Selective bypass Cisco IPS

Hello,

We're having a pentest exercise done. The team outside is unable to assess our web servers as the Cisco IPS is thwarting their attempts.

Is there a way to keep the IPS running and inspecting traffic, all the while allowing the pentest attempts from a particular IP?

Thank you.
netcmh asked:

Rich Rumble (Security Samurai) commented:
You can make an exception; however, for the pentest to be accurate I don't believe you should turn off the IPS... As a pentester I would never ask my clients to take down a defense unless that is the scenario they wanted to test, meaning an IDS failure. They likely have a static IP; you can make the exception to ignore any traffic from certain IPs and/or ports.
http://www.cisco.com/c/en/us/support/docs/security/ips-4200-series-sensors/13876-f-pos.html#topic3
-rich
netcmh (Author) commented:
Thank you richrumble. I agree. However, the outside team says that they're wasting time trying to evade the IPS, and are not able to spend time actually finding vulnerabilities in the apps.

In order for that exception to work, meaning to allow that IP to bypass the IPS, what should my "Actions to Subtract" be? I would just like an alert come through, but not actually stop the "attack".

Thanks again.
Rich Rumble (Security Samurai) commented:
Then this is not a penetration test, this is a vulnerability scan (they are night and day), a patch management assessment. A pentester has to avoid an IPS if it's in his/her way if they want to get through :) I'm not sure about Cisco's IPS, never used it, I only found the document using my first search terms: https://www.google.com/search?q=cisco+ids+ignore+ip+address
Similarly I searched for "actions to subtract" and found you can use event action overrides too...
Looks like this section: http://www.cisco.com/c/en/us/support/docs/security/intrusion-prevention-system/113575-tune-ips-eaf-00.html#eafs
It looks like you'd uncheck the Produce Alert, but check most everything else... I think, if you're supposed to check the actions you don't want it to do.
-rich
netcmh (Author) commented:
I did that, but the team's efforts were still being blocked. I have all the options except "produce alert" and "log attacker packets" in the "Actions to subtract".
Rich Rumble (Security Samurai) commented:
Then I'd try the opposite for their IP range. I don't know what Cisco was thinking with that interface, it's counter-intuitive I think. If that doesn't work, then Cisco needs to tell you themselves what to do I think. There was another way to make traffic flow, "action overrides":
http://www.cisco.com/c/en/us/support/docs/security-vpn/alarm-notification/116100-trouble-event-action-00.html#anc1
-rich
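The confusion in the thread is about what an event action filter's "actions to subtract" list actually does. The following is an added example, not code from the thread or from Cisco: a small Python model of filter evaluation that starts from a signature's full action set, walks an ordered filter list, removes the listed actions for events whose attacker address matches the filter's range, and honours "stop on match". The action names, the TEST-NET addresses and the signature firing with every action enabled are constructed for the illustration; the model also ignores signature-id and port ranges, which a real filter would additionally match on.

```python
"""Model of event-action-filter semantics (constructed example, not Cisco code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Action names in this model; they mirror the actions named in the thread
# ("produce alert", "log attacker packets") plus the inline deny actions.
ALERT = "produce-alert"
LOG_ATTACKER = "log-attacker-packets"
DENY_PACKET = "deny-packet-inline"
DENY_ATTACKER = "deny-attacker-inline"
DENY_CONNECTION = "deny-connection-inline"
DENY_ACTIONS = frozenset({DENY_PACKET, DENY_ATTACKER, DENY_CONNECTION})
ALL_ACTIONS = DENY_ACTIONS | {ALERT, LOG_ATTACKER}


@dataclass(frozen=True)
class Event:
    attacker: str          # source address that triggered the signature
    actions: frozenset     # actions the signature takes before any filter runs


@dataclass(frozen=True)
class Filter:
    name: str
    attacker_range: str            # CIDR; "0.0.0.0/0" matches any attacker
    actions_to_subtract: frozenset  # the filter's "actions to subtract" list
    stop_on_match: bool = False    # if set, later filters are not evaluated
    enabled: bool = True

    def matches(self, ev: Event) -> bool:
        return self.enabled and ip_address(ev.attacker) in ip_network(self.attacker_range)


def apply_filters(ev: Event, filters) -> frozenset:
    """Return the actions left after every matching filter has subtracted its list."""
    remaining = set(ev.actions)
    for f in filters:
        if not f.matches(ev):
            continue
        remaining -= f.actions_to_subtract
        if f.stop_on_match:
            break
    return frozenset(remaining)


def is_blocked(actions: frozenset) -> bool:
    """Any surviving inline deny action means the traffic is still dropped."""
    return bool(actions & DENY_ACTIONS)


PENTEST_IP = "203.0.113.10"   # constructed tester address (TEST-NET-3)
OTHER_IP = "198.51.100.7"     # constructed ordinary source (TEST-NET-2)

# Subtract only the deny actions for the tester: alert and log survive.
EXEMPT_TESTER = Filter("pentest-exempt", PENTEST_IP + "/32", DENY_ACTIONS)
# The "opposite" configuration: subtract alert and log, leave the denies in place.
SILENCE_TESTER = Filter("pentest-silence", PENTEST_IP + "/32", frozenset({ALERT, LOG_ATTACKER}))
# A broad filter earlier in the list with stop-on-match set shadows anything after it.
CATCH_ALL_STOP = Filter("quiet-all", "0.0.0.0/0", frozenset({LOG_ATTACKER}), stop_on_match=True)


def outcome(filters, attacker: str) -> dict:
    """Summarise whether a full-action signature still blocks and still alerts."""
    ev = Event(attacker, ALL_ACTIONS)  # constructed: signature with every action enabled
    actions = apply_filters(ev, filters)
    return {"blocked": is_blocked(actions), "alerted": ALERT in actions}


if __name__ == "__main__":
    print("exempt, tester:  ", outcome([EXEMPT_TESTER], PENTEST_IP))
    print("exempt, other:   ", outcome([EXEMPT_TESTER], OTHER_IP))
    print("silence, tester: ", outcome([SILENCE_TESTER], PENTEST_IP))
    print("shadowed filter: ", outcome([CATCH_ALL_STOP, EXEMPT_TESTER], PENTEST_IP))
```

Under these semantics the list that leaves alerting on but stops blocking is the one that subtracts the deny actions and nothing else; subtracting alert and log instead silences the tester while still dropping the traffic. The last case shows the ordering pitfall worth checking when a filter looks right but has no effect: an earlier, broader filter with "stop on match" set prevents the tester exemption from ever being evaluated.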