Solved

Cisco AIP-SSM and Inline mode

Posted on 2014-04-30
Medium Priority
719 Views
Last Modified: 2014-05-28
I recently installed an AIP-SSM-20 in my ASA5520. I have it configured in promiscuous mode right now, so it just alerts, doesn't block. I am using the Cisco IPS Manager Express to manage the sensor. I would like to eventually put the device in inline mode to block packets, but I want to do it the safest way possible. What is the best approach for signature tuning? I see now that I have a lot of alerts, most of which are known-good traffic. What is the best approach in this situation? I don't want to put the sensor in inline mode and have this known-good traffic be blocked.
Question by:denver218
2 Comments
 
LVL 65

Accepted Solution

by: btan earned 2000 total points
ID: 40033888
Signature tuning is not an overnight matter, and you know it too. There is the initial profiling period to let all traffic come in and out with IPS monitoring and the administrator reviewing false positives and the obvious alerts based on attack signatures. There should be no false negatives.

You can catch the "IPS Best Practices" in this PDF.

You have probably passed the profiling period (there is no good number as it is environment based and also dependent on where you place the device, e.g. before or after the FW). From the default signatures enabled, and moving on to review false positives based on daily traffic and user verification, you can disable those signatures. Eventually you are left with the final set, which is either not triggered or simply the obvious attack alerts.

Catch this article drilling into the steps of tuning; one good point raised is that, as a best practice, you must identify critical hosts and networks that should never be blocked. Sometimes a trusted network device's normal behavior may appear to be a specific attack, and shunning such a device will cause disruption of legitimate services. Sometimes others also term it whitelisting or an exception for the trusted traffic.

http://secret-epedemiology-statistic.org.ua/1587052091/ch20lev1sec3.html

Sometimes, due to the nature of the traffic, you may have a custom signature, e.g. for a new security threat on a third-party web application. There can be a specific field or parameter length to vary and set as a threshold, etc. But do note that adding a custom signature can affect sensor performance, so it is advisable to monitor the effect the new signature has on the sensor.

Click Configuration > Features > IPS > Interface Configuration > Traffic Flow Notifications and configure the Missed Packet Threshold and Notification Interval options. You can configure the missed packet threshold within a specific notification interval and also configure the interface idle delay before a status event is reported. The notification interval specifies how often the AIP-SSM checks for the missed packets percentage. The values depend on your environment.

Taking a step back, we are also not advocating enabling all signatures on the IPS to be at a paranoid stance. This can definitely cause performance degradation, as it is not meant to have all of them enabled. Also, your infra folks can have big concerns.

One point to note is that the Cisco (or any savvy) IPS team has pre-enabled signatures that are current and tweaks the signatures on every signature update if they are deemed to be of high security risk. Those that have been disabled are likely to be old signatures that are no longer current at this stage, unless you don't patch your end hosts.

Overall, the IPS will monitor and/or block threats; however, it is still the responsibility of the host administrator to patch the hosts. The IPS will only prevent and provide you guidance to patch the end hosts.

Importantly,
- Tuning or monitoring is not a "one off" effort, done once and staying forever. The threat landscape and user business evolve; keep the momentum to cultivate regular tuning and assessment via the central ops center, getting those IPS logs piped to it.
- Give more attention at the initial stage, as many FPs (false positives) are inevitable; the principle is secure by default and no FNs (false negatives).
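As an added worked example (not part of btan's answer, and not a Cisco tool), the staged approach above can be driven from the sensor's own alert history: profile which signatures fire during the promiscuous period, flag the ones whose hits come almost entirely from hosts you have decided must never be denied, and generate event action filters that strip only the inline deny actions for exactly those (signature, host) pairs while leaving produce-alert in place, so the sensor can go inline without blocking the known-good traffic and without going blind to it. The alert records, the never-deny host list and the thresholds are constructed for this example; the emitted CLI lines follow the IPS 7.x event-action-rules filter syntax as I recall it (filters insert ... / actions-to-remove ...) and are an assumption to check against your sensor release before pasting.

```python
"""Stage an AIP-SSM for inline mode from its alert history.

Constructed example: alert records, host list and thresholds are made up
for illustration; the CLI output uses the IPS 7.x event-action-rules
filter syntax (assumed; verify on your sensor before pasting).
"""
from collections import Counter, defaultdict

# Constructed alert sample, one tuple per event:
# (signature id, subsignature id, attacker address, victim address).
# In practice this would be parsed from `show events alert` or an IME export.
ALERTS = (
    [(2004, 0, "10.10.0.21", "10.10.5.%d" % i) for i in range(1, 41)]      # ICMP echo from the scanner
    + [(3030, 0, "10.10.0.21", "10.10.5.%d" % i) for i in range(1, 31)]    # SYN sweep from the scanner
    + [(6054, 0, "10.10.0.5", "10.10.5.%d" % i) for i in range(1, 26)]     # DNS chatter from the resolver
    + [(5081, 0, "203.0.113.%d" % i, "10.10.5.80") for i in range(1, 13)]  # external web-attack hits
    + [(1101, 0, "10.10.0.20", "10.10.5.9")] * 3                            # odd IP proto from backup box
)

# Critical hosts that must never be denied inline (site-specific; constructed here).
NEVER_DENY = {
    "10.10.0.5": "internal DNS resolver",
    "10.10.0.20": "backup server",
    "10.10.0.21": "authorised vulnerability scanner",
}

# Inline actions to strip; produce-alert is deliberately left in place so
# the traffic stays visible after the sensor goes inline.
DENY_ACTIONS = "deny-attacker-inline|deny-connection-inline|deny-packet-inline"


def profile(alerts, never_deny=NEVER_DENY):
    """Per (sig, subsig): total hits and the attackers among the never-deny hosts."""
    hits = Counter()
    trusted = defaultdict(Counter)
    for sig, subsig, src, _dst in alerts:
        key = (sig, subsig)
        hits[key] += 1
        if src in never_deny:
            trusted[key][src] += 1
    return {key: {"hits": hits[key], "trusted": trusted[key]} for key in hits}


def classify(prof, trusted_share=0.9, min_hits=10):
    """Bucket signatures for a staged inline rollout.

    filter  - nearly every hit comes from never-deny hosts: add a filter that
              removes deny-* for those sources, keep alerting.
    review  - too few hits to judge yet: leave alert-only until verified.
    enforce - looks like real attack traffic: keep the deny actions inline.
    """
    buckets = {"filter": [], "review": [], "enforce": []}
    for key, p in sorted(prof.items()):
        share = sum(p["trusted"].values()) / p["hits"]
        if p["hits"] < min_hits:
            buckets["review"].append(key)
        elif share >= trusted_share:
            buckets["filter"].append(key)
        else:
            buckets["enforce"].append(key)
    return buckets


def filter_commands(prof, sig_keys, rules="rules0"):
    """Render one event action filter per (signature, never-deny host) pair.

    One filter per pair keeps each exception independently removable when
    the host is decommissioned.  Syntax assumed from the IPS 7.x CLI.
    """
    lines = ["service event-action-rules %s" % rules]
    for sig, subsig in sig_keys:
        for host in sorted(prof[(sig, subsig)]["trusted"]):
            name = "nodeny_%d_%s" % (sig, host.replace(".", "_"))
            lines += [
                "filters insert %s begin" % name,
                "signature-id-range %d" % sig,
                "subsignature-id-range %d" % subsig,
                "attacker-address-range %s" % host,
                "actions-to-remove %s" % DENY_ACTIONS,
                "filter-item-status Enabled",
                "exit",
            ]
    lines.append("exit")
    return lines


if __name__ == "__main__":
    prof = profile(ALERTS)
    buckets = classify(prof)
    for bucket, keys in buckets.items():
        print(bucket, keys)
    print("\n".join(filter_commands(prof, buckets["filter"])))
```

Run it at the end of a profiling window, hand-check the review bucket rather than filtering it blindly, and only then change the ASA policy-map class from `ips promiscuous` to `ips inline fail-open`, which is a separate ASA-side step this script does not perform. Signatures in the enforce bucket keep whatever deny actions the signature update shipped with, which is the "secure by default" stance the answer describes.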
 
LVL 4

Author Closing Comment

by:denver218
ID: 40095350
Thanks
