08-28-2008 11:33 AM - edited 03-10-2019 04:16 AM
hi,
1. Can I use the default virtual sensor vs0 for the incoming traffic on all the interfaces?
2. How can I allocate interfaces to the AIP-SSM module?
3. How can I allocate interfaces to the IDSM module?
I am assuming that the interfaces assigned are the ones on which inline inspection is performed.
08-29-2008 08:43 AM
I'd encourage you to read the manual, as it explains these things in quite good detail.
Your first question:
You simply assign via the GUI which interfaces you want the vs0 to listen on. That is assuming you are speaking of an IPS/IDS appliance. If you are talking about an ASA module see the next question.
Also see:
http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/idm/dmAnEng.html
For your second question, you can qualify what traffic you wish to send to the AIP-SSM with an ACL and then use the modular policy framework to send that traffic to the module on a per interface basis.
See this link:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ssm.html#wp1050744
As for your third question, there are a couple of ways to do this depending on the configuration of your switch. See this link for more detail.
http://www.cisco.com/en/US/docs/security/ips/6.0/installation/guide/hwIntro.html#wp489653
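As an added illustration of the ACL-plus-MPF approach in the answer above (constructed here, not the poster's or Cisco's configuration), an ASA 8.0 policy that redirects DMZ traffic to the AIP-SSM; the interface name DMZ is taken from the thread, while the subnet and the ACL, class-map and policy-map names are assumptions:

```cisco
! Constructed example: IPS_DMZ_ACL, IPS_DMZ_CLASS, DMZ_POLICY and 192.0.2.0/24 are assumed names/values.
! Qualify which traffic the module should see; here everything to or from the DMZ subnet.
access-list IPS_DMZ_ACL extended permit ip any 192.0.2.0 255.255.255.0
access-list IPS_DMZ_ACL extended permit ip 192.0.2.0 255.255.255.0 any
!
class-map IPS_DMZ_CLASS
 match access-list IPS_DMZ_ACL
!
! Inline mode: the ASA holds each matching packet until the AIP-SSM returns it,
! so the trigger packet itself can be dropped (IPS behaviour).
policy-map DMZ_POLICY
 class IPS_DMZ_CLASS
  ips inline fail-close
!
! Promiscuous alternative (IDS behaviour): a copy goes to the module while the
! original is forwarded, so the trigger packet is never stopped:
!  ips promiscuous fail-open
!
! fail-close drops matched traffic while the module is down or not responding;
! fail-open forwards it uninspected. Choose this deliberately per interface,
! since fail-open turns a module failure into a silent inspection gap.
!
! Apply per interface (a global service-policy would send the same class from
! every interface to the module instead).
service-policy DMZ_POLICY interface DMZ
!
! Verification from the ASA:
! show service-policy interface DMZ
! show module 1 details
```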
08-29-2008 09:06 AM
I had read much of the referenced materials. However, I feel that the Cisco documentation on IPS leaves many gaps unlike other Cisco materials.
Thanks.
08-29-2008 09:44 AM
Did my post answer your questions? Do you have more specific questions?
08-29-2008 11:56 AM
My previous post has been answered.
Another question I have is whether inline mode is the same as inline interface pair mode. In the latter, is it a condition to define two interfaces?
08-29-2008 12:01 PM
There are two types of inline deployments, 'inline vlan pair' or 'inline interface pair'. The first one utilizes only one port on the sensor (which is trunked to the switch and can contain multiple VLANs). The second one is a 'combination' of two physical interfaces allowing the sensor to bridge traffic as it passes through these two interfaces.
Regards
Farrukh
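To make the two sensor-side inline deployments above concrete, and to show how interfaces end up assigned to vs0 (the first question in the thread), here is a constructed IPS 6.x CLI session for an appliance or IDSM; it is not the poster's configuration, the port numbers, pair name and VLAN numbers are assumptions, and lines starting with '!' are annotations rather than commands:

```cisco
! Constructed example; GigabitEthernet0/0-0/2, PAIR1, VLAN 10/20 are assumed values.
configure terminal
service interface
! --- Inline interface pair: two physical ports, the sensor bridges between them ---
physical-interfaces GigabitEthernet0/0
 admin-state enabled
 exit
physical-interfaces GigabitEthernet0/1
 admin-state enabled
 exit
inline-interfaces PAIR1
 interface1 GigabitEthernet0/0
 interface2 GigabitEthernet0/1
 exit
! --- Inline VLAN pair: one trunked port, the sensor bridges VLAN 10 <-> VLAN 20 ---
physical-interfaces GigabitEthernet0/2
 admin-state enabled
 subinterface-type inline-vlan-pair
  subinterface 1
   vlan1 10
   vlan2 20
   exit
  exit
 exit
exit
! --- Hand both inline paths to the default virtual sensor ---
service analysis-engine
virtual-sensor vs0
 logical-interface PAIR1
 physical-interface GigabitEthernet0/2 subinterface-number 1
 exit
exit
! answer "yes" at the Apply Changes? prompt, then verify:
show interfaces
```

An interface that is enabled but not assigned to a virtual sensor is not inspected at all, so checking the vs0 assignment in show interfaces (or the IDM) is the quickest way to confirm traffic is actually being inspected.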
08-29-2008 12:09 PM
Would the following configuration on AIP-SSM be called inline interface pair?
AIP-SSM
-> virtual-sensor vs0
-> physical-interface GigabitEthernet0/1
ASA
-> service-policy interface_policy interface DMZ
Rgds.
08-29-2008 12:34 PM
The AIP-SSM does not have 'both' of these modes. This is only valid for sensors/IDSM AFAIK.
The AIP is 'internally connected' to the ASA and has only two deployment modes available instead of three; here is a brief description from CCO:
#Is the AIP-SSM module to function or be deployed in promiscuous or inline mode?
* Promiscuous mode means that a copy of the data is sent to the AIP-SSM while the ASA forwards the original data on to the destination. The AIP-SSM in promiscuous mode can be considered to be an intrusion detection system (IDS). In this mode, the trigger packet (the packet that causes the alarm) can still reach the destination. Shunning can take place and stop additional packets from reaching the destination; however, the trigger packet is not stopped.
* Inline mode means that the ASA forwards the data to the AIP-SSM for inspection. If the data passes AIP-SSM inspection, the data returns to the ASA in order to continue being processed and sent to the destination. The AIP-SSM in inline mode can be considered to be an intrusion prevention system (IPS). Unlike promiscuous mode, inline mode (IPS) can actually stop the trigger packet from reaching the destination.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
Regards
Farrukh