IPS Signature Updates with no Internet Access

Hi all,

I've got a bit of an interesting dilemma that I'm hoping someone could help with. I have two distinct networks: a "regular" network, along with a "secure" network. I've not been involved in the setup/configuration, but I've been handed some work to do now that has me puzzled.

The two networks are separated by a pair of ASA devices with IPS modules installed. User access to the secure side works by using the Cisco VPN client, terminating on the ASAs, and once connected, applications are delivered via Citrix. Management of the ASAs involves connecting via a management VPN to the "external" ASA interface, connecting to a management server via Citrix and, from there, managing via MARS, ASDM and IME.

My issue is that I have been asked to configure auto-updates for the IPS modules. However, there is no internet access from the secure network. Servers on the secure side can request files, etc., from the regular side, but no direct access can be initiated from the regular side back to the secure network. There are no ASA devices that are contactable/manageable from the regular side.

I've read that it's possible to somehow download updates from cisco.com via FTP or similar, but I fail to see how I can automate the process. What I originally thought to do was to install another copy of IME on the regular network, set up a dummy device and then configure auto-updates there, but unfortunately the IPS needs to be contactable for that to work.

Can anybody think of a solution that could make this work for me?

3 REPLIES

Cisco Employee

You can configure a local server (FTP or HTTP server) to download the signature update from cisco.com, and the IPS sensor then auto-updates from your local server.

Here is more information on that for your reference:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_sensor_management.html#wp2016040

Hi Jennifer,

Thanks for that, but the instructions in that document appear to be related to updating a sensor from an FTP server where the updates have already been copied to it.

I have searched and searched, but I'm unable to locate the relevant location to download the signatures direct via FTP/SCP. I have attempted to locate them on ftp.cisco.com, but with no luck.

Regards,

James

Cisco Employee

Yes, that is correct. You would still need to download the signature to your local server; you can configure your local server to check the cisco.com site with a script. There is no way to FTP directly from cisco.com for the signature update.
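The two replies above describe the split: a script on a host with cisco.com access fetches the signature package and stages it on a local FTP/HTTP server, and the sensor's auto-update is pointed at that server (per the linked sensor-management guide). The staging half of that is the part nobody spells out in the thread, so here is an added example of it. This is not Cisco's code or anything from the thread. Assumptions, labelled in the code as well: the upstream listing is a plain-text file with one filename per line at a URL you supply, each package has a sidecar `<name>.sha256` next to it, and package names follow the `IPS-sig-S<signature>-req-E<engine>.pkg` pattern. The listing URL and the sidecar hash file are stand-ins for whatever source you actually download from; the hash check is there so a tampered or truncated download never lands in the directory the sensor pulls from.

```python
#!/usr/bin/env python3
"""Stage Cisco IPS signature packages on a local FTP/HTTP server.

Added example for this thread, not Cisco's code. Assumptions (labelled):
  - the upstream listing URL and the sidecar <name>.sha256 files are
    hypothetical; adapt them to the source you actually use
  - package filenames follow IPS-sig-S<signature>-req-E<engine>.pkg
"""
import hashlib
import os
import re
import tempfile
import urllib.request

# Assumed filename pattern for signature update packages.
PKG_RE = re.compile(r"^IPS-sig-S(?P<sig>\d+)-req-E(?P<eng>\d+)\.pkg$")


def parse_version(filename):
    """Return (signature_level, engine_level), or None if not a signature package."""
    m = PKG_RE.match(filename)
    if not m:
        return None
    return int(m.group("sig")), int(m.group("eng"))


def newest_package(filenames, engine):
    """Highest signature level among packages built for the given engine level.

    Packages for a different engine level are skipped: the sensor would reject
    them, and staging one would just make the auto-update fail every run.
    """
    best = None
    for name in filenames:
        v = parse_version(name)
        if v is None or v[1] != engine:
            continue
        if best is None or v[0] > best[1]:
            best = (name, v[0])
    return best[0] if best else None


def sha256_of(data):
    return hashlib.sha256(data).hexdigest()


def stage_package(name, data, expected_sha256, stage_dir):
    """Verify the package hash, then atomically place it in the served directory.

    Returns "staged" or "exists"; raises ValueError on a hash mismatch.
    Writing to a temp file and renaming means the sensor can never fetch a
    half-written package.
    """
    dest = os.path.join(stage_dir, name)
    if os.path.exists(dest):
        with open(dest, "rb") as f:
            if sha256_of(f.read()) == expected_sha256.lower():
                return "exists"
    actual = sha256_of(data)
    if actual != expected_sha256.lower():
        raise ValueError(f"hash mismatch for {name}: {actual} != {expected_sha256}")
    fd, tmp = tempfile.mkstemp(dir=stage_dir, prefix=".tmp-")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.replace(tmp, dest)
    return "staged"


def http_fetch(url):
    with urllib.request.urlopen(url, timeout=60) as r:
        return r.read()


def sync(listing_url, engine, stage_dir, fetch=http_fetch):
    """One sync run: read the listing, pick the newest package, stage it.

    `fetch` is injectable so the logic can be exercised without network access.
    Assumes a plain-text listing (one filename per line) and, next to each
    package, a hypothetical <name>.sha256 file whose first token is the digest.
    """
    listing = fetch(listing_url).decode().split()
    name = newest_package(listing, engine)
    if name is None:
        return None, "no-package"
    base = listing_url.rsplit("/", 1)[0]
    expected = fetch(f"{base}/{name}.sha256").decode().split()[0]
    data = fetch(f"{base}/{name}")
    return name, stage_package(name, data, expected, stage_dir)


if __name__ == "__main__":
    import sys
    # usage: stage_sigs.py <listing-url> <engine-level> <served-directory>
    print(sync(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```

Run it from cron on the host that can reach cisco.com, with the served directory being the FTP/HTTP document root the sensor is configured to pull from. That keeps the traffic direction the question requires: nothing on the regular side initiates a connection toward the secure network; the sensor (or a secure-side relay host) pulls from the staged directory on its own schedule.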
