Nightmare config of AIP-SSM 7.0(1) global correlation.

Thank you, Cisco, for creating a management nightmare with your "Global Correlation" option in version 7.0...

Let's start with the management interface of the AIP-SSM-20...

We have an OOB management network, with a single entry point into it via another device, a PIX515E. Both the ASA5540 AND the AIP-SSM-20 are in this network.

The first issue was routing: as the ASA sees the management network as "directly attached", and we ROUTE the SSM module's update traffic via the PIX, we had to add translation entries in the PIX515E for the SSM module (management 10.x.x.x, translated to 172.x.x.x).

It wasn't a big deal, but this is where the nightmare begins...

First a note: we have the management network locked down TIGHT; only a few network management stations are authorized on this network to access these devices.

I activated global correlation in test mode, but it 'failed' whenever it tried to update... Reading other posts, I created ACLs and static NAT in the PIX515E for these IP addresses:

204.15.82.17 (IP listed in the IME global correlation update server)

97.65.135.170 and .137 (from another post in these forums)

207.15.82.17 (IP found in a trace)

Still no update. Searching the PIX logs, I found "no translation" entries for the following addresses:

198.133.219.25

209.107.213.40

208.90.57.73

I put these in, and it started updating! FIXED? NOT!

This morning, it was failing again... Looked in the PIX logs again and found these:

77.67.85.33

77.67.85.9

Added them, and the SSM is happy again. For how long? Who knows?

So, now I have NINE holes in my 'secure' network, and who knows when Cisco will change this list or add new IP addresses to it.

Cisco, if you are listening: ALL access for global correlation through a single IP address? PLEASE?

(use the one listed in the IME, 204.15.82.17, for the URL "update-manifests.ironport.com")

Some of the addresses are owned by Cisco (originally ironport.com addresses from the acquisition of IronPort) and are used as servers that provide the sensor a list of files to download.

The sensor then downloads the files from Akamai servers. Akamai has a large number of servers around the world. Cisco sends the update to Akamai, and they replicate it across their servers. When a sensor tries to connect to the Akamai server it does a DNS query, and by controlling the DNS response Akamai can direct sensors to an Akamai server located near the sensor. This allows better load balancing, response times and download speeds.

However, Akamai has a large number of servers worldwide (in the thousands, I think), and you can't predict which specific server your sensor will be directed to.

Sensor connections to the Cisco servers for the manifest (list of files) are on port 443, and usually to the URL update-manifests.ironport.com.

Sensor connections to Akamai servers for the actual file downloads are on port 80, and usually to the URL updates.ironport.com.

The above is based on my limited knowledge of how the updates work. I may have gotten the details slightly wrong, but it should at least give you a general idea.

I will work with development to get to this better documented in the Release Notes and the Readme with the next version of the IPS software.
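Searching the PIX logs for "no translation" entries, as the poster did by hand, can be scripted so the list of destinations the SSM tries to reach is reviewed before the next update fails. The following Python is an added example, not code from the post or from Cisco: it parses constructed PIX/ASA syslog 305005 lines ("No translation group found"), keeps only flows sourced from the SSM management address (10.0.0.20 and the interface names are assumed placeholders), and reports destinations that are not yet on the allow-list.

```python
import re
from collections import defaultdict

# PIX/ASA syslog message 305005 is logged when a packet needs a translation
# and no NAT rule matches it; these are the "no translation" entries the
# poster dug out of the PIX logs. The log lines below are constructed: the
# destination addresses come from the post, while the SSM management address
# (10.0.0.20), interface names and timestamps are assumed.
NO_XLATE_RE = re.compile(
    r"%(?:PIX|ASA)-\d-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

SAMPLE_LOG = """\
Mar 10 06:01:12 pix515e %PIX-3-305005: No translation group found for tcp src mgmt:10.0.0.20/38012 dst outside:204.15.82.17/443
Mar 10 06:01:13 pix515e %PIX-3-305005: No translation group found for tcp src mgmt:10.0.0.20/38013 dst outside:198.133.219.25/443
Mar 10 06:01:14 pix515e %PIX-3-305005: No translation group found for tcp src mgmt:10.0.0.20/38014 dst outside:77.67.85.33/80
Mar 10 06:01:14 pix515e %PIX-3-305005: No translation group found for tcp src mgmt:10.0.0.20/38015 dst outside:77.67.85.9/80
Mar 10 06:02:44 pix515e %PIX-3-305005: No translation group found for udp src mgmt:10.0.0.50/51000 dst outside:198.51.100.9/53
Mar 10 06:06:13 pix515e %PIX-3-305005: No translation group found for tcp src mgmt:10.0.0.20/38020 dst outside:77.67.85.33/80
Mar 10 06:06:14 pix515e %PIX-6-302013: Built outbound TCP connection 1 for outside:204.15.82.17/443 (204.15.82.17/443) to mgmt:10.0.0.20/38021 (172.16.0.20/38021)
"""

# The addresses the poster had already allowed before checking the logs.
KNOWN_ALLOWED = {"204.15.82.17", "97.65.135.170", "97.65.135.137", "207.15.82.17"}

def untranslated_destinations(log_lines, ssm_ip):
    """Count 305005 hits per (dst_ip, proto, dport) for flows sourced from
    the SSM management address; other hosts' failures are ignored."""
    hits = defaultdict(int)
    for line in log_lines:
        m = NO_XLATE_RE.search(line)
        if m and m["src"] == ssm_ip:
            hits[(m["dst"], m["proto"], int(m["dport"]))] += 1
    return dict(hits)

def missing_from_allowlist(hits, allowed):
    """Destinations the SSM tried that are not yet allowed, as
    (ip, proto, port, count) tuples, most frequently blocked first."""
    rows = [(ip, proto, port, n) for (ip, proto, port), n in hits.items()
            if ip not in allowed]
    return sorted(rows, key=lambda r: (-r[3], r[0]))

if __name__ == "__main__":
    hits = untranslated_destinations(SAMPLE_LOG.splitlines(), "10.0.0.20")
    for ip, proto, port, n in missing_from_allowlist(hits, KNOWN_ALLOWED):
        print(f"{ip:16} {proto}/{port:<4} blocked {n}x: review NAT/ACL entry")
```

Run it against the real PIX log (one line per syslog message) and the SSM's real management address; each row is a candidate for a static translation plus ACL entry, to be checked against the update hosts the vendor documents.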

Tags: Cisco Security

Similar Questions

  • Cisco ASA 5510 config with SSM

    I was tasked to replace our old SonicWall TZ170 firewall with an ASA 5510 and configure it (which I have never done, only routers and switches) and I have a few questions.  I'm inside the ASDM and I am trying to configure my external interface...  The 5510 came with an SSM card, and I assumed it would be my external interface, but I guess I'm wrong because it is not an option when running through the wizard.  I know what the SSM card is for; I do not understand why there is not an external interface.  Where does this connect (just to my LAN?)?

    Currently, I have set the management interface to our IP and subnet and connected through that.  I see the management interface and eth0 - eth3.

    It's as simple as it can get, I just need the external interface on our public IP address and to configure access rules to match my SonicWall.

    Also on the version, it's running ASA 8.2.1.  Should I upgrade to 8.3.1?  What is the ED after the version (not familiar with it).

    Thank you!

    These rules on the ASA are default rules, that is to say anything initiated from the inside is allowed out, but nothing initiated from outside is allowed in. Sorry, but I'm not familiar with SonicWall at all to give you advice on the rules you will need to set up. But if all you have is an outside and an inside interface, then you will need NAT/PAT so that internal addresses can go out, and an access list to restrict these internal networks if necessary. If you have incoming traffic for, say, mail, a web server, etc., then you will again need a NAT and an access list to allow the traffic.

    The attached document (you can ignore the router configs) should hopefully give you a better idea of how inbound traffic works and how to apply access lists to the interface.

    Let me know if it helps.

  • The AIP - SSM to unused ASA connection interface

    Hi people,

    Perhaps someone has already raised this issue, but I was unable to find anything relevant. We have an ASA with an unused interface (gig0/3). The AIP-SSM sensor is physically connected to this interface with the following IP settings:

    Sensor (192.168.2.2/30, gateway 192.168.2.1)---ASA interface (192.168.2.1/30)

    It's basically point-to-point connectivity, and I can reach the ASA from the sensor and the other way around.

    This design is dictated by the lack of a free port on the switch.

    Technically, it should work without any problems, but I can't seem to be able to reach the sensor. There is a switch between my PC and the sensor, and the switch has the corresponding static route added. I can reach the sensor from the switch.

    Is there a hidden security feature I don't know about that prevents communication with the sensor?

    And the sensor's ACL allows traffic from all networks (0.0.0.0/0)

    With the sensor ACL set to 0.0.0.0/0, the sensor should be allowing connectivity.

    You can use the 'packet display' command on the sensor to look at packets on the command and control interface, to see if the packets are making it to the sensor.

    You say that you have a static route on your switch for the switch to reach your sensor. Do you know if your PC is configured to use the switch as its default router? If the PC is using a different default router, then that other router would also need the static route.

    The other possibility is that the ASA itself may be denying the traffic.

    Since this is an ASA interface connected to the SSM, the traffic must be routed through the ASA. Standard firewall rules apply to this traffic. The security level of the interfaces can block traffic, and an ACL may be necessary in order to allow traffic from your PC to be routed to the SSM.

    NOTE: If you don't want to have to worry about routes, the other alternative is to make the network between the ASA and SSM an isolated network that only those 2 machines know about.

    You can then use static PAT to map a port on the ASA's inside interface address to the SSM's address on the https port 443, and map a second port of the ASA's inside interface address to the SSM's SSH port.

    That way your PC would simply connect to the ASA IP using these specific ports, and the ASA would do the port translation and forward to the SSM.

    The SSM address could also be dynamically PATed to the ASA's inside address, so the SSM could initiate connections to other machines on the inside network.

    Another alternative, if you have IP addresses available on your inside network, is to use static NAT instead of PAT. Just go ahead and have the ASA statically map an inside network IP to the SSM's IP on the network that only the ASA and the SSM know about.

    In both cases the network between the ASA and SSM would not be routable at all, and you wouldn't have to worry about replicating static routes anywhere.

    SIDE NOTE: With a separate network for the SSM you will also need to NAT or PAT the SSM's address for the ASA's outside interface. That way the SSM will be able to connect to the Internet to download cisco.com auto updates, and/or pull global correlation information from Cisco's servers. It's probably the same configuration that you would already have for other internal addresses; just be sure you cover the SSM, since you have it on a separate subnet.

  • AIP - SSM, failure to update the cisco Web site

    Hi all

    I want to know why my AIP-SSM fails to update its signatures automatically from the cisco website. I set the module to do cisco automatic signature updates, but no matter when it tries to update, it displays an error message that reads "= error: exception Autoupdate: HTTP failed to connect (1 111)"; find the exact error message attached. The interface of my AIP-SSM is behind the company proxy and I set the proxy to allow the AIP-SSM module to establish a connection to the internet.  What could be wrong?

    Your help will be very much appreciated.

    Regards

    Automatic signature updates for the IPS are not supported through a proxy server.

    The proxy server configuration on the IPS is only for global correlation.

    You must allow direct access for IPS automatic signature updates.

  • Choose/config help new ASA5510

    I am interested in buying an ASA 5510. But I want to include IPS and VPN (I don't need more than a 5-user VPN). And I want ssh mgmt features. What bundles or packages do I need? Thanks in advance.

    It is important to note that all ASA devices are firewalls and VPN devices at the same time, whether you need it or not, whether you use it or not; you pay for these features. You cannot split these features.

    So for the ASA5510 + IPS feature, you have 2 choices (modules):

    1- SSM-AIP-10 (performance: 150 Mbps)

    2- SSM-AIP-20 (performance: 300 Mbps)

    There is already a bundle: "ASA5510-AIP10-K9", but for the AIP-20 you have to buy it separately from the ASA.

    For more details, please refer to this URL:

    http://www.Cisco.com/en/us/products/ps6120/products_data_sheet0900aecd802930c5.html

    One last thing, it is important to differentiate between ordinary VPN and SSL-VPN. For the second, you have to pay extra $$$. Be aware that the ASA5510 includes 2 free licenses.

    -Paul-

  • ASA ips feature

    I want to ask you how the IPS functionality works on ASAs.

    Are all the signatures there, or is it limited?

    Correct me if I am wrong if I say that I need the AIM module for IPS to work on the ASA. If I am right, then why does the AIM have only 1 ethernet interface? Does this mean that I can only monitor 1 vlan?

    Thank you very much.

    The ASA-SSM-AIP-10 or ASA-SSM-AIP-20, depending on the ASA model, is required for the full IPS feature set. The IPS software on the SSM is the same as for the IPS appliances and other IPS modules. It uses the same software and signature updates. (Except for the main system image, which has a few extra things to allow installation on the SSM.)

    Without the ASA-SSM-AIP, the ASA software itself has a very limited set of signatures that can be monitored. The signature set is the same as in the previous Pix Firewall version.

    As for the single port on the ASA-SSM: this port is not a monitoring port. The port is the command and control port and has an IP address so that you can telnet, ssh or web browse to the sensor in order to manage it. The real monitoring is done on an internal interface connected to the firewall backplane. The ASA can be configured through its policy to send packets through the SSM for IPS analysis. The policy on the ASA can be configured for the IPS to monitor packets promiscuously or inline.

    The ASA can be configured to send all or some of the packets passing through the firewall to be monitored by the IPS code that runs on the SSM.

    Since the external port is not a monitoring port, the IPS cannot be configured to monitor packets that do not go through the ASA. Packets must pass through the ASA; the ASA copies these packets over the internal backplane to the SSM for analysis.

  • global correlation does not refresh.

    Hi all

    I have a problem updating global correlation. I do get signature updates for the IPS, but see the output below about global correlation.

    ==========================================

    global correlation statistics
    Network participation:
    Counters:
    Total connection attempts = 0
    Total connection failures = 0
    Connection failures since the last success = 0
    Connection history:
    Updates:
    Status of the last update attempt = failure
    Time since last successful update = never
    Counters:
    Failures since the last successful update = 8
    Total update attempts = 8
    Total update failures = 8
    Update interval in seconds = 300
    Update server = update-manifests.ironport.com
    Update server address = 204.15.82.17
    Current versions:
    config = 0
    Drop = 0
    IP = 0
    rule = 0
    Warnings:

    ===========================================

    Hardware used:

    ASA-SSM-10 (version 7.0(4)E4)

    ASA 5520 (version 8.4(1))

    I see all the traffic from the firewall and the ISP routers.

    I hope someone can help me with this question or has tips.

    Thanks in advance,

    Erik Verkerk.

    Have you enabled global correlation?

    You can check whether you have under the license section. Without a global correlation license, you will not be able to update.

  • Events of global correlation

    I have an ASA 5510 with an SSM-10 module. I have global correlation running and updating. When I look at the 'Global correlation report' from the dashboard I see packets which have been denied by global correlation. Can someone tell me how global correlation events are saved? I would like to be able to see the raw data associated with global correlation.

    Thank you.

    Hello

    Take a look at this:

    http://www.Cisco.com/en/us/docs/security/IPS/7.0/Configuration/Guide/IDM/idm_collaboration.html#wp1065809

    As can be seen, every time global correlation causes any kind of action to be taken by the IPS, it produces an alert, except when the packet is denied by "reputation filtering", which does not produce any kind of alert. In addition, "this feature applies only to global correlation inspection, where traffic is allowed if no specific signature is matched".

    I'm not sure about all the fields on the alert then, but I have seen at least some of them. If you do not see an alert with these fields, then global correlation may not be seeing all the instances where it had to change the risk rating and take appropriate action; in other words, you would not be receiving any packets from such malicious hosts in the first place.

    In addition, if you have "reputation filtering" on, you can turn it off to make sure that it is not this problem.

    Regards,

    Assia

  • Global correlation error

    Hi all

    Recently I activated global correlation on my IPS-4240. Global correlation worked very well for several days.

    Suddenly, it no longer works, even though the config has not changed.

    1- mgt interface can resolve the address.

    2- clock is not synchronized with ntp, but it is set manually to the same time as the ntp server (internet)

    3- no proxy used.

    I disabled / enabled global correlation, always the same problem.

    sh statistics global-correlation

    Network participation:
    Counters:
    Total connection attempts = 0
    Total connection failures = 0
    Connection failures since the last success = 0
    Connection history:
    Updates:
    Status of the last update attempt = failure
    Time since last successful update = 7392 minutes
    Counters:
    Update failures since the last success = 1478
    Total update attempts = 3060
    Total update failures = 1481
    Update interval in seconds = 300
    Update server = update-manifests.ironport.com
    Update server address = 204.15.82.17
    Current versions:
    config = 0
    Drop = 0
    IP = 0
    rule = 0

    Please advise.

    If there has been no change in the network, I suggest you reload the IPS and see if that solves the problem.

    If you want to dig deeper into the problem, I would suggest you open a case with TAC, so it can be investigated further.
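The statistics output quoted in this thread and in the "global correlation does not refresh" thread above can be checked mechanically rather than read by eye. The following Python is an added example, not part of either post or of Cisco's software: it parses `sh statistics global-correlation` output (the sample is reconstructed from the post above; label wording on a real sensor may differ slightly, hence the tolerant key matching) and flags the conditions that indicate reputation data was never loaded or has stopped updating.

```python
import re

# Constructed sample, reconstructed from the 'sh statistics global-correlation'
# output posted above; label wording on a real sensor may differ slightly,
# so the parser normalises keys instead of matching exact labels.
SAMPLE_STATS = """\
Updates:
   Status Of Last Update Attempt = Failed
   Time Since Last Successful Update = 7392 minutes
   Counters:
      Update Failures Since Last Success = 1478
      Total Update Attempts = 3060
      Total Update Failures = 1481
   Update Interval In Seconds = 300
   Update Server = update-manifests.ironport.com
   Current Versions:
      config = 0
      drop = 0
      ip = 0
      rule = 0
"""
KEY_VALUE_RE = re.compile(r"^\s*(?P<key>[^=]+?)\s*=\s*(?P<value>.*?)\s*$")

def parse_gc_stats(text):
    """Flatten 'key = value' lines into a dict with lower-cased,
    punctuation-free keys so small label differences do not matter."""
    stats = {}
    for line in text.splitlines():
        m = KEY_VALUE_RE.match(line)
        if m:
            key = " ".join(re.sub(r"[^a-z0-9 ]", " ", m["key"].lower()).split())
            stats[key] = m["value"]
    return stats

def _find(stats, *fragments):
    """Value of the first key containing all the fragments, else None."""
    for key, value in stats.items():
        if all(f in key for f in fragments):
            return value
    return None

def minutes_since_success(stats):
    """Minutes since the last good update, or None if there never was one."""
    raw = (_find(stats, "time since last successful update") or "").lower()
    m = re.search(r"\d+", raw)
    return None if "never" in raw or not m else int(m.group())

def assess_global_correlation(stats):
    """Return human-readable findings; an empty list means updates look healthy."""
    findings = []
    if "fail" in (_find(stats, "status", "last update") or "").lower():
        findings.append("last update attempt failed")
    fails = int(_find(stats, "update failures since last success") or 0)
    if fails:
        findings.append(f"{fails} consecutive update failures since last success")
    interval = int(_find(stats, "update interval") or 300)
    since = minutes_since_success(stats)
    if since is None:
        findings.append("no successful update ever: reputation data never loaded")
    elif since * 60 > 12 * interval:
        findings.append(f"last success {since} minutes ago, over 12 update intervals")
    versions = [stats[k] for k in ("config", "drop", "ip", "rule") if k in stats]
    if versions and all(v == "0" for v in versions):
        findings.append("all reputation data versions are 0")
    return findings
```

Feed it the output captured from the sensor CLI over SSH on a schedule; "versions are 0" together with "never" distinguishes a sensor that has never reached the update servers (licence, proxy or NAT problem, as in the threads above) from one that loaded data once and later lost connectivity.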

  • Redundant replication AIP SSM - 20 Config?

    I have two ASAs in a redundant configuration. Each of them has an AIP SSM-20 in it. If I make changes to the 'live' SSM-20, is there a way to write the config over to the ASA which is in standby mode?

    Does the second SSM-20 need to have its own unique IP address, or can it share the address of the "primary" SSM?

    NO.. configs are not replicated for the SSM... CSCsb61072 has been filed for this

    The secondary SSM-20 cannot share the primary IP address, or vice versa

  • Updated AIP-SSM-10 on ASA 5510

    Hello

    I want to upgrade the IPS module in an ASA 5510, and I have a few questions. The AIP-SSM is running E3 479.0 1.0000 and I have a valid ORC account etc. for this.

    1. What is the ASA software version in question?
    2. When I look in the software downloads for IPS there are .pkg and .img files. I want to upgrade to 6.3(3)E4. Do I have to re-image the IPS?
    3. AFAIK re-imaging wipes the device, so I just reload the config afterwards, right?
    4. I guess I can apply any update after going to E4?
    5. Can you give me links for this upgrade?

    see you soon

    Let me give some clarification on a few points:

    2. There is no need to re-image the device using the .img file.  You can upgrade, keeping your existing configuration, using the .pkg file.  It is the recommended method for upgrading Cisco IPS devices/modules.  The .img file for re-imaging should only be used to restore the device to its defaults.

    5. Here are links for upgrading the sensor using a .pkg file.  For upgrades through the IDM user interface:

    http://www.Cisco.com/en/us/docs/security/IPS/6.2/configuration/guide/IDM/idm_sensor_management.html#wp2126670

    For upgrades via the CLI:

    http://www.Cisco.com/en/us/docs/security/IPS/6.2/configuration/guide/CLI/cli_system_images.html#wp1142504

    Another point of clarification; current releases of IPS software supported on the AIP-SSM-10 are (given that you are currently running 6.2(1)E3):

    6.2(3)E4

    7.0(4)E4

    You can go directly to either release.

    Scott

  • AIP - SSM maintenance of Configuration in Active mode Stdby

    So, I'm pretty new to the AIP-SSM but not to the ASA. It seems that very little of the AIP module configuration gets copied to the standby AIP, nothing other than what appears in the ASA config (ACL, etc.). So all configuration elements specific to the module itself must be manually replicated on the standby module, either entered by hand or by copying the config between the two?

    Planned for the future.

  • AIP SSM and virtual devices

    I just set up an AIP SSM module in an ASA 5520 with a single security context.

    Do I need to configure virtual sensors in this case, or can I use the default VS0? In the IPS documentation it says "You can't change the signature definition, event action rules or anomaly detection policies" for the default virtual sensor (VS0), which is the only virtual sensor I have.

    Can someone clarify what this means? Does it somehow restrict the usefulness of the IPS if I do not set up a separate VS?

    Thank you very much.

    A single virtual sensor vs0 is very good, especially when only a single security context is being monitored.

    The statement that you cannot change the signature definition, event action rules or anomaly detection policies can be a little misleading.

    What it's trying to say is that you cannot create new policies ad1, rules1 and sig1 and try to apply them to vs0. The default vs0 must use sig0, rules0 and ad0.

    If you have created a new vs1, then you can apply new policies like sig1, rules1 and ad1 to this new vs1.

    This does NOT mean that you cannot make config changes in sig0, rules0 and ad0.

    So feel free to make configuration changes to sig0, rules0 and ad0 to fine-tune how your vs0 should handle the traffic.

    It's just the policy names that cannot be changed when you use vs0.

  • AIP SSM w / failover

    Hi all

    I will implement an AIP SSM module with active/standby failover. Has someone done this configuration? Will the active ASA replicate the IPS config to the standby ASA? I'm looking for documentation on the cisco site, but I have not found any.

    TKS

    Unlike the ASA... SSM modules do not replicate their configs to each other... they are treated as separate units; you must configure both modules manually.

    Refer... http://www.Cisco.com/en/us/docs/security/IPS/5.1/Configuration/Guide/CLI/cliSSM.html#wpxref34736

    See if that helps!

  • Configuration of AIP SSM to monitor only

    Hi all

    We bought an AIP-SSM-20 for our ASA5520. Is there a way to enable the IPS feature but not block anything, i.e. just record events? It's just to see if any legitimate business traffic would be blocked.

    Thank you!

    Jacques

    Set the ASA to send traffic to the IPS in promiscuous mode by using the following command in a policy map:

    hostname(config-pmap-c)# ips {inline | promiscuous} {fail-close | fail-open} [sensor {sensor_name | mapped_name}]

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/Getting_started/asa5500/quick/guide/aipssm.html

    George
