Sunday, January 17, 2016

Implementing IOS Based IPS

Risk Rating (RR) = Fidelity * Severity * TVR / 10,000
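
A worked example of that formula, added here and not part of the original post: each of the three factors is a 0-100 rating (that scale is an assumption carried into the code, as are the signature names, hosts and scores, which are constructed sample data, not Cisco values). Ranking the same signature against targets with different TVR shows why the target value rating, not just the signature, decides where an analyst looks first.

```python
"""Risk Rating worked example (added example, not from the original post).

Applies RR = Fidelity * Severity * TVR / 10,000 to a few constructed alerts to
show how the three factors combine and how the target value rating (TVR) moves
the same signature up or down the triage list. The signature names, hosts and
scores below are constructed sample data; the 0-100 scale per factor is an
assumption of this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    signature: str  # what fired (constructed name)
    target: str     # destination host (constructed name)
    fidelity: int   # signature fidelity rating, assumed 0-100
    severity: int   # attack severity rating, assumed 0-100
    tvr: int        # target value rating of the destination, assumed 0-100


def risk_rating(fidelity: int, severity: int, tvr: int) -> float:
    """Risk Rating exactly as the page states it: Fidelity * Severity * TVR / 10,000."""
    for name, value in (("fidelity", fidelity), ("severity", severity), ("tvr", tvr)):
        if not 0 <= value <= 100:
            raise ValueError(f"{name} must be 0-100, got {value}")
    # Three 0-100 factors multiply to at most 1,000,000; dividing by 10,000
    # brings the product back onto a 0-100 scale.
    return fidelity * severity * tvr / 10_000


def rank_alerts(alerts):
    """Return (alert, RR) pairs, highest risk first, for analyst triage."""
    scored = [(a, risk_rating(a.fidelity, a.severity, a.tvr)) for a in alerts]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample alerts.
SAMPLE_ALERTS = [
    # Same signature, different targets: only TVR differs.
    Alert("worm-propagation", "lab-host", 80, 90, 25),
    Alert("worm-propagation", "finance-db", 80, 90, 100),
    # High severity but low fidelity: RR is held down by the fidelity factor.
    Alert("app-embedded-attack", "web-frontend", 30, 100, 75),
    # Mild protocol anomaly against a low-value host.
    Alert("protocol-anomaly", "guest-wifi-client", 60, 25, 10),
]

if __name__ == "__main__":
    for alert, rr in rank_alerts(SAMPLE_ALERTS):
        print(f"{rr:6.1f}  {alert.signature:22} -> {alert.target}")
```

Run as-is, the worm signature against finance-db scores 72.0 while the identical hit on lab-host scores 18.0, below the low-fidelity application attack at 22.5; the protocol anomaly on the guest client sits at 1.5.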

All of the signatures used are a subset of the same signature set used across the Cisco IPS family of sensors.

AIP-SSM: Advanced Inspection and Prevention security appliance
A removable module that runs IPS 5.x software

IPS can detect:
worms
viruses
application abuse
application-embedded attacks

using these techniques:
stateful pattern recognition
protocol analysis
traffic anomaly detection
protocol anomaly detection

AIP-SSM can work in either of two modes.
1. Promiscuous Mode (works on copies of traffic) - intrusion detection
can block a connection
can reset a connection
can generate an alert

2. Inline Mode (works on the actual traffic) - intrusion prevention
can block traffic

ASDM config:
Configuration -> Security Policy -> Service Policy Rules -> Add ->
Interface -> policy name -> Next -> create class map -> Next -> Add service policy -> Next
-> select Intrusion Prevention -> Inline Mode -> Finish -> Apply -> Save

asa# show module
asa# session 1
login: cisco
pass: cisco
sensor1# setup
yes
hostname: sensor1
ip address (address/prefix, gateway): 10.0.1.55/24, 10.0.1.2
enter web-server port: 443
modify current access list: yes
current access list entries:
10.0.1.0/24
modify system clock settings: no
sensor1# reset
yes

On ASDM:
Configuration -> IPS -> mgmt IP address -> Continue -> provide IPS credentials ->
