
CCNP Security
Implementing Cisco Threat Control Solutions (300-207 SITCS)
IronPort WSA Overview
Advanced web content-filtering solution
Provides Web Proxy service
Protects networks against malware & spyware programs
! Accomplished by combining several technologies into a single unit

Key features
Fast Web Proxy service
URL Filtering (IronPort URL Filtering or Web Usage Controls)
Application Visibility & Control
Anti-Malware Scanning
L4 Traffic Monitor
Deployment Modes
Web Proxy
1. Explicit Forward
WSA can be placed pretty much anywhere in the network
All clients must configure their browser to point to the WSA
! IP Spoofing is DISABLED by default
Good for testing
2. Transparent
Client applications are unaware of the Web Proxy
Requires a L4 switch or WCCPv2 router/ASA
In this mode, if IP Spoofing is enabled, two WCCP services must be configured
Deployment Modes
L4 Traffic Monitor
Enables WSA to passively listen for packets (traffic is redirected to the WSA)
Can be used to detect malware over non-HTTP ports
Three ways of configuring redirection :
1. Network Tap
2. Hub
Make sure packets are mirrored before any NAT takes place
WSA can be configured for multiple modes at the same time :
Explicit Forward + optional L4 Traffic Monitor
Explicit Forward + Transparent + optional L4 Traffic Monitor
WSA Interfaces
Management (M1)
Provides remote access to the appliance (HTTP, HTTPs & SSH)
It is possible to use it for both management and Web Proxy
! Simply don't check "Restrict M1 port to appliance management services only"

Data Ports - Web Proxy (P1, P2)
Single interface can be used for both incoming & outgoing traffic (P1)
If both ports are used, one will be connected toward users, the other one toward the Internet
Data Ports - L4 Monitor Ports (T1, T2)
Single interface can receive both incoming and outgoing traffic (T1)
If both are used, T1 connects to the internal network, T2 to the Internet

WCCP enables transparent redirection of traffic to the content/caching appliances
Helps reduce bandwidth utilization
WSA only supports WCCP version 2 (control plane packets are exchanged over UDP 2048)
If configured on Catalyst Switches (3560s) make sure the SDM Template is set to routing
WCCP Service Group
Defines what traffic should be intercepted and how the packets should be handled
Service Group Types :
1. Standard (ip wccp web-cache) - well-known group; only redirects packets -> port 80
2. Dynamic (ip wccp group_id) - WSA tells router/switch/ASA what traffic to redirect
Forwarding Method
Layer 2 (destination MAC of the frame is changed)
GRE (original packet is encapsulated in GRE)
WCCP Examples
Standard Service Group
ip wccp version 2
ip wccp web-cache [redirect-list acl] [group-list acl]
interface g0/0
ip wccp web-cache redirect in
Dynamic Service Group
ip wccp version 2
ip wccp 90 [redirect-list acl] [group-list acl]
interface g0/0
ip wccp 90 redirect in
WSA Initialization
Management interface (M1) is preconfigured with

The default HTTP[s] port numbers are 8080 and 8443
Login as admin with the password ironport (first-time login activates the Setup Wizard)
To change the default IP address & HTTP[s] ports use interfaceconfig
To change the default gateway IP use the setgateway command
After any configuration change is done through CLI submit it (commit)
All settings can be verified with showconfig
To revert back to factory defaults use resetconfig
WSA Policies & Related Topics
Identity Policy serves as an authentication mechanism
1. Allows differentiating connections/transactions based on their characteristics
Client IP address/subnet, Protocol, Proxy Port, User Agent & URL Category
2. Determines whether authentication is required for a session or not

Identity Membership is the first thing that's being evaluated for the request
Identity Groups are compared sequentially until the first match is found
If there is no match, the default Global Identity Policy will be associated with the transaction
It is also possible to create an Identity for users who failed authentication (Guests)
Once the Identity is determined, it can then be used as a condition in other Policies (e.g. Access or Decryption)
Access Policy
Defines how web traffic should be processed by WSA
Access Policy Groups/Rules are checked sequentially up to the first match
There are multiple conditions that can be configured for a Rule
! Identity, Subnet, Protocol, Proxy Port, User Agent, URL Category & Time Range
If no specific Group/Rule was found, Global Policy Rule will be processed

Each Access Policy Group/Rule consists of the following Security Components :
Protocols & User Agents
URL Categories
Applications (AVC)
Web Reputation & Anti-Malware
Access Policy Actions
Three final actions are defined :
! Allow, Drop, Redirect
The Monitor action is intermediary: it means evaluate the next control setting
Access Policy Order of Operations (Requests)
2. User Agent
3. Protocol
4. URL Categories
5. Safe Search, then Site Content Rating
6. Web Reputation
7. AVC (only if scan was returned by Web Reputation and was OK)
Access Policy Order of Operations (Responses)
2. File size
3. AVC
4. Web Reputation
URL Filtering (URL Categories)
Used to control web access based on URL Categories
Two URL Filtering engines available on WSA are :
1. Web Usage Controls
2. IronPort URL Filters

Web Usage Controls
Filters URLs based on pre-defined prefixes and keywords
Dynamic Content Analysis (DCA) allows dynamic categorization of unknown URLs
IronPort URL Filters
Filters URLs based on pre-defined list of domains
Web Reputation
Calculates the likelihood that a particular URL being accessed contains malware
This probability is expressed as a score (-10 to 10)
The less reputable the site is, the lower the value (-10 means least trusted)
This feature can be enabled in Access & Decryption Policies

Default score ranges & actions for Access & Decryption Policies
Access (-10 to -6), Decryption (-10 to -9) : drop the packet without scanning/decryption
Access (-5.9 to 5.9), Decryption (-8.9 to 5.9) : scan/decrypt
Access (6 to 10), Decryption (6 to 10) : allow the packet without scanning/decryption
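As an added illustration (not code from these notes or from Cisco), the following Python models the evaluation order described in this section: identity groups are matched sequentially with the Global Identity Policy as fallback, the access policy group is selected by identity, URL category controls run before web reputation, and the WBRS score is mapped to drop/scan/allow using the default Access and Decryption thresholds listed above. The identity, group and category names are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field


# Identity group: membership conditions modeled here are client subnet and
# proxy port (the notes also list protocol, user agent and URL category).
@dataclass
class Identity:
    name: str
    subnets: list = field(default_factory=list)      # CIDR strings; empty = any
    proxy_ports: list = field(default_factory=list)  # empty = any port


# Access policy group: matched by identity, then applies its URL category controls.
@dataclass
class AccessGroup:
    name: str
    identities: list = field(default_factory=list)       # identity names; empty = any
    blocked_categories: set = field(default_factory=set)


GLOBAL_IDENTITY = Identity("Global Identity Policy")
GLOBAL_ACCESS = AccessGroup("Global Policy", blocked_categories={"Adult"})

# Constructed sample policy tables; both are evaluated top-down, first match wins.
IDENTITIES = [
    Identity("Servers", subnets=["10.0.0.0/24"]),
    Identity("Users", proxy_ports=[3128]),
]
ACCESS_GROUPS = [
    AccessGroup("Servers Policy", identities=["Servers"],
                blocked_categories={"Social Networking"}),
]


def match_identity(identities, client_ip, proxy_port):
    """Sequential evaluation; the Global Identity Policy catches everything else."""
    ip = ipaddress.ip_address(client_ip)
    for ident in identities:
        in_subnet = not ident.subnets or any(
            ip in ipaddress.ip_network(s) for s in ident.subnets)
        on_port = not ident.proxy_ports or proxy_port in ident.proxy_ports
        if in_subnet and on_port:
            return ident
    return GLOBAL_IDENTITY


def match_access_group(groups, identity):
    """Access groups are checked in order; the Global Policy is the fallback."""
    for group in groups:
        if not group.identities or identity.name in group.identities:
            return group
    return GLOBAL_ACCESS


def reputation_action(score, policy="access"):
    """Default WBRS thresholds from the notes: Access drops at -6 and below,
    Decryption at -9 and below; 6 and above is allowed/passed without scanning."""
    drop_at_or_below = -6 if policy == "access" else -9
    if score <= drop_at_or_below:
        return "drop"
    if score >= 6:
        return "allow"
    return "scan" if policy == "access" else "decrypt"


def evaluate_request(client_ip, proxy_port, url_category, wbrs_score,
                     identities=IDENTITIES, groups=ACCESS_GROUPS):
    """Identity first, then the access group, then URL categories before
    web reputation, following the request order of operations."""
    ident = match_identity(identities, client_ip, proxy_port)
    group = match_access_group(groups, ident)
    if url_category in group.blocked_categories:
        action, reason = "drop", "URL category"
    else:
        action = reputation_action(wbrs_score)
        reason = "web reputation"
        if action == "scan":
            reason += " (anti-malware scan, then AVC)"
    return {"identity": ident.name, "group": group.name,
            "action": action, "reason": reason}
```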
Application Visibility & Control (AVC)
Deep content inspection at the application layer
Allows dropping traffic on a per-application basis
Some applications can be controlled on a per-function/feature basis (e.g. chat vs file transfer)

AVC database is constantly updated
New applications are added
Existing ones are updated
Some applications can be controlled using bandwidth limits
Either as an aggregate or per-user
Decryption Policy
Defines how WSA should handle HTTPs connections
Decryption Policy Groups/Rules are processed in the same way as Access Policy
Global Policy applies to connections that did not match any specific Rule

Decryption Policy Actions
Drop, Allow : drop/allow without decrypting the packet
Decrypt : decrypt the content and proceed to the Access Policy
Monitor : evaluate the next control setting
HTTPs Proxy must be enabled to activate the feature (Security Services -> HTTPs Proxy)
Once enabled, some HTTPs-related settings previously available in the Access Policy can no
longer be defined there
Web Proxy Bypass
Allows certain connection requests to bypass the WSA
Source or destination IP address/subnet can be used as matching criteria
! Hostnames & Domain names are also supported
Only works for Transparent Web Proxy

If Domain names are used then make sure at least one T interface is connected to the network
even if L4 Traffic Monitor is not used
Required for DNS Snooping
Cisco ESA Overview
Cisco Email Security Appliance (ESA)
Advanced solution for email security, protection and control
ESA Key Features :
Inbound e-mail control and rate-limiting
Outbound e-mail control and high-performance delivery
Email security (SPAM, viruses, malware, fraud, phishing and more)
Data Loss Prevention (DLP) and encryption
Advanced filtering capabilities
Currently available ESA models include the C-/X- series appliances and virtual ESAV
SMTP (Simple Mail Transfer Protocol)
TCP-based clear-text protocol used for e-mail transmission (TCP destination port 25)
Originally defined in RFC 821 and later updated in RFC 5321 (includes ESMTP additions)
Implemented using Command-Response model
Client sends commands and data
Server parses the commands and responds
SMTP server is also known as Mail Transfer Agent (MTA)
SMTP is never used to retrieve e-mails
POP3 (Post Office Protocol) and IMAP (Internet Message Access Protocol) are used instead
These protocols pull e-mails from an SMTP server
E-mail Structure
Envelope (processed by MTAs to deliver an e-mail; not visible to the user)
Data (visible to the user)
a) Header
b) Body/Message + optional Attachments
Common Data Headers :
From (sender's address) - mandatory field
To (recipient's address)
Date (timestamp) - mandatory field
Subject (subject of the message, if any)
CC (secondary recipients)
Received (the path the message followed)
SMTP Commands
Not all commands were implemented on the ESA (e.g. VRFY)
Commonly used commands :
a. HELO/EHLO - client greeting
b. MAIL FROM - envelope sender address
c. RCPT TO - envelope recipient
d. DATA - client is ready to send a message (headers and body)
e. NOOP - no operation
f. STARTTLS - client wants to use TLS
g. RSET - resets current conversation to a default state
h. QUIT - terminates SMTP session & TCP connection
SMTP Response Codes
Returned in a 3-digit format (xyz) where usually only the first digit (x) can be relied upon :
2yz/3yz means success (3yz means the server is waiting for more data)
4yz indicates a non-fatal error, whereas 5yz describes a fatal error
Commonly seen Response Codes :
a. 250 - command accepted
b. 354 - response to the client's DATA (OK but waiting for more data)
c. 421 - temporary rejection at the connection level
d. 452 - temporary rejection at the recipient level
e. 550 - fatal error (typically means that the recipient does not exist)
f. 554 - error shown to low-reputation or explicitly blacklisted hosts
Sample SMTP conversation :
1 220 ESMTP
3 250
5 250 sender <> ok
6 RCPT TO: <>
7 250 recipient <> ok
9 354 go ahead
10 Subject: Example Message
12 This is the text of an example message.
13 .
14 250 ok: Message 31274 accepted
16 221
ESA Basic Configuration
ESA Interfaces & Initialization
The number of available interfaces depends on the platform
Ports are labeled as Data and Management but they can all be used for any purpose
Data1/Management port is preconfigured with an IP address
HTTP, HTTPS and SSH are enabled
Default username is admin, password ironport
Useful CLI commands :
The CLI equivalent of the GUI's System Setup Wizard can be run with systemsetup
To change the default IP address & HTTP[s] ports use interfaceconfig
To change the default gateway IP use the setgateway command
Check if ESA can send e-mails with mailconfig
After any configuration change is done through CLI submit it (commit)
ESA Workflow & Policies
ESA SMTP Listeners
SMTP Listeners handle the connection and SMTP conversation
At least one Listener must be enabled to process incoming/outgoing e-mails
There are separate HAT and RAT tables for each of the Listeners
E-mail Processing
Source IP address from the first TCP packet (SYN) is used to perform :
Reverse DNS Lookup (PTR)
DNS A lookup on the returned FQDN (if any)
Reputation Score is evaluated for that IP
(Optional) Other DNS features are checked like DNS Blacklist
This information is used to classify the connection in the HAT table
Host Access Table (HAT)
Controls incoming connections to the Listener (senders)
Rules consist of conditions (Sender Groups) and Results (Mail Flow Policies)
Rules are processed top-down up to the first match
Order is important (WHITELIST should come first etc.)
Mail Flow Policy Actions
Accept (classifies a message as incoming)
Connection is accepted but the sender is limited to recipients defined in the RAT table
Relay (classifies a message as outgoing)
Connection is accepted and the sender is NOT limited to recipients defined in the RAT table
TCP Refuse
Recipient Access Table (RAT)
Every HAT-accepted conversation (Mail Flow Policy Action -> ACCEPT) is evaluated against the RAT
For every RCPT TO issued, ESA checks the RAT to see if the recipient/domain is allowed
You have the option to reject individual users within a domain
LDAP can also be used to perform a recipient lookup (if you use it)
Private Listeners don't use the RAT (dual-arm design)
After the HAT & RAT checks are successful, the Sender is allowed to continue with the DATA command
Message is internally moved to the Work Queue for further processing
Anti-Virus & Virus Outbreak Filtering
Content Filtering
Data Loss Prevention (outgoing mails only)
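Added example (not ESA code) that models the HAT and RAT checks described above as an SMTP listener: the sender group is chosen top-down by source IP at connect time, ACCEPT limits RCPT TO to RAT entries while RELAY does not, and the reply codes follow the ones listed in the SMTP Response Codes section. The HAT/RAT tables and addresses are constructed; the 501/502/503 replies are standard SMTP codes not mentioned in the notes.

```python
import ipaddress
import re

# Constructed Host Access Table: sender groups are matched top-down, first match
# wins, and the matched group's Mail Flow Policy decides how the session is treated.
HAT = [
    ("WHITELIST", ["203.0.113.0/24"], "ACCEPT"),   # trusted partner MTAs
    ("RELAYLIST", ["10.0.0.0/8"], "RELAY"),        # internal hosts sending outbound mail
    ("BLACKLIST", ["198.51.100.0/24"], "REJECT"),  # explicitly blacklisted -> 554
    ("ALL", ["0.0.0.0/0"], "ACCEPT"),              # catch-all group
]

# Constructed Recipient Access Table: accepted domains, each with the users
# that are rejected individually inside that domain.
RAT = {"example.com": {"nobody"}, "example.net": set()}

ADDR_RE = re.compile(r"<([^>]*)>")


def hat_lookup(src_ip):
    ip = ipaddress.ip_address(src_ip)
    for group, subnets, policy in HAT:
        if any(ip in ipaddress.ip_network(s) for s in subnets):
            return group, policy
    return "ALL", "ACCEPT"


def rat_allows(address):
    local, _, domain = address.rpartition("@")
    domain = domain.lower()
    return domain in RAT and local.lower() not in RAT[domain]


class Listener:
    """Minimal SMTP listener: the HAT decides the policy at connect time, the
    RAT is consulted per RCPT TO only when the policy is ACCEPT."""

    def __init__(self, src_ip):
        self.group, self.policy = hat_lookup(src_ip)
        self.sender, self.rcpts, self.queue = None, [], []

    def banner(self):
        if self.policy == "TCPREFUSE":
            return None                      # connection refused, no banner at all
        if self.policy == "REJECT":
            return "554 Access denied"       # low-reputation / blacklisted hosts
        return "220 ESMTP"

    def command(self, line):
        if self.policy == "REJECT":
            return "554 Access denied"
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.sender, self.rcpts = None, []
            return "250 listener ready"
        if verb in ("MAIL", "RCPT"):
            m = ADDR_RE.search(arg)
            if not m:
                return "501 syntax error in address"
            addr = m.group(1)                # may be empty: MAIL FROM:<>
            if verb == "MAIL":
                self.sender, self.rcpts = addr, []
                return "250 sender <%s> ok" % addr
            if self.sender is None:
                return "503 MAIL FROM required first"
            if self.policy == "ACCEPT" and not rat_allows(addr):
                return "550 recipient <%s> rejected" % addr   # not in the RAT
            self.rcpts.append(addr)
            return "250 recipient <%s> ok" % addr
        if verb == "DATA":
            if not self.rcpts:
                return "503 RCPT TO required first"
            return "354 go ahead"
        if verb == "RSET":
            self.sender, self.rcpts = None, []
            return "250 ok"
        if verb == "NOOP":
            return "250 ok"
        if verb == "QUIT":
            return "221 closing connection"
        if verb == "VRFY":
            return "502 command not implemented"   # VRFY is not implemented on the ESA
        return "500 unrecognized command"

    def message(self, text):
        """Called with the message after 354; hands it to the Work Queue,
        classified as incoming (ACCEPT) or outgoing (RELAY)."""
        direction = "incoming" if self.policy == "ACCEPT" else "outgoing"
        self.queue.append({"from": self.sender, "to": list(self.rcpts),
                           "direction": direction, "data": text})
        self.sender, self.rcpts = None, []
        return "250 ok: Message %d accepted" % len(self.queue)
```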
Work Queue
Policies are defined separately for Incoming (HAT:ACCEPT) and Outgoing (HAT:RELAY) messages
Anti-SPAM Scanning
Allows you to drop/quarantine/bounce SPAM-positive/suspected messages
Anti-Virus Scanning
Message can be found to be infected, encrypted or unscannable
Content Filtering
Allows you to take certain actions depending on message content
Encrypt & deliver
Strip attachment
Quarantine, drop and more
Virus Outbreak Filters (VOF)
Detects and stops 0-Day malware outbreaks
Data Loss Prevention (DLP)
Stops outgoing e-mails containing the company's sensitive information
When sensitive data is found, ESA can drop/quarantine/encrypt or just deliver a message

Other ESA Features
Address Mappings (change the envelope's recipient addresses)
Default Domain
Domain Map (1-1 mappings for the domain, e.g. ->
User portion is not changed
Occurs before the RAT check
Configure via listenerconfig
Aliases (1-1, 1-many, many-many mappings)
Processed after Domain Maps
Configure with aliasconfig
Masquerading (changes the sender's address)
Typically performed on the envelope address but can also modify addresses seen in the Headers
Useful to hide internal domains or flatten domain hierarchies (e.g. ->

SMTP Routes
Used to find a destination IP address for the envelope's recipient[s]
Processed top-down but the most specific entry always wins regardless of the order
Accepts entries for domains or sub-domains, but not individual recipients
Route Destination can be defined as :
Domain (first MX lookup is performed, then A for returned hosts)
Hostname (first tries MX and only if it fails A is performed)
Hostname/Domain in brackets (e.g. [] means only use an A lookup)
IP address
Providing multiple destinations allows for load balancing and/or failover
When priorities are different, only the highest-priority host (lowest number) is used
With equal priorities messages are load-balanced in a round-robin fashion
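An added Python model (not the ESA's implementation) of the SMTP Routes lookup rules just listed: the most specific entry wins regardless of table order, bracketed hosts skip the MX lookup, the lowest priority number is preferred, and equal priorities are served round-robin with failover to the next priority when every host of the best one is down. The route table is constructed sample data; ALL stands for the default route.

```python
import ipaddress

# Constructed SMTP Routes table. A leading dot means "any sub-domain of",
# a bare name matches that domain exactly, and ALL is the default route.
# Entry order is deliberately unhelpful to show that specificity decides.
ROUTES = [
    ("ALL", [("mx.default.example", 0)]),
    (".example.com", [("10.0.0.25", 0)]),
    ("example.com", [("[mail1.example.com]", 0), ("[mail2.example.com]", 0),
                     ("backup.example.com", 10)]),
    ("corp.example.com", [("[192.0.2.10]", 0)]),
    (".b.example.com", [("[198.51.100.7]", 0)]),
]


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def resolution_kind(dest):
    """How the destination entry would be resolved before delivery."""
    if dest.startswith("[") and dest.endswith("]"):
        inner = dest[1:-1]
        return "ip" if is_ip(inner) else "A-only"   # brackets suppress the MX lookup
    return "ip" if is_ip(dest) else "MX-then-A"


class SmtpRouter:
    def __init__(self, routes):
        self.routes = {pattern.lower(): list(dests) for pattern, dests in routes}
        self._rr = {}   # round-robin cursor per (route, priority)

    def match(self, domain):
        """Exact entry first, then the longest matching sub-domain entry,
        ignoring the order of the table; ALL is the fallback."""
        domain = domain.lower()
        if domain in self.routes:
            return domain
        best = None
        for pattern in self.routes:
            if pattern.startswith(".") and domain.endswith(pattern):
                if best is None or len(pattern) > len(best):
                    best = pattern
        return best or "all"

    def next_hop(self, recipient, down=()):
        """Pick the delivery host: lowest priority number first, round-robin
        among equal priorities, failover to the next priority when all hosts
        of the best priority are marked down. Returns None if nothing is left."""
        route = self.match(recipient.rpartition("@")[2])
        live = [(d, p) for d, p in self.routes[route] if d not in down]
        if not live:
            return None
        best = min(p for _, p in live)
        pool = [d for d, p in live if p == best]
        cursor = self._rr.get((route, best), 0)
        self._rr[(route, best)] = cursor + 1
        dest = pool[cursor % len(pool)]
        return route, dest, resolution_kind(dest)
```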

Encryption on the ESA can be performed using two methods :
1. Envelope Encryption
2. TLS

Envelope Encryption
Triggered by Content Filters or DLP
Requires a Key Server and Encryption Profile defined

TLS Encryption
ESMTP supports TLS encryption (STARTTLS)
Destination Controls table controls whether TLS should be used when ESA acts as an SMTP client
Preferred/Required Verify (includes cert validation) :
a. Expiration Dates
b. Signature
c. CN's hostname must match the MTA's DNS FQDN or the domain of the envelope's recipient
HAT controls TLS settings when ESA acts as an SMTP server

LDAP Integration
Not required but useful for a variety of reasons :
Recipient validation
Reduced administration overhead
Increased security

Verification & Troubleshooting Tools
Packet Capture
Remote Access (Reverse SSH)
Content Security Architecture
Explicit Forward Mode
WSA can be placed anywhere
Firewall should block web access from devices other than WSA
Transparent Mode
WSA is typically deployed in the Internet Edge (inside of the ASA)
No reconfiguration needed on the client stations. WCCPv2 handles redirection

High Availability
External Load-Balancer (e.g. ACE)
WCCP is not used, original client IP address can be preserved
In a typical design ESA is placed in the DMZ of the Internet Edge
Single-Arm Design
Firewall configuration may include NAT and must allow SMTP, LDAP, DNS, HTTP and HTTPs
Two-Arm Design
One Data port connects to the inside (private Listener), other to the DMZ (public Listener)
If you add an OOB port it is known as Three-Arm design

High Availability
Multiple ESAs (configure multiple MX records in DNS)
External Load-Balancer (e.g. ACE)
Especially useful for outgoing e-mails
Cisco Cloud Web Security
Cloud Web Security (CWS)
Software-as-a-Service (SaaS) solution
Previously known as ScanSafe
Redirected web traffic (no FTP support) is inspected by multiple SIO engines
Traffic redirection can be performed :
Explicitly (Proxy AutoConfiguration PAC file)
Transparently with Connectors (ISR G2 routers, ASA firewalls)
Transparently with AnyConnect Secure Mobility Client (remote access and mobile)

Web Usage Controls
Application Visibility & Control (AVC)
Zero-Day Threat Protection
Cognitive Threat Analytics
Advanced Malware Protection (AMP)
File Reputation