Cisco AIP-SSM and Inline mode

Posted on 2014-04-30
Last Modified: 2014-05-28
I recently installed an AIP-SSM-20 in my ASA5520. I have it configured in promiscuous mode right now, so it just alerts and doesn't block. I am using the Cisco IPS Manager Express to manage the sensor. I would like to eventually put the device in inline mode to block packets, but I want to do it the safest way possible. What is the best approach for signature tuning? I see now that I have a lot of alerts, most of which are known good traffic. What is the best approach in this situation? I don't want to put the sensor in inline mode and have this known good traffic be blocked.
Question by:denver218

Accepted Solution

btan earned 2000 total points
ID: 40033888
Signature tuning is not an overnight matter, and you know it too. There is the initial profiling period to let all traffic come in and out with IPS monitoring and the administrator reviewing false positives and the obvious alerts based on attack signatures. There should be no false negatives.

You can catch the "IPS Best Practices" in this PDF.

You have probably passed the profiling period (there is no good number, as it is environment based and also dependent on where you place the device, e.g. before or after the FW). Starting from the default signatures enabled, and moving on to reviewing false positives based on daily traffic and user verification, you can disable those signatures. Eventually you are left with the final set, which is either not triggered or simply the obvious attack alerts.

Catch this article drilling into the steps of tuning. One good point raised is that, as a best practice, you must identify critical hosts and networks that should never be blocked. Sometimes a trusted network device's normal behavior may appear to be a specific attack, and shunning such a device will cause disruption of legitimate services. Others sometimes term this whitelisting or an exception for the trusted traffic.


Sometimes, due to the nature of the traffic, you may have a custom signature, e.g. for a new security threat on a third-party web application. There can be a specific field or parameter length to vary and set as a threshold, etc. But do note that adding a custom signature can affect sensor performance, so it is advisable to monitor the effect the new signature has on the sensor.

Click Configuration > Features > IPS > Interface Configuration > Traffic Flow Notifications and configure the Missed Packet Threshold and Notification Interval options. You can configure the missed packet threshold within a specific notification interval and also configure the interface idle delay before a status event is reported. The notification interval specifies how often the AIP-SSM checks the missed packets percentage. The values depend on your environment.

Taking a step back, we are also not advocating enabling all signatures on the IPS to take a paranoid stance. This can definitely cause performance degradation, as it is not meant to have all of them enabled. Your infra folks can also have big concerns.

One point to note is that the Cisco (or any savvy) IPS team has pre-enabled signatures that are current and tweaks the signatures on every signature update if it is deemed to be of high security risk. Those that have been disabled are likely to be old signatures that are no longer current at this stage, unless you don't patch your end hosts.

Overall, the IPS will monitor and/or block threats; however, it is still the responsibility of the host administrator to patch the hosts. The IPS will only prevent and provide you guidance to patch the end hosts.

- Tuning or monitoring is not a "one off" effort that, once done, stays forever. The threat landscape and user business evolve, so keep the momentum to cultivate regular tuning and assessment via the central ops center, getting those IPS logs piped to it.
- Give more attention at the initial stage, as many FPs (false positives) are inevitable; the principle is secure by default and no FNs (false negatives).
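The profiling workflow in this answer (review alerts collected in promiscuous mode, disable or filter signatures that only fire on known good hosts, and keep a never-block list so trusted devices are not shunned once the sensor goes inline) can be scripted as a triage pass over the alert export. The following is an added example, not code from the original post, from Cisco, or from IPS Manager Express. The alert line format, the signature IDs, the trusted-source and never-block lists, and the risk threshold of 50 are all constructed assumptions for illustration; a real export from IME would need its own parser.

```python
"""Triage helper for IPS alerts gathered during a promiscuous-mode profiling period.

Added example (not Cisco's or the original poster's code). The alert format below is
a constructed, simplified key=value layout, not the real IME/SDEE export format.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample alerts: three signatures seen while the sensor only alerts.
SAMPLE_ALERTS = """\
sigId=2004 sigName=ICMP_Echo_Request src=10.10.5.20 dst=10.10.1.10 risk=25
sigId=2004 sigName=ICMP_Echo_Request src=10.10.5.20 dst=10.10.1.11 risk=25
sigId=2004 sigName=ICMP_Echo_Request src=10.10.5.20 dst=10.10.1.12 risk=25
sigId=3030 sigName=TCP_SYN_Host_Sweep src=10.10.5.21 dst=10.10.1.0 risk=60
sigId=3030 sigName=TCP_SYN_Host_Sweep src=198.51.100.7 dst=10.10.1.0 risk=60
sigId=5081 sigName=WWW_cmd.exe_Access src=203.0.113.9 dst=10.10.1.80 risk=90
sigId=5081 sigName=WWW_cmd.exe_Access src=203.0.113.9 dst=10.10.1.80 risk=90
sigId=5081 sigName=WWW_cmd.exe_Access src=198.51.100.7 dst=10.10.1.80 risk=90
"""

# Assumed inventory: a ping monitor and a vulnerability scanner are known good
# sources, and the whole management network must never be denied inline.
TRUSTED_SOURCES = ["10.10.5.20", "10.10.5.21"]
NEVER_BLOCK = ["10.10.5.0/24"]


@dataclass
class Alert:
    sig_id: str
    sig_name: str
    src: str
    dst: str
    risk: int


def parse_alerts(text):
    """Parse the constructed key=value alert lines into Alert records."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        alerts.append(Alert(fields["sigId"], fields["sigName"], fields["src"],
                            fields["dst"], int(fields["risk"])))
    return alerts


def in_any(addr, networks):
    """True if addr falls inside any of the given hosts/networks."""
    ip = ip_address(addr)
    return any(ip in ip_network(n, strict=False) for n in networks)


def summarize(alerts, trusted):
    """Per signature: how many alerts fired, and how many came from trusted sources."""
    summary = {}
    for a in alerts:
        s = summary.setdefault(a.sig_id, {"name": a.sig_name, "total": 0,
                                          "trusted": 0, "sources": set()})
        s["total"] += 1
        s["sources"].add(a.src)
        if in_any(a.src, trusted):
            s["trusted"] += 1
    return summary


def classify(entry):
    """Tuning recommendation for one signature based on who triggered it."""
    if entry["trusted"] == entry["total"]:
        return "disable-or-filter"        # fired only from known good hosts
    if entry["trusted"] > 0:
        return "filter-trusted-sources"   # keep it, but exempt the known good hosts
    return "review-for-inline-deny"       # never seen from known good hosts


def propose_actions(alerts, never_block, risk_threshold=50):
    """Dry run of what inline mode would do; the never-block list always wins."""
    actions = []
    for a in alerts:
        if in_any(a.src, never_block):
            actions.append((a.sig_id, a.src, "alert-only (never-block list)"))
        elif a.risk >= risk_threshold:
            actions.append((a.sig_id, a.src, "deny"))
        else:
            actions.append((a.sig_id, a.src, "alert-only (below risk threshold)"))
    return actions


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for sig, entry in sorted(summarize(parsed, TRUSTED_SOURCES).items()):
        print(f"{sig} {entry['name']}: {entry['total']} alerts, "
              f"{entry['trusted']} from trusted hosts -> {classify(entry)}")
    for sig, src, action in propose_actions(parsed, NEVER_BLOCK):
        print(f"  {sig} from {src}: {action}")
```

Run it over a day's worth of exported alerts before changing the sensor mode: a signature that classifies as "disable-or-filter" is a candidate to disable or to exempt for those hosts, and the dry-run actions show which denies inline mode would actually apply and which are suppressed by the never-block list.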

Author Closing Comment

ID: 40095350
