Ask the Expert: Cisco Intrusion Prevention System (IPS)

ciscomoderator
Community Manager

With Robert Albach

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about security best practices and management for the Cisco Intrusion Prevention System (IPS) with Robert Albach. The Cisco Intrusion Prevention System is a context-aware threat prevention system for your networked environments. The module unobtrusively detects and prevents problematic traffic from reaching its target; uses contextual inputs to determine the proper level of response; and tightly integrates with the ASA firewall for greater network security.

Robert Albach is a product manager in the Security Business Unit at Cisco, responsible for intrusion prevention offerings. Before joining Cisco in 2010 he held product management positions for intrusion prevention offerings at Hewlett-Packard/TippingPoint. He has more than 15 years of experience with systems management and security product offerings and has presented at the RSA trade show and other security venues.

Remember to use the rating system to let Robert know if you have received an adequate response.


Robert might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through September 7, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

 
78 Replies

Tarjeet Singh
Level 1

Hi Robert,

My client has active (ASA1)/passive (ASA2) 5520 firewalls; both firewalls have ASA-SSM-20 IPS modules. On the active (ASA1) firewall the IPS module failed, and the failover mechanism found ASA1 unhealthy because the IPS had failed, so failover switched over to the standby ASA2.

Yes, we need to replace the ASA1 IPS to bring failover back to ASA1, but my client doesn't want to buy a new one. So he asked me to take out the secondary ASA2 IPS, so that ASA2 will switch back to ASA1 once failover finds out that there is no more IPS.

Please help me: how can I remove the IPS from ASA2, which is active now, so that failover switches back to ASA1 as active?

Should I just shut down the IPS on both routers so that the failover mechanism will not check for the IPS?

hw-module module 1 shutdown

Hi Tarjeet,

The important thing to do is to determine the cause of the initial failure of ASA1/IPS1. It may be the case that this is a potential misconfiguration or software error. In both cases there should be no need to purchase another device. Further, if there is a hardware problem and the system is still under warranty, then they should look into an RMA.

In all of these cases let's get to the bottom of the failure condition. Please contact TAC and open a case and let them determine a solution. That IPS unit should not fail and force an ASA failover.

Good Luck!

-Robert

jimmyc_2
Level 1

How do you save a copy of the IDS configuration to flash, or to the ASA? I understand you can save to backup-config, but I'd really like to save a working copy in a repository, in case future modifications go sour.

Also, if you have failover enabled on 5510s, can you easily update the active ASA and the backup IDS pick up the active config?

thanks.

Jimmyc

Hi Jimmyc,

If you have failover, then only the active ASA config is saved on the standby ASA, but the IPS/IDS does not save its config on the standby. You have to make changes manually every time on both IPS modules.

Hi Jimmy,

I think that Tarjeet gave you a good answer, but I wanted to be certain that what you were asking about was in fact the configuration of the system rather than the image itself. CSM makes much of your configuration import/export and general management process very easy, and with varying degrees of granularity as you choose.

-Robert

Pavel Pokorny
Level 1

Dear Robert,

I have spent a lot of time searching, but without success.

My answer is simple.

Is there an SNMP OID for the IPS module (this one is an SSM-20) which tells me the Inspection Load?

I have found the OID for CPU load, but this one is not what I need (CPU load can be high while inspection load is low at the same time), because what is important for me is the inspection load.

Thank you very much,

Pavel

Hi Pavel,

This is where I have to apologize to you. In the 7.1 code release there was a whole new set of health metrics available, and it also had a new MIB, CISCO-CIDS_MIB.my.7.1. The particular OID you would seek is

1.3.6.1.4.1.9.9.383.1.4.30.0.

Unfortunately that MIB has been caught up in our internal processes for far too long and is not posted.

I believe however that TAC has access to it so open a case and ask for it.

Our apologies for the delay and good luck.

Thanks,

-Robert

Hi Robert,

Thank you for the answer. I now have version 7.0.6, and I'm not planning to upgrade to 7.1 (I think it's too new).

One more question: is there a plan to implement SNMPv3 in the IPS module (now it's SNMPv2c at most)?

Thanks,

Pavel

Hi Pavel,

I missed your second question, so my apologies. If you are comfortable with 7.0 then stick with it. 7.0.8 is the latest in that revision family.

You are correct that we are only on SNMPv2. SNMPv3 is on a proposed roadmap for about 1 year from now, but we do not yet have this plan committed to delivery.

-Robert
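An added example (mine, not code from the thread) that polls the inspection-load OID Robert gives above and classifies the reply against a threshold, so that inspection load rather than CPU load drives the alert, and that reports a non-numeric reply (as a pre-7.1 sensor without this MIB would give) instead of treating it as healthy. Assumptions of mine, not confirmed by the thread: the OID answers with an integer percentage, and net-snmp's snmpget is installed for the live poll; since the sensor only speaks SNMPv2c, the community string travels in clear text, so use a read-only community over a management network.

```shell
#!/bin/sh
# Added example, not code from the thread. Polls the 7.1 inspection-load OID
# that Robert names and classifies the result against a threshold.
# Assumption (mine): the OID answers with an integer percentage.
# Assumption (mine): net-snmp's snmpget is on PATH for live polling.

INSPECTION_LOAD_OID="1.3.6.1.4.1.9.9.383.1.4.30.0"

# Pull the integer value out of an snmpget result line such as
#   SNMPv2-SMI::enterprises.9.9.383.1.4.30.0 = Gauge32: 72
# Prints nothing when the answer is not numeric, e.g. the "No Such Object"
# reply a pre-7.1 sensor gives because it lacks this MIB.
parse_snmp_value() {
    printf '%s\n' "$1" | sed -n 's/^.* = [A-Za-z0-9]*: *\([0-9][0-9]*\)$/\1/p'
}

# Prints OK, HIGH or UNKNOWN. UNKNOWN (no numeric value) is reported
# rather than treated as healthy, so a broken poll cannot hide a busy sensor.
classify_load() {   # $1 = snmpget result line, $2 = threshold in percent
    value=$(parse_snmp_value "$1")
    if [ -z "$value" ]; then
        echo UNKNOWN
    elif [ "$value" -gt "$2" ]; then
        echo HIGH
    else
        echo OK
    fi
}

# Live poll over SNMPv2c: poll_sensor <sensor-ip> <read-only-community> <threshold>
# The sensor offers no SNMPv3, so the community string is sent in clear text;
# poll only across a management network.
poll_sensor() {
    line=$(snmpget -v2c -c "$2" "$1" "$INSPECTION_LOAD_OID" 2>&1)
    classify_load "$line" "$3"
}

# Constructed sample replies for a dry run; no sensor is contacted.
SAMPLE_OK="SNMPv2-SMI::enterprises.9.9.383.1.4.30.0 = Gauge32: 42"
SAMPLE_HIGH="SNMPv2-SMI::enterprises.9.9.383.1.4.30.0 = Gauge32: 91"
SAMPLE_MISSING="SNMPv2-SMI::enterprises.9.9.383.1.4.30.0 = No Such Object available on this agent at this OID"

for sample in "$SAMPLE_OK" "$SAMPLE_HIGH" "$SAMPLE_MISSING"; do
    echo "$(classify_load "$sample" 80)  <- $sample"
done
```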

eng.malak
Level 1

Hi Robert

Is there any way to make the IME, IDSM, or IPS do a reverse DNS lookup so that the report or the signature event shown in IME displays the hostname instead of the IP address?

thank you

Malak

Hi Malak,

First, my apologies, as I cannot seem to paste screen shots, which I am certain would be helpful, but alas. I am referencing IME 7.2.3.

So within EVENT MONITORING / EVENT VIEWS / BASIC VIEW, select an Event and then Tools / WhoIs / Attacker.

Then within the Reports section look at a Top Attacker Report such as Top 10 Attackers last 1 hour. In the Report Settings / General tab, in the Report box on the left, the lowest positioned option is a check box which says Resolve Addresses using DNS.

That should do what you are asking.

Hope this helps.

-Robert

Thank you, Robert, for your reply.

I have another question. I configured the IDSM-2 to send a TCP RESET and it works fine, except for users behind the FWSM, so I expect that the FWSM drops the message. Is there any way to solve it?

Regards

Malak

tiwang
Level 3

Hi Robert

Can you give me some tips about the signature-update problems with the IPS modules? We have several ASAs with SSM-10, SSM-20 and SSP-IPS10 IPS modules in them. The SSM-20 and SSP-IPS10 modules are quite simple to keep updated (in fact I haven't experienced any problems in updating either the engine or the signatures), but we also have a set of SSM-10 modules which are hard to update. I have disabled automatic update and am downloading the signature file manually to it through IME (newest version, 7.2.3). The engine on all the IPS modules is also the newest, 7.1(6)E4, and currently I am running signature 690.0 on the primary IPS module, and I succeeded in upgrading the other to 695.0, but right now both SSM-10 modules fail when trying to upgrade to 696 or 697.

The IPS module is not "overloaded"; there is enough storage available as far as I can see:

Host:
    Realm Keys          key1.0
Signature Definition:
    Signature Update    S695.0            2013-02-11
OS Version:             2.6.29.1
Platform:               ASA-SSM-10
Serial Number:          JAB100402LD
Licensed, expires:      29-May-2013 UTC
Sensor up-time is 55 min.
Using 618M out of 974M bytes of available memory (63% usage)
system is using 29.0M out of 160.0M bytes of available disk space (18% usage)
application-data is using 81.5M out of 169.2M bytes of available disk space (51% usage)
boot is using 57.4M out of 69.6M bytes of available disk space (87% usage)
application-log is using 123.5M out of 513.0M bytes of available disk space (24% usage)

Any suggestion on what I can do? I am aware that the SSM-10 module is fairly underpowered compared to the other modules, but I would expect it to have the signature update installed after an hour. It is split into 3 virtual sensors (vs0 - vs2).

best regards /tiwang

Hi Robert,

I have the same issue as Tiwang with SSM-10 modules.

The modules are running the last version of E4, 7.1(6), but I can't update to the latest signatures.

I am stuck at S689. I tried to upgrade from a local server or online but did not succeed.

The process starts OK; the IPS unzips the file and starts to install the update.

In the end, IME shows that CPU is at 100%, in sh ver S689 is still in use, the Health status is ok, and with sh tech I do not see any errors.
But the statistics for analysis-engine, anomaly-detection and virtual-sensor cannot be completed.

After a restart/reload I am back to S689.

The licences are valid.


Best regards,

Marius

Marius / Tiwang;

So first let me apologize for the troubles you are experiencing. This is not what we want to see happening to you.

Second let me ask that you be certain to open a case with TAC. It is always very helpful to track issues in the official systems - it helps us to weight priorities and customer issues are at the top!

Now onto your problem. It sounds like an issue which has arisen in which some signature updates, when "compiled" if you will, can result in a corruption. Of course, contact TAC to ensure that your situations are what I've described. Some amount of tuning of signatures, exceptions, and other customizations aligned with a virtual sensor can trigger this corruption to occur. The specific triggers are not necessarily specifiable; it appears to be related to a combination of things.

What about a resolution? There is a new release we are targeting for the end of this month to address this instability. So please, open that TAC case and check back over the next two weeks for a new release to address this.

Again our apologies.

-Robert
