cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2642
Views
18
Helpful
65
Replies

ASK THE EXPERT – INTRUSION PREVENTION SYSTEMS

ciscomoderator
Community Manager
Community Manager

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Charlie Stokes about Intrusion Prevention Systems. Charlie works as an Intrusion Prevention Systems (IPS) technical marketing engineer and has been a network security specialist for over eight years. Charlie came to Cisco as part of the Wheelgroup acquisition in 1998 that brought Intrusion Detection Systems (IDS) technology into Cisco. After the acquisition, he worked in the Technical Assistance Center (TAC) for two years covering the Security and VPN products. Since 2000, Charlie has been covering IDS/IPS products as the lead technical marketing engineer.

 

Remember to use the rating system to let Charlie know if you have received an adequate response.

 

Charlie might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through February 10, 2006. Visit this forum often to view responses to your questions and the questions of other community members.

65 Replies 65

jarhead354
Level 1
Level 1

Charlie,

I have 2 4255s installed at 2 sites inline with pix firewalls (between the inside interface and the switch). I want to block all P2P file sharing but my question is about Bittorrent connections.

I configured signatures 11020, 11030, and 11031 to block attacker inline but swap attacker victim. I did this so that the external and not the internal IP addresses were added as active host blocks. Additionally, I have those 3 signatures configured to deny connection inline and deny packet inline (and alert). Probably overkill but that's how I have it.

My problem is that it looks like Bittorrent connections are still getting through the 4255s. The reason for my suspicion is I'm seeing lots of response connections being blocked inbound at the pix external interface.

Some additional information - for Bittorrent connections, MARS shows the green "S" in a circle which means that MARS interprets these as system false positives.

Also, many (but not all) of the blocked return connections have a source port of 6881 but all have a destination port of 60235.

I know the inbound block connections are caused by the Bittorrent outbound connections since they ONLY occur when outbound Bittorrent activity exists. The graph in MARS verifies this and they taper off over time.

Any ideas on this would be appreciated.

Thanks,

Frank C.

stevew
Level 1
Level 1

Hi Charlie,

I am looking to get a higher volume of data through my IDS’s. It has been suggested by our Cisco engineer that we consider using EtherChanel load balancing to get a greater throughput than 1Gb. My questions have to do with aggregating several sources of information into the EtherChanel load balancer and being able to parse that data out later.

How easy/difficult would it be to use the IPS’s capability to manage the data flow on several different gateways and keep each gateway’s (vlan pair) data separate (separately reportable) if the separate vlan pairs are trunked to the Etherchanel?

Using Etherchanel load balancing, how would you shun on one device versus another or do you have to apply the same rules to all shunning devices?

Can you discuss any future plans, if any, to provide a virtual IDS/IPS appliance kind of like the FWSM for firewalls?

Say you have a 3 vlans you want to do IPS inspection on (1,2, and 3) and that you connected those vlans into the network using new vlans (11, 21 and 31) where 1 is bridged to 11 and 2 to 21 and 3 to 31 using IPS. Now if you had 4 sensors that were all grouped together into an Etherchannel group, and were all configured to watch the same sets of vlan pairs (1<->11, 2<->21, 3<->31), then the events that comes off the group would all have the vlan information in the event itself and those events could be sorted by this vlan information. So regardless of the sensor, if the vlan pair information was 1<->11, then the event came from that pair.

EcLB for devices in an Etherchannel changes somewhat since only one sensor can actually control a network device at the same time (at the same ACL inspection point). So if you had 4 sensors that you wanted to use to shun on one router, you would need to take advantage of the Master Blocking Sensor functionality. As to makeing changes across multiple devices, that is done automatically and it is global and applied to all configured blocking points (network devices).

Not real sure about virtual IPS appliances. If you are referring to modules that do IPS, the IDSMv2 does IPS today using either 5.0 or 5.1 code. If you are asking about virtualized configuration support as first showed up in FWSM but is part of all Pix 7.0, ASA 7.0 and FWSM devices today, then that is on the committed roadmap for the future. Specific dates I can't release on this forum, but feel free to ping your account team about this question.

ovt
Level 4
Level 4

Hi Charlie,

I've asked this question in the previous "Ask the expert" session (ASA 5500), but got no replay.

This is about ASA/SSM packets processing. Does SSM receives post-nat or pre-nat packets? When (in the packets processing path) does ASA send packets to the SSM?

Documentation is very unclear here: "The security appliance diverts packets to the AIP SSM just before the packet exits the egress interface or before VPN encryption occurs, if configured) and after other firewall policies are applied."

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/ids.htm#wp1050693

On ther other hand the same documentation says that IPS is the "ingress feature if the policy-map is applied globally and bidirectional if the policy-map is applied to an interface".

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/mpc.htm#wp1083060

Clearly the step by step descritpion of packets processing is needed for a) traffic going from the inside to the outside with NAT configured and b) for packets returning from the outside to the inside.

a.kiprawih
Level 7
Level 7

Hi Charlie,

I just replaced 6 of my IDS appliances (4215+4235) with IPS4240. I've upgraded all units from ver 5.0 to 5.1.

With IDS appliances, I am using SPAN/port mirroring to capture the traffic. With IPS4240, I can use either promiscuous mode or inline mode.

Basically, the IPS will replace the IDS exactly in the same spot in my network. I plan to use inline mode instead of promiscuous mode to force all traffics to pass through the box.

In one of of my segment, I have PIX535 DMZ interface connected directly to my DMZ switch via GE port (fiber). But with IPS4240, I can't position the unit between the PIX and my DMZ switch as it only has 4 x Copper ports.

Question:

How do I enable traffic to pass through my IPS without using any UTP-to-fiber converter?

I noticed there is a feature called "Vlan Pair", and basically I understand its functionality. But how do I exactly implement this in my DMZ segment?

Currently, all my DMZ servers are connected to one VLAN, and my DMZ switch is running in Layer-2 mode.

Can you assist me on the configuration (switch-end and if I were to create another VLAN just to facilitate the IPS inline inspection in this switch?

Thank you.

AK

With IDS appliances, I am using SPAN/port mirroring to capture the traffic. With IPS4240, I can use either promiscuous mode or inline mode.

CS> The capabilities of a Cisco appliance (4215/4235/4240) are more dependant on code version than product type. All are IDS appliances when running 4.1 and all can be either IPS or IDS or both when running 5.0 or 5.1.

Question:

How do I enable traffic to pass through my IPS without using any UTP-to-fiber converter?

I noticed there is a feature called "Vlan Pair", and basically I understand its functionality. But how do I exactly implement this in my DMZ segment?

CS> If your DMZ segment on your switch is vlan 10 and your firewall has an interface in VLAN 10, create a new vlan:11 and move the firewall to VLAN 11. Create a trunk port on the switch than includes VLAN 10 and 11 (and is natively in something unused, say 999). Attach the IPS to that trunk port and in the IPS config, create a VLAN pair mapping that maps 10<-> and assign that VLAN mapping to the virtual sensor for inspection.

CS> So now all packets from the servers must go through the IPS device (bridging vlan 10 and 11) to get to the FW and vice versa.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: