Cisco ASA 5500 Series Configuration Guide using ASDM, 6.3
Configuring the IPS Application on the AIP SSM and SSC
Configuring the IPS Module

Table Of Contents

Configuring the IPS Module

Information About the IPS Module

How the IPS Module Works with the Adaptive Security Appliance

Operating Modes

Using Virtual Sensors (ASA 5510 and Higher)

Differences Between the Modules

Licensing Requirements for the IPS Module

Guidelines and Limitations

Configuring the IPS Module

IPS Module Task Overview

Configuring the Security Policy on the IPS Module

Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher)

Diverting Traffic to the IPS Module

Feature History for the IPS Module


Configuring the IPS Module


This chapter describes how to configure the IPS application that runs on the following module types:

Security Services Cards (SSCs)

Security Services Modules (SSMs)

Security Services Processors (SSPs)

For a list of supported IPS modules per ASA model, see the Cisco ASA 5500 Series Hardware and Software Compatibility:

http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html

This chapter includes the following sections:

Information About the IPS Module

Licensing Requirements for the IPS Module

Guidelines and Limitations

Configuring the IPS Module

Feature History for the IPS Module

Information About the IPS Module

You can install the IPS module into an ASA 5500 series adaptive security appliance. The IPS module runs advanced IPS software that provides proactive, full-featured intrusion prevention services to stop malicious traffic, including worms and network viruses, before they can affect your network. This section includes the following topics:

How the IPS Module Works with the Adaptive Security Appliance

Operating Modes

Using Virtual Sensors (ASA 5510 and Higher)

Differences Between the Modules

How the IPS Module Works with the Adaptive Security Appliance

The IPS module runs a separate application from the adaptive security appliance. The IPS module does not contain any external interfaces itself (except for the management interface on the SSM only).

Traffic goes through the firewall checks before being forwarded to the IPS module. When you identify traffic for IPS inspection on the adaptive security appliance, traffic flows through the adaptive security appliance and the IPS module in the following way:

a. Traffic enters the adaptive security appliance.

b. Incoming VPN traffic is decrypted.

c. Firewall policies are applied.

d. Traffic is sent to the IPS module over the backplane.

See the "Operating Modes" section for information about sending only a copy of the traffic to the IPS module.

e. The IPS module applies its security policy to the traffic, and takes appropriate actions.

f. Valid traffic is sent back to the adaptive security appliance over the backplane; the IPS module might block some traffic according to its security policy, and that traffic is not passed on.

g. Outgoing VPN traffic is encrypted.

h. Traffic exits the adaptive security appliance.

Figure 55-1 shows the traffic flow when running the IPS module. In this example, the IPS module automatically blocks traffic that it identified as an attack. All other traffic is forwarded through the adaptive security appliance.

Figure 55-1 IPS Module Traffic Flow in the Adaptive Security Appliance

Operating Modes

You can send traffic to the IPS module using one of the following modes:

Inline mode—This mode places the IPS module directly in the traffic flow (see Figure 55-1). No traffic that you identified for IPS inspection can continue through the adaptive security appliance without first passing through, and being inspected by, the IPS module. This mode is the most secure because every packet that you identify for inspection is analyzed before being allowed through. Also, the IPS module can implement a blocking policy on a packet-by-packet basis. This mode, however, can affect throughput.

Promiscuous mode—This mode sends a duplicate stream of traffic to the IPS module. This mode is less secure, but has little impact on traffic throughput. Unlike the inline mode, in promiscuous mode the IPS module can only block traffic by instructing the adaptive security appliance to shun the traffic or by resetting a connection on the adaptive security appliance. Also, while the IPS module is analyzing the traffic, a small amount of traffic might pass through the adaptive security appliance before the IPS module can shun it. Figure 55-2 shows the IPS module in promiscuous mode. In this example, the IPS module sends a shun message to the adaptive security appliance for traffic it identified as a threat.

Figure 55-2 IPS Module Traffic Flow in the Adaptive Security Appliance: Promiscuous Mode

Using Virtual Sensors (ASA 5510 and Higher)

The IPS module running IPS software Version 6.0 and above can run multiple virtual sensors, which means you can configure multiple security policies on the IPS module. You can assign each context or single mode adaptive security appliance to one or more virtual sensors, or you can assign multiple security contexts to the same virtual sensor. See the IPS documentation for more information about virtual sensors, including the maximum number of sensors supported.

Figure 55-3 shows one security context paired with one virtual sensor (in inline mode), while two security contexts share the same virtual sensor.

Figure 55-3 Security Contexts and Virtual Sensors

Figure 55-4 shows a single mode adaptive security appliance paired with multiple virtual sensors (in inline mode); each defined traffic flow goes to a different sensor.

Figure 55-4 Single Mode Security Appliance with Multiple Virtual Sensors

Differences Between the Modules

The IPS module for the ASA 5510 and higher supports higher performance requirements, while the IPS module for the ASA 5505 is designed for a small office installation. The following features are supported for the ASA 5510 and higher, and not for the ASA 5505:

Virtual sensors

Anomaly detection

Unretirement of default retired signatures

Licensing Requirements for the IPS Module

The following table shows the licensing requirements for this feature:

Model: All models
License Requirement: Base License.


The IPS application on the IPS module requires a separate Cisco Services for IPS license in order to support signature updates. All other updates are available without a license.

Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines

The ASA 5505 adaptive security appliance does not support multiple context mode, so multiple context features, such as virtual sensors, are not supported on the AIP SSC.

Firewall Mode Guidelines

Supported in routed and transparent firewall mode.

Model Guidelines

The SSC is supported on the ASA 5505 only. See the "Module Support" section for more information about which models support SSMs.

Configuring the IPS Module

This section describes how to configure IPS for the IPS module and includes the following topics:

IPS Module Task Overview

Configuring the Security Policy on the IPS Module

Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher)

Diverting Traffic to the IPS Module

IPS Module Task Overview

Configuring the IPS module is a process that includes configuration of the IPS software on the IPS module and then configuration of the adaptive security appliance. To configure the IPS module, perform the following steps:


Step 1 On the IPS module, configure the inspection and protection policy, which determines how to inspect traffic and what to do when an intrusion is detected. (ASA 5510 and higher) Configure the inspection and protection policy for each virtual sensor if you want to run the IPS module in multiple sensor mode. See the "Configuring the Security Policy on the IPS Module" section.

Step 2 (ASA 5510 and higher) On the adaptive security appliance in multiple context mode, specify which IPS virtual sensors are available for each context (if you configured virtual sensors). See the "Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher)" section.

Step 3 On the adaptive security appliance, identify traffic to divert to the IPS module. See the "Diverting Traffic to the IPS Module" section.


Configuring the Security Policy on the IPS Module

This section describes how to access the IPS application in the IPS module.


Note See also the "Configuring the SSC Management Interface" section to configure the SSC management interface for ASDM access and other uses.


Detailed Steps


Step 1 To access IDM from ASDM, click Configuration > IPS.

Step 2 You are asked for the IP address or hostname of the IPS module.

If the IPS module is running IPS Version 6.0 or later, ASDM retrieves IDM from the IPS module and displays it as part of the ASDM interface. Enter the IPS module password and click OK.

The IDM panes appear in the ASDM window.

If the IPS module is running an earlier version of IPS software, ASDM displays a link to IDM. Click the link to launch IDM in a new browser window. You need to provide a username and password to access IDM.

If the password to access IDM is lost, you can reset the password using ASDM. See the "Password Troubleshooting" section for more information.

Step 3 Configure the IPS security policy.

(ASA 5510 and higher) If you configure virtual sensors in IPS Version 6.0 or above, you identify one of the sensors as the default. If the ASA 5500 series adaptive security appliance does not specify a virtual sensor name in its configuration, the default sensor is used.

Because the IPS software that runs on the IPS module is beyond the scope of this document, detailed configuration information is available in the IPS documents at the following location:

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/tsd_products_support_series_home.html


What to Do Next

For the adaptive security appliance in multiple context mode, see the "Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher)" section.

For the adaptive security appliance in single context mode, see the "Diverting Traffic to the IPS Module" section.

Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher)

If the adaptive security appliance is in multiple context mode, then you can assign one or more IPS virtual sensors to each context. Then, when you configure the context to send traffic to the IPS module, you can specify a sensor that is assigned to the context; you cannot specify a sensor that you did not assign to the context. If you do not assign any sensors to a context, then the default sensor configured on the IPS module is used. You can assign the same sensor to multiple contexts.


Note You do not need to be in multiple context mode to use virtual sensors; you can be in single mode and use different sensors for different traffic flows.


Prerequisites

For more information about configuring contexts, see the "Configuring a Security Context" section.

Detailed Steps


Step 1 In the ASDM Device List pane, double-click System under the active device IP address.

Step 2 On the Context Management > Security Contexts pane, choose a context that you want to configure, and click Edit.

The Edit Context dialog box appears. For more information about configuring contexts, see the "Configuring a Security Context" section.

Step 3 In the IPS Sensor Allocation area, click Add.

The IPS Sensor Selection dialog box appears.

Step 4 From the Sensor Name drop-down list, choose a sensor name from those configured on the IPS module.

Step 5 (Optional) To assign a mapped name to the sensor, enter a value in the Mapped Sensor Name field.

This sensor name can be used within the context instead of the actual sensor name. If you do not specify a mapped name, the sensor name is used within the context. For security purposes, you might not want the context administrator to know which sensors are being used by the context. Or you might want to genericize the context configuration. For example, if you want all contexts to use sensors called "sensor1" and "sensor2," then you can map the "highsec" and "lowsec" sensors to sensor1 and sensor2 in context A, but map the "medsec" and "lowsec" sensors to sensor1 and sensor2 in context B.

Step 6 Click OK to return to the Edit Context dialog box.

Step 7 (Optional) To set one sensor as the default sensor for this context, from the Default Sensor drop-down list, choose a sensor name.

If you do not specify a sensor name when you configure IPS within the context configuration, the context uses this default sensor. You can only configure one default sensor per context. If you do not specify a sensor as the default, and the context configuration does not include a sensor name, then traffic uses the default sensor on the IPS module.

Step 8 Repeat this procedure for each security context.

Step 9 Change to each context to configure the IPS security policy as described in the "Diverting Traffic to the IPS Module" section.


What to Do Next

Change to each context to configure the IPS security policy as described in the "Diverting Traffic to the IPS Module" section.
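The IPS Sensor Allocation settings from Steps 3 through 7 above correspond, on the CLI, to the `allocate-ips sensor_name [mapped_name] [default]` command in the context definition in the system execution space. The following Python script is an added example and is not part of this guide: it models the sensor name resolution rules this section describes, namely that a name used inside a context must be one allocated to that context (the mapped name, or the real name if no mapping was given), that an unnamed reference uses the context's default sensor, and that a context with no default falls back to the default sensor configured on the IPS module. The context names, sensor names and the configuration excerpt are constructed for the example, and the module's own default sensor is represented by a placeholder string because that name is set on the IPS module, not in the ASA configuration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed system-execution-space config (not from the guide). It mirrors the
# scenario in Step 5: both contexts call their sensors "sensor1" and "sensor2",
# but context A maps them to highsec/lowsec and context B to medsec/lowsec.
# Context C has no sensors allocated at all.
SYSTEM_CONFIG = """\
context A
 allocate-ips highsec sensor1 default
 allocate-ips lowsec sensor2
context B
 allocate-ips medsec sensor1
 allocate-ips lowsec sensor2
context C
"""

# allocate-ips <sensor_name> [<mapped_name>] [default]
ALLOC_RE = re.compile(
    r"^allocate-ips\s+(?P<sensor>\S+)"
    r"(?:\s+(?P<mapped>(?!default(?:\s|$))\S+))?"
    r"(?:\s+(?P<default>default))?$"
)

# Placeholder for the default sensor set on the IPS module itself; that name
# lives in the IPS configuration, not in the ASA configuration.
MODULE_DEFAULT = "<default sensor configured on the IPS module>"


@dataclass
class ContextSensors:
    # name usable inside the context (mapped name, or real name if unmapped) -> real sensor
    allocations: Dict[str, str] = field(default_factory=dict)
    default: Optional[str] = None  # real name of the context's default sensor


def parse_allocations(config: str) -> Dict[str, ContextSensors]:
    """Collect the allocate-ips lines under each 'context' block."""
    contexts: Dict[str, ContextSensors] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("context "):
            current = line.split(None, 1)[1]
            contexts[current] = ContextSensors()
        elif current and raw.startswith(" "):
            m = ALLOC_RE.match(line)
            if m:
                ctx = contexts[current]
                visible = m["mapped"] or m["sensor"]
                ctx.allocations[visible] = m["sensor"]
                if m["default"]:
                    ctx.default = m["sensor"]
        else:
            current = None  # any other top-level command ends the context block
    return contexts


def resolve_sensor(contexts: Dict[str, ContextSensors], context: str,
                   requested: Optional[str]) -> str:
    """Apply the section's rules: a named sensor must be allocated to the
    context; no name -> context default; no context default -> module default."""
    ctx = contexts[context]
    if requested is not None:
        if requested not in ctx.allocations:
            raise ValueError(f"sensor {requested!r} is not allocated to context {context!r}")
        return ctx.allocations[requested]
    return ctx.default or MODULE_DEFAULT


if __name__ == "__main__":
    ctxs = parse_allocations(SYSTEM_CONFIG)
    for name, req in [("A", "sensor1"), ("B", "sensor1"), ("A", None), ("B", None), ("C", None)]:
        print(f"context {name}, requested {req!r} -> {resolve_sensor(ctxs, name, req)}")
```

Because the mapped names hide the real sensor names, the same context configuration (`sensor sensor1`) resolves to `highsec` in context A but to `medsec` in context B, and a context administrator who asks for a sensor that was never allocated gets an error rather than silent fallback.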

Diverting Traffic to the IPS Module

This section describes how to identify traffic to divert from the adaptive security appliance to the IPS module.

Prerequisites

In multiple context mode, perform these steps in each context execution space.

Detailed Steps


Step 1 In the ASDM Device List pane, double-click the context name under the active device IP address > Contexts.

Step 2 Click Configuration > Firewall > Service Policy Rules.

Step 3 You can edit an existing rule or create a new one:

For an existing rule, choose the rule and click Edit.

The Edit Service Policy Rule dialog box appears.

For a new rule, choose Add > Add Service Policy Rule.

The Add Service Policy Rule Wizard - Service Policy dialog box appears. Complete the Service Policy and Traffic Classification Criteria dialog boxes. See the "Adding a Service Policy Rule for Through Traffic" section for more information. Click Next to show the Add Service Policy Rule Wizard - Rule Actions dialog box.

Step 4 Click the Intrusion Prevention tab.

You can also set other feature actions for the same traffic using the other tabs.

Step 5 Check the Enable IPS for this traffic flow check box.

Step 6 In the Mode area, click Inline Mode or Promiscuous Mode.

See the "Operating Modes" section for more details.

Step 7 In the If IPS Card Fails area, click Permit traffic or Close traffic.

The Close traffic option sets the adaptive security appliance to block all traffic if the IPS module is unavailable.

The Permit traffic option sets the adaptive security appliance to allow all traffic through, uninspected, if the IPS module is unavailable.

Step 8 (ASA 5510 and higher) From the IPS Sensor to use drop-down list, choose a virtual sensor name.

If you use virtual sensors, you can specify a sensor name using this option. If you use multiple context mode on the adaptive security appliance, you can only specify sensors that you assigned to the context (see the "Assigning Virtual Sensors to a Security Context (ASA 5510 and Higher)" section). If you do not specify a sensor name, then the traffic uses the default sensor. In multiple context mode, you can specify a default sensor for the context. In single mode or if you do not specify a default sensor in multiple mode, the traffic uses the default sensor that is set on the IPS module.

Step 9 Click OK.
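The choices made in Steps 6 through 8 above (inline or promiscuous mode, the behavior if the IPS module fails, and the virtual sensor) correspond, on the CLI, to the `ips` action under a class in a policy-map: `ips {inline | promiscuous} {fail-close | fail-open} [sensor name]`. The following Python script is an added example and is not part of this guide: it parses a constructed running-config excerpt and reports, for each class that sends traffic to the IPS module, which of the weaker options described in the "Operating Modes" section and in Step 7 are in use (promiscuous mode, permitting traffic when the module is unavailable, and no explicitly named sensor). The policy-map, class, access-list and sensor names in the sample are made up for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt of an ASA running-config (not from the guide). The
# "ips" line under a policy-map class is the CLI form of the ASDM
# Intrusion Prevention tab: mode, fail policy, and optional virtual sensor.
SAMPLE_CONFIG = """\
class-map ips_traffic
 match access-list ips_acl
class-map dmz_web
 match port tcp eq www
policy-map global_policy
 class inspection_default
  inspect dns
 class ips_traffic
  ips inline fail-close sensor sensor1
policy-map dmz_policy
 class dmz_web
  ips promiscuous fail-open
service-policy global_policy global
service-policy dmz_policy interface dmz
"""

# ips {inline | promiscuous} {fail-close | fail-open} [sensor <name>]
IPS_RE = re.compile(
    r"^ips\s+(?P<mode>inline|promiscuous)\s+(?P<fail>fail-close|fail-open)"
    r"(?:\s+sensor\s+(?P<sensor>\S+))?$"
)


@dataclass
class IpsAction:
    policy_map: str
    class_name: str
    mode: str              # "inline" or "promiscuous"
    fail_policy: str       # "fail-close" or "fail-open"
    sensor: Optional[str]  # None: the default sensor (context or module) applies


def parse_ips_actions(config: str) -> List[IpsAction]:
    """Walk policy-map / class blocks and collect every 'ips' action."""
    actions: List[IpsAction] = []
    policy = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw.startswith("policy-map "):
            policy = line.split()[1]
            cls = None
        elif policy and raw.startswith(" class "):
            cls = line.split()[1]
        elif policy and cls:
            m = IPS_RE.match(line)
            if m:
                actions.append(IpsAction(policy, cls, m["mode"], m["fail"], m["sensor"]))
        elif not raw.startswith(" "):
            policy = cls = None  # any other top-level command ends the policy-map


    return actions


def assess(action: IpsAction) -> List[str]:
    """Return the trade-offs the guide attaches to each setting; an empty
    list means inline mode, fail-close, and an explicitly named sensor."""
    notes = []
    if action.mode == "promiscuous":
        notes.append("promiscuous: the IPS module inspects a copy and can only shun or "
                     "reset, so some traffic may pass before it reacts")
    if action.fail_policy == "fail-open":
        notes.append("fail-open: traffic is permitted uninspected if the IPS module is unavailable")
    if action.sensor is None:
        notes.append("no sensor named: the context or module default sensor is used")
    return notes


def audit(config: str) -> Dict[str, List[str]]:
    """Map 'policy-map/class' to the findings for its IPS action."""
    return {f"{a.policy_map}/{a.class_name}": assess(a) for a in parse_ips_actions(config)}


if __name__ == "__main__":
    for key, notes in audit(SAMPLE_CONFIG).items():
        print(key, "OK" if not notes else "")
        for note in notes:
            print("  -", note)
```

Run against the sample, the `global_policy/ips_traffic` class produces no findings, while `dmz_policy/dmz_web` is reported for all three weaker settings; the same parser can be pointed at a `show running-config` capture to check that production policies match what was chosen in ASDM.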


Feature History for the IPS Module

Table 55-1 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.

Table 55-1 Feature History for the IPS Module

Feature Name: AIP SSM
Platform Releases: 7.0(1)
Feature Information: We introduced support for the AIP SSM for the ASA 5510, 5520, and 5540. The following screen was introduced: Configuration > Firewall > Service Policy Rules > Add/Edit Service Policy Rule > Intrusion Prevention.

Feature Name: Virtual sensors (ASA 5510 and higher)
Platform Releases: 8.0(2)
Feature Information: Virtual sensor support was introduced. Virtual sensors let you configure multiple security policies on the IPS module. The following screen was modified: Context Management > Security Contexts > Edit Context.

Feature Name: AIP SSC for the ASA 5505
Platform Releases: 8.2(1)
Feature Information: We introduced support for the AIP SSC for the ASA 5505. The following screen was introduced: Configuration > Device Setup > SSC Setup.

Feature Name: Support for the IPS SSP-10, -20, -40, and -60 for the ASA 5585-X
Platform Releases: 8.2(4.4)
Feature Information: We introduced support for the IPS SSP-10, -20, -40, and -60 for the ASA 5585-X. You can only install the IPS SSP with a matching-level SSP; for example, SSP-10 and IPS SSP-10.
Note The ASA 5585-X is not supported in Version 8.3.
The following screen was modified: Configuration > Device Setup > Interfaces > Edit Interface.