Solved

Cisco AIP-SSM and Inline mode

Posted on 2014-04-30
2
697 Views
Last Modified: 2014-05-28
I recently installed an AIP-SSM-20 in my ASA5520. I have it configured in promiscuous mode right now, so it just alerts, doesn't block. I am using the Cisco IPS Manager Express to manage the sensor. I would like to eventually put the device in inline mode to block packets, but I want to do it the safest way possible. What is the best approach for signature tuning? I see now that I have a lot of alerts, most of which are known good traffic. What is the best approach in this situation? I don't want to put the sensor in inline mode and have this known-good traffic be blocked.
0
Question by:denver218
2 Comments
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 40033888
Signature tuning is not an overnight matter, and you know it too. There is the initial profiling period to let all traffic come in and out with IPS monitoring and the administrator reviewing false positives and the obvious alerts based on attack signatures. There should be no false negatives.

Can catch the "IPS Best Practices" in this PDF

You probably have passed the profiling period (there is no good number, as it is environment based and also dependent on where you place the device, e.g. before or after the FW). Starting from the default enabled signatures and moving on to reviewing false positives based on daily traffic and user verification, you can disable those signatures. Eventually you are left with the final set, which is either not triggered or simply the obvious attack alerts.

Catch this article drilling into the steps of tuning. One good point raised is that, as a best practice, you must identify critical hosts and networks that should never be blocked. Sometimes a trusted network device's normal behavior may appear to be a specific attack, and shunning such a device will cause disruption of legitimate services. Sometimes others also term it whitelisting or an exception for the trusted traffic.

http://secret-epedemiology-statistic.org.ua/1587052091/ch20lev1sec3.html

Sometimes, due to the nature of the traffic, you may have a custom signature, e.g. for a new security threat on a third-party web application. There can be a specific field or parameter length that varies and is set as a threshold, etc. But do note that adding a custom signature can affect sensor performance, so it is advisable to monitor the effect the new signature has on the sensor.

Click Configuration > Features > IPS > Interface Configuration > Traffic Flow Notifications and configure the Missed Packet Threshold and Notification Interval options. You can configure the missed packet threshold within a specific notification interval and also configure the interface idle delay before a status event is reported. The notification interval specifies how often the AIP-SSM checks the missed packets percentage. The values depend on your environment.

Taking a step back, we are also not advocating enabling all signatures on the IPS to take a paranoid stance. This definitely can cause performance degradation, as it is not meant to have everything enabled. Also, your infra folks can have big concerns.

One point to note is that the Cisco (or any savvy) IPS team has pre-enabled signatures that are current and tweaks the signatures on every signature update if it is deemed to be of high security risk. Those that have been disabled are likely to be old signatures that are no longer current at this stage, unless you don't patch your end hosts.

Overall, the IPS will monitor and/or block threats; however, it is still the responsibility of the host administrator to patch the hosts. The IPS will only prevent and provide you guidance to patch the end hosts.

Importantly,
- Tuning or monitoring is not a "one-off" effort that, once done, stays forever. The threat landscape and user business evolve, so keep the momentum to cultivate regular tuning and assessment via the central ops center, getting those IPS logs piped to it.
- Give more attention at the initial stage, as many FPs (false positives) are inevitable; the principle is secure by default and no FNs (false negatives).
0
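One way to turn the alert review described above into a concrete exception list before switching to inline mode, as an added example that is not from the answer or from Cisco: a Python script that groups alerts per signature, measures what share of them come from hosts that must never be blocked, and suggests whether to review/disable the signature, add an event action filter for the trusted sources, or leave it blocking. The alert records, signature ids and names, and the trusted ranges are all constructed placeholders, not real sensor output.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample alerts as (signature_id, signature_name, source_ip).
# Signature ids and names are placeholders, not real Cisco IPS signatures.
SAMPLE_ALERTS = (
    [(1001, "ICMP echo request", "10.10.1.5")] * 3
    + [(1001, "ICMP echo request", "10.10.2.9")] * 2
    + [(1002, "Web server cmd access", "203.0.113.7")] * 2
    + [(1002, "Web server cmd access", "198.51.100.4")]
    + [(1003, "TCP host sweep", "192.168.50.10")] * 9  # internal vuln scanner
    + [(1003, "TCP host sweep", "203.0.113.7")]
)
# Critical hosts and networks that must never be shunned (hypothetical ranges).
TRUSTED_NETS = [ip_network("10.10.0.0/16"), ip_network("192.168.50.0/24")]

def is_trusted(ip, trusted_nets):
    return any(ip_address(ip) in net for net in trusted_nets)

def review_alerts(alerts, trusted_nets, exception_ratio=0.8):
    """Group alerts per signature and recommend a tuning action for each.
    review-disable  : only trusted hosts fire it; verify with users, then disable
                      it or keep it alert-only rather than letting it deny.
    exception-filter: mostly trusted sources; keep the signature but add an
                      event action filter removing deny actions for them.
    keep-enabled    : untrusted sources dominate; leave the signature blocking.
    """
    per_sig, names = defaultdict(Counter), {}
    for sig_id, name, src in alerts:
        per_sig[sig_id][src] += 1
        names[sig_id] = name
    report = {}
    for sig_id, sources in per_sig.items():
        total = sum(sources.values())
        trusted = [ip for ip in sources if is_trusted(ip, trusted_nets)]
        ratio = sum(sources[ip] for ip in trusted) / total
        if ratio == 1.0:
            action = "review-disable"
        elif ratio >= exception_ratio:
            action = "exception-filter"
        else:
            action = "keep-enabled"
        report[sig_id] = {"name": names[sig_id], "total": total, "trusted_ratio": ratio,
                          "trusted_sources": sorted(trusted), "action": action}
    return report

if __name__ == "__main__":
    for sig_id, r in review_alerts(SAMPLE_ALERTS, TRUSTED_NETS).items():
        print(f"{sig_id} {r['name']:<22} n={r['total']:>3} trusted={r['trusted_ratio']:.0%} -> {r['action']}")
```

Feed it a day's worth of exported alerts and the resulting "exception-filter" sources are the candidates for event action filters that keep the sensor alerting without denying the hosts the answer says must never be blocked.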
 
LVL 4

Author Closing Comment

by:denver218
ID: 40095350
Thanks
0
