cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1490
Views
4
Helpful
1
Replies
Highlighted
Beginner

IOS IPS/IDS on a BGP Peering Router?

We have a pair of BP peerings between our network and our upstream service provider.  Since the peering points are geographically distributed and we run a "cold potato" routing policy on our network we cannot guarantee symmetric routing for traffic exchanged with our upstream service provider.

Yesterday we followed the bouncing ball through the IPS/IDS setup documentation on a Cisco 2901 running 15.2(4)M3 and acting as a BGP speaking peering router at one of our peering points.  Immediately the router started throwing %IPS-6-SEND_TCP_PAK and %IPS-6-TIMEOUT_EVENT messages in the logs.  We also observed that some upstream service provider web sites became inaccessible to our users.  Turning off IPS/IDS on the 2901 restored connectivity for our users to those web sites.

Three questions:

  1. Do the default Cisco IOS IPS/IDS rules assume that the router will see both sides of each TCP session?
  2. Does the Cisco IOS IPS/IDS TCP stream reassembly assume an attack and send TCP RST frames when it doesn't see both sides of a TCP session?
  3. Should we move the Cisco IPS/IDS functionality from the BGP-speaking routers at peering points to our customer sites, as the customer sites are the only places in our network guaranteed to see both sides of a given TCP session?  (We already perform NAT on the customer site routers for that reason.)
1 REPLY 1
Highlighted

Hello Bill,

1) Yes, there are some normalizer functions on some IOS-IPS signatures that will behave like that with this scenarios (Asymetric routing not something good to any kind of security device)

2) Yes, it will close the connections, I will definetly need to look for specific actions regarding that but you could just check the IOS IPS Signature statistics  on your router , see which is the one triggering the most and then see the action configured for it (and change it if required)

3) If you cannot change that behavior then it would be safe to tell the router is not a good place to set an IPS or any other kind of firewall configuration unless you set with a weaker security policy (useless from a security standard point of view)

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Content for Community-Ad