Cisco IPS Question

Hi

Does anybody know how Cisco IPS security policy work? My understanding is you can set a global policy which inspects traffic that passes all interfaces on the ASA. Alternatively you can have a policy set up on one particular interface to only scan traffic that passes that interface. I'm currently reviewing our IPS sensors and working on an effective way to manage them so that all alerts are responded to and investigated.

We have an IPS in the Outer and Inner ASA. If I set up the policy on the Outer ASA to only scan traffic that passes the inside interface will this inspect inbound and outbound traffic? and reduce some of the alerts we get. Currently we get a lot of alerts from the Outer IPS so my thinking is that if I set the policy to only inspect on the inside interface then this could reduce some of the noise. It is a datacentre though that hosts lots of customer websites so its important that the traffic is inspected in an inbound and outbound direction.

If anyone has any advice it would be much appreciated

Find more posts tagged with

Comments

wintermute000

Check the documentation (I have not done IPS yet) but say for global inspect and ACL policies its inbound only so good chance same for IPS. If you're integrating IPS into an ASA then you're likely to have the same limitation since you call the IPS within the inspect policy.

FOr best practice you really should be monitoring the outside for attacks, just because they did not penetrate does not mean you should not be recording and possibly responding pre-emptively

cjthedj45

wintermute000 wrote: »

Check the documentation (I have not done IPS yet) but say for global inspect and ACL policies its inbound only so good chance same for IPS. If you're integrating IPS into an ASA then you're likely to have the same limitation since you call the IPS within the inspect policy.

FOr best practice you really should be monitoring the outside for attacks, just because they did not penetrate does not mean you should not be recording and possibly responding pre-emptively

Yeah I have not found any documentation that stipulates whether a policy set on the inside interface is does inbound and outbound inspection. If the outside interface is inspecting traffic before any access lists are applied to the traffic then potentially this traffic will be dropped. If this is correct then there will be a lot of alerts from hosts on the internet attempting to attack internal hosts. The IPS will see this traffic entering the Outside interface pass for inspection and alert. However once inspected it could be dropped by the access list on the outside firewall. I would imagine that the Outside interface and public IP in the DMZ addresses are constantly hammered with different attack types but are consequently dropped. I can understand the value of say symantec or Cisco looking at this type of traffic as they can see who and what attack types are being tried and then develop there anti virus or IPS signatures to defend against them. I do not want to know hear all the that noise if its being dropped on the outside interface. However if I create a policy on the inside interface that can look at traffic inbound from the external world this would seem better. We would not be getting alerts for traffic that has been dropped on the Outside and looking at genuine attacks.