Pre-setup questions on IPS on Cisco ASA Cluster

Guest

Pre-setup questions on IPS on Cisco ASA Cluster

Post by Guest » Wed Jan 05, 2005 8:36 pm

Hello, I am looking for some guidance configuring an IPS. I have a Cisco ASA Cluster with an IPS Module and I would like to know the best way to go about configuring it. We have a customer who will require that their web servers be protected with the IPS Module. I have the following questions:

1. Is it possible to install the IPS in a learning type mode to see what sort of traffic is hitting it?
2. Can you syslog the alerts?
3. Is it possible to use SNMP traps around alerting also?
4. If you put it in promiscuous mode (IDS), does this mean when you get an alert about a possible attack, an admin has to log on to the firewall to then block the traffic if they choose to do so? Is it possible for an admin to block the traffic (or allow it if it's a false positive in IPS) without having to log in to the ASDM? If you have a scenario where you don't want to give users access to the firewall, what's the best way to go about this?
5. Is it possible to set up an alert so that if it's a DDoS it emails the alert, and if it's a split handshake it just syslogs the alert?
6. I am nervous that if I put it in with a profile it may start blocking valid traffic. What's the best way to start off with IPS to protect a server?
7. If it's possible to do syslog, what sort of detail does the syslog capture? Does it take attack name etc.?

Lots of questions! Hopefully someone can help. Thanks a mill.

Guest

Re: Pre-setup questions on IPS on Cisco ASA Cluster

Post by Guest » Wed Jan 05, 2005 10:09 pm

1. Is it possible to install the IPS in a learning type mode to see what sort of traffic is hitting it?
Yes. There are several ways of doing this, but the easiest is to put the sensor into promiscuous mode (in the ASA config).

2. Can you syslog the alerts?
No. The Cisco IPS OS does not support syslog.

3. Is it possible to use SNMP traps around alerting also?
Yes. But you have to set the "action" on each signature you want to send a trap.

4. If you put it in promiscuous mode (IDS), does this mean when you get an alert about a possible attack, an admin has to log on to the firewall to then block the traffic if they choose to do so? Is it possible for an admin to block the traffic (or allow it if it's a false positive in IPS) without having to log in to the ASDM? If you have a scenario where you don't want to give users access to the firewall, what's the best way to go about this?
Typically the person(s) performing analysis of IPS events have sufficient privilege and access to make the necessary security changes to your firewall and IPS sensors. It takes time, knowledge and skill to perform IPS analysis. Most customers do not have those resources to properly do the job you describe.

5. Is it possible to set up an alert so that if it's a DDoS it emails the alert, and if it's a split handshake it just syslogs the alert?
No syslog. You can set email alerts on a per-signature basis.

6. I am nervous that if I put it in with a profile it may start blocking valid traffic. What's the best way to start off with IPS to protect a server?
Start in promiscuous mode and see what signatures are hitting. Investigate these, tune out your false positives until you have a tight, actionable set of signatures. Then move into in-line mode.

7. If it's possible to do syslog, what sort of detail does the syslog capture? Does it take attack name etc.?
No syslog.

- Bob
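The two phases Bob describes (promiscuous first for learning and tuning, then in-line for enforcement) are both selected on the ASA side by the `ips` action in a policy-map. The configuration below is an added example written for this thread, not Bob's config or Cisco documentation; it assumes an ASA 5500 with an AIP-SSM module on a release that supports the `ips` policy-map action, and the web-server address 192.0.2.10 is a constructed placeholder for the customer's server.

```cisco
! Added example: send only the customer's web-server traffic to the IPS module.
! 192.0.2.10 is a constructed placeholder address.
!
! Phase 1 - learning / tuning: promiscuous mode. The module receives a copy of
! the matched traffic and can only alert; it cannot drop anything, so a noisy
! or mis-tuned signature cannot break production traffic while you tune.
access-list IPS_WEB extended permit tcp any host 192.0.2.10 eq 80
access-list IPS_WEB extended permit tcp any host 192.0.2.10 eq 443
!
class-map IPS_WEB
 match access-list IPS_WEB
!
policy-map global_policy
 class IPS_WEB
  ips promiscuous fail-open
!
service-policy global_policy global
!
! Phase 2 - enforcement: once the signature set is tuned, swap the ips action
! so the module sits in the forwarding path and can drop packets.
! fail-open keeps traffic flowing if the module fails or reboots;
! fail-close drops it instead. Pick one per the customer's availability needs.
!
! policy-map global_policy
!  class IPS_WEB
!   no ips promiscuous fail-open
!   ips inline fail-open
```

Scoping the class-map with an access-list rather than `match any` keeps the module's event volume limited to the servers you are actually protecting, which makes the tuning phase much shorter. After applying either phase, `show service-policy` on the ASA shows whether packets are being matched by the `IPS_WEB` class and handed to the module.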

Guest

Re: Pre-setup questions on IPS on Cisco ASA Cluster

Post by Guest » Wed Jan 05, 2005 10:43 pm

Hi Bob, thanks so much for your reply. What would you think is the best way to log the IPS/IDS events? Just email everything to a support address? So I think putting it into IDS and tuning could be a waste of time and energy and potentially has little value. On a difficulty scale to get an IPS up and running (card already installed), what would you rate it at? I would be very experienced with ASA, I just have not done any configuration on IPS. Many thanks.

Guest

Re: Pre-setup questions on IPS on Cisco ASA Cluster

Post by Guest » Wed Jan 05, 2005 11:41 pm

I'm sorry to tell you, but running an IPS is a time-consuming task. They do require some consistent time and attention and are not a "set and forget" type of security device. If you enable email alerts you will quickly start ignoring them (like all the other spam you receive).

If you only have a handful of sensors, I would recommend downloading the free Cisco IME manager. It will let you collect events and tune the sensor to get rid of the useless signatures that do not provide you any value.

You really will only care about signatures that fire that you need to do something about. These are called actionable signatures. Things like an internal infected host that is attempting to infect your internal network is something you want to know about and deal with as soon as possible. You can rely on an IPS to block all hostile traffic. It takes some analysis of events to see what is going on in your network.

- Bob

