Ask the Expert: Intrusion Prevention Systems (IPS)

ciscomoderator
Community Manager

With Madhu Kodali

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to discuss configuring and troubleshooting IDS/IPS sensors with Cisco expert Madhu Kodali.

Madhu is a senior QA engineer on the Intrusion Prevention Systems development team in Austin, Texas, which supports the quality assurance of Cisco's intrusion detection and prevention solutions. He has been with Cisco for 10 years. His expertise lies in intrusion detection and prevention and the associated range of Cisco management products including Cisco IPS Manager Express and Cisco Adaptive Security Device Manager. Kodali holds a master's degree in computer science from the University of Texas at Dallas and currently holds CCSP and CISSP certification.

Remember to use the rating system to let Madhu know if you have received an adequate response. 

Madhu might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through June 1, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

28 Replies

Hi Rahul,

ASA and IPS have different areas of application. The ASA firewall provides access control and sometimes VPN services. It also provides some basic application inspection and threat protection, but more advanced protection against malware, evasions, trojans and worms is provided by the IPS. To inspect packets and streams beyond layer 4 an IPS would be needed, as firewalls usually don't have intensive deep packet inspection capabilities.

Hope this helps

Madhu

sg_network
Level 1

Hi Rahul,

1) Does WLC have IPS? If yes, what is different from a normal IPS?

2) Is WLC IPS enough to protect wireless traffic?

Thanks,

John

John,

I presume you are referring to the Wireless LAN Controller, with which I have no familiarity. However, it looks like there is some integration between WLC and IPS, as detailed in this link:

http://www.cisco.com/en/US/partner/tech/tk722/tk809/technologies_configuration_example09186a00807360fc.shtml

For a better response you can try posting your question on the Wireless forum.

thanks

Madhu

doxenhandler
Level 1

Hello Madhu,

We have a pair of IDSM-2 modules, one in each of our core 7613 routers. We are using these in inline mode, with VLAN pairs. One module is dedicated to protecting our inbound internet connection. It handles two VLAN pairs, one is behind the firewall, and the second is behind our F5 load balancer, which does SSL offload.

We are experiencing unacceptably high inspection loads whenever our internet traffic goes above 50Mbps. We see high latency (around 1000ms) and packet drops. So we are compelled to bypass IDSM-2, which is rated at 500Mbps, when the traffic exceeds 100Mbps. We are not using custom rules, or any heavy logging.

The traffic primarily consists of a high number of small file transfers from mobile devices. I understand that 500Mbps may be under ideal conditions, but we're not getting even close. Is there anywhere we can look to improve performance?

Appreciate any suggestions you have!

Hi,

The IDSM2 is rated at 500 Mbps based on HTTP traffic with an average segment size of 650 bytes. Any other traffic profile with smaller packet sizes and non-TCP protocols can adversely impact the performance. However, 50 Mbps sounds very low for any traffic profile. Here are some troubleshooting steps you can follow to debug this issue:

- Configure bypass mode to ON on the IDSM2 to see if that resolves the issue of high latency and inspection load. If it does not resolve the issue then check the memory usage and CPU as IDSM2 has been prone to the HDD issue needing the disk to cool down for approximately 30 min.

- If bypass mode resolves the issue then it is the type of traffic that is causing the high inspection load. If the traffic is primarily TCP then check to see if the normalizer sigs are firing. These sigs are the 1330/1300 sigs that show up under "show statistics virtual-sensor". In this case there may be some tuning needed for the sigs. If the normalizer is not an issue then please check if there are any other settings like event action overrides or custom signatures that may be causing the delay in traffic.

- If the traffic is not TCP then have the traffic sample captured and contact Cisco TAC for further assistance. Cisco TAC can help reproduce the issue and suggest the next appropriate steps. Please provide the software version on the IDSM2 and the output of "show tech-support" while opening a case.

Thanks

Madhu

Madhu,

Thanks for your response. This gives me a few places to look for clues.

  • If I bypass the sensor, then the problem goes away, so the inspection load is definitely the problem.
  • I have about 10 event action overrides, mostly to disable events generated by external/internal security scans (Qualys, etc.). Is processing these rules very resource intensive? I could probably pare these down if I had to, but 10 seems like a fairly modest number.
  • I was seeing a lot of the normalization signatures firing, but I disabled these signatures in an attempt to reduce the load.
  • I was able to reduce the load on the IDSM2 by disabling a number of lower priority and normalization related signatures, but I still find inspection load maxing out at around 100Mbps throughput. The traffic is around 95% TCP.

Regards,

-Daniel

Hi Daniel,

Please check if you are at the latest sig level, as there were a few sigs that were affecting the performance in file transfer scenarios. A "show version" on the IDSM2 would tell us the major version and also the sig level. If you are at the latest sig level, then you may need to use the RegexDepth setting to get better performance with file transfers:

https://techzone.cisco.com/t5/Intrusion-Prevention-Systems/sensorApp-conf-Configuration-Tokens/ta-p/5657

The event action overrides should not add to the processing load. I suspect it is the type of traffic that IPS is analyzing. If possible please provide a sample capture of the packets which would truly represent the traffic. This would give us an idea of the protocol and ports that are being used for the file transfer.


thanks

Madhu

Madhu,

The traffic is predominantly http and https. The IDSM-2 is inline behind the firewall, so traffic is mostly https at this point. Then the traffic goes through the load balancer, where it is decrypted to http and then fed through the IDSM-2 again. We have two VLAN pairs set up.

File transfer is not really how I would characterize the traffic. These are 1000s of mobile devices, each uploading 100K-1000K payloads.

I tried setting RegexDepth to 800000 but it made no difference. The bug report suggested a lower value could be tried. Do you have any suggestions how I should step it down? Is 700000 a reasonable next step?

The SmartNet on these ran out 4/1/2012. We are reluctant to renew if these are not going to be sufficient for our use case, so I'm in a bind to find some way to tune the performance to handle 100Mbps easily (two 50Mbps VLAN pairs).

Thanks for all your help so far!

Daniel

Hi Daniel,

Please make sure you have reset the IPS after changing the RegexDepth setting in sensorApp.conf.

Also, if the IDSM2 is inspecting traffic twice, please make sure that you have each VLAN pair in a different virtual sensor. Or you can keep them in one virtual sensor and set 'inline-TCP-session-tracking-mode interface-and-vlan' so that each session in each VLAN is tracked separately. This option appears under service analysis-engine as shown below:

idsm(config)# service analysis-engine
idsm(config-ana)# virtual-sensor vs0
idsm(config-ana-vir)# inline-TCP-session-tracking-mode ?
virtual-sensor         All packets with the same session key (AaBb) within a
                       virtual sensor belong to the same session.
interface-and-vlan     All packets with the same session key (AaBb) in the same
                       VLAN (or inline VLAN pair) and on the same interface
                       belong to the same session. Packets with the same key but
                       on different VLANs or interfaces are tracked
                       independantly.
vlan-only              All packets with the same session key (AaBb) in the same
                       VLAN (or inline VLAN pair), regardless of the interface,
                       belong to the same session. Packets with the same key but
                       on different VLANs are tracked independantly.

thanks

Madhu
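The three tracking modes from the help text above, modelled as an added example in Python (this is not code from the thread or from Cisco). It keys constructed packets the way each mode describes and shows why independent TCP conversations that share a session key (AaBb), seen on different inline VLAN pairs or interfaces, get folded into one session under 'virtual-sensor' mode, where their interleaved sequence numbers then look like out-of-order traffic to the stream tracker. The Packet fields, the sample traffic and the backward-sequence-number counter used as a stand-in for normalizer work are all assumptions of the example.

```python
# Added example, not from the thread or from Cisco: a toy model of the three
# inline-TCP-session-tracking-mode choices. Packet fields, the sample traffic
# and the "backward sequence number" counter are assumptions for illustration.
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port vlan interface seq")

MODES = ("virtual-sensor", "vlan-only", "interface-and-vlan")


def session_key(pkt, mode):
    """Build the key the tracker groups packets under.

    AaBb is the address/port pair of both ends, normalised so that either
    direction of one conversation maps to the same key. vlan-only adds the
    VLAN (pair); interface-and-vlan adds the sensing interface as well.
    """
    ends = sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])
    key = (ends[0], ends[1])
    if mode == "virtual-sensor":
        return key
    if mode == "vlan-only":
        return key + (pkt.vlan,)
    if mode == "interface-and-vlan":
        return key + (pkt.vlan, pkt.interface)
    raise ValueError("unknown tracking mode: %s" % mode)


def simulate(packets, mode):
    """Track PACKETS under MODE.

    Returns (sessions, backward_seq_events): how many distinct sessions the
    tracker ended up with, and how many packets arrived with a TCP sequence
    number below the highest already seen in their session. That second
    number is a stand-in for the out-of-order/retransmission observations
    that give a stream tracker extra normalizer work when two real
    conversations are folded into one session.
    """
    high_seq = {}
    events = 0
    for p in packets:
        k = session_key(p, mode)
        if k in high_seq and p.seq < high_seq[k]:
            events += 1
        high_seq[k] = max(high_seq.get(k, 0), p.seq)
    return len(high_seq), events


# Constructed traffic: three independent TCP conversations that share the same
# AaBb key, interleaved as one sensor seeing several VLAN pairs would observe them.
#   X: VLAN pair 10 on interface ge0
#   Y: VLAN pair 20 on interface ge0
#   Z: VLAN pair 10 on interface ge1 (same VLAN id, different interface)
CLIENT, SERVER = "10.0.0.1", "192.0.2.10"
SAMPLE_PACKETS = [
    Packet(CLIENT, 40000, SERVER, 443, 10, "ge0", 1000),  # X
    Packet(CLIENT, 40000, SERVER, 443, 20, "ge0", 5000),  # Y
    Packet(CLIENT, 40000, SERVER, 443, 10, "ge1", 100),   # Z
    Packet(CLIENT, 40000, SERVER, 443, 10, "ge0", 1500),  # X
    Packet(CLIENT, 40000, SERVER, 443, 20, "ge0", 5500),  # Y
    Packet(CLIENT, 40000, SERVER, 443, 10, "ge1", 200),   # Z
    Packet(CLIENT, 40000, SERVER, 443, 10, "ge0", 2000),  # X
    Packet(CLIENT, 40000, SERVER, 443, 20, "ge0", 6000),  # Y
]


def compare_modes(packets=SAMPLE_PACKETS):
    """Return {mode: (sessions, backward_seq_events)} for every tracking mode."""
    return {mode: simulate(packets, mode) for mode in MODES}


if __name__ == "__main__":
    for mode, (sessions, events) in compare_modes().items():
        print("%-20s sessions=%d backward-seq events=%d" % (mode, sessions, events))
```

Running it shows 'virtual-sensor' collapsing all three conversations into one session with four backward-sequence events, 'vlan-only' still merging X and Z because they share a VLAN id across interfaces, and 'interface-and-vlan' keeping all three apart with none. That is the separation Madhu's suggestion buys when the same sensor inspects more than one VLAN pair.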

Madhu,

Changing the inline-TCP-session-tracking-mode made a huge difference. Performance seems to be almost 2X what it was before. I was able to leave the IDS inline during a period of peak traffic (over 120Mbps counting both VLAN pairs). At this rate the inspection load was about 70.

Thanks again for your time - this conversation has been extremely helpful.

Warm regards,

Daniel

Chris McCann
Level 1

Hello Madhu,

We have a pair of 5520s with IPS modules fitted in each. We have had to reinstall the IPS module on the secondary, but I would like it to synchronise configuration with the IPS module in the active ASA. Could you let me know what needs to be done? I have done the 'basic' setup on the IPS module so it has the correct IP addressing and the same software version (7.0(6)) as the active IPS, but nothing seems to be synchronising.

many thanks,

Chris.

Hi Chris,

Configuration on the IPS is not synchronized between an ASA failover pair. For IPS we have to manually copy the same configuration onto both modules. Once you have configured the first IPS fully you can copy that configuration to a TFTP or FTP server and then copy it back onto the second IPS.

Hope this helps

Madhu

Thank you Madhu, exactly what I needed to know. It will save me a lot of time looking for a 'synchronise' tick box that does not exist.

many thanks,

Chris.

SurendraBabu
Level 1

Madhu

I am looking for a process document / process outline on Capacity Management for IPS.

Can you please guide?

Surendra