Is it a good practice to place an IPS on the inside of the firewall or outside?

1. CS) Generally speaking, if I was deciding where to position an IPS I would always start inside the firewall vs outside the firewall. The reason is because in a layered approach to defense, it doesn't really make sense to analyze every packet from layer 2 to layer 7 only to have those packets get simply denied by policy at the firewall. Firewalls are designed to enforce a specific policy on traffic flows, so why not let that occur to filter off anything that doesn't need to be inspected anyway. That will also prevent the IPS from firing alarms on attacks that would not normally have even been permitted through the firewall (blaster packets).

2. CS) Correct. To protect the DMZ, you will generally put the IPS between the DMZ switch or vlan and the firewall. That way you ensure that all traffic going to the DMZ will go through the IPS device. This of course assumes a standard network setup.

3) This will specifically depend on the performance required at the position you need to do inspection. For instance, if you have 100 megs of DMZ traffic (from outside and inside) along with 100 megs of internal traffic, you would need an IPS capable of handling at least 200 megs of traffic.

Just to add a few more possibilities

.

The AIP-SSM with IPS software is a good answer to these types of questions dealing with placements of IPS sensors and firewalls.

The ASA is the new family of Adaptive Security Appliances which include Firewall and VPN functionality in one system.

The AIP-SSM is the Adaptive Inspection and Prevention Security Services Module. It is a hardware module that can be placed within the ASA, and can run the same IPS software as the Cisco IPS Appliances, and has almost all of the exact same functionality as the IPS Appliances, and even uses the same updates as the IPS Appliances.

So instead of deciding whether to place an IPS in front of or behind the firewall, you now have the option of placing the IPS actually within the firewall. With the AIP-SSM you can monitor all or just a portion of the traffic as it flows through the firewall (you use a service policy to decide which traffic gets sent to the AIP-SSM for IPS analysis, and can apply the policy globally to the firewall as a whole or to just one interface of the firewall). And can be configured for inline or promiscuous monitoring of the traffic.

Hello marcabal,

I have recently installed an ASA-5510 with AIP-SSM-10. It all works fine as long as I monitor the traffic in promiscuous mode. However, when I change my service-policy and change the monitoring to inline mode, after a few seconds the ASA reloads! After reloading it is back in promiscuous mode, of course. There's nothing to see in the logging.

Am I doing something wrong? I exactly followed the documentation.

Regards,

Albert Bruggeman

iSOFT Netherlands

hi charlie could u pls tell me what is the architecture difference between an IDS and IPS . PLS explain me on this . i have got a 4215 cisco IPS could u pls tell me any method by which i can downgrade it to 4.1 IDS. thank u

sebastan

Hi charlie, my question is that if i am running IPS software on my IDSM-2, when will i be able to inspect inline multiple vlans. Last time i checked we could only monitor 2 vlans.

We have a core switch and would like to monitor all internal vlans as well as the traffic going out to the internet, what is the best way to doing this?

Thanks,

Parwal

I assume you are running 5.0.x code on your IDSM.

5.0 is limited to what is called interface pairing, and with IDSM, that means you can assign each interface to sit on one specific vlan. On the IDSM, you would pair the two interfaces together and assign them to be monitored. The IDSM is now inspecting traffic traversing between the two vlans.

5.0 code has no support for what is referred to an VLAN pairing. This is a feature new to 5.1 code released last Fall. With this code on your IDSM (and that the Catalyst switch is running CAT OS), you will be able to use just one interface and make it a trunk port. You will then be able to create, in the IDSM config, pairs of vlans that define which vlans the IDSM inspects traffic between. In this way, the IDSM can sit between as many as 250 vlan pairs per physical interface (up to the performance bandwidth of the sensor).

I am looking for example diagrams/schematics on where to place the ips appliance in the network such as for example extranet, dmz, outside, etc. Also I wonder how to connect the management interface of the appliance to the corporate LAN.

Thanks

There are far too many possible network diagrams to be as specific (or general) as saying this is how to deploy on the DMZ, outside, etc. The more important piece of the puzzle is at a specific location, how can this box be put inline. That is done by either using interface pairs and treating the box as a wire between two other network devices, or vlan pairs (5.1 only) and attaching the device to a switched environment using a trunked port and having the device sit between two vlans on the switch. What kind of question were you having about the management interface? It's a copper ethernet interface and can be plugged in almost anywhere. If you are asking about what network to connect to, the first answer is always using the management network as described in the SAFE whitepaper.

The primary difference between an IPS and an IDS is that the IPS sits in the packet flow and when an attack is detected can actually deny or drop the packet. An IDS works with copies of packets and thus can't take those actions.

As to specifically downgrading a 4215, this is down by downloading the 4215 4.1.x system image from CCO:

http://www.cisco.com/cgi-bin/tablebuild.pl/ids4-app-recovr

IDS-4215-K9-sys-4.1-4-S91a.img

and then walking through the steps necessary to load it:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/hwguide/hwclipr.htm#wp200511

I have to admit, personally, I haven't heard of either of these signatures causing a problem.

First let's talk about 1330 -- are you sure that these signatures being fired are not valid? are the packets sourced from several IP addresses, and are they destined to several different IP addresses and?or does this traffic look spoofed? Do these sigs affect any other applications besides Citrix? . I would recommend some strong forensics investigations done in this area, because normal IP traffic should not cause 1330 the fire.

That being said if you are relatively sure that these signatures are benign and If the problem is isolated to Citrix I would say your best option is to use the “Event Action Filter” and specify that packets destined to my Citrix servers, matching signature 1330, and the associated sub strings should not be dropped. In general, I would not just recommend turning off 1330 because it may allow IPS evasion attacks against your network

1308.

While it's true that a firewall will modifies sequence numbers, I haven't heard that a firewall willl trigger TTL evasion type traffic. Again, you may want to use the same techniques described above to bypass the signature while potentially dangerous traffic is being investigated.

Many times when normalizer signatures fire it's because of traffic symmetry problems. Is there any chance that you have multiple data paths and your network? And that the IPS is only seeing part of a dataflow and not the entire flow?

Another suggestion that may be of value is to consider CS-MARS to do automated event log correlation for you. This makes it much more easy to determine if the signature is a false positive or a potential serious problem.

Is the security issue with moving the device from one location to another (example: classified network to non classified network)? Or with the storage of data in general? If the former, then you would have to work out some kind of replacement strategy with your account team and TAC. If the latter then you will have some issues as all IPS devices on the market have the capability to store entire packet data in some type of persistent storage.

1) Correct. 4255 and 4240 have a compact flash only (same as ASA product line) with no hard drive.

2) The compact flash is used to store everything persistent to the sensor (base OS, sensor code, compacted event store, config) when the sensor is shut down. No temporary data is stored in flash as flash has limited writes (although numerous but still limited). All temporary data is stored in memory (ram disks etc).

3) Certainly. All IDS and IPS devices have to do inspection of the packets beyond the header data. Full packet data can be stored in compact flash in various cases (produce verbose alert stored the trigger packet in the event, log attacker/victim/etc stores binary copies of all packets seen on the wire that meet the filter). All of these can be stored in compact flash.