cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1014
Views
5
Helpful
4
Replies

Pre-setup questions on IPS on Cisco ASA Cluster

agent2007
Level 1
Level 1

Hello

I am looking for some guidance configuring and IPS.

I have a Cisco ASA Cluster with an IPS Module and I would like to know the best way to go about configuring it.

We have a customer who will require that their web servers be protected with the IPS Module.  I have the following questions:

1. Is it possible to install the IPS in a learning type mode to see what sort of traffic is hitting it?

2. Can you syslog the alerts? 

3. Is it possible to use snmp traps around alerting also?

4. If you put it in promiscuous mode (IDS) does this mean when you get an alert about a possible attack, an admin has to log on to the

   firewall to then block the traffic if they choose to do so?  Is it possible for an admin to block the traffic (or allow it if its

   a false positive in IPS) without having to log in to the ASDM?  If you have a scenario where you dont want to give users access to

   the firewall whats the best way to go about this?

5. is it possible to setup an alert that if its a DDOS email the alert, if its a split handshake then just syslog the alert?

6. I am nervous that if I put it in with a profile it may start blocking valid traffic.  Whats the best way to start off with IPS to protect

   a server?

7. If its possible to do syslog, what sort of detail does the syslog capture?  Does it take attack name etc?

Lots of questions!  Hopefully someone can help

thanks a mill

2 Accepted Solutions

Accepted Solutions

rhermes
Level 7
Level 7

1. Is it possible to install the IPS in a learning type mode to see what sort of traffic is hitting it?

Yes. Ther are several ways of doing this, but the easiest is to put the sensor into promiscuous mode (in the ASA config)

2. Can you syslog the alerts?

No. The cisco IPS OS does not support syslog.

3. Is it possible to use snmp traps around alerting also?

Yes. But you have to set the "action" on each signature you want to send a trap.

4.  If you put it in promiscuous mode (IDS) does this mean when you get an  alert about a possible attack, an admin has to log on to the

   firewall to then block the traffic if they choose to do so?  Is it possible for an admin to block the traffic (or allow it if its

   a false positive in IPS) without having to log in to the ASDM?  If you have a scenario where you don't want to give users access to

   the firewall whats the best way to go about this?

Typically the person(s) performing analysis of IPS events have sufficient privilege and access to make the necessary security changes to your firewall and IPS sensors. It takes time, knowledge and skill to perform IPS analysis. Most customer's do not have those resources to properly do the job you describe.

5. is it possible to setup an alert that if its a DDOS email the alert, if its a split handshake then just syslog the alert?

No syslog. You can set email alerts on a per signature basis.

6. I am nervous that if I put it in with a profile it may start blocking valid traffic.  Whats the best way to start off with IPS to protect

   a server?

Start in Promiscuous mode and see what signatures are hitting. Investigate these, tune out your false positive until you have a tight, actionable set of signatures. Then move into in-line mode.

7. If its possible to do syslog, what sort of detail does the syslog capture?  Does it take attack name etc?

No syslog.

- Bob

View solution in original post

I'm sorry to tell you, but running an IPS is a time consuming task. They do require some consistent time and attention and are not a "set and forget" type of security device. If you enable email alerts you will quickly start ignoring them (like all the other spam you receive).

If you only have a handful of sensors, I would recomend downloading the free Cisco IME manager. It will let you collect events and tune the sensor to get rid of the useless signatures that do not provide you any value.

You really will only care about signatures that fire that you need to do something about. These are called actionable signatures. Things like an internal infected host that is attempting to infect your internal network is something you want to know about and deal with as soon as possible. You can't rely on an IPS to block all hostile traffic. It takes some analysis of events to see what is going on in your network.

- Bob

View solution in original post

4 Replies 4

rhermes
Level 7
Level 7

1. Is it possible to install the IPS in a learning type mode to see what sort of traffic is hitting it?

Yes. Ther are several ways of doing this, but the easiest is to put the sensor into promiscuous mode (in the ASA config)

2. Can you syslog the alerts?

No. The cisco IPS OS does not support syslog.

3. Is it possible to use snmp traps around alerting also?

Yes. But you have to set the "action" on each signature you want to send a trap.

4.  If you put it in promiscuous mode (IDS) does this mean when you get an  alert about a possible attack, an admin has to log on to the

   firewall to then block the traffic if they choose to do so?  Is it possible for an admin to block the traffic (or allow it if its

   a false positive in IPS) without having to log in to the ASDM?  If you have a scenario where you don't want to give users access to

   the firewall whats the best way to go about this?

Typically the person(s) performing analysis of IPS events have sufficient privilege and access to make the necessary security changes to your firewall and IPS sensors. It takes time, knowledge and skill to perform IPS analysis. Most customer's do not have those resources to properly do the job you describe.

5. is it possible to setup an alert that if its a DDOS email the alert, if its a split handshake then just syslog the alert?

No syslog. You can set email alerts on a per signature basis.

6. I am nervous that if I put it in with a profile it may start blocking valid traffic.  Whats the best way to start off with IPS to protect

   a server?

Start in Promiscuous mode and see what signatures are hitting. Investigate these, tune out your false positive until you have a tight, actionable set of signatures. Then move into in-line mode.

7. If its possible to do syslog, what sort of detail does the syslog capture?  Does it take attack name etc?

No syslog.

- Bob

Hi Bob,

Thanks so much for you'r reply.

What would you think is the best way to log the IPS/IDS events?  Just email everything to a support address?  So I think putting it in to IDS and tuning could be a waste of time and energy and potentially has little value.  On a difficulty scale to get and IPS up and running (card already installed) what would you rate it at.  I would be very experienced with ASA, just have not done any cofiguration on IPS.

Many thanks

I'm sorry to tell you, but running an IPS is a time consuming task. They do require some consistent time and attention and are not a "set and forget" type of security device. If you enable email alerts you will quickly start ignoring them (like all the other spam you receive).

If you only have a handful of sensors, I would recomend downloading the free Cisco IME manager. It will let you collect events and tune the sensor to get rid of the useless signatures that do not provide you any value.

You really will only care about signatures that fire that you need to do something about. These are called actionable signatures. Things like an internal infected host that is attempting to infect your internal network is something you want to know about and deal with as soon as possible. You can't rely on an IPS to block all hostile traffic. It takes some analysis of events to see what is going on in your network.

- Bob

Thanks a lot

Review Cisco Networking for a $25 gift card