Solved

Cisco AIP-SSM and Inline mode

Posted on 2014-04-30
669 Views
Last Modified: 2014-05-28
I recently installed an AIP-SSM-20 in my ASA5520. I have it configured in promiscuous mode right now, so it just alerts, doesn't block. I am using the Cisco IPS Manager Express to manage the sensor. I would like to eventually put the device in inline mode to block packets, but I want to do it the safest way possible. What is the best approach for signature tuning? I see now that I have a lot of alerts, most of which are known good traffic. What is the best approach in this situation? I don't want to put the sensor in inline mode and have this known good traffic be blocked.
Question by:denver218
2 Comments
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 40033888
Signature tuning is not an overnight matter, and you know it too. There is the initial profiling period to let all traffic come in and out with IPS monitoring and the administrator reviewing false positives and the obvious alerts based on attack signatures. There should be no false negatives.

You can catch the "IPS Best Practices" in this PDF.

You have probably passed the profiling period (there is no good number, as it is environment-based and also dependent on where you place the device, e.g. before or after the FW). From the default signatures enabled, and moving on to review false positives based on daily traffic and user verification, you can disable those signatures. Eventually you are left with the final set, which is either not triggered or simply the obvious attack alerts.

Catch this article drilling into the steps of tuning; one good point raised is that, as a best practice, you must identify critical hosts and networks that should never be blocked. Sometimes a trusted network device's normal behavior may appear to be a specific attack, and shunning such a device will cause disruption of legitimate services. Sometimes others also term it whitelisting or an exception for the trusted traffic.

http://secret-epedemiology-statistic.org.ua/1587052091/ch20lev1sec3.html

Sometimes, due to the nature of the traffic, you may have a custom signature, e.g. for a new security threat on a third-party web application. There can be a specific field or parameter length to be varied and set as a threshold, etc. But do note that adding a custom signature can affect sensor performance, so it is advisable to monitor the effect the new signature has on the sensor.

Click Configuration > Features > IPS > Interface Configuration > Traffic Flow Notifications and configure the Missed Packet Threshold and Notification Interval options. You can configure the missed packet threshold within a specific notification interval and also configure the interface idle delay before a status event is reported. The notification interval specifies how often the AIP-SSM checks for the missed packets percentage. The values depend on your environment.

Taking a step back, we are also not advocating enabling all signatures on the IPS to take a paranoid stance. This can definitely cause performance degradation, as they are not meant to be all enabled. Also, your infra folks can have big concerns.

One point to note is that the Cisco (or any savvy) IPS team has pre-enabled signatures that are current and tweaks the signatures on every signature update if a threat is deemed to be of high security risk. Those that have been disabled are likely to be old signatures that are no longer current at this stage, unless you don't patch your end hosts.

Overall, the IPS will monitor and/or block threats; however, it is still the responsibility of the host administrator to patch the hosts. The IPS will only prevent and provide you guidance to patch the end hosts.

Importantly,
- Tuning or monitoring is not a "one off" effort, done once and staying forever. The threat landscape and user business evolve; keep the momentum to cultivate regular tuning and assessment via the central ops center, with those IPS logs piped to it.
- Give more attention at the initial stage, as many FPs (false positives) are inevitable; the principle is secure by default and no FNs (false negatives).
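As an added illustration (not part of btan's answer or of Cisco's tooling): a small Python script that aggregates exported alerts by signature, flags signatures fired mostly by trusted hosts as tuning candidates, and lists the trusted hosts that would need an exception before the sensor goes inline. The alert line format and the trusted-host list are constructed assumptions, not the AIP-SSM event format.

```python
from collections import defaultdict

# Constructed sample alerts (not Cisco IPS event format): sig_id,sig_name,src_ip,dst_ip
SAMPLE_ALERTS = """\
2004,ICMP Echo Request,10.0.0.5,10.0.1.20
2004,ICMP Echo Request,10.0.0.5,10.0.1.21
2004,ICMP Echo Request,10.0.0.5,10.0.1.22
2004,ICMP Echo Request,10.0.0.6,10.0.1.20
2004,ICMP Echo Request,192.0.2.10,10.0.1.20
5081,WWW WinNT cmd.exe access,198.51.100.7,10.0.1.30
5081,WWW WinNT cmd.exe access,198.51.100.7,10.0.1.31
3050,Half-open SYN attack,10.0.0.5,10.0.1.40
"""

# Assumed list of critical/trusted hosts (e.g. a monitoring box) that must never be shunned.
TRUSTED_HOSTS = {"10.0.0.5", "10.0.0.6"}

def parse_alerts(text):
    """Parse the constructed CSV-like alert lines into dicts."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        sig_id, sig_name, src, dst = (f.strip() for f in line.split(",", 3))
        alerts.append({"sig_id": sig_id, "name": sig_name, "src": src, "dst": dst})
    return alerts

def summarize(alerts, trusted=TRUSTED_HOSTS):
    """Per signature: total hits, hits sourced from trusted hosts, and the trusted share."""
    stats = defaultdict(lambda: {"name": "", "total": 0, "trusted": 0})
    for a in alerts:
        s = stats[a["sig_id"]]
        s["name"] = a["name"]
        s["total"] += 1
        if a["src"] in trusted:
            s["trusted"] += 1
    for s in stats.values():
        s["trusted_share"] = s["trusted"] / s["total"]
    return dict(stats)

def tuning_candidates(stats, min_hits=5, min_trusted_share=0.8):
    """Signatures fired mostly by trusted hosts: review or exempt them before going inline."""
    return sorted(sid for sid, s in stats.items()
                  if s["total"] >= min_hits and s["trusted_share"] >= min_trusted_share)

def trusted_hosts_triggering(alerts, trusted=TRUSTED_HOSTS):
    """Trusted hosts that fire any alert at all: each needs an exception before inline mode."""
    return sorted({a["src"] for a in alerts if a["src"] in trusted})
```

Low-volume signatures such as 3050 above fall below `min_hits` and stay on the review list rather than being auto-flagged, which matches the "no false negative" principle in the answer.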
 
LVL 4

Author Closing Comment

by:denver218
ID: 40095350
Thanks