Cisco ASA 5500 Getting Started Guide, 8.0
Configuring the AIP SSM
Download this chapter
Configuring the AIP SSMConfiguring the AIP SSM
Download the complete book
Full Book PDF--Cisco ASA 5500 Getting Started Guide, 8.0Full Book PDF--Cisco ASA 5500 Getting Started Guide, 8.0 (PDF - 5 MB)
give_us_feedback

Table Of Contents

Configuring the AIP SSM

Understanding the AIP SSM

How the AIP SSM Works with the Adaptive Security Appliance

Operating Modes

Using Virtual Sensors

Configuring the AIP SSM

AIP SSM Procedure Overview

Sessioning to the AIP SSM

Configuring the Security Policy on the AIP SSM

Assigning Virtual Sensors to Security Contexts

Diverting Traffic to the AIP SSM

What to Do Next


Configuring the AIP SSM

The optional AIP SSM runs advanced IPS software that provides further security inspection either in inline mode or promiscuous mode. The adaptive security appliance diverts packets to the AIP SSM just before the packet exits the egress interface (or before VPN encryption occurs, if configured) and after other firewall policies are applied. For example, packets that are blocked by an access list are not forwarded to the AIP SSM.

If you purchased an AIP SSM, use the procedures in this chapter to:

Configure the adaptive security appliance to identify traffic to be diverted to the AIP SSM

Session in to the AIP SSM and run setup

Note The AIP SSM is supported in ASA software versions 7.0(1) and later.

You can install the AIP SSM into an ASA 5500 series adaptive security appliance. The AIP SSM runs advanced IPS software that provides proactive, full-featured intrusion prevention services to stop malicious traffic, including worms and network viruses, before they can affect your network. This chapter includes the following sections:

How the AIP SSM Works with the Adaptive Security Appliance

Configuring the AIP SSM

What to Do Next

Understanding the AIP SSM

This section includes the following topics:

How the AIP SSM Works with the Adaptive Security Appliance

Operating Modes

Using Virtual Sensors

How the AIP SSM Works with the Adaptive Security Appliance

The AIP SSM runs a separate application from the adaptive security appliance. It is, however, integrated into the adaptive security appliance traffic flow. The AIP SSM does not contain any external interfaces itself, other than a management interface. When you identify traffic for IPS inspection on the adaptive security appliance, traffic flows through the adaptive security appliance and the AIP SSM in the following way:

1. Traffic enters the adaptive security appliance.

2. Firewall policies are applied.

3. Traffic is sent to the AIP SSM over the backplane.

See the "Operating Modes" section for information about only sending a copy of the traffic to the AIP SSM.

4. The AIP SSM applies its security policy to the traffic, and takes appropriate actions.

5. Valid traffic is sent back to the adaptive security appliance over the backplane; the AIP SSM might block some traffic according to its security policy, and that traffic is not passed on.

6. VPN policies are applied (if configured).

7. Traffic exits the adaptive security appliance.

Figure 13-1 shows the traffic flow when running the AIP SSM in inline mode. In this example, the AIP SSM automatically blocks traffic that it identified as an attack. All other traffic is forwarded through the adaptive security appliance.

Figure 13-1 AIP SSM Traffic Flow in the Adaptive Security Appliance: Inline Mode

Operating Modes

You can send traffic to the AIP SSM using one of the following modes:

Inline mode—This mode places the AIP SSM directly in the traffic flow (see Figure 13-1). No traffic that you identified for IPS inspection can continue through the adaptive adaptive security appliance without first passing through, and being inspected by, the AIP SSM. This mode is the most secure because every packet that you identify for inspection is analyzed before being allowed through. Also, the AIP SSM can implement a blocking policy on a packet-by-packet basis. This mode, however, can affect throughput.

