure that I am successful in flooding the network (the CPU of the ASA is going to more than 60% at that time).
But there is no event in Cisco IME.
Can you help with this?
I am going to assume that you are referencing the Low Orbit Ion Cannon attack tool. Is that correct?
I am going to first make a broad sweeping comment on the role of IPS and DOS/DDOS and then get to your question. An IPS is not an optimal dedicated DOS/DDOS prevention tool. It is a good means of initially identifying that the attack is starting but it would optimally signal this information upstream to some other device such as the FW, router, or specialized DOS tool. The closer to the source (ISP) the better.
Now on to your specifics.
Cisco IPS does not have a LOIC-specific signature. While LOIC is a powerful tool, the nature of its attacks is not really unique enough to justify a unique signature. LOIC will initiate an attack in either UDP, TCP, or HTTP. There are flood signatures in the 6900 range that may be appropriate to your attack.
As always with our signatures, ensure that the ones of interest are UNRETIRED, ENABLED, and that your actions include ALERT. Depending on the signature you may want to elevate the base RISK RATING or use an EVENT ACTION Rule (Overrides) to guarantee a response. Given that you are operating within a lab, all the other risk rating contributors are not likely to be there.
I hope this helps and thanks for asking.
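As an added example (not part of Robert's reply), here is what the tuning he describes looks like in the sensor CLI: unretire and enable a flood signature, make sure its actions include an alert, and add an event action override so an alert is produced regardless of the computed risk rating. Signature 6910/0 is used only as an example ID from the 6900 flood range; confirm the ID and its engine on your own sensor before copying this. Lines starting with ! are annotations rather than commands.

```text
! Inside the sensor (session 1 from the ASA), then: configure terminal
!
! 1. Unretire and enable the flood signature, and make sure the engine-level
!    actions include produce-alert. 6910 is an assumed example ID from the
!    6900 range; check it with "show configuration" first.
service signature-definition sig0
 signatures 6910 0
  status
   retired false
   enabled true
   exit
  engine flood-net
   event-action produce-alert
   exit
  exit
 exit
! The CLI prompts "Apply Changes:?[yes]" on leaving the service; answer yes.
!
! 2. Guarantee the alert independent of risk rating. In a lab the usual
!    contributors (target value, attack relevance, watch list) are absent,
!    so the computed risk rating can fall below what a default action
!    override expects. Covering the whole 0-100 range removes that dependency.
service event-action-rules rules0
 overrides produce-alert
  override-item-status enabled
  risk-rating-range 0-100
  exit
 exit
!
! 3. Verify, then re-run the flood and watch for the event.
show configuration | include 6910
show statistics virtual-sensor
show events alert
```

Note that the override in step 2 applies to every signature that fires, not just the flood signature, which is acceptable for a lab test but worth tightening (a narrower risk-rating-range, or a per-signature action instead of an override) before the sensor goes into production.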