AIP SSM and virtual sensors
I have just installed an AIP SSM module in an ASA 5520 with a single security context.
Do I need to configure virtual sensors in this case, or can I use the default VS0? The IPS documentation says, about the default virtual sensor (VS0), which is the only virtual sensor I have: "You cannot change the signature definition, event action rules or anomaly detection policies."
Can someone clarify what this means? It somewhat restricts the usefulness of the IPS if I do not set up a separate VS, doesn't it?
Thank you very much.
A single virtual sensor vs0 is perfectly fine, especially when there is only a single security context to monitor.
The statement that you cannot change the signature definition, event action rules or anomaly detection policies can be a little misleading.
What it is trying to say is that you cannot create ad1, rules1 and sig1, or any new policies, and try to apply them to vs0. The default vs0 must use sig0, rules0 and ad0.
If you create a new vs1, then you can apply new policies such as sig1, rules1 and ad1 to that new vs1.
This does NOT mean that you cannot make configuration changes within sig0, rules0 and ad0.
So feel free to make configuration changes to sig0, rules0 and ad0 to fine-tune how your vs0 should handle the traffic.
It is just the names of the policies that cannot be changed when you use vs0.
Tags: Cisco Security
Similar Questions
-
AIP-SSM clock question
We have configured our AIP-SSM and synchronized it with our NTP servers. show clock shows the correct time in the CLI:
sensor# show clock
16:42:35 GMT+05:30 Sunday, March 28, 2010
sensor# show clock detail
16:53:25 GMT+05:30 Sunday, March 28, 2010
Time source is NTP
But the time shown in the "last update" tab is UTC. In my case the logs are also stamped with UTC time only. I have set the time zone correctly.
Do I need to configure something else to get the timestamps in the event log updated?
In the second version of the IPS, a new column has been added for "sensor time" in the event viewer.
-
Do I need two AIP-SSM modules if I am configuring failover?
Is it possible to use a single AIP-SSM module in two ASAs that are configured in active/standby?
I would like to configure the module in the first ASA along with the failover configuration. Then, if the first ASA fails, I could physically remove the AIP-SSM module and place it in the second ASA.
Would there be problems configuring it this way?
Would the active/standby ASAs complain that there is only one AIP-SSM module?
Thanks in advance.
Hello
You must have an AIP-SSM in both ASAs in order to be able to run failover; without it, failover will not come up (because of the hardware mismatch).
Kind regards
Julio
-
AIP-SSM re-image on the secondary ASA 5500 (failover) with virtual contexts
Hello guys,
The scenario is as follows:
2 ASA 5500 with virtual contexts for failover.
The primary ASA has its AIP-SSM20 working.
The secondary ASA (which is in active/standby) has its AIP-SSM20 working now and everything is in production.
Someone tried to configure this 2nd AIP-SSM, changed the password and lost it, so I tried to re-image it (password recovery is not allowed), but the connection to the TFTP server where the AIP-SSM image is located fails.
Now the questions: the Cisco re-imaging documentation shows the commands under ASA#,
but as this scenario has several virtual contexts, the ASA# shell has no IP address, as you know (which I suppose is the reason the ASA cannot download the image from the TFTP server), and if I switch to another context (ASA/admin#) the re-imaging commands do not work (hw-module module 1 ... etc.).
What is the solution? Is there documentation for this (with security contexts)?
Thank you very much for reading ;) please comment on possible solutions.
Yes,
Some things to keep in mind.
(1) Run 'debug module-boot' on the ASA before running the command 'hw-module module 1 recover boot'. This will show you the ROMMON output of the SSM as it tries to load the new image, and you can look for any errors.
(2) Before trying the download from the SSM, first do a tftp download from a separate machine to your laptop. This will ensure the TFTP server on your laptop works and confirm which directory (if any) you can use as the file location.
(3) If the tftp download does not work from the SSM, then the SSM is unable to properly connect to your laptop. You need a crossover cable to connect your laptop to the SSM. If you do not have a crossover cable, then you could try connecting the SSM and your laptop to a small hub, or configure a new vlan on your switch with only 2 ports and connect the SSM and your laptop to this 2-port vlan.
(4) Also try the download first with the gateway set to 0.0.0.0, since your laptop and the SSM will be on the same subnet. If this does not work, then you can try a non-existent address such as 30.0.0.4 as the gateway.
(5) Understand that the IP address you specify for the SSM with the 'hw-module module 1 recover configure' command is only temporary, for the download. Once an image is installed, log in to the module and run the 'setup' command in order to configure the permanent address you want on the external port of the SSM. This address in the 'setup' command can be the same as the one used in the 'hw-module module 1 recover configure' command or a completely new one (as in your case). Just make sure that you connect the port to the network that matches the address you give.
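Step (2) of the answer above is the one that catches most people: confirm the TFTP server actually serves the image before blaming the SSM. The script below is an added example (not from the thread or from Cisco): it sends a single RFC 1350 read request and classifies the server's first reply as DATA (file is being served), ERROR (file missing or not readable) or TIMEOUT (no UDP path between you and the server). The host address and image file name in the usage line are hypothetical placeholders.

```python
"""Pre-flight a TFTP server before `hw-module module 1 recover boot`: send a
read request for the image and report whether the server answers with DATA
(file served), ERROR (file missing / access denied) or nothing at all.
Added example, not part of the original thread."""
import socket
import struct
from typing import Optional, Tuple

OP_RRQ, OP_DATA, OP_ERROR = 1, 3, 5


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """RFC 1350 read request: opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def parse_reply(pkt: bytes) -> Tuple[str, int, object]:
    """Classify the server's first reply to an RRQ."""
    if len(pkt) < 4:
        raise ValueError("TFTP packet shorter than 4 bytes")
    opcode, second = struct.unpack("!HH", pkt[:4])
    if opcode == OP_DATA:
        return ("DATA", second, pkt[4:])            # second = block number
    if opcode == OP_ERROR:
        msg = pkt[4:].split(b"\x00", 1)[0].decode(errors="replace")
        return ("ERROR", second, msg)               # second = error code
    return ("UNKNOWN", opcode, pkt[2:])


def probe_tftp(host: str, filename: str, port: int = 69,
               timeout: float = 3.0) -> Tuple[str, Optional[int], object]:
    """Send one RRQ, classify the answer, then abort the transfer politely."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_rrq(filename), (host, port))
        data, peer = sock.recvfrom(1024)
        kind, code, payload = parse_reply(data)
        if kind == "DATA":
            # The server has opened the file; tell its transfer TID to stop so
            # it does not keep retransmitting block 1 after we close.
            sock.sendto(struct.pack("!HH", OP_ERROR, 0) + b"probe complete\x00", peer)
            return (kind, code, len(payload))
        return (kind, code, payload)
    except socket.timeout:
        return ("TIMEOUT", None, None)
    finally:
        sock.close()


if __name__ == "__main__":
    # Hypothetical laptop address and image file name; substitute your own.
    print(probe_tftp("192.168.1.10", "aip-ssm-image.img"))
```

Run it from the laptop itself first (against 127.0.0.1) to validate the server and directory, then from a host on the SSM's subnet; a TIMEOUT in the second case points at the cabling or VLAN issue described in step (3), not at the SSM.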
-
Cisco ACE IPS and Cisco ASA AIP-SSM (IPS)
Is there a difference between the features offered by the Cisco ACE IPS and the Cisco ASA AIP-SSM (IPS) devices?
Can we do without the Cisco ASA AIP-SSM (IPS) by 'only' configuring/implementing the Cisco ACE IPS?
Cisco AVS/ACE focuses on delivering and securing web-based applications. IPS does not focus only on web applications and tries to cover multiple layers of the OSI stack. Consider the IPS as a general practitioner and the ACE/AVS as an eye surgeon, or something like that :)
Here is the response from Cisco itself:
Q. How does the Cisco AVS Application Firewall differ from an intrusion prevention system (IPS)?
A. IPSs are solid solutions for protection against targeted attacks on known vulnerabilities in major platforms such as Windows, Solaris, Apache or Microsoft Internet Information Services (IIS). Cisco AVS excels at protecting against targeted attacks on Web sites or enterprise applications. These applications can be custom-built internal applications or vendor software. Signatures and security patches are generally not available for these types of applications, and building these security layers into each application would be almost impossible.
Q. How does the Cisco AVS Application Firewall differ from a network firewall?
A. The Cisco AVS 3120 and network firewalls such as the Cisco PIX® Firewall and the Cisco ASA 5500 Series Adaptive Security Appliances are complementary products. The Cisco AVS Application Firewall secures Web applications; the network firewall excels at network security, and the Cisco AVS provides defense in depth for Web applications.
Network firewalls apply policy to networks, IP addresses and ports; they have a wide range of application-layer features for many different protocols. Firewalls can and will be deployed in many locations, including the edge, the enterprise network edge, branches, etc. Cisco AVS enforces policy on HTTP data such as URLs, headers and parameters. Cisco AVS is deployed in the data center in front of Web applications.
Regards
Farrukh
-
New deployment with ASA and AIP-SSM module
Hi guys and girls,
I am thinking of deploying an ASA with an AIP-SSM IPS module at my perimeter. I am going to use Cisco IPS Manager Express (IME) to monitor the IPS and to monitor the ASA. I have no plans to deploy an IDS device.
Question: Is IME designed to send notifications about threats? What are some of the configurations in your networks? (Just curious with the last question.)
Thx...
IME is designed only for IPS monitoring (whether it is an IPS appliance, an AIP-SSM module on an ASA or another IPS module). IME is not able to monitor the ASA.
IME can provide notifications by email about events which fire on the IPS, while the IPS itself cannot. IME can also keep all the events triggered by the IPS, whereas the IPS buffer is small enough that, if you have a huge number of events, the buffer gets overwritten pretty quickly.
Here is more information about IME, if you are interested:
-
ASA5510 and AIP-SSM-10 module in promiscuous mode
Hello
I have an ASA 5510 with the AIP-SSM-10 and want to use it just as an IDS in promiscuous mode.
ASA 5510: ASA version 7.0(8)
AIP-SSM-10: IPS version 5,0000 E2
At this point, we would like to configure a single ASA interface to send traffic to the AIP for IDS inspection (and continue to use our existing third-party firewalls). Is this possible?
The following discussion suggests that it isn't:
https://supportforums.Cisco.com/message/957351
I have 22.1.100.2/28 configured on interface Eth0/0 (outside) and 10.5.100.3/24 on the AIP-SSM management interface, and the switchports (Cisco 6509) have been configured for SPAN.
Thanks for your advice in advance.
Kind regards
Lay
You are right. Unfortunately, the AIP module on the ASA firewall does not listen to SPAN traffic. If you want to use SPAN ports, then you can use the IPS appliance (IPS 4200 series), which supports inspecting SPAN traffic.
PIX is also a firewall, not an IPS feature, and cannot be used as an IPS device.
-
Question on the CSC-SSM and AIP-SSM modules in the ASA5500
Is it true that the CSC-SSM and AIP-SSM modules cannot coexist in an ASA5500 device at the same time?
Another question: on the Cisco site, using the command with the keyword intra-interface implies NO IPSEC TRAFFIC; is there a config example for that?
It is true that the CSC-SSM and AIP-SSM modules cannot coexist in an ASA5500 device at the same time.
There is no sample configuration on the site yet. However, apart from the same-security check, you need the ordinary translation rule to pass traffic. Also, because of its dynamic nature, it allows only one-way traffic. For example:
nat (inside) 10 192.168.1.0 255.255.255.0
global (inside) 10 interface
global (outside) 10 interface   (not required, however)
Sincerely,
~ AJ
-
What are the differences between the IPS, AIP-SSC and AIP-SSM?
Dear all,
I'm not clear about the IPS, AIP-SSC and AIP-SSM module; how are they different?
Then, when can we use the IPS?
When do we use the AIP-SSC?
When can we use the AIP-SSM?
So, are the IPS, AIP-SSC and AIP-SSM different hardware or the same hardware?
Best regards
Rechard
AIP-SSM is an IPS module for the ASA firewall.
IPS is available in different flavors:
- IPS 4200 series appliance
- AIP-SSM - IPS module for the ASA firewall
- IDSM2 - IPS module for the 6500 series switch
- AIM-IPS - IPS card for IOS routers
Please rate and mark post useful.
-
Windows NTP server and AIP-SSM
We use a Windows-based server as the NTP server. But I need the NTP key to configure NTP on the AIP-SSM, the key ID and the NTP key value. How do you find this information or bypass it? Or is it possible to set the clock without using an NTP server? I disabled the NTP service, hoping that it would use the firewall clock, but it didn't.
Kind regards
Your offset must be -360.
The offset is in minutes rather than hours. Right now you are saying that CDT is only 6 MINUTES from GMT, when what you want is -6 HOURS, i.e. -360 minutes.
offset -360
-
I have an ASA5520 with AIP-SSM-10, and I want to send messages from the IPS sensor to an external syslog server. I'm not able to find how to configure it.
Thank you for any hint.
As of now, SSM modules cannot be configured to send events as syslogs to a syslog server. You can send these events to the event viewer or Security Monitor.
Kind regards
Maryse.
-
Automatic update of AIP-SSM-10 and ASA 5510 (Beginner)
I see that it is possible to automate the updates of the ASA 5510 and AIP-SSM via FTP from my own server. Is it possible to automate the download directly from Cisco.com?
Thank you!
Jeremy
Jeremy, the answer to your question is correct, as far as the Cisco products are concerned. So I wrote a PERL app that does exactly that, and I published an article about it in the June 2007 issue of Sys Admin magazine. Here's the article online: http://www.samag.com/documents/s=10128/sam0706a/0706a.htm
It is also on my site, with a tar of the scripts:
http://www.LHB-consulting.com/pages/apps/index.html
Good luck.
-Lisa
-
Hardware and signature support for the AIP-SSM-10
We have a 5510, for which we bought an AIP-SSM-10 card; the ASA is already covered by a support contract. We now want to add hardware maintenance for the new AIP-SSM-10 card as well as signature updates. Our Cisco provider has confirmed that we will receive signature updates with the hardware support (we have been trying to get a response from them since June or July now).
Could someone let us know the correct part number, so that we can ask for the specific option that will give us both hardware coverage and signature updates?
I think this is what you need:
CON-SU1-AS1A1PK9  Cisco SMARTnet IPS SVC, NBD, AR support for ASA5510-AIP10SP-K9
-
In my lab, I have a new 5510 with an AIP-SSM card.
In my view it is configured correctly to evaluate traffic, but I can't be sure.
This is part of the ASA configuration:
class-map global-class
 match any
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp, etc.
 class global-class
  ips inline fail-open
service-policy global_policy global
I have a PC on a switch, going to the ASA (inside interface).
The ASA outside interface goes to a separate VLAN on the switch.
Both interfaces have VLANs configured.
Is there a ping command, or other traffic I can generate from the PC, that will trigger an alert?
I tried pings to a bogus address, but that did not cause an event.
How will I know if the traffic actually crosses the IDS?
Thank you.
Hello Jimmy
Class-map: global-class
  IPS: card status Up, mode Inline Fail-Open
    Packet input 0, Packet output 0, Drop 0, Reset-drop 0
No packets reach the IPS module.
Have you assigned it to virtual sensor 0 on the AIP-SSM side?
-
(ASA) AIP-SSM-10 inline; promiscuous events?
An ASA 5520 with AIP-SSM-10 is set to inline mode, but the events of the past 2 hours (sensor> sh events past 02:00) from inside the sensor show "entered promiscuous mode" and "left promiscuous mode".
This AIP-SSM-10 has only gig0/0 and gig0/1, where 0/0 is taken out of service and the default virtual sensor (vs0) is assigned to gig0/1. I see statistics (sensor> sh statistics analysis-engine) for gig0/1, so I am collecting statistics.
If the ASA 5520 configuration has the following inline policy and the event log shows entering and leaving promiscuous mode, how do I check whether I am inspecting/monitoring in inline mode?
(ASA> sh run access-list IPS)
access-list IPS extended permit ip DMZ 255.255.255.0 26.26.1.0 255.255.255.0
(ASA> sh run | b class-map)
class-map IPS
 match access-list IPS
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect waas
  inspect icmp
 class IPS
  ips inline fail-open
!
service-policy global_policy global
(sensor> sh interfaces)
...
MAC statistics from interface GigabitEthernet0/1
   Interface function = Sensing interface
   Description =
   Media Type = backplane
   Default Vlan = 0
   Inline Mode = Unpaired
   Pair Status = N/A
   Hardware Bypass Capable = No
   Hardware Bypass Paired = N/A
   Link Status = Up
   Link Speed = Auto_1000
   Link Duplex = Auto_Full
   Missed Packet Percentage = 0
   Total Packets Received = 95044
   Total Bytes Received = 8715230
   Total Multicast Packets Received = 0
   Total Broadcast Packets Received = 0
   Total Jumbo Packets Received = 0
   Total Undersize Packets Received = 0
   Total Receive Errors = 0
   Total Receive FIFO Overruns = 0
   Total Packets Transmitted = 95044
   Total Bytes Transmitted = 9047702
   Total Multicast Packets Transmitted = 0
   Total Broadcast Packets Transmitted = 0
   Total Jumbo Packets Transmitted = 0
   Total Undersize Packets Transmitted = 0
   Total Transmit Errors = 0
   Total Transmit FIFO Overruns = 0
sensor> sh events past 02:00
evStatus: eventId=1203360411830836145 vendor=Cisco
  originator:
    hostId: ASA2_IPS
    appName: kernel
    appInstanceId:
  time: 2008-02-20 19:01:46 2008/02/20 19:01:46 UTC
  syslogMessage:
    description: device ge0_1 entered promiscuous mode
evStatus: eventId=1203360411830836146 vendor=Cisco
  originator:
    hostId: ASA2_IPS
    appName: kernel
    appInstanceId:
  time: 2008-02-20 19:01:53 2008/02/20 19:01:53 UTC
  syslogMessage:
    description: device ge0_1 left promiscuous mode
The "left promiscuous mode" and "entered promiscuous mode" status events are usually generated when you run a 'packet display' or 'packet capture' command on the sensor CLI.
The packet command's monitoring is promiscuous, but it is independent of the promiscuous or inline monitoring done by the sensor's analysis engine.
So you can have inline monitoring by the sensor's analysis engine,
and still run the packet command on the CLI for your own promiscuous monitoring of those same packets. These are 2 independent monitors of the same packets.
If I remember right, inline-monitored packets always get sent back to the ASA (unless expressly denied), which is not the case for promiscuously monitored packets. So check the sensor's gig0/1 interface statistics and the number of packets transmitted. If the receive and transmit counts are quite close, then the packets are being monitored inline by the analysis engine. If the transmit count is zero or very low, then the packets are most likely being monitored promiscuously.
With your ASA configuration, you are correctly configured for inline monitoring.
So I do think you are inspecting inline, and the status messages are specific to your starting and stopping of the 'packet' command on the CLI for your own independent promiscuous viewing of the packets.
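The rule of thumb in the answer above (inline packets are handed back to the ASA, so the transmit counter tracks the receive counter; promiscuous copies are never transmitted) is easy to turn into a check you can run over saved `show interfaces` output, and the kernel "promiscuous mode" status events can be pulled out separately so they are not mistaken for a sensing-mode change. The script below is an added example, not code from the thread or from Cisco; the sample outputs embedded in it are constructed from the text quoted above, and the 5% tolerance for packets the sensor dropped or denied is an assumed value.

```python
"""Decide from `show interfaces` counters whether an AIP-SSM sensing interface
is being monitored inline or promiscuously, and list the kernel 'promiscuous
mode' status events separately. Added example; not from the original thread."""
import re
from typing import Dict, List, Tuple

# Constructed sample output, modelled on the `sensor> show interfaces` and
# `show events` text quoted in the thread (values are illustrative).
SAMPLE_SHOW_INTERFACES = """\
MAC statistics from interface GigabitEthernet0/1
   Interface function = Sensing interface
   Media Type = backplane
   Inline Mode = Unpaired
   Link Status = Up
   Total Packets Received = 95044
   Total Bytes Received = 8715230
   Total Packets Transmitted = 95044
   Total Bytes Transmitted = 9047702
MAC statistics from interface GigabitEthernet0/0
   Interface function = Sensing interface
   Media Type = backplane
   Link Status = Down
   Total Packets Received = 0
   Total Packets Transmitted = 0
"""

SAMPLE_SHOW_EVENTS = """\
evStatus: eventId=1203360411830836145 vendor=Cisco
  originator:
    hostId: ASA2_IPS
    appName: kernel
  time: 2008-02-20 19:01:46 2008/02/20 19:01:46 UTC
  syslogMessage:
    description: device ge0_1 entered promiscuous mode
evStatus: eventId=1203360411830836146 vendor=Cisco
  originator:
    hostId: ASA2_IPS
    appName: kernel
  time: 2008-02-20 19:01:53 2008/02/20 19:01:53 UTC
  syslogMessage:
    description: device ge0_1 left promiscuous mode
"""

_HEADER = re.compile(r"^MAC statistics from interface (\S+)")
_FIELD = re.compile(r"^\s*([^=]+?)\s*=\s*(.*?)\s*$")
_PROMISC = re.compile(r"description:\s+device (\S+) (entered|left) promiscuous mode")


def parse_show_interfaces(text: str) -> Dict[str, Dict[str, str]]:
    """Map interface name -> {field: value} from `show interfaces` output."""
    stats: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            current = m.group(1)
            stats[current] = {}
            continue
        m = _FIELD.match(line)
        if m and current is not None:
            stats[current][m.group(1)] = m.group(2)
    return stats


def inline_verdict(counters: Dict[str, str], tolerance: float = 0.05) -> str:
    """Inline-monitored packets are handed back to the ASA, so TX tracks RX
    (minus anything the sensor denied); promiscuous copies are never sent back,
    so TX stays near zero. `tolerance` (assumed 5%) is how much of RX may be
    missing from TX before the interface is no longer called inline."""
    rx = int(counters.get("Total Packets Received", "0"))
    tx = int(counters.get("Total Packets Transmitted", "0"))
    if rx == 0:
        return "no-traffic"   # nothing is reaching the sensing interface at all
    if tx >= rx * (1 - tolerance):
        return "inline"
    return "promiscuous"


def promiscuous_mode_events(text: str) -> List[Tuple[str, str]]:
    """(device, entered|left) pairs from kernel evStatus records. These mark a
    `packet display` / `packet capture` session on the CLI, not the sensing mode."""
    return _PROMISC.findall(text)


if __name__ == "__main__":
    for name, counters in parse_show_interfaces(SAMPLE_SHOW_INTERFACES).items():
        print(f"{name}: {inline_verdict(counters)}")
    print("kernel promiscuous-mode events:", promiscuous_mode_events(SAMPLE_SHOW_EVENTS))
```

Paste real `show interfaces` output into SAMPLE_SHOW_INTERFACES (or read it from a file) and the verdict for gig0/1 should be "inline" whenever the ASA's `ips inline` service policy is actually steering traffic; a "no-traffic" verdict points back at the class-map/ACL on the ASA, as in the earlier "Packet input 0" thread.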