VPN clients are top attackers?

Justin Westover
Level 1

I have a 5520 with an AIP-SSM-40 module. I also use the same 5520 as our terminal for VPN clients, and the odd thing is that the IDS actually sees our VPN clients as the top attackers. I do not tunnel the VPN clients into the inside interface either. The IDS shows the VPN clients connecting to services internally as a threat. I obviously want to ensure that I continue to forward the VPN traffic through to the IDS, but I would like our IDS to report actual threats, not false positives. Have any of you had problems with this, and what did you do to resolve it?

1 Reply

rhermes
Level 7

In order to make the top attacker list, your VPN clients are most likely triggering a signature falsely.

First order of business is to verify that indeed this is a false positive. Do this by investigating the signature, what it is trying to detect and verify that the VPN clients are not presenting the attack represented by this signature.

Next you need to decide if this signature is worth keeping around for the rest of your network traffic. If not, it should be retired. If it does provide some value, then create an Event Action Filter to block the signature from firing on the VPN client host IP addresses.

http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/idm/idm_event_action_rules.html#wp2136561

In order to run an IPS sensor effectively, you need to review what signatures are firing and tune your sensor accordingly.

- Bob
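
The triage Bob describes (see which signatures the VPN pool is tripping, then decide retire vs. filter) is easy to do offline against an export of the sensor's events. The script below is an added example, not code from the original thread or from Cisco: the alert lines are a constructed, simplified "sigid attacker victim" format rather than real SDEE/IME output, the VPN pool 192.168.250.0/24 is an assumed address range, and the `eaf_commands` helper emits what the IPS 7.x CLI syntax for an event action filter looks like as I remember it (`service event-action-rules` / `filters insert ... begin` / `attacker-address-range`), which you should check against the linked IDM guide before pasting into a sensor.

```python
import ipaddress
from collections import defaultdict

# Constructed sample alerts (not real sensor output).
# Format per line: <signature id> <attacker address> <victim address>
SAMPLE_ALERTS = """\
2004 192.168.250.10 10.1.1.5
2004 192.168.250.11 10.1.1.5
2004 192.168.250.12 10.1.1.20
3030 203.0.113.7 10.1.1.80
3030 198.51.100.9 10.1.1.80
5401 192.168.250.10 10.1.1.80
5401 203.0.113.7 10.1.1.80
"""

# Assumed VPN client address pool (the addresses the IDS lists as "attackers").
VPN_POOL = ipaddress.ip_network("192.168.250.0/24")


def parse_alerts(text):
    """Parse the simplified alert export into (sigid, attacker, victim) tuples."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sigid, attacker, victim = line.split()
        alerts.append((int(sigid),
                       ipaddress.ip_address(attacker),
                       ipaddress.ip_address(victim)))
    return alerts


def top_attackers(alerts):
    """Attacker addresses ranked by alert count, most active first."""
    counts = defaultdict(int)
    for _, attacker, _ in alerts:
        counts[attacker] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], int(kv[0])))


def classify_signatures(alerts, pool):
    """Per signature, split the attacker set into VPN-pool and non-VPN addresses."""
    by_sig = defaultdict(lambda: {"vpn": set(), "other": set()})
    for sigid, attacker, _ in alerts:
        bucket = "vpn" if attacker in pool else "other"
        by_sig[sigid][bucket].add(attacker)
    return by_sig


def vpn_only_signatures(by_sig):
    """Signatures that fire only on VPN-pool attackers.

    These are the ones to look at first: if investigation shows they are false
    positives and they never fire elsewhere, retiring them is the simpler fix.
    """
    return sorted(sig for sig, b in by_sig.items() if b["vpn"] and not b["other"])


def eaf_commands(sigid, pool, name):
    """Event action filter that drops the alert for one signature when the
    attacker is in the VPN pool. CLI syntax is an assumption based on the
    IPS 7.x configuration guide; verify before use.
    """
    first, last = pool[0], pool[-1]
    return [
        "service event-action-rules rules0",
        f"filters insert {name} begin",
        f"signature-id-range {sigid}",
        f"attacker-address-range {first}-{last}",
        "actions-to-remove produce-alert",
        "filter-item-status Enabled",
        "stop-on-match True",
        "exit",
        "exit",
    ]


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print("Top attackers:")
    for addr, n in top_attackers(alerts):
        tag = "VPN" if addr in VPN_POOL else "   "
        print(f"  {tag} {addr:<16} {n}")
    by_sig = classify_signatures(alerts, VPN_POOL)
    print("Per signature (vpn / other attacker counts):")
    for sig in sorted(by_sig):
        print(f"  {sig}: {len(by_sig[sig]['vpn'])} / {len(by_sig[sig]['other'])}")
    print("VPN-only signatures:", vpn_only_signatures(by_sig))
    for sig in vpn_only_signatures(by_sig):
        print("\n".join(eaf_commands(sig, VPN_POOL, f"vpn-{sig}")))
```

Two points worth noting. First, the filter is scoped to one signature ID plus the VPN attacker range, not to the VPN range alone; a blanket filter on the pool would also hide a genuinely compromised VPN client hitting internal services. Second, a signature that fires on both VPN and non-VPN sources (5401 in the sample) is exactly the "still provides value" case: keep it, and filter only the VPN range after you have confirmed the VPN hits are benign.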