12-30-2015 04:36 AM - edited 03-10-2019 06:31 AM
This is for AS2 traffic over HTTP/S.
Our current setup is to filter the traffic on the firewall (both inbound and outbound) with respect to IPs and ports.
But now we're on the verge of changing the settings on our firewall to Source=ANY (inbound traffic) and Destination=ANY (outbound traffic).
Now it's time to activate the IPS blade for these settings to monitor the traffic and block rogue traffic.
Could someone please help with which signatures are required for this protection?
I did look into the signature list but was not confident enough to pick out particular ones.
Also, pros and cons of changing the whitelist to "ANY" are welcome.
12-30-2015 04:53 PM
I thought AS2 had to be configured for point-to-point data exchanges, so I'm surprised you would need to change to an any/any rule.
Are you using a Firepower blade on a modern ASA? I don't think it will need too much protection beyond the defaults.
12-30-2015 08:27 PM
Thanks, Dath, for your response.
The need is that sometimes a partner's AS2 URL will be associated with a set of IPs, and each time it takes a different IP it may block the inbound/outbound communication (this is a rare condition though).
It's not any-to-any on a single rule, but Source=ANY (inbound traffic) and Destination=ANY (outbound traffic).
So I was thinking about how an IPS can play a role in monitoring this traffic.
It's a modern ASA 5540 with IPS capability.
Would you think we need to stay on the current config, or can the changes be made as I've described?
12-31-2015 02:57 PM
Wouldn't it be just as easy to create an object group for all the partners' IP addresses and allow them through as a whole?
I haven't worked with AS2 much, but as I recall, it's secured by certificates. Have I remembered correctly?
If you have a large number of partners, so that it is becoming difficult to manage or frequent rule changes are required, then I think I would change to the any/any approach and rely on the certificates to secure the access.
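An added example (not from the thread or from Cisco) of the object-group approach suggested above, written to also handle the problem the original poster raised: a partner's AS2 URL resolving to several, occasionally changing, IPs. The script resolves each partner hostname, diffs the result against the object-group currently on the firewall, and renders the ASA `object-group network` plus the two AS2 ACL lines that would replace Source=ANY / Destination=ANY. The partner names, addresses, `AS2_PARTNERS`, `OUTSIDE_IN`, `INSIDE_OUT` and the AS2 server address `192.0.2.5` are all made up; DNS answers are injected as a mapping so it runs offline (in production you would feed it `socket.getaddrinfo()` results on a schedule).

```python
"""Build an ASA object-group for AS2 partner endpoints from their hostnames.

Added example for this thread, not Cisco code. Partner names, IPs and the
object-group/ACL names are constructed. DNS resolution is injected as a
plain dict so the script runs offline; swap in socket.getaddrinfo() to
track partners whose AS2 URL resolves to several or changing addresses.
"""
import ipaddress
from typing import Dict, Iterable, List, Set

# Constructed sample: what each partner's AS2 URL resolves to right now.
# Partner B has two A records; partner C's address changed since last run.
SAMPLE_DNS: Dict[str, List[str]] = {
    "as2.partner-a.example": ["203.0.113.10"],
    "as2.partner-b.example": ["198.51.100.20", "198.51.100.21"],
    "as2.partner-c.example": ["192.0.2.40"],
}

# Constructed sample: the object-group as it exists on the firewall today.
CURRENT_GROUP: Set[str] = {"203.0.113.10", "198.51.100.20", "192.0.2.39"}


def resolve_partners(hosts: Iterable[str],
                     resolver: Dict[str, List[str]]) -> Set[str]:
    """Union of every IPv4 address the partner hostnames resolve to."""
    addrs: Set[str] = set()
    for host in hosts:
        for ip in resolver.get(host, []):
            # IPv4Address() raises on a malformed literal, so bad DNS data
            # fails loudly instead of producing a broken network-object.
            addrs.add(str(ipaddress.IPv4Address(ip)))
    return addrs


def diff_group(current: Set[str], desired: Set[str]) -> Dict[str, Set[str]]:
    """Addresses that must be added to / removed from the object-group."""
    return {"add": desired - current, "remove": current - desired}


def asa_object_group(name: str, addrs: Iterable[str]) -> List[str]:
    """Render an ASA 'object-group network' with one host entry per address."""
    lines = [f"object-group network {name}"]
    for ip in sorted(addrs, key=ipaddress.IPv4Address):
        lines.append(f" network-object host {ip}")
    return lines


def asa_as2_rules(group: str, as2_host: str, port: int = 443) -> List[str]:
    """Inbound and outbound ACL lines that confine AS2 to the partner group;
    this is the alternative to Source=ANY (in) / Destination=ANY (out)."""
    return [
        f"access-list OUTSIDE_IN extended permit tcp object-group {group} "
        f"host {as2_host} eq {port}",
        f"access-list INSIDE_OUT extended permit tcp host {as2_host} "
        f"object-group {group} eq {port}",
    ]


def build_config(resolver: Dict[str, List[str]] = SAMPLE_DNS,
                 current: Set[str] = CURRENT_GROUP) -> Dict[str, object]:
    """Resolve partners, compute the change set and render the ASA config."""
    desired = resolve_partners(resolver.keys(), resolver)
    change = diff_group(current, desired)
    config = asa_object_group("AS2_PARTNERS", desired)
    config += asa_as2_rules("AS2_PARTNERS", "192.0.2.5")  # assumed AS2 server
    return {"desired": desired, "change": change, "config": config}


if __name__ == "__main__":
    result = build_config()
    print("\n".join(result["config"]))
    print("add:", sorted(result["change"]["add"]),
          "remove:", sorted(result["change"]["remove"]))
```

Running it on the sample data shows the two new addresses to add and the stale one to remove, which is exactly the churn that pushes people toward any/any. One caveat worth keeping in mind: a list generated from DNS tracks whatever the partner's name currently resolves to, so it is a reachability aid rather than an identity check; the AS2 certificate exchange remains the control that actually authenticates the partner.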
01-01-2016 03:44 AM
Wish you a happy New Year, Dath :)
You're correct. AS2 is secured by certs. Our current setup is the same as you said. But to ease it up, we're planning an any/any rule on the firewall.
So how can IPS play a role here? (It's over HTTP/S.) Any signatures in particular to avoid DoS and rogue traffic?
01-01-2016 12:41 PM
The default configuration only triggers once the IPS is 90% confident an attack is underway.
I would stick with the default set of signatures selected. The selected set will vary as you update the IPS (make sure you update it regularly) based on the current risks in the wild.
01-02-2016 09:21 AM
Sure thing.
So in any case, is SSL/HTTPS inspection compulsory? (Just a thought from an IPS load perspective.)