What traffic gets copied to the IPS module?

mattleayr
Level 1

We have an ASA 5585-X with an SSP-10 module installed that we are testing. The firewall's outside interface is connected to the internet and has a public address. We have CSM 4.2 installed and are sending events from the IPS to it.

After we configured the IPS module we expected to get lots of alerts for attacks originating from the internet, but we hardly see anything.

The ACL that we have on the outside interface doesn't actually allow much in, just some SMTP, HTTP, DNS and SSH.

My question is this: should the IPS see all traffic and attacks coming from the internet, or just the packets that have passed the outside ACL?

I suspect this is why we are seeing very few alerts - can anyone confirm this?

Thanks,

//\/\\\

5 Replies

jhampt20_ford
Level 1

The traffic does not automatically get copied to the IPS; you need to create an access list and class map to apply it (like QoS):

! ACL selecting the traffic to hand to the IPS module (here, everything)
access-list IPS extended permit ip any any
!
! Class map that matches that ACL
class-map global-ips
  match access-list IPS
!
! Redirect the matched traffic to the IPS module inline; if the module fails, traffic keeps flowing
policy-map global_policy
  class global-ips
    ips inline fail-open
!

Internally the traffic is passed from the firewall to the IPS module through an internal interface (a port channel on the 5585s) at the last step, just prior to the traffic exiting the firewall. This is why the IPS modules do not have a "normalizer" engine: this is already performed by the ASA prior to inspection, and the ASA normalizer is essentially the same as what is found on the IPS.

Hi,

I'm aware of that - we have the policy map configured.

We're getting very few alerts from the IPS; I was expecting more, as the outside interface has a public IP address and there are scans, probes etc. happening all the time.

Let me put my question a different way: does the IPS module ever see traffic that is DROPPED by the outside interface ACL?

If the traffic has been dropped by ASA, then IPS won't have any visibility to it.

Regards,

Sawan Gupta

Thanks for the replies.

So if there was a DoS attack occurring on the outside interface (possibly saturating our internet link) and the DoS traffic was being dropped by the ACL, the IPS would have no visibility of that?

Correct.

Regards,

Sawan Gupta
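As an added illustration (not part of the thread, and not Cisco code), the Python model below reproduces the order of operations the replies establish: the outside interface ACL is evaluated first, and only traffic it permits is matched by the MPF class and redirected to the IPS module. The outside ACL, addresses and sample flows are constructed for the example; the IPS redirect ACL is the `permit ip any any` posted above. It parses ASA-style `access-list` lines (numeric `eq` ports only) and shows that probes and a SYN flood dropped by the outside ACL never reach the IPS, which is why a tight outside ACL yields few alerts.

```python
"""Which internet-sourced flows reach the ASA's IPS module? (added example)

Models the order of operations described in the thread: interface ACL first,
then MPF class match -> 'ips inline'. ACLs, addresses and flows below are
constructed for illustration; only numeric 'eq <port>' matches are parsed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed outside-interface ACL of the kind described in the question:
# SMTP, HTTP, DNS, SSH to a few public hosts, implicit deny for everything else.
OUTSIDE_ACL = """
access-list outside_in extended permit tcp any host 203.0.113.10 eq 25
access-list outside_in extended permit tcp any host 203.0.113.10 eq 80
access-list outside_in extended permit udp any host 203.0.113.53 eq 53
access-list outside_in extended permit tcp any host 203.0.113.22 eq 22
"""

# IPS redirect ACL exactly as posted in the thread
IPS_ACL = "access-list IPS extended permit ip any any"


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one ASA address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]' lines."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue  # skip blank lines, remarks and forms this model does not cover
        action, proto = t[3], t[4]
        src, rest = _addr(t[5:])
        dst, rest = _addr(rest)
        dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def _matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ipaddress.ip_address(flow.src) not in ace.src:
        return False
    if ipaddress.ip_address(flow.dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == flow.dport


def acl_permits(aces: List[Ace], flow: Flow) -> bool:
    """First-match evaluation with the ASA's implicit deny at the end."""
    for ace in aces:
        if _matches(ace, flow):
            return ace.action == "permit"
    return False


def ips_sees(flow: Flow, outside: List[Ace], ips: List[Ace]) -> bool:
    """Interface ACL first; only permitted traffic is classified for the IPS."""
    if not acl_permits(outside, flow):
        return False  # dropped on the outside interface, never copied to the module
    return acl_permits(ips, flow)  # matched by class-map global-ips -> ips inline


def triage(flows: List[Flow], outside: List[Ace], ips: List[Ace]) -> Tuple[List[Flow], List[Flow]]:
    """Split flows into (sent to the IPS, dropped before the IPS)."""
    to_ips, dropped = [], []
    for f in flows:
        (to_ips if ips_sees(f, outside, ips) else dropped).append(f)
    return to_ips, dropped


# Constructed sample: permitted services plus the probes and a SYN flood that
# the question expected the IPS to alert on.
SAMPLE_FLOWS = [
    Flow("tcp", "198.51.100.7", "203.0.113.10", 25),   # SMTP, permitted
    Flow("tcp", "198.51.100.7", "203.0.113.10", 80),   # HTTP, permitted
    Flow("udp", "198.51.100.8", "203.0.113.53", 53),   # DNS, permitted
    Flow("tcp", "198.51.100.9", "203.0.113.10", 23),   # telnet probe, denied
    Flow("tcp", "198.51.100.9", "203.0.113.10", 445),  # SMB probe, denied
] + [Flow("tcp", f"198.51.100.{i}", "203.0.113.10", 3389) for i in range(50, 60)]  # SYN flood, denied


def demo() -> Tuple[int, int]:
    """Return (flows the IPS can alert on, flows it never sees)."""
    to_ips, dropped = triage(SAMPLE_FLOWS, parse_acl(OUTSIDE_ACL), parse_acl(IPS_ACL))
    return len(to_ips), len(dropped)


if __name__ == "__main__":
    seen, unseen = demo()
    print(f"flows sent to IPS: {seen}, flows dropped by the outside ACL: {unseen}")
```

Swapping the constructed outside ACL for a `permit ip any any` makes every sample flow reach the IPS, which is the quickest way to confirm on the model that the outside ACL, not the IPS policy, is what limits the alerts.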