Advice for working with Cisco 5515-X IPS Edition

Posted on 2014-03-19
Last Modified: 2015-05-14
We have an old Cisco ASA 5510 (EOL) and I am interested in getting easy-to-manage IPS functionality. I am looking at the newer version of ASA and there is an IPS Edition which appears to include more capable IPS functionality.

It looks like Cisco got rid of their sensors except for the higher-end ones ($70k list). Not sure if there are other easy-to-use and easy-to-tune IPS solutions (we are a single site, 150 employees, PCI compliance).

If you use the IPS Edition from Cisco:
1) How do you manage/tune?
2) Is it pretty easy to make changes?
3) Is there any additional software we would want to include for alerting/monitoring?

If you have an alternate easy to use IPS, what is it?

Thanks in advance,

Steve
Question by:smeek
Accepted Solution by: btan (earned 500 total points)
ID: 39942209
I have attempted to extract the key info from the straightforward sharings below, to ease referencing and to try to provide more info on the query.
Comparing Cisco ASA with dedicated IDS / IPS to ASA CX with IDS / IPS
ASA CX and Cisco Prime Security Manager 9.2 Released – First Look
Cisco ASA CX

1) How do you manage/tune? It is mainly no different if you are already tuning the IPS in learning mode and then enforcement mode; all IPSes have to go through such a stage regardless of brand, etc. The key thing is the GUI. Regarding migration, you can NOT run ASA CX and the dedicated IPS on the same ASA appliance.

The ASA CX IDS/IPS, aka Next Gen IPS/IDS, is part of CX and managed using PRSM, while the dedicated IDS/IPS software is managed with Cisco IME. If you want to migrate from one option to the other, it will require configuring the core ASA to specify which service you want to use for the virtual space, i.e. run the dedicated IPS/IDS or CX, along with the associated licensing and support. So for example, if you have the dedicated IDS/IPS running on the ASA, you would need to issue "sw-module module ips shutdown" followed by "sw-module module ips uninstall" prior to installing the ASA CX SSD drive and going forward with the ASA CX install.

The "-X" version is supposed to provide good coverage and strong application identification and control features, going much further than IP/port-only filtering. In the ASA 5512-X through 5555-X, the CX next-generation firewall runs as a software module. The ASA CX module runs an application that is separate from the ASA.

Today there are two options for adding IDS/IPS to an ASA.

Option one is installing a dedicated IDS/IPS. This means going with a specific ASA code that includes the IPS/IDS build, giving the IDS/IPS a separate IP address from the core ASA and managing the IDS/IPS separately. You could also use Cisco Security Manager (CSM) to manage both the ASA and the IPS/IDS along with other security solutions.

Option two for IPS/IDS is installing Cisco's next generation security package known as ASA CX. Again, you would install the software and provide a new IP address for the CX features. So let's say you configure the ASA CX part to be IP 192.168.1.20. Once you configure ASA CX, you could access the management at 192.168.1.120 using a web browser to bring up the local Cisco Prime Security Manager GUI. You could also use an external version of Cisco Prime Security Manager for managing multiple ASAs and CX SSD drives.
In this case, for software module, the ASA CX management interface shares the Management 0/0 interface with the ASA.

2) Is it pretty easy to make changes? It is not as straightforward and needs time to get accustomed to the GUI usage. More features also means more to configure for CX, such as identity of users and resources to access, etc. More insight and visibility to enforce tighter access control; this may be more than the IPS scope.

The basic ASA firewall is still handling access control, NAT and VPN. To enable next-generation features, an entry is made in Service Rules, part of the Modular Policy Framework, that defines which traffic is sent over to the CX part of the firewall. This means that any traffic has to be passed first by the normal access control rules, and then is subject to additional checks and controls based on application and user identification information.    

As each connection passes through the CX engine, three different policies come into play. First, the CX engine decodes SSL. Next, it ties user authentication information to the connection. And finally, the access control policies are applied, blocking or allowing the connection based on user identification and application-layer information (including application id, application type, and URL category).

Although most application identification and controls are in the new CX policy set, they’re not all there — everything added to the ASA before CX as part of the Modular Policy Framework is still down in the core ASA. This leads to some overlap and confusion, because you have to look in two places to do very similar application controls.

Last known (probably out-dated), ASA 5515-X hardware has a choice of running IPS or next-generation firewall (CX), but can’t run both. Cisco told us that IPS will be integrated with the CX code by the end of 2013, with a separate license to enable the IPS feature set.

If you have an active service policy redirecting traffic to an IPS module (that you replaced with the ASA CX), you must remove that policy before you configure the ASA CX service policy.

The ASA CX is only managed by PRSM, which creates a disconnect between the next-generation firewall rules and the rest of the ASA management. Without a separate management server, PRSM presents a risk to the firewall by hosting reporting, log storage, and management all on the same CPU that is handling packets.

3) Is there any additional software we would want to include for alerting/monitoring? Overall, I don't see that there is a need to further enhance, but note there is no anti-malware scanning, so that will likely be another separate candidate. Nonetheless, going into the CX capability will be the key front defender before drilling into the other network security checks by the proxy: web app/content filter, AV checks, security intelligence online checks, etc.

Running CX does come with a performance penalty. For example, the ASA 5515-X we tested is rated for 1.2Gbps of raw firewall throughput, but only 350Mbps of next-generation throughput.

Actually there is no easy tuning for IPS as a whole (I hope there is, too); the other alternative is free/open source, but probably you want to challenge the Cisco folks to hear them out on how they can convince you the above mentioned can be made more friendly in the long run...

Also not forgetting that Cisco acquired SourceFire, and they may have the latest changes and roadmap that are worth listening to...

The first milestone for the Cisco/SourceFire integration is Advanced Malware Protection (AMP) Everywhere, which will bring SourceFire to all Cisco content gateways (IronPort email, cloud/web security, etc.).

The AMP package includes the new FirePOWER 8300 appliance series for enabling threat detection at higher network speeds, promising up to a 50 percent increase in inspected throughput and the ability to stop threats in real-time. Cisco executives defended that previous response periods were slowed down by countless levels of checks and requirements before taking reactive, not preventative, actions.

Cisco said the addition of open source application detection and control to Snort, through its new OpenAppID language, will give users the ability to create custom app detection and control for their unique environments.
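The answer above describes the mechanics in prose: the ASA's own ACLs run first, a Modular Policy Framework service policy decides which flows are handed to the IPS or CX module, the two modules cannot coexist, and an existing IPS redirect must be removed before the CX redirect is configured. Below is an added ASA CLI example (not from the original answer or from Cisco's documentation) that puts those steps in order for a 5512-X through 5555-X software module. The ACL and class-map names, the "any any" match, and the choice of fail-close are assumptions for illustration; only the two "sw-module" commands come from the answer itself.

```cisco
! Added example, not from the original post. ASA 5500-X MPF configuration
! that redirects traffic to the IPS software module, then the steps to
! retire that redirect and send the same traffic to the ASA CX module.
! Names (IPS_INSPECT, IPS_CLASS) and the fail-close choice are assumptions.

! --- Option one: dedicated IPS software module ---
! Decide what the module inspects. "any any" sends everything; for PCI
! scoping, narrow this ACL to the cardholder-data segments so the module's
! limited throughput is spent on traffic that matters.
access-list IPS_INSPECT extended permit ip any any

class-map IPS_CLASS
 match access-list IPS_INSPECT

! Attach to the existing global policy. ASA access rules and NAT are applied
! first; only flows the ASA already permitted and that match IPS_CLASS are
! redirected to the module.
policy-map global_policy
 class IPS_CLASS
  ! inline      = module sits in the path and can drop (IPS behaviour)
  ! promiscuous = module gets a copy only, cannot drop (IDS behaviour)
  ! fail-open   = if the module is down/rebooting, traffic passes uninspected
  ! fail-close  = if the module is down, matching traffic is dropped
  ips inline fail-close

service-policy global_policy global

! Verify the module is up and that the class is seeing packets.
show module
show service-policy

! --- Migrating to ASA CX (the two modules cannot run on the same ASA) ---
! 1) Remove the IPS redirect before configuring the CX redirect.
policy-map global_policy
 class IPS_CLASS
  no ips inline fail-close

! 2) Stop and uninstall the IPS module (commands quoted in the answer above).
sw-module module ips shutdown
sw-module module ips uninstall

! 3) Once the CX image is installed and the module reports Up, reuse the
!    same class so the inspected scope does not silently change.
policy-map global_policy
 class IPS_CLASS
  cxsc fail-close
```

The fail-open/fail-close keyword is the check a practitioner should make consciously rather than accept from a copied snippet: fail-open keeps the site online during a module crash or upgrade (the failure mode the later comments on this page describe) at the cost of passing traffic uninspected, while fail-close turns every module outage into an outage for the redirected traffic. Whichever you pick, the ASA's own access rules still apply before the redirect, so traffic denied by the firewall never reaches the module and will not show up in its alerts.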
 
LVL 8

Author Closing Comment

by:smeek
ID: 39945875
I am still working on this but I REALLY appreciate how you summarized the links to field my questions instead of just listing links and asking "did you see this".

Based on the links, I probably want the ASA IPS Edition to replace my current old ASA and enable the IPS functionality and manage with the IPS Express Management running on the ASA. Giving you all the points.
Expert Comment by: btan
ID: 39946669
Glad to help thanks. Simple is good and go with what you can manage and manage well instead of the "new" stuff

Expert Comment by: chescotech
ID: 40325183
We have been using the Cisco ASA 5555-x and ASA 5512-X with Prime security manager for 5 months.
It crashes constantly and code upgrades have been a nightmare; with every upgrade there is a new set of problems! Do not buy this product! It is a piece of garbage!

We have been working with Cisco TAC throughout the whole ordeal and the issues persist.
Expert Comment by: FlatheadIT
ID: 40777917
I can agree with chescotech - we have issues with PRSM on our CISCO 5525-X platform. We have struggled with this for a long time now and it is not consistently up and working. We use the PRSM VMware appliance and the CDA server for AD.

We have experienced the crashing chescotech mentioned but I am not sure if we have the exact same issues - rather sometimes the product works and at others - no dice.  WSE (web security essentials) is our primary issue.  Using URL filter policies has been a pain - not to implement the policy, but to make it workable.  At this point, it works after we fiddle with it and then it stops when there is a failover or something changes in the firewall.  Then we struggle with it some more.  Right now... we have it working on the primary firewall - but when we failover - the internet is DOWN for all users.

We have put off several departmental requests because we found PRSM and its ability to apply policies after a failover is shaky at best.  We are currently working with CISCO TAC on this issue.  I hope we can resolve it.  Recently, CISCO has stated the nextgen firewalls will all use FIREPOWER (SourceFire purchase by CISCO) and PRSM is basically end of life (but it is still supported with your smartnet contract.)  I am unsure whether the cost to upgrade is reasonable or not at this time.

One other annoyance is that there are not a great number of experts out there on the PRSM/CDA platform. Some of the CISCO peeps I look to for help have confessed they don't know much about it. The documentation is a bit overwhelming to look through for a specific issue or example.
Author Comment by: smeek
ID: 40778161
Thanks for the additional input. So far we have not made significant changes nor do we actively manage it but has not crashed more than periodically.