Solved

Selective bypass Cisco IPS

Posted on 2014-08-19
5
Medium Priority
429 Views
Last Modified: 2014-09-04
Hello,

We're having a pentest exercise done. The team outside is unable to assess our web servers as the Cisco IPS is thwarting their attempts.

Is there a way to keep the IPS running and inspecting traffic, all the while allowing the pentest attempts from a particular IP?

Thank you.
0
Comment
Question by:netcmh
5 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40272358
You can make an exception, however, for the pentest to be accurate I don't believe you should turn off the IPS... As a pentester I would never ask my clients to take down a defense unless that is the scenario they wanted to test, meaning an IDS failure. They likely have a static IP; you can make the exception to ignore any traffic from certain IPs and/or ports.
http://www.cisco.com/c/en/us/support/docs/security/ips-4200-series-sensors/13876-f-pos.html#topic3
-rich
0
 
LVL 21

Author Comment

by:netcmh
ID: 40272421
Thank you richrumble. I agree. However, the outside team says that they're wasting time trying to evade the IPS, and are not able to spend time actually finding vulnerabilities in the apps.

In order for that exception to work, meaning to allow that IP to bypass the IPS, what should my "Actions to Subtract" be? I would just like an alert come through, but not actually stop the "attack".

Thanks again.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40272468
Then this is not a penetration test, this is a vulnerability scan (they are night and day), a patch management assessment. A pentester has to avoid an IPS if it's in his/her way if they want to get through :) I'm not sure about Cisco's IPS, never used it, I only found the document using my first search terms: https://www.google.com/search?q=cisco+ids+ignore+ip+address
Similarly I searched for "actions to subtract" and found you can use event action overrides too...
Looks like this section: http://www.cisco.com/c/en/us/support/docs/security/intrusion-prevention-system/113575-tune-ips-eaf-00.html#eafs
It looks like you'd uncheck the Produce Alert, but check most everything else... I think, if you're supposed to check the actions you don't want it to do.
-rich
0
 
LVL 21

Author Comment

by:netcmh
ID: 40276441
I did that, but the team's efforts were still being blocked. I have all the options except "produce alert" and "log attacker packets" in the "Actions to subtract".
0
 
LVL 38

Accepted Solution

by:Rich Rumble (earned 2000 total points)
ID: 40276521
Then I'd try the opposite for their IP range, I don't know what Cisco was thinking with that interface, it's counter-intuitive I think. If that doesn't work, then Cisco needs to tell you themselves what to do I think. There was another way to make traffic flow, "action overrides":
http://www.cisco.com/c/en/us/support/docs/security-vpn/alarm-notification/116100-trouble-event-action-00.html#anc1
-rich
0
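The thread turns on what an event action filter actually does: it matches events by attacker address (and optionally risk rating) and subtracts the actions you list from the event, so an "alert but don't block" exception should subtract the blocking actions and leave the alert alone. The Python model below is an added example written for this page, not code from the thread or from Cisco; it reproduces those documented semantics so the two configurations discussed above can be compared. Action names other than the two the thread mentions ("produce alert", "log attacker packets"), the signature id, the addresses and the address range are assumed or constructed, and the model says nothing about why the asker's filter still blocked on the real sensor.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, Iterable

# Action names modelled on Cisco IPS event actions; only "produce-alert" and
# "log-attacker-packets" appear on the page, the rest are assumed names.
ALERT_ACTIONS = frozenset({"produce-alert", "produce-verbose-alert"})
LOG_ACTIONS = frozenset({"log-attacker-packets", "log-victim-packets", "log-pair-packets"})
BLOCK_ACTIONS = frozenset({
    "deny-packet-inline", "deny-attacker-inline", "deny-connection-inline",
    "deny-attacker-victim-pair-inline", "reset-tcp-connection",
    "request-block-host", "request-block-connection",
})
ALL_ACTIONS = ALERT_ACTIONS | LOG_ACTIONS | BLOCK_ACTIONS


@dataclass(frozen=True)
class Event:
    """One signature firing: who triggered it, how risky, and which actions the signature carries."""
    sig_id: int
    attacker: str
    victim: str
    risk_rating: int
    actions: FrozenSet[str]


@dataclass(frozen=True)
class EventActionFilter:
    """A filter: events that match lose the listed actions (the IDM "Actions to Subtract" box)."""
    name: str
    attacker_range: IPv4Network
    actions_to_subtract: FrozenSet[str]
    min_risk_rating: int = 0
    max_risk_rating: int = 100
    stop_on_match: bool = False

    def matches(self, ev: Event) -> bool:
        return (ip_address(ev.attacker) in self.attacker_range
                and self.min_risk_rating <= ev.risk_rating <= self.max_risk_rating)


def apply_filters(ev: Event, filters: Iterable[EventActionFilter]) -> FrozenSet[str]:
    """Apply filters in order; each matching filter subtracts its actions from the event."""
    remaining = set(ev.actions)
    for f in filters:
        if f.matches(ev):
            remaining -= f.actions_to_subtract
            if f.stop_on_match:
                break
    return frozenset(remaining)


def will_alert(actions: FrozenSet[str]) -> bool:
    return bool(actions & ALERT_ACTIONS)


def will_block(actions: FrozenSet[str]) -> bool:
    return bool(actions & BLOCK_ACTIONS)


def is_alert_only_bypass(f: EventActionFilter) -> bool:
    """Pre-deployment check: the filter must strip every blocking action and keep produce-alert."""
    return BLOCK_ACTIONS <= f.actions_to_subtract and "produce-alert" not in f.actions_to_subtract


def outcome(ev: Event, filters: Iterable[EventActionFilter]) -> dict:
    acts = apply_filters(ev, filters)
    return {"alerts": will_alert(acts), "blocks": will_block(acts), "actions": acts}


# Constructed sample data: a documentation-prefix range for the pentest team and
# a high-risk signature that alerts, logs and blocks by default.
PENTEST_RANGE = ip_network("203.0.113.0/28")
SIG_ACTIONS = frozenset({"produce-alert", "log-attacker-packets",
                         "deny-packet-inline", "deny-attacker-inline"})
PENTEST_EVENT = Event(1000, "203.0.113.7", "10.10.1.20", 95, SIG_ACTIONS)
INTERNET_EVENT = Event(1000, "198.51.100.9", "10.10.1.20", 95, SIG_ACTIONS)

# What the asker describes: everything except produce-alert and log-attacker-packets is subtracted.
ALERT_ONLY_FILTER = EventActionFilter(
    name="pentest-alert-only",
    attacker_range=PENTEST_RANGE,
    actions_to_subtract=ALL_ACTIONS - {"produce-alert", "log-attacker-packets"},
)

# The first reading of "uncheck Produce Alert": subtracting only the alert silences it but still blocks.
SILENCE_ALERT_FILTER = EventActionFilter(
    name="pentest-silence-alert",
    attacker_range=PENTEST_RANGE,
    actions_to_subtract=frozenset({"produce-alert"}),
)

if __name__ == "__main__":
    for name, f in (("alert-only", ALERT_ONLY_FILTER), ("silence-alert", SILENCE_ALERT_FILTER)):
        print(name, "pentest src:", outcome(PENTEST_EVENT, [f]),
              "other src:", outcome(INTERNET_EVENT, [f]), "check:", is_alert_only_bypass(f))
```

Run it and the two filters separate cleanly: the alert-only filter leaves the pentest event with just `produce-alert` and `log-attacker-packets` while an event from any other source keeps its deny actions, and the silence-alert filter does the opposite of what was wanted. The `is_alert_only_bypass` check is the thing to run against a candidate filter before you trust it in front of a live assessment, since the model cannot tell you whether the sensor itself honoured the filter.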
