Cisco IPS & ASA design

Hello,

I have several questions about the integration of Cisco ASA 5500 and IPS 4200 devices in my system.

I tried to read everything about the subject but I have to design something quickly and I need several answers as fast as possible:

Concerning Cisco IPS 4200:

- Is there a failover mechanism (active/active or active/passive) in the Cisco IPS 4200 devices (as it is done with ASA)?

- What is exactly the "hardware bypass"? The Cisco glossary says: "Passes traffic at the network interface, does not pass it to the IPS system." but I am not sure about how I must understand it...

- How can I use an IPS 4260 which has only one monitoring interface by default? (on a switch with a mirroring interface, etc?)

- If I understand correctly, the "Standard command and control interface" should not be connected directly to the audited system? What exactly is the purpose of this interface and how should I use it in a production environment?

My next question concerns the usage of an IPS (e.g. 4240) in such configuration (figure1)

figure1.jpg

There are two chains: an active and a passive one, because there must be no SPOF. So when one unit of the active chain fails, the passive chain takes over from the active one. The ASAs are in an active/passive configuration. The thing is that the routers on the right side use the HSRP protocol. The questions are:

- can the two 4240 let the HSRP traffic pass between the routers or should I use intermediary switches?

- In such a configuration (promiscuous IDS), the 4240 is transparent, am I right? Is there an IP address on each interface or has it only one monitoring IP@?

Secondly (in figure2) I need to let multicast traffic transit through the ASA 5510 as shown below. I've read that the ASA can act as an IGMP proxy (forward the IGMP packets), is that right? And can I use it so that the ASA doesn't handle the multicast traffic as a router but simply transits the multicast packets without enabling multicast routing? If yes, are there any constraints (use the ASA in transparent mode, etc.)?

figure2.jpg

Thanks for the time you’ll take!

Florent

10 Replies

bdalson
Level 1

My first question is why don't you use an AIP-SSM module in the ASA 5510s?  The AIP-SSM module is a cheaper and simpler IPS solution to implement unless you specifically need to use a separate sensor.  The only reason I see to use a separate sensor in this case is that an SSM can't handle the bandwidth requirements (the ASA5510 will be more limiting than an AIP-SSM-20 so the sensor needs to be monitoring traffic that is not passing the firewall).

-There is no built-in failover mechanism for the IPS 4200 appliances.  Both sensors would be working independently at all times, even the AIP-SSM modules.

-Hardware bypass is a hardware based failure mechanism where inline interfaces will continue to relay traffic if there is a sensor failure.  This is a newer feature on the 4260 and 4270 models only and applies to specific interface combinations only.  There is also the fail-open and fail-close software features which do similar functions.

-The IPS 4260 can take additional interfaces if needed.  You would either need a switch or an additional interface to use the IPS 4260 in the scenario you've outlined.  

-The command and control interface is used strictly for managing the appliance.  This interface should be in an out-of-band or secured management network.  The interface cannot be used to monitor traffic and shouldn't be in any unsecured network.  The monitoring interfaces cannot be used to manage the appliance.

-You'll need a switch to make HSRP work in this scenario.

-In promiscuous mode the sensor is only listening (IDS) and doesn't affect the traffic unless the sensor has been set up to shun with another device.  The monitoring interfaces have no IP addresses as they are never a host or destination.  The command and control interface has the IP address and communicates with other devices for shun.  "Transparent" is firewall terminology and doesn't really apply to IPS/IDS other than that the traffic shouldn't know about the sensor, except in the case of inline deny (in other words IPS is always transparent regardless of whether it inspects layer 2 or layer 3 traffic).

-Yes, the ASA can act as an IGMP proxy.  The multicast-routing command is used to enable IGMP proxy or any layer 3 multicast features.  Transparent means layer 2 only so IGMP proxy is layer 3 and requires routing.  A firewall in transparent mode can be setup to pass multicast traffic.  The ASA is setup as either transparent (L2) or routed (L3) for all contexts and cannot be mixed.  My guess is that you want it using routed mode as transparent mode isn't normally used to filter internet traffic.  

Here are some links that should answer most of your questions...

ASA Multicasting: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_multicast.html

ASA CLI configuration guide: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/config.html

IPS Device Manager configuration guide: http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/IDMGuide7_0.pdf

AIP-SSM datasheets: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/data_sheet_c78-459036_ps6120_Products_Data_Sheet.html

HTH
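
As an added example, not from the thread, of the IGMP-proxy arrangement described in the answer above: an ASA 5510 in routed mode doing stub multicast forwarding, where the ASA relays IGMP joins from the inside hosts toward the upstream router instead of running PIM itself (multicast-routing is still required, and this is not available in transparent mode). Interface names, addresses, the group and the UDP port are constructed for illustration; the access-list line reflects that multicast data arriving on outside still has to be permitted like any other inbound traffic.

```text
! ASA 8.2, routed mode. Enables the multicast code path; PIM is then on by default
! on every interface, so it is switched off below to keep the ASA a pure IGMP proxy.
multicast-routing
!
! Interface toward the multicast source / upstream multicast router (constructed values)
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
 no pim
!
! Interface where the receivers live. "igmp forward interface outside" relays the
! IGMP membership reports heard here out of the outside interface, so the upstream
! router sees the ASA's inside hosts as members without the ASA routing multicast.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 no pim
 igmp forward interface outside
!
! The multicast data itself enters on outside and is subject to that interface's ACL:
! permit only the group and port the application actually uses (constructed values).
access-list outside_in extended permit udp any host 239.1.1.1 eq 5004
access-group outside_in in interface outside
```

Verify with "show igmp groups" on the ASA (the forwarded joins appear there) and "show mroute" on the upstream router.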


First of all, thanks for having taken the time to answer my post! I thought it had been "thrown into obscurity" (a French expression...).

My first question is why don't you use an AIP-SSM module in the ASA 5510s?  The AIP-SSM module is a cheaper and simpler IPS solution to implement unless you specifically need to use a separate sensor.  The only reason I see to use a separate sensor in this case is that an SSM can't handle the bandwidth requirements (the ASA5510 will be more limiting than an AIP-SSM-20 so the sensor needs to be monitoring traffic that is not passing the firewall).

Your question is totally relevant. I need 7 network interfaces in my 5510, so I will use a 4GE SSM that will take all the space in the unit. That's why I need an external IDS. But suppose I use an AIP-SSM:

- Can I use it as an IDS (promiscuous)?

- What is the purpose of the network interface on the AIP-SSM? For management purposes? Is it mandatory or can I manage the AIP-SSM through the firewall?

-There is no built-in failover mechanism for the IPS 4200 appliances.  Both sensors would be working independently at all times, even the AIP-SSM modules.


That's what I thought, thanks for the precision.

-Hardware bypass is a hardware based failure mechanism where inline interfaces will continue to relay traffic if there is a sensor failure.  This is a newer feature on the 4260 and 4270 models only and applies to specific interface combinations only.  There is also the fail-open and fail-close software features which do similar functions.

Ok, the interfaces will continue to relay the traffic. But even if there is a power malfunction? By sensor failure, you mean a "software" failure, with the unit still powered on... yes?

-The IPS 4260 can take additional interfaces if needed.  You would either need a switch or an additional interface to use the IPS 4260 in the scenario you've outlined.  

I will certainly use additional interfaces using 4-port copper interface cards. I was only surprised to see only one sensing port by default. But I saw a design (http://www.networkworld.com/community/node/18384) where they're using a 4260 in inline mode with only one interface...

-The command and control interface is used strictly for managing the appliance.  This interface should be in an out of band or secured management network.  The interface cannot be used to monitor traffic and shouldn't be in any unsecured network.  The monitoring interfaces cannot be used to manage the appliance.  

Ok, that's now clear in my head. But (same question as above), can I manage the IDS by a monitoring port? (Apparently not, because later you say that it hasn't an IP@...)

What about the events generated by the IDS (intrusion, attacks...)? Can I use and receive them on my supervision server? Or must I use the MARS software (or any Cisco software)? Is the IDS able to send SNMP traps or Syslog messages concerning its activity? If yes, which network interface will it use (a monitoring interface or the management interface)?

So I cannot connect the monitoring interface on the same network the sensor interfaces are connected to?

-You'll need a switch to make HSRP work in this scenario.

I agree. Anyway it is not the function of an IDS...

Can I use the IDS in such a configuration (promiscuous): the ASA has a mirroring port to the IDS and the IDS sends "alarms" (SNMP traps/Syslog) through the management interface?

design.jpg

or this configuration with two stacked C3750 (same principle):

design2.jpg

-In promiscuous mode the sensor is only listening (IDS) and doesn't affect the traffic unless the sensor has been set up to shun with another device.  The monitoring interfaces have no IP addresses as they are never a host or destination.  The command and control interface has the IP address and communicates with other devices for shun.  "Transparent" is firewall terminology and doesn't really apply to IPS/IDS other than that the traffic shouldn't know about the sensor, except in the case of inline deny (in other words IPS is always transparent regardless of whether it inspects layer 2 or layer 3 traffic).

Ok, so:

- even in inline mode, the IPS is "transparent" from a network point of view. It is never used as a gateway (next hop), yes?

- the IPS has no IP routing capacity, yes?

Maybe it isn't the right forum for asking these, but may I ask 2 questions:

- Can I use 1000BASE-T SFP modules in the ASA 5550 SFPs? (http://www.securemart.com/SM10159042?pcode=2&utm_source=Shopping&utm_medium=cse&utm_campaign=PPC)

- If yes, can I use the 12 ports (8 Gb + 4 SFPs) simultaneously? I've read in the "Cisco ASA 5500 Series Getting Started Guide" that maximum throughput is obtained when traffic flows from Bus 0 to Bus 1. But what is the max throughput if the incoming and outgoing traffic comes and goes through the same slot/bus? (end of chapter 2)

Thanks for the useful links concerning the multicast.

Again, thank you for the time you'll take,

Regards,

Florent

My first question is why don't you use an AIP-SSM module in the ASA 5510s?  The AIP-SSM module is a cheaper and simpler IPS solution to implement unless you specifically need to use a separate sensor.  The only reason I see to use a separate sensor in this case is that an SSM can't handle the bandwidth requirements (the ASA5510 will be more limiting than an AIP-SSM-20 so the sensor needs to be monitoring traffic that is not passing the firewall).

Your question is totally relevant. I need 7 network interfaces in my 5510, so I will use a 4GE SSM that will take all the space in the unit. That's why I need an external IDS. But consider I use an AIP-SSM

- Can I use it as an IDS (promiscuous)?

- What is the purpose of the network interface on the AIP-SSM? For management purposes? Is it mandatory or can I manage the AIP-SSM through the firewall?

Yes the AIP-SSM can be used in promiscuous only mode.

The NIC in the AIP-SSM is for management only.  The AIP-SSM can be managed from the ASA using the session command, but the IDM, IME and CSM management tools all require the management interface.  Auto signature/software updates, NTP, global correlation and many other features require the management interface.  In general the primary method of managing and configuring is done using IDM, IME or CSM.  IDM is included and IME is free.  IPS is not easy to manage from the command line.  I gave you some links for IME and CSM below.

Hardware bypass works even if the unit loses power.

What about the events generated by the IDS (intrusion, attacks...)? Can I use and receive them on my supervision server? Or must I use the MARS software (or any Cisco software)? Is the IDS able to send SNMP traps or Syslog messages concerning its activity? If yes, which network interface will it use (a monitoring interface or the management interface)?

The IPS software supports SNMP traps based on fired signatures but each signature must be configured to send a trap.  Syslog is not supported on the appliance but can be setup on the ASA/AIP-SSM.  I like IME (IPS Manager Express) for small environments (1-10 sensors) and CSM (Cisco Security Manager) and MARS for large environments (10+ sensors). IME can be configured to send email notification on alerts.

So I cannot connect the monitoring interface on the same network the sensor interfaces are connected to?

I think you meant connecting a monitoring interface to the same network as the management is connected to.  Yes, you can monitor the management network.

Can I use the IDS in such a configuration (promiscuous): the ASA has a mirroring port to the IDS and the IDS sends "alarms" (SNMP traps/Syslog) through the management interface?

The ASA5510 does not offer mirror or span port functionality.  IPS appliances are generally attached to switches as in your 2nd diagram with the stacked 3750s.  Also you need to consider which side of the firewall you are monitoring.  Most people want to see only the attacks that have gotten through the firewall or are happening inside the firewall, so the sensor would be placed on the inside or on the LAN side of your diagram.  For instance, if you place a sensor outside of a firewall attached to the internet you will get millions of false alarms because there are so many automated attacks on the internet which your firewall will block by default.  The sensor won't be able to keep up and it will be challenging to tune the sensor.

Ok, so:

- even in inline mode, the IPS is "transparent" from a network point of view. It is never used as a gateway (next hop), yes?

- the IPS has no IP routing capacity, yes?

Both of these statements are correct.  An IPS sensor doesn't route or appear as a routing hop.  The end point devices have no way of knowing that their communications were monitored.

- Can I use 1000BASE-T SFP modules in the ASA 5550 SFPs? (http://www.securemart.com/SM10159042?pcode=2&utm_source=Shopping&utm_medium=cse&utm_campaign=PPC)

- If yes can I use the 12 ports (8 Gb + 4 SFPs) simultaneously? I've read in the "Cisco ASA 5500 Series Getting Started Guide" that maximum throughput is got when traffic flows from Bus 0 to Bus 1. But what is the max throughput if the incoming and outgoing traffic comes and goes through the same slot/bus? (end of chapter 2)

Never worked on an ASA5550 but according to the datasheet only 8 interfaces can be in service at any time.  You would never need to use the 1000BASE-T SFP but it would probably work if you tried.  No idea on the maximum throughput question.  You could call Cisco presales support.

Again, thank you for the time you'll take,

Glad to be of assistance.

Brent
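
An added configuration sketch, not from the thread, for the design2 arrangement confirmed above (stacked 3750s feeding an IPS 4260 sensing port in promiscuous mode) together with the SNMP trap behaviour described: traps are configured per signature and leave through the command-and-control interface. Switch port numbers, the sensor interface, the trap receiver address/community and signature 2004 (ICMP Echo Request, atomic-ip engine) are assumed for illustration; the IPS 7.0 CLI prompts are shown as the sensor prints them.

```text
! --- Catalyst 3750 stack: local SPAN. Gi1/0/1 is the port facing the ASA inside
!     interface; Gi1/0/24 is where the sensor's sensing port is plugged in.
!     The destination port carries copies only, it is not a usable host port.
monitor session 1 source interface GigabitEthernet1/0/1 both
monitor session 1 destination interface GigabitEthernet1/0/24

! --- IPS 4260, IPS 7.0 CLI: bring up the sensing port (no IP address is ever
!     assigned to it) and hand it to the default virtual sensor vs0 in promiscuous mode.
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/1
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes?[yes]: yes
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface GigabitEthernet0/1
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes?[yes]: yes

! --- Trap receiver: reached via the command-and-control interface, so the
!     supervision server must be routable from the management network.
sensor(config)# service notification
sensor(config-not)# trap-destinations 10.10.10.50
sensor(config-not-tra)# trap-community-name ipsTrapsOnly
sensor(config-not-tra)# exit
sensor(config-not)# enable-notifications true
sensor(config-not)# exit
Apply Changes?[yes]: yes

! --- Per-signature: add request-snmp-trap to the event actions of each signature
!     that should trap (here 2004/0, ICMP Echo Request, as an illustration).
sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures 2004 0
sensor(config-sig-sig)# engine atomic-ip
sensor(config-sig-sig-ato)# event-action produce-alert|request-snmp-trap
sensor(config-sig-sig-ato)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes?[yes]: yes
```

"show interfaces" on the sensor should then report the sensing port receiving packets, and "show events alert" the alerts that the trap receiver is also getting.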

Yes the AIP-SSM can be used in promiscuous only mode

Promiscuous only? Not IPS?

The nic in the AIP-SSM is for management only.  The AIP-SSM can be managed from the ASA using the session command, but IDM, IME and CSM management tools all require the management interface.  Auto signature/software updates, NTP, global correlation and many other features require the management interface.  In general the primary method of managing and configuring is done using IDM, IME or CSM.  IDM is included and IME is free.  IPS is not easy to manage from the command line.  I gave you some links for IME and CSM below.

Okay, so the use of the command & control interface is mandatory to manage the IPS 4200, right?

So I cannot connect the monitoring interface on the same network the sensor interfaces are connected to?

I think you meant connecting a monitoring interface to the same network as the management is connected to.  Yes, you can monitor the management network.

No I meant exactly the opposite! Can I connect the command & control interface on the same network I am monitoring?

The ASA5510 does not offer mirror or span port functionality.  IPS appliances are generally attached to switches as in your 2nd diagram with the stacked 3750s.  Also you need to consider which side of the firewall you are monitoring.  Most people want to see only the attacks that have gotten through the firewall or are happening inside the firewall, so the sensor would be placed on the inside or on the LAN side of your diagram.  For instance, if you place a sensor outside of a firewall attached to the internet you will get millions of false alarms because there are so many automated attacks on the internet which your firewall will block by default.  The sensor won't be able to keep up and it will be challenging to tune the sensor.

2 remarks about your comment:

- In the ASA Command Reference Guide the "switchport monitor" command is described. So this command is only available on the 5505? Won't it be available on the 4GE SSM card in a 5510?

- Concerning the design (WAN -> Firewall -> IDS -> LAN) I agree with you.

Never worked on an ASA5550 but according to the datasheet only 8 interfaces can be in service at any time.  You would never need to use the 1000BASE-T SFP but it would probably work if you tried.  No idea on the maximum thruput question.  You could call Cisco presales support.

Apparently only fiber SFPs are supported (http://www.cisco.com/en/US/docs/security/asa/asa82/getting_started/asa5500/quick/guide/inst5550.html#wp1041205)...

Regards,

Florent

The AIP-SSM can be used in either Promiscuous (IDS) or inline (IPS) modes.

The AIP-SSM management interface is not technically mandatory, as everything can be configured from the command line using the session command from the ASA; however, the management interface adds much to the capabilities and manageability of a sensor.  I consider the management interface a must have unless there are special deployment requirements that won't allow for the use of a management interface.

Yes the management interface can be connected to a monitored network, however the network that the management interface connects to should be secure.

- In the ASA Command Reference Guide the "switchport monitor" command is described. So this command is only available on the 5505? Won't it be available on the 4GE SSM card in a 5510?

The switchport monitor command is a special case for the ASA5505 because it has an 8-port switch built into the device.  There is an internal firewall interface that connects to the built-in switch.  The switch portion of the ASA5505 can have a span port.  No other ASA appliance has a switch built in or supports span ports.

Thanks for these precisions! I have now a better overall view of the Cisco ASA/IPS solution!

Florent

Also forgot to mention that there are a couple of tricks to get more interfaces out of the base firewall.  The management interface can be used as the stateful failover interface if you use the inside interface for management (that was how the PIX used to work).  The ASA5510 supports 50 VLAN interfaces so you can connect 1 port to a switch with a trunk and 1 physical firewall interface can act like many virtual interfaces.  Obviously there are security considerations to be aware of if you try either of these tricks but firewall interfaces are expensive.  You may be able to go with the AIP-SSM if you get creative with the design.
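
The two interface-saving tricks mentioned above, as an added example that is not from the thread: ASA 5510 dot1q subinterfaces on a single trunked port, and Management0/0 repurposed as the LAN and stateful failover link (this assumes management-only has to be removed from that port first). VLAN numbers, names and addresses are constructed; on the switch side the trunk is pruned to only the firewall VLANs and DTP negotiation is disabled, which addresses the main security consideration of trunking into a firewall.

```text
! --- ASA 5510: the physical port carries the trunk and gets no name or address itself
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
! One subinterface per VLAN; each behaves as a separate firewall interface with
! its own nameif/security-level, so ACLs and NAT apply per VLAN as usual.
interface Ethernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
interface Ethernet0/1.20
 vlan 20
 nameif dmz
 security-level 50
 ip address 10.0.20.1 255.255.255.0
!
! --- Management0/0 reused as the failover link (assumption: management-only must
!     be cleared). The inside interface is then used for management access instead.
interface Management0/0
 no management-only
!
failover
failover lan unit primary
failover lan interface folink Management0/0
failover link folink Management0/0
failover interface ip folink 192.168.255.1 255.255.255.252 standby 192.168.255.2
!
! --- Catalyst 3750 port facing Ethernet0/1: static trunk, only the firewall VLANs,
!     no DTP so a misconfigured or malicious peer cannot negotiate the trunk.
interface GigabitEthernet1/0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
```

Check with "show interface ip brief" on the ASA that each subinterface is up and "show failover" that the link over Management0/0 is healthy.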

Hi All,

What is the best practice when it comes to placing the IPS: is it before or after the firewall (i.e. before: Internet - IPS - Firewall - LAN, or after: Internet - Firewall - IPS - LAN)? Please throw in some of your thoughts and, if possible, some explanation.

Thanks in advance,

We addressed IPS placement earlier in the thread:

For instance, if you place a sensor outside of a firewall attached to the internet you will get millions of false alarms because there are so many automated attacks on the internet which your firewall will block by default.  The sensor won't be able to keep up and it will be challenging to tune the sensor.

The most common placement is inside the firewall.  Technically you can monitor anywhere you want and there are valid reasons for monitoring outside of the firewall, but doing so is somewhat less common.  To clarify, "inside" the firewall means after passing an access list into any screened subnet.  So you would want to monitor in any perimeter (DMZ) or screened subnet that sits behind a firewall access list.  With the ASA/AIP-SSM combination it's common to send global traffic (traffic from all interfaces) to the AIP-SSM for inspection; however, the ASA engine only sends traffic after it has passed the ACLs applied to the interfaces.  Effectively this is like placing the sensor "inside" the firewall.  One great aspect of the AIP-SSM is that you can monitor all the networks the firewall is connected to with one internal interface between the ASA and AIP-SSM.  With an IPS 4200 appliance you need a physical or virtual (VLAN) interface (2 in inline mode) for each network that needs to be monitored.  Of course there are times when you need the extra physical interfaces available on the appliances.
