Chapter 13. Intrusion Prevention System Integration


Adaptive Inspection Prevention Security Services Module Overview (AIP-SSM)

Cisco ASA supports the Adaptive Inspection Prevention Security Service Module (AIP-SSM) running Cisco Intrusion Prevention System (CIPS) software version 5.0 or later. One of the major features of CIPS 5.x is its ability to process and analyze traffic inline. This qualifies Cisco ASA to be classified as an IPS. The system image file is similar to the ones that run on the Cisco IPS 4200 Series sensors, Cisco IDS Services Module-2 (IDSM-2) for Cisco Catalyst 6500, and Cisco IDS Network Module for Cisco IOS routers.

Cisco ASA also provides basic IPS support if an AIP-SSM module is not present. This capability is achieved with the use of the IP audit feature, which is the traditional IP audit feature supported by the Cisco Secure PIX Firewall. The IP audit feature supports a basic list of signatures. It allows the appliance to perform one or more actions on traffic that matches such signatures. This feature is discussed later in the chapter, in the section "IP Audit."

Two different AIP-SSM modules exist:

AIP-SSM-10

AIP-SSM-20

Note

Cisco ASA 5510 supports the AIP-SSM-10 only. Cisco ASA 5520 supports both the AIP-SSM-10 and AIP-SSM-20. The Cisco ASA 5540 supports the AIP-SSM-20.



The AIP-SSM is a diskless (Flash-based) module. The CIPS software runs in the Flash of the module to provide more flexibility and reliability. The module includes a Fast Ethernet port designed for out-of-band management. Figure 13-1 illustrates the front of the AIP-SSM module.

Figure 13-1. AIP-SSM Module Front View



The AIP-SSM has four LED indicators that are visible to the end user. Table 13-1 describes the function of each indicator.

Table 13-1. AIP-SSM LEDs

LED Indicator   Color          Description
Power           Green          Indicates that the AIP-SSM card is on.
Status          Green/yellow   Green indicates that software-driven tests have passed and the card is operational. Yellow indicates that the unit is under test or indicates the proper time to remove the AIP-SSM from the ASA chassis.
Link/Activity   Green          Indicates 10/100/1000 Ethernet link and activity.
Speed           Green/orange   Green indicates that it is operating at 100 Mbps. Orange indicates that it is operating at 1000 Mbps.



AIP-SSM Management

The AIP-SSM can be managed from the management interface port, which is illustrated in Figure 13-1, by using Telnet, SSH, or Cisco Adaptive Security Device Manager (ASDM). It can also be managed from the ASA's backplane by using the session command:

session module-number

where module-number is the slot number in the Cisco ASA. Because there is only one available slot, the module number is always 1. Example 13-1 demonstrates how to open a command session to the AIP-SSM module. The AIP-SSM module prompts the user for authentication credentials.

Example 13-1. session Command

Chicago# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.
login: cisco
Password:



Once the user session is connected to the AIP-SSM, the configuration steps are the same as for any other system running CIPS 5.x or later software.

Note

Chapter 14, "Configuring and Troubleshooting Cisco IPS Software via CLI," covers CIPS software configuration.



To view the module statistics, use the show module command from the ASA CLI, as demonstrated in Example 13-2.

Example 13-2. Output of show module Command

Chicago# show module

Mod Card Type                                        Model
--- -----------------------------------------------  -------------
  0 ASA 5540 Adaptive Security Appliance             ASA5540
  1 ASA 5500 Series Security Services Module-20      ASA-SSM-20

Mod MAC Address Range                 Hw Version   Fw Version
--- --------------------------------- ------------ ------------
  0 000b.fcf8.c6d2 to 000b.fcf8.c6d6  1.0          1.0(6)5
  1 000b.fcf8.012c to 000b.fcf8.012c  1.0          1.0(7)2

Mod Status
--- ------------------
  0 Up Sys
  1 Up

The first highlighted line shows the card type. In this case, the Chicago ASA 5540 is running an AIP-SSM-20 with serial number 01234567890. The second highlighted line shows the MAC address of the card and the software version it is running. The third highlighted line shows the status of the module, Up, meaning it is operational.



Inline Versus Promiscuous Mode

Cisco ASA supports both inline and promiscuous IPS modes. When configured as an inline IPS, the AIP-SSM module can drop malicious packets, generate alarms, or reset a connection, allowing the ASA to respond immediately to security threats and protect the network. Inline IPS configuration forces all traffic to be directed to the AIP-SSM. The ASA will not forward any traffic out to the network without the AIP-SSM first inspecting it.

Figure 13-2 shows the traffic flow when the Cisco ASA is configured in inline IPS mode.

Figure 13-2. Inline IPS Traffic Flow



The following is the sequence of events illustrated in Figure 13-2:

1. The Cisco ASA receives an IP packet from the Internet.

2. Because the Cisco ASA is configured in inline IPS mode, it forwards the packet to the AIP-SSM for analysis.

3. The AIP-SSM analyzes the packet and, if it determines that the packet is not malicious, forwards the packet back to the Cisco ASA.

4. The Cisco ASA forwards the packet to its final destination (the protected host).

Note

Inline IPS mode is the most secure configuration because every packet is inspected by the AIP-SSM; however, this may affect the overall throughput. The impact depends on the type of attack, signatures enabled on the system, and amount of traffic passing through the appliance.



When the Cisco ASA is set up to use the AIP-SSM in promiscuous mode, the ASA sends a duplicate stream of traffic to the AIP-SSM. This mode has less impact on the overall throughput. Promiscuous mode is considered to be less secure than inline mode because the IPS module can only block traffic by forcing the ASA to shun the malicious traffic or sending a TCP-RST (reset) message to terminate a TCP connection.

Note

Promiscuous mode has less impact on performance because the AIP-SSM is not in the traffic path. A copy of the packet is sent to the AIP-SSM. If a packet is dropped, there is no effect on the ASA.

Figure 13-3 illustrates an example of how traffic flows when the AIP-SSM is configured in promiscuous mode.

Figure 13-3. Promiscuous Mode Traffic Flow



The following is the sequence of events illustrated in Figure 13-3:

1. The Cisco ASA receives an IP packet from the Internet.

2. Because the Cisco ASA is configured in promiscuous IPS mode, the AIP-SSM silently snoops the packet.

3. The ASA forwards the packet to its final destination (protected host) if the packet conforms to security policies (i.e., it does not match any of the configured signatures).

Note

If the ASA firewall policies deny any inbound packet at the interface, the packet will not be inspected by the AIP-SSM. This applies to both inline and promiscuous IPS modes.



In the example illustrated in Figure 13-4, SecureMe's Chicago headquarters has two redundant Cisco ASAs as Internet firewalls configured in promiscuous IPS mode. It also has an ASA configured with a site-to-site IPSec tunnel to a partner company. In this case, the ASA is configured in inline IPS mode. The traffic that this ASA inspects depends on SecureMe's security policy for site-to-site VPNs.

Figure 13-4. SecureMe IPS Example



Directing Traffic to the AIP-SSM

This section covers how to configure the Cisco ASA to direct traffic to the AIP-SSM for inline and promiscuous modes. The following steps specify how traffic will be forwarded to the AIP-SSM:

Step 1. To classify how and what traffic will be forwarded to the AIP-SSM, configure a class using the class-map command. A class map named IPSclass is configured in this example to match all traffic passing through the security appliance:

Chicago# configure terminal
Chicago(config)# class-map IPSclass
Chicago(config-cmap)# match any

Step 2. Add a policy map with the policy-map command. A policy map named IPSpolicy is configured in this example:

Chicago(config)# policy-map IPSpolicy
Chicago(config-pmap)#

Step 3. Associate the previously configured class map to the new policy map as follows:

Chicago(config-pmap)# class IPSclass

Step 4. Use the ips subcommand to specify the IPS mode of operation (inline vs. promiscuous) and what the failover mechanism will be. The command syntax is as follows:

ips {inline | promiscuous} {fail-close | fail-open}

In this example, the ASA is configured with the inline keyword, placing the AIP-SSM in the traffic flow:

Chicago(config-pmap-c)# ips inline fail-close

The fail-close keyword is used in this example. This forces the ASA to block all traffic if the AIP-SSM fails.

Note

The AIP-SSM is not hot-swappable. You can shut down the module by using the hw-module module 1 shutdown command.

Step 5. Activate the policy map globally or on one or more interfaces with the service-policy command. The command syntax is as follows:

service-policy policymap_name {global | interface interface_name}

The global keyword applies the policy to all interfaces. The interface keyword applies the policy to a specific interface. In this example, the policy is applied to the outside and dmz1 interfaces:

Chicago(config)# service-policy IPSpolicy interface outside
Chicago(config)# service-policy IPSpolicy interface dmz1

Note

Only one policy map can be applied to a specific interface.
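As an added example (not code from the book or from Cisco), the following Python audit reads the class-map, policy-map, ips and service-policy lines of an ASA running config and reports which IPS mode and failure behaviour governs each named interface, applying the ASA rule that an interface service policy takes precedence over the global one. The config fragment and the MonitorPolicy map are constructed for the example; only IPSclass and IPSpolicy come from the chapter.

```python
import re
from collections import namedtuple
IpsSetting = namedtuple("IpsSetting", "policy mode fail")

# Constructed sample running-config (not from the original page): the chapter's
# IPSclass/IPSpolicy on outside, plus a hypothetical MonitorPolicy applied globally.
SAMPLE_CONFIG = """interface GigabitEthernet0/0
 nameif outside
interface GigabitEthernet0/1
 nameif inside
class-map IPSclass
 match any
policy-map IPSpolicy
 class IPSclass
  ips inline fail-close
policy-map MonitorPolicy
 class IPSclass
  ips promiscuous fail-open
service-policy MonitorPolicy global
service-policy IPSpolicy interface outside
"""

def audit_ips(text):
    """Map each nameif interface to the IPS setting governing its traffic, or None
    if no applied policy map sends it to the AIP-SSM (interface policy beats global)."""
    ifaces, actions, per_iface, glob, cur = [], {}, {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"nameif (\S+)$", s):
            ifaces.append(m.group(1))
        elif m := re.match(r"policy-map (\S+)$", s):
            cur = m.group(1)                       # ips lines below belong to it
        elif cur and (m := re.match(r"ips (inline|promiscuous) (fail-close|fail-open)$", s)):
            actions[cur] = (m.group(1), m.group(2))
        elif m := re.match(r"service-policy (\S+) global$", s):
            glob = m.group(1)
        elif m := re.match(r"service-policy (\S+) interface (\S+)$", s):
            per_iface[m.group(2)] = m.group(1)
    report = {}
    for name in ifaces:
        policy = per_iface.get(name, glob)
        action = actions.get(policy)               # None: no ips action in that map
        report[name] = IpsSetting(policy, *action) if action else None
    return report

def weak_interfaces(text):
    """Interfaces lacking guaranteed inline inspection: no IPS policy, promiscuous
    mode (copy only), or fail-open (traffic bypasses the module if it fails)."""
    return sorted(n for n, s in audit_ips(text).items()
                  if s is None or s.mode != "inline" or s.fail != "fail-close")
```

Run against the sample, the audit reports outside as inline/fail-close and flags inside, which only falls back to the promiscuous, fail-open global policy.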


