08-26-2011 03:35 PM - edited 03-10-2019 05:27 AM
With Madhu Kodali
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to discuss configuring and troubleshooting IDS/IPS sensors with Cisco expert Madhu Kodali. Madhu is a senior QA engineer on the Intrusion Prevention Systems development team in Austin, Texas, which supports the quality assurance of Cisco's intrusion detection and prevention solutions. He has been with Cisco for 10 years. His expertise lies in intrusion detection and prevention and the associated range of Cisco management products, including Cisco IPS Manager Express and Cisco Adaptive Security Device Manager. Kodali holds a master's degree in computer science from the University of Texas at Dallas and currently holds CCSP certification.
Remember to use the rating system to let Madhu know if you have received an adequate response.
Madhu might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the discussion forum shortly after the event. This event lasts through September 9, 2011. Visit this forum often to view responses to your questions and the questions of other community members.
08-27-2011 08:12 AM
Hi there, and thank you for sharing your expertise.
My question specifically concerns IOS-based IPS on a Cisco 1921.
The router is configured as an IRB with GigabitEthernet 0/1.4 and FastEthernet 0/0/0 in bridge group 1.
The hosts to be protected are on FastEthernet 0/0/0 and Internet connectivity is on GigabitEthernet 0/1.4.
I am trying to achieve a transparent firewall between those two interfaces.
I configured the router by loading the latest SDF and compiling it after retiring and unretiring as follows:
ip ips config location flash:ips retries 1
ip ips name FW-ips
ip ips signature-category
 category all
  retired true
 category ios_ips advanced
  retired false
  enabled true
But as soon as I enable the IPS on Fa0/0/0 with "ip ips FW-ips out", the servers which are now accessible become invisible from the Internet. Some additional details:
the IP address is dynamic and there is NAT on another device; 82.x.x.x port 8081 is NATed to 192.168.1.36 port 80, where the server lies.
My question concerns how to monitor traffic and see what IPS is doing to interrupt communication, i.e., what are the best debug commands to assess why this is happening.
My second question concerns licensing. IPS is not based on subscription, but when I downloaded the sig file and compiled it, my router logged a license bypass message in the log. When does a license become needed? Can the SDF be manually updated any further without a license?
Thank you
Fabio
08-29-2011 08:03 AM
Hi Fabio,
I wish I could have helped you, but I am familiar only with the IPS on standalone appliances and network modules. For IOS-based IPS there should be a separate expert. I read your question but have no clue on the IOS functionality.
thx
Madhu
08-29-2011 10:50 AM
Hi Dear!
I will start a project with 2 ASA 5520 + AIP-SSM20. I usually send all the traffic to the module for analysis, but this time I don't want to receive too much traffic coming from the Internet that my ASA will probably drop. So I would like to send to the module only the ingress and egress traffic of the DMZ and INSIDE interfaces. What is the best way to do this configuration?
Regards,
Rodrigo
08-29-2011 12:39 PM
Hi Rodrigo,
You can do that by following the steps below:
- Look for any global service-policy configured on your ASA.
qf1-230# sh run | incl service-policy
service-policy mypolicy global
If you find one, please remove that service-policy using the "no" prefix.
- Now configure the service-policy for the DMZ and inside interfaces as shown below:
qf1-230(config)# service-policy internalpolicy interface inside
qf1-230(config)# service-policy dmzpolicy interface dmz
I think there is no restriction on using the same name for the policy. If there is a problem, then use separate names for the policy for each interface. Hope this helps.
Madhu
08-29-2011 12:54 PM
Hi Madhu,
Thanks for your quick reply! Just to double-check, I need to remove my global service-policy to do this configuration, right? What about the protocol inspection that I use in my global policy? After that, will my firewall continue to work as a stateful firewall for the outside interface?
Besides that, I would like to know if the following configuration will work the same way as your explanation:
class-map DMZ
 match interface dmz
class-map INSIDE
 match interface inside
policy-map global_policy
 class DMZ
  ips inline fail-open
 class INSIDE
  ips inline fail-open
By the way, thanks again for sharing your knowledge with us.
Regards,
Rodrigo
08-29-2011 02:21 PM
Yes, you should remove the global service-policy; otherwise it applies to all interfaces and will conflict with what you need to send to the IPS. Protocol inspection or other features will not be affected by removing the global service-policy. The firewall should continue to work as a stateful firewall for the outside interface.
There are multiple ways of configuring the class maps and policy maps. You cannot have "match interface xxx" under a class-map as you have suggested in your config.
For your needs, say if you need to inspect http traffic entering your "inside" interface and also inspect smtp traffic entering your "dmz" interface, then a configuration like this would help:
-----------
access-list http_traffic extended permit tcp any any eq www
access-list smtp_traffic extended permit tcp any any eq smtp
class-map smtp_traffic
 match access-list smtp_traffic
class-map http_traffic
 match access-list http_traffic
policy-map http-map
 class http_traffic
  ips inline fail-open
policy-map smtp-map
 class smtp_traffic
  ips inline fail-close
service-policy http-map interface inside
service-policy smtp-map interface dmz
----------------
You can alter your access lists to send the desired type of traffic. You can also combine the two policy-maps into one and apply the same policy to different interfaces.
thx
Madhu
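As an added example (not code from the thread or from Cisco), here is a small Python audit that parses ASA class-map / policy-map / service-policy text in the shape Madhu's two answers use and lists which traffic is bound to the IPS module on which interface. It also surfaces a leftover global service-policy that still carries an "ips" action, which is the conflict his first step removes. SAMPLE_CONFIG is a constructed config modelled on the thread's example.

```python
import re
from collections import defaultdict

# Constructed sample: per-interface smtp policy plus a leftover global policy.
SAMPLE_CONFIG = """\
class-map smtp_traffic
 match access-list smtp_traffic
class-map inspection_default
 match default-inspection-traffic
policy-map smtp-map
 class smtp_traffic
  ips inline fail-close
policy-map global_policy
 class inspection_default
  inspect dns
  ips promiscuous fail-open
service-policy global_policy global
service-policy smtp-map interface dmz
"""

def ips_audit(config):
    """Return (scope, policy, class, match, ips_action) rows; scope is 'global' or an interface."""
    cmaps, pmaps, binds = {}, defaultdict(dict), []
    block = cls = None
    for line in config.splitlines():
        body = line.strip()
        if not line[:1].isspace():  # top-level command ends any sub-mode
            block, cls = None, None
            m = re.match(r"(class-map|policy-map) (\S+)$", body)
            if m:
                block = m.groups()
                if block[0] == "class-map":
                    cmaps[block[1]] = []
            m = re.match(r"service-policy (\S+) (?:global|interface (\S+))$", body)
            if m:
                binds.append((m.group(1), m.group(2) or "global"))
        elif block and block[0] == "class-map":
            cmaps[block[1]].append(body)
        elif block and block[0] == "policy-map":
            if body.startswith("class "):
                cls = body.split()[1]
                pmaps[block[1]].setdefault(cls, [])
            elif cls:
                pmaps[block[1]][cls].append(body)
    # One row per bound policy/class pair that hands traffic to the IPS module
    return [(scope, policy, cls, " ".join(cmaps.get(cls, ["?"])), act)
            for policy, scope in binds
            for cls, actions in pmaps.get(policy, {}).items()
            for act in actions if act.startswith("ips ")]
```

Any row whose scope is "global" is the conflicting global binding to remove before applying the per-interface policies.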
09-02-2011 05:32 AM
Hello Madhu - I have a pair of ASA 5520s, each with the SSM-10 modules, in Active/Standby failover mode. Is there a way to exclude the IPS modules from triggering a failover?
Thanks
Brian
09-02-2011 08:59 AM
Hi Brian,
The failover due to the IPS module is triggered when there is either a control plane or a data plane communication failure between the module and the ASA. Monitoring of the IPS is enabled by default, and I did not find any command on the ASA to exclude this trigger condition. The monitor-interface command considers only physical external interfaces but does not provide an option for the SSM. I will go ahead and submit an enhancement to this effect. You may be tempted to use the fail-open configuration under the policy-map, but this will have no bearing on the failover of the units. Hope this helps.
Madhu
09-04-2011 01:33 AM
Dear Madhu,
Greetings
All the private IPs (Internet subscribers) are NATed (dynamic) to one public IP. It is a service provider network, and for NATing we are using the ASA 5500 series.
Our problem: the public IP is blacklisted due to spamming which is coming from one of the private IPs. As it is an SP network, I cannot put a filter on SMTP.
Is there any way to detect this type of spamming with the ASA and stop the infected traffic only?
Regards,
Siraj
09-05-2011 02:15 AM
Hello Madhu,
I have two ASA5520 firewalls with SSM10 modules in active/standby failover mode. The firewall configuration is synced automatically between the devices, but this does not happen for the IPS modules.
I would like a way to ensure the same rules and configuration are present on both IPS modules. (So in the event of a failover I can expect the same behaviour from the IPS modules.) How would I do this?
Kind regards,
Siebe
09-05-2011 02:47 PM
Hi Siebe,
In Active/Standby mode the ASA firewalls sync only the ASA configuration, not the IPS configuration. The onus of maintaining the same IPS configuration lies on the network admin. After configuring the IPS modules in the two ASAs exactly the same, any delta has to be applied on both, besides backing up the config. On a side note, the ASA will not detect or report any difference in the IPS configuration.
Thanks
Madhu
09-05-2011 02:04 PM
Hi Siraj,
I am not an ASA expert, but I believe the ESMTP inspection feature of the ASA can help in detecting attacks and spamming. Depending on the ASA version, below is an example from Cisco.com on achieving this. You may have to modify this to suit your network and the options needed.
hostname(config)# regex user1 "user1@cisco.com"
hostname(config)# regex user2 "user2@cisco.com"
hostname(config)# regex user3 "user3@cisco.com"
hostname(config)# class-map type regex senders_black_list
hostname(config-cmap)# description "Regular expressions to filter out undesired senders"
hostname(config-cmap)# match regex user1
hostname(config-cmap)# match regex user2
hostname(config-cmap)# match regex user3
hostname(config)# policy-map type inspect esmtp advanced_esmtp_map
hostname(config-pmap)# match sender-address regex class senders_black_list
hostname(config-pmap-c)# drop-connection log
hostname(config)# policy-map outside_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect esmtp advanced_esmtp_map
hostname(config)# service-policy outside_policy interface outside
More details are found on the CCO reference link http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_basic.html#wp1224614.
thanks
Madhu
09-06-2011 01:22 PM
Thanks Madhu,
Users can be anyone from the Internet subscribers.
Thanks,
Siraj