Promiscuous mode—This mode sends a duplicate stream of traffic to the AIP SSM. This mode is less secure, but has little impact on traffic throughput. Unlike the inline mode, in promiscuous mode the AIP SSM can only block traffic by instructing the adaptive adaptive security appliance to shun the traffic or by resetting a connection on the adaptive adaptive security appliance. Also, while the AIP SSM is analyzing the traffic, a small amount of traffic might pass through the adaptive adaptive security appliance before the AIP SSM can shun it. Figure 13-2 shows the AIP SSM in promiscuous mode. In this example, the AIP SSM sends a shun message to the adaptive security appliance for traffic it identified as a threat.

Figure 13-2 AIP SSM Traffic Flow in the Adaptive Security Appliance: Promiscuous Mode

Using Virtual Sensors

The AIP SSM running IPS software Version 6.0 and above can run multiple virtual sensors, which means you can configure multiple security policies on the AIP SSM. You can assign each context or single mode adaptive security appliance to one or more virtual sensors, or you can assign multiple security contexts to the same virtual sensor. See the IPS documentation for more information about virtual sensors, including the maximum number of sensors supported.

Figure 13-3 shows one security context paired with one virtual sensor (in inline mode), while two security contexts share the same virtual sensor.

Figure 13-3 Security Contexts and Virtual Sensors

Figure 13-4 shows a single mode adaptive security appliance paired with multiple virtual sensors (in inline mode); each defined traffic flow goes to a different sensor.

Figure 13-4 Single Mode Security Appliance with Multiple Virtual Sensors

Configuring the AIP SSM

This section includes the following topics:

AIP SSM Procedure Overview

Sessioning to the AIP SSM

Configuring the Security Policy on the AIP SSM

Assigning Virtual Sensors to Security Contexts

Diverting Traffic to the AIP SSM

AIP SSM Procedure Overview

Configuring the AIP SSM is a process that includes configuration of the AIP SSM and then configuration of the ASA 5500 series adaptive security appliance:

1. Session to the AIP SSM from the adaptive security appliance. See the "Sessioning to the AIP SSM" section.

2. On the AIP SSM, configure the inspection and protection policy, which determines how to inspect traffic and what to do when an intrusion is detected. Configure the inspection and protection policy for each virtual sensor if you want to run the AIP SSM in multiple sensor mode. See the "Configuring the Security Policy on the AIP SSM" section.

3. On the ASA 5500 series adaptive security appliance in multiple context mode, specify which IPS virtual sensors are available for each context (if you configured virtual sensors). See the "Assigning Virtual Sensors to Security Contexts" section.

4. On the ASA 5500 series adaptive security appliance, identify traffic to divert to the AIP SSM. See the "Diverting Traffic to the AIP SSM" section.

Sessioning to the AIP SSM

To begin configuring the AIP SSM, session to the AIP SSM from the adaptive adaptive security appliance. (You can alternatively connect directly to the AIP SSM management interface using SSH or Telnet.)

To session to the AIP SSM from the adaptive adaptive security appliance, perform the following steps:

Step 1 To session from the ASA 5500 series adaptive security appliance to the AIP SSM, enter the following command: 

hostname# session 1


Opening command session with slot 1.

Connected to slot 1. Escape character sequence is 'CTRL-^X'.

Step 2 Enter the username and password. The default username and password is "cisco."

Note The first time you log in to the AIP SSM, you are prompted to change the default password. Passwords must be at least eight characters long and not a word in the dictionary. 

login: cisco

Password:

Last login: Fri Sep  2 06:21:20 from xxx.xxx.xxx.xxx

***NOTICE***

This product contains cryptographic features and is subject to United 
States

and local country laws governing import, export, transfer and use. 
Delivery

of Cisco cryptographic products does not imply third-party authority 
to import,

export, distribute or use encryption. Importers, exporters, 
distributors and

users are responsible for compliance with U.S. and local country laws. 
By using

this product you agree to comply with applicable laws and regulations. 
If you

are unable to comply with U.S. and local laws, return this product 
immediately.


A summary of U.S. laws governing Cisco cryptographic products may be 
found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html


If you require further assistance please contact us by sending email 
to

export@cisco.com.


***LICENSE NOTICE***

There is no license key installed on the system.

Please go to http://www.cisco.com/go/license

to obtain a new license or install a license.

