With Robert Albach
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about security best practices and management for the Cisco Intrusion Prevention System (IPS) with Robert Albach. The Cisco Intrusion Prevention System is a context-aware threat prevention system for your networked environments. The module unobtrusively detects and prevents problematic traffic from reaching its target; uses contextual inputs to determine the proper level of response; and tightly integrates with the ASA firewall for greater network security.
Robert Albach is a product manager in the Security Business Unit at Cisco, responsible for intrusion prevention offerings. Before joining Cisco in 2010 he held product management positions for intrusion prevention offerings at Hewlett-Packard/TippingPoint. He has more than 15 years of experience with systems management and security product offerings and has presented at the RSA trade show and other security venues.
Remember to use the rating system to let Robert know if you have received an adequate response.
Robert might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through September 7, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
Yes, you are correct, I am using the Low Orbit Ion Cannon tool.
OK, I will try tuning the 6900-range IPS signatures.
Just for knowledge: could you please recommend a dedicated DoS prevention tool?
This is an area in which I'm not qualified as an "expert", so I am going to ask one of our Technical Marketing members to help out with an answer. I have a fear that we may have some kind of collision condition at play.
Can you tell me what report you ran where you see the segment overwrite errors? I am interested in knowing what piece of the puzzle is reporting this condition.
I'm running a 6500 with a Sup-2 720, FWSM and IDSM-2. Is it possible to monitor/protect the VLAN between the firewall and internal router interface, the DMZ, and the external firewall interface? I'm currently just protecting (running inline) the external interface, but every now and then the IDSM-2 blocks internal users from accessing the internet. When running a report, I see TCP segment overwrite errors.
If this was answered previously, please point me to the discussion...
Sent from Cisco Technical Support iPad App
It looks like you have an open TAC case on this question, so I am going to defer to that process for now and let those folks run with your issue.
Should TAC need to escalate to the local team I am certain they will not hesitate.
Hopefully things will resolve soon.
What, if any, best practices are there for managing the IPS AD KB across a "cluster" of IPS SSPs in an ASA HA pair?
I would have thought the logical thing would be for IPS 1 in the active ASA to copy the KB to IPS 2 in the standby ASA, but Cisco does not provide a mechanism to do this. Do I have to kludge this with an external scp server and expect scripts? If so, is it a case of copying the current KB from IPS 1 (maybe once a day) to an scp server, and then at some time later IPS 2 copies the KB from the scp server to itself and makes that the current KB? Any advice is greatly appreciated. Would be nice if CSM could manage this....
Hi and my apologies for the late reply.
Starting with some happier news, there are plenty of options to copy and manage Anomaly Detection KBs on individual devices, so you can certainly script these. Of course there are also some nice tools in IME which expose these commands.
The bad news is, as you have already discovered, we have not centralized this management through CSM for multi-device management. So yes, kludge it is, or as we may prefer to call it, "creative extensioneering".
Some rambling thoughts here to follow so take them with enough thought before implementing....
Hopefully your systems rarely fail over and the nature of the traffic does not change much meaning your KBs should look very similar over time. I think it would be interesting to run diffs across those to see if there is much change.
Does one sensor happen to generate greater diffs from your "standard"? Just something to consider.
I would be very interested in knowing how frequently your AD fires. As it was focused on worm propagation, it would be good to know how often you run across those.
This is a greenfields deployment, so no indication yet of what the AD alerts may be or what the KB diffs would be. Given the ASAs are active/passive, I need to ensure that the KB that is backed up is the KB from the active firewall. It would be a very bad day if it were pulled from the passive device, which sees normal traffic as virtually no sessions, although that would only be initially. Over time it should have a backup of the active KB. The only way I could think of to do this would be to log in to the active ASA and then session to the IPS module. Do you have any other suggestions about how to grab the active KB?
One other gripe I do have is that the copy ad knowledge base scp client only supports SSH version 1? Why is that?
I can SSH to the IPS SSP with version 2, so why would Cisco hamstring the client to version 1?
Pardon me, but I will make an assumption here, which is that your root user has legitimate access to the Unix box in question. I am uncertain what exactly you mean by TCP-based commands. I will make another leap and guess that you mean that the user is accessing the device in question across the network, perhaps?
I will work the rest of my discussion based on the above paragraph assumptions.
First, this *may* be possible, and the nature of the request is not all that unusual. It is often the case that people wish to use their IPS as an application control vehicle by which they want to manage commands that are remotely executed over the network. There are a number of existing signatures for similar ideas, but not necessarily unique Unix commands. You can certainly write your own to apply here as well.
Second, I would hope that the communication between the external user and the device is encrypted as a general best practice. If this is the case then it is probable that your IPS will not be able to see these commands, in which case what *may* be possible is made not possible. Here a good security practice prohibits what you desire.
Third, given that your potential newly created Unix command signatures detect legal commands, it is important that you deploy these carefully. Think carefully through the scenarios in which you want these working. Are there potential situations in which you might block necessary activity from others who will need to manage this system? Remember that unless you have an ASA in place, the IPS does not differentiate "who" the user is. Unless you can guarantee a network identifier such as a VLAN or source IP, the application of the signature may hit others you did not wish it to.
I have an AIP-SSM 10 installed in my firewall. The question is how I can disable weak ciphers for management, i.e. how I can force that only strong encryption mechanisms are used for the HTTPS management session?
Thanks for your reply in advance.
Hi, and my apologies as I overlooked this question for a while!
This was definitely a challenge in the 7.0 code base. If you upgrade to 7.1.6, though, the problem is resolved, and this release does support your platform too. Look at the 7.1.3 release notes for more details.
If you need to remain on 7.0, then give TAC a call and they can point you to a less elegant solution.
And credit for this goes to Stijn Vanveerdeghem (Cisco IPS TME) who pointed me to the solution.
I had posted this as a separate discussion, but just wanted to know your opinion on this.
I am trying to upgrade the AIP SSM 20 to IPS-K9-6.2-4-E4.pkg.
The problem is that the error below comes up:
Error: execUpgradeSoftware : Connect failed
I can confirm the following:
1) Ping from FTP server to sensor and vice versa is OK
2) FTP server works OK, as I am able to upload/download files from other clients
3) Command given is: upgrade ftp://firstname.lastname@example.org/IPS-K9-6.2-4-E4.pkg
4) I also created another user on the FTP server and tested, but same results
5) The FTP server listens on port 21 and does not get any request
6) Current image is a bit old, i.e. 6.0(4)E2
Some information from show version is as follows:
Using 1023815680 out of 2093600768 bytes of available memory (48% usage)
system is using 17.7M out of 29.0M bytes of available disk space (61% usage)
application-data is using 39.3M out of 166.8M bytes of available disk space (25% usage)
boot is using 38.4M out of 68.6M bytes of available disk space (59% usage)
The image that I am trying to upload, i.e. IPS-K9-6.2-4-E4.pkg, is about 28.6 MB in size. Could the issue be related to the disk size (shown in bold above)?
Thanks in advance.
The size of the package relative to your resources could definitely be the problem, but not just the storage space; potentially the memory as well.
For any device with a somewhat limited amount of storage it is a good idea to perform some occasional cleanup. Look for unnecessary prior packages, packet captures, and the like then remove them if possible. That should provide more space for laying down the package.
The second area is memory available. Best to initiate this download when things are as idle as possible. You might want to interrupt eventing activity and ensure that there are no reports being generated or signatures being downloaded (only twice a week so likely ok).
I will note that yes, your 6.0 software is rather old. In fact it is no longer a maintained rev. I would suggest as big a leap forward as possible, to the 7.0.8 release, if you feel comfortable with that.
Beyond that, if your cleanup and upgrade does not work, then be certain to get some TAC help.
I am not clear on the documentation below.
I have a Cisco ASA 5520 with an IPS module, so what do you suggest about IPS placement in my case?
I want to protect my internal and DMZ networks from the internet, and I also want to protect the DMZ servers from internet and internal attacks.
Currently I am using an IPS-CLASS service policy rule within the Global Policy service policy rule,
and the configuration is like:
IPS-CLASS --- source any, destination any, service ip, rule action ips inline, permit traffic, sensor vs0
Is this configuration OK?
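The rule described in the post, rendered as the equivalent ASA CLI. This is an added example, not from the thread or from Cisco; the names IPS-CLASS, global_policy and vs0 come from the post, and it assumes a stock ASA 8.x MPF configuration where ASDM's "permit traffic" choice maps to the fail-open keyword.

```cisco
! Added example (not from the thread): ASA CLI form of the ASDM service-policy
! rule described above. IPS-CLASS, global_policy and vs0 are from the post;
! the rest is an assumption about a stock ASA 8.x configuration.
class-map IPS-CLASS
 match any
!
policy-map global_policy
 class IPS-CLASS
  ! "permit traffic" in ASDM is fail-open: if the module is down or being
  ! upgraded, traffic bypasses inspection instead of being dropped.
  ips inline fail-open sensor vs0
!
! Applied globally, so the same rule is evaluated on every interface
! (outside, inside and DMZ), which covers all three flows in the question.
service-policy global_policy global
!
! Stricter variant for segments where losing inspection is worse than losing
! connectivity (for example the DMZ): a failed module then blocks traffic.
!  ips inline fail-close sensor vs0
```

Verify which choice is active with "show service-policy" and "show module" before relying on it, since fail-open silently removes inspection whenever the sensor is unavailable.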