Inspecting traffic via AIP-SSM-20 in ASA5520

Posted on 2014-04-28
Last Modified: 2014-06-22
I am sending traffic through my AIP-SSM that I installed in my ASA. Here is the pertinent part of the configuration:

access-list IPS extended permit ip any any


class-map my-ips-class
 match access-list IPS
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 1200
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
policy-map my-ips-policy
 class my-ips-class
  ips promiscuous fail-close
!
service-policy global_policy global
service-policy my-ips-policy interface outside

Does this inspect traffic in both directions? Meaning all traffic coming in and leaving the network gets inspected?
Question by:denver218
3 Comments
 
LVL 6

Expert Comment

by:Hassan Besher
ID: 40028104
Yes, but you're working in promiscuous mode, which is like an IDS, not an IPS. In case you don't realize the difference:

Promiscuous mode means that a copy of the data is sent to the AIP-SSM while the ASA forwards the original data on to the destination. The AIP-SSM in promiscuous mode can be considered to be an intrusion detection system (IDS). In this mode, the trigger packet (the packet that causes the alarm) can still reach the destination. Shunning can take place and stop additional packets from reaching the destination, however the trigger packet is not stopped.

Inline mode means that the ASA forwards the data to the AIP-SSM for inspection. If the data passes AIP-SSM inspection, the data returns to the ASA in order to continue being processed and sent to the destination. The AIP-SSM in inline mode can be considered to be an intrusion prevention system (IPS). Unlike promiscuous mode, inline mode (IPS) can actually stop the trigger packet from reaching the destination.



Fail-open allows the ASA to continue to pass to-be-inspected traffic to the final destination if the AIP-SSM cannot be reached.

Fail-closed blocks to-be-inspected traffic when the ASA cannot communicate with the AIP-SSM.
0
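
Added example, not part of the original thread and not Cisco tooling: a small Python check that reads an ASA configuration like the one in the question and reports, for each `ips` action, where it is applied, whether the mode can stop the trigger packet (inline) or only receives a copy (promiscuous), and whether matched traffic is blocked when the AIP-SSM is unreachable. The function name `audit_ips` and the trimmed `SAMPLE_CONFIG` are constructed for illustration.

```python
# Constructed sample: the IPS-relevant lines of the configuration in the question.
SAMPLE_CONFIG = """\
access-list IPS extended permit ip any any
class-map my-ips-class
 match access-list IPS
policy-map global_policy
 class inspection_default
  inspect ftp
policy-map my-ips-policy
 class my-ips-class
  ips promiscuous fail-close
!
service-policy global_policy global
service-policy my-ips-policy interface outside
"""

def audit_ips(config):
    """Return one finding per `ips` action and per place its policy-map is applied."""
    actions = {}    # policy-map name -> [(class, mode, fail_action)]
    bindings = {}   # policy-map name -> ["global" | "interface <name>"]
    policy = cls = None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if not raw[0].isspace():                      # top-level command
            policy = words[-1] if words[0] == "policy-map" else None
            cls = None
            if words[0] == "service-policy" and len(words) >= 3:
                bindings.setdefault(words[1], []).append(" ".join(words[2:]))
        elif policy and words[0] == "class":
            cls = words[1]
        elif policy and cls and words[0] == "ips" and len(words) >= 3:
            actions.setdefault(policy, []).append((cls, words[1], words[2]))
    findings = []
    for name, acts in actions.items():
        for cls_name, mode, fail in acts:
            for scope in bindings.get(name, ["(not applied)"]):
                findings.append({
                    "policy": name, "class": cls_name, "scope": scope,
                    "mode": mode, "fail": fail,
                    # inline = IPS, can stop the trigger packet; promiscuous = IDS copy
                    "can_block_trigger_packet": mode == "inline",
                    # fail-close blocks to-be-inspected traffic if the module is down
                    "blocks_traffic_if_module_down": fail == "fail-close",
                })
    return findings

if __name__ == "__main__":
    for finding in audit_ips(SAMPLE_CONFIG):
        print(finding)
```
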
 
LVL 4

Accepted Solution

by:
denver218 earned 0 total points
ID: 40028311
Thanks, yes I know I am in promiscuous mode, I don't want it inline yet.  I just wasn't sure if it inspects traffic both leaving and entering the network.
0
 
LVL 4

Author Closing Comment

by:denver218
ID: 40150152
Thanks
0