AIP SSM#

Note If you see the preceding license notice (which displays only in some versions of software), you can ignore the message until you need to upgrade the signature files on the AIP SSM. The AIP SSM continues to operate at the current signature level until a valid license key is installed. You can install the license key at a later time. The license key does not affect the current functionality of the AIP SSM.

Configuring the Security Policy on the AIP SSM

On the AIP SSM, to configure the inspection and protection policy, which determines how to inspect traffic and what to do when an intrusion is detected, perform the following steps. To session from the adaptive security appliance to the AIP SSM, see the "Sessioning to the AIP SSM" section.

Step 1 To run the setup utility for initial configuration of the AIP SSM, enter the following command: 

sensor# setup

Step 2 Configure the IPS security policy. If you configure virtual sensors in IPS Version 6.0 or above, you identify one of the sensors as the default. If the ASA 5500 series adaptive adaptive security appliance does not specify a virtual sensor name in its configuration, the default sensor is used.

Because the IPS software that runs on the AIP SSM is beyond the scope of this document, detailed configuration information is available in the following documents:

Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface

Command Reference for Cisco Intrusion Prevention System

Step 3 When you are done configuring the AIP SSM, exit the IPS software by entering the following command: 

sensor# exit

If you sessioned to the AIP SSM from the adaptive security appliance, you return to the adaptive security appliance prompt.

Assigning Virtual Sensors to Security Contexts

If the adaptive security appliance is in multiple context mode, then you can assign one or more IPS virtual sensors to each context. Then, when you configure the context to send traffic to the AIP SSM, you can specify a sensor that is assigned to the context; you cannot specify a sensor that you did not assign to the context. If you do not assign any sensors to a context, then the default sensor configured on the AIP SSM is used. You can assign the same sensor to multiple contexts.

Note You do not need to be in multiple context mode to use virtual sensors; you can be in single mode and use different sensors for different traffic flows.

To assign one or more sensors to a security context, perform the following steps:

Step 1 To enter context configuration mode, enter the following command in the system execution space: 

hostname(config)# context name

hostname(config-ctx)#

Step 2 To assign a virtual sensor to the context, enter the following command: 

hostname(config-ctx)# allocate-ips sensor_name [mapped_name] [default]

Enter this command for each sensor you want to assign to the context.

The sensor _name argument is the sensor name configured on the AIP SSM. To view the sensors that are configured on the AIP SSM, enter allocate-ips ?. All available sensors are listed. You can also enter the show ips command. In the system execution space, the show ips command lists all available sensors; if you enter it in the context, it shows the sensors you already assigned to the context. If you specify a sensor name that does not yet exist on the AIP SSM, you get an error, but the allocate-ips command is entered as is. Until you create a sensor of that name on the AIP SSM, the context assumes the sensor is down.

Use the mapped_name argument as an alias for the sensor name that can be used within the context instead of the actual sensor name. If you do not specify a mapped name, the sensor name is used within the context. For security purposes, you might not want the context administrator to know which sensors are being used by the context. Or you might want to genericize the context configuration. For example, if you want all contexts to use sensors called "sensor1" and "sensor2," then you can map the "highsec" and "lowsec" senors to sensor1 and sensor2 in context A, but map the "medsec" and "lowsec" sensors to sensor1 and sensor2 in context B.

The default keyword sets one sensor per context as the default sensor; if the context configuration does not specify a sensor name, the context uses this default sensor. You can only configure one default sensor per context. If you want to change the default sensor, enter the no allocate-ips sensor_name command to remove the current default sensor before you allocate a new default sensor. If you do not specify a sensor as the default, and the context configuration does not include a sensor name, then traffic uses the default sensor on the AIP SSM.

Step 3 Repeat Step 1 and Step 2 for each context.

Step 4 To configure the context IPS policy, change to the context execution space using the following command: 

hostname(config-ctx)# changeto context context_name

where the context_name argument is the name of the context you want to configure. Change to each context to configure the IPS security policy as described in "Diverting Traffic to the AIP SSM" section.

