Solved

Cisco AIP-SSM and Inline mode

Posted on 2014-04-30
2
648 Views
Last Modified: 2014-05-28
I recently installed an AIP-SSM-20 in my ASA5520. I have it configured in promiscuous mode right now, so it just alerts, doesn't block. I am using the Cisco IPS Manager Express to manage the sensor. I would like to eventually put the device in inline mode to block packets, but I want to do it the safest way possible. What is the best approach for signature tuning? I see now that I have a lot of alerts, most of which are known good traffic. What is the best approach in this situation? I don't want to put the sensor in inline mode and have this known good traffic be blocked.
Question by: denver218
2 Comments
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 40033888
Signature tuning is not an overnight matter, and you know it too. There is the initial profiling period to let all traffic come in and out with the IPS monitoring and the administrator reviewing false positives and the obvious alerts based on attack signatures. There should be no false negatives.

You can catch the "IPS Best Practices" in this PDF.

You have probably passed the profiling period (there is no good number, as it is environment-based and also dependent on where you place the device, e.g. before or after the FW). Starting from the default enabled signatures, and moving on to reviewing false positives based on daily traffic and user verification, you can disable those signatures. Eventually you are left with the final set, which is either not triggered or simply the obvious attack alerts.

Catch this article drilling into the steps of tuning; one good point raised is that, as a best practice, you must identify critical hosts and networks that should never be blocked. Sometimes, a trusted network device's normal behavior may appear to be a specific attack, and shunning such a device will cause disruption of legitimate services. Sometimes others also term it whitelisting or an exception for the trusted traffic.

http://secret-epedemiology-statistic.org.ua/1587052091/ch20lev1sec3.html

Sometimes, due to the nature of the traffic, you may have custom signatures, e.g. for a new security threat on a third-party web application. There can be a specific field or parameter length to vary and set as a threshold, etc. But do note that adding a custom signature can affect sensor performance, so it is advisable to monitor the effect the new signature has on the sensor.

Click Configuration > Features > IPS > Interface Configuration > Traffic Flow Notifications and configure the Missed Packet Threshold and Notification Interval options. You can configure the missed packet threshold within a specific notification interval and also configure the interface idle delay before a status event is reported. The notification interval specifies how often the AIP-SSM checks for the missed packets percentage. The values depend on your environment.

Taking a step back, we are also not advocating enabling all signatures on the IPS to take a paranoid stance. This can definitely cause performance degradation, as they are not meant to be all enabled. Also, your infra folks can have big concerns.

One point to note is that the Cisco (or any savvy) IPS team has pre-enabled signatures that are current and tweaks the signatures on every signature update if a threat is deemed to be of high security risk. Those that have been disabled are likely to be old signatures that are no longer current at this stage, unless you don't patch your end hosts.

Overall, the IPS will monitor and/or block threats; however, it is still the responsibility of the host administrator to patch the hosts. The IPS will only prevent and provide you guidance to patch the end hosts.

Importantly,
- Tuning or monitoring is not a "one-off" effort, done once and staying forever. The threat landscape and user business evolve; keep the momentum to cultivate regular tuning and assessment via the central ops center, getting those IPS logs piped to it.
- Give more attention at the initial stage, as many FPs (false positives) are inevitable; the principle is secure by default and no FNs (false negatives).
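Added example (not btan's, the asker's, or Cisco's code): a small Python triage of profiling-period alerts that groups them by signature, marks which hits come from the never-block hosts and networks the answer describes, and flags the signatures that would bite a trusted host the moment the sensor goes inline. The alert records, the trusted networks and the risk-rating deny threshold of 90 are constructed assumptions; substitute the sensor's real event-action policy and an export of its own events.

```python
"""Added example: triage promiscuous-mode alerts before an AIP-SSM goes inline.
Alert records below are constructed; field names are simplified, not a Cisco IME export."""
import ipaddress
from collections import defaultdict

# Constructed sample alerts from the profiling period.
SAMPLE_ALERTS = [
    {"sig_id": "2004", "src": "10.1.10.5", "risk": 35},
    {"sig_id": "2004", "src": "10.1.10.6", "risk": 35},
    {"sig_id": "2004", "src": "10.1.10.7", "risk": 35},
    {"sig_id": "5081", "src": "203.0.113.7", "risk": 95},
    {"sig_id": "3030", "src": "10.1.10.5", "risk": 91},
    {"sig_id": "3030", "src": "198.51.100.4", "risk": 91},
]
# Assumed: the critical hosts/networks that must never be blocked.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.1.10.0/24", "10.1.20.0/24")]

def is_trusted(addr):
    """True if addr falls inside one of the never-block networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)

def triage(alerts, deny_threshold=90):
    """Summarise alerts per signature and predict what inline mode would do.
    deny_threshold is an assumed risk-rating cut-off at which the sensor would
    deny the packet once inline; set it to the sensor's real event-action policy."""
    by_sig = defaultdict(lambda: {"total": 0, "trusted_src": 0, "max_risk": 0})
    for a in alerts:
        row = by_sig[a["sig_id"]]
        row["total"] += 1
        row["max_risk"] = max(row["max_risk"], a["risk"])
        row["trusted_src"] += int(is_trusted(a["src"]))
    for row in by_sig.values():
        row["would_block"] = row["max_risk"] >= deny_threshold
        if row["trusted_src"] == row["total"]:
            row["verdict"] = "all hits from trusted hosts: retune or exempt before inline"
        elif row["trusted_src"]:
            row["verdict"] = "mixed sources: exempt trusted hosts, keep the signature"
        else:
            row["verdict"] = "external only: candidate to keep blocking"
    return dict(by_sig)

def inline_risks(report):
    """Signatures that would block a trusted host the moment inline is enabled."""
    return sorted(s for s, r in report.items() if r["would_block"] and r["trusted_src"])

if __name__ == "__main__":
    rep = triage(SAMPLE_ALERTS)
    print("review before inline:", inline_risks(rep))
```

Run it against the sensor's real event export and the real trusted-network list; the "review before inline" set is the list to tune or exempt before flipping the mode.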
 
LVL 4

Author Closing Comment

by:denver218
ID: 40095350
Thanks