The following example assigns sensor1 and sensor2 to context A, and sensor1 and sensor3 to context B. Both contexts map the sensor names to "ips1" and "ips2." In context A, sensor1 is set as the default sensor, but in context B, no default is set so the default that is configured on the AIP SSM is used. 

hostname(config-ctx)# context A

hostname(config-ctx)# allocate-interface gigabitethernet0/0.100 int1

hostname(config-ctx)# allocate-interface gigabitethernet0/0.102 int2

hostname(config-ctx)# allocate-interface 
gigabitethernet0/0.110-gigabitethernet0/0.115 int3-int8

hostname(config-ctx)# allocate-ips sensor1 ips1 default

hostname(config-ctx)# allocate-ips sensor2 ips2

hostname(config-ctx)# config-url 
ftp://user1:passw0rd@10.1.1.1/configlets/test.cfg

hostname(config-ctx)# member gold


hostname(config-ctx)# context sample

hostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int1

hostname(config-ctx)# allocate-interface gigabitethernet0/1.212 int2

hostname(config-ctx)# allocate-interface 
gigabitethernet0/1.230-gigabitethernet0/1.235 int3-int8

hostname(config-ctx)# allocate-ips sensor1 ips1

hostname(config-ctx)# allocate-ips sensor3 ips2

hostname(config-ctx)# config-url 
ftp://user1:passw0rd@10.1.1.1/configlets/sample.cfg

hostname(config-ctx)# member silver


hostname(config-ctx)# changeto context A

...

Diverting Traffic to the AIP SSM

To identify traffic to divert from the adaptive adaptive security appliance to the AIP SSM, perform the following steps. In multiple context mode, perform these steps in each context execution space.

Step 1 To identify the traffic that you want to be inspected by the AIP SSM, add one or more class maps using the class-map command.

For example, you can match all traffic using the following commands: 

hostname(config)# class-map IPS

hostname(config-cmap)# match any

To match specific traffic, you can match an access list: 

hostname(config)# access list IPS extended permit ip any 10.1.1.1 
255.255.255.255

hostname(config)# class-map IPS

hostname(config-cmap)# match access-list IPS

Step 2 To add or edit a policy map that sets the action to divert traffic to the AIP SSM, enter the following commands: 

hostname(config)# policy-map name

hostname(config-pmap)# class class_map_name

hostname(config-pmap-c)#

where the class_map_name is the class map from Step 1.

For example: 

hostname(config)# policy-map IPS

hostname(config-pmap)# class IPS

Step 3 To divert the traffic to the AIP SSM, enter the following command: 

hostname(config-pmap-c)# ips {inline | promiscuous} {fail-close | 
fail-open} [sensor {sensor_name | mapped_name}]

where the inline and promiscuous keywords control the operating mode of the AIP SSM. See the "Operating Modes" section for more details.

The fail-close keyword sets the adaptive security appliance to block all traffic if the AIP SSM is unavailable.

The fail-open keyword sets the adaptive security appliance to allow all traffic through, uninspected, if the AIP SSM is unavailable.

If you use virtual sensors on the AIP SSM, you can specify a sensor name using the sensor sensor_name argument. To see available sensor names, enter the ips ... sensor ? command. Available sensors are listed. You can also use the show ips command. If you use multiple context mode on the adaptive security appliance, you can only specify sensors that you assigned to the context (see the "Assigning Virtual Sensors to Security Contexts" section). Use the mapped_name if configured in the context. If you do not specify a sensor name, then the traffic uses the default sensor. In multiple context mode, you can specify a default sensor for the context. In single mode or if you do not specify a default sensor in multiple mode, the traffic uses the default sensor that is set on the AIP SSM. If you enter a name that does not yet exist on the AIP SSM, you get an error, and the command is rejected.

Step 4 (Optional) To divert another class of traffic to the AIP SSM, and set the IPS policy, enter the following commands: 

hostname(config-pmap-c)# class class_map_name2

hostname(config-pmap-c)# ips {inline | promiscuous} {fail-close | 
fail-open} [sensor sensor_name]

where the class_map_name2 argument is the name of a separate class map on which you want to perform IPS inspection. See Step 3 for information about the command options.

Traffic cannot match more than one class map for the same action type; so if you want network A to go to sensorA, but want all other traffic to go to sensorB, then you need to enter the class command for network A before you enter the class command for all traffic; otherwise all traffic (including network A) will match the first class command, and will be sent to sensorB.

Step 5 To activate the policy map on one or more interfaces, enter the following command: 

hostname(config-pmap-c)# service-policy policy_map_name [global | 
interface interface_ID]

hostname

where policy_map_name is the policy map you configured in Step 2. To apply the policy map to traffic on all the interfaces, use the global keyword. To apply the policy map to traffic on a specific interface, use the interface interface_ID option, where interface_ID is the name assigned to the interface with the nameif command.

Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.

The following example diverts all IP traffic to the AIP SSM in promiscuous mode, and blocks all IP traffic if the AIP SSM card fails for any reason: 

hostname(config)# access-list IPS permit ip any any

hostname(config)# class-map my-ips-class

hostname(config-cmap)# match access-list IPS

hostname(config-cmap)# policy-map my-ips-policy

hostname(config-pmap)# class my-ips-class

hostname(config-pmap-c)# ips promiscuous fail-close

hostname(config-pmap-c)# service-policy my-ips-policy global

The following example diverts all IP traffic destined for the 10.1.1.0 network and the 10.2.1.0 network to the AIP SSM in inline mode, and allows all traffic through if the AIP SSM card fails for any reason. For the my-ips-class traffic, sensor1 is used; for the my-ips-class2 traffic, sensor2 is used. 

hostname(config)# access-list my-ips-acl permit ip any 10.1.1.0 
255.255.255.0

hostname(config)# access-list my-ips-acl2 permit ip any 10.2.1.0 
255.255.255.0

hostname(config)# class-map my-ips-class

hostname(config-cmap)# match access-list my-ips-acl

hostname(config)# class-map my-ips-class2

hostname(config-cmap)# match access-list my-ips-acl2

hostname(config-cmap)# policy-map my-ips-policy

hostname(config-pmap)# class my-ips-class

hostname(config-pmap-c)# ips inline fail-open sensor sensor1

hostname(config-pmap)# class my-ips-class2

hostname(config-pmap-c)# ips inline fail-open sensor sensor2

hostname(config-pmap-c)# service-policy my-ips-policy interface 
outside

What to Do Next

You are now ready to configure the adaptive security appliance for intrusion prevention. Use the following documents to continue configuring the adaptive security appliance for your implementation.

To Do This ...
See ...

Configure the IPS sensor

Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface

Cisco Intrusion Prevention System Command Reference

Optimize performance by creating more efficient service policies

"Managing AIP SSM and CSC SSM" in Cisco Security Appliance Command Line Configuration Guide


After you have configured the IPS sensory and AIP SSM software, you may want to consider performing some of the following additional steps:

To Do This ...
See ...

Refine configuration and configure optional and advanced features

Cisco Security Appliance Command Line Configuration Guide

Learn about daily operations

Cisco Security Appliance Command Reference

Cisco Security Appliance Logging Configuration and System Log Messages

Review hardware maintenance and troubleshooting information

Cisco ASA 5500 Series Hardware Installation Guide


You can configure the adaptive security appliance for more than one application. The following sections provide configuration procedures for other common applications of the adaptive security appliance.

To Do This ...
See ...

Configure protection of a DMZ web server

Chapter 1, "Scenario: DMZ Configuration"

Configure a remote-access VPN

Chapter 1, "Scenario: IPsec Remote-Access VPN Configuration"

Configure remote-access SSL connection for software clients

Chapter 1, "Scenario: Configuring Connections for a Cisco AnyConnect VPN Client"

Configure SSL connections for browser-based remote access

Chapter 1, "Scenario: SSL VPN Clientless Connections"

Configure a site-to-site VPN

Chapter 1, "Scenario: Site-to-Site VPN Configuration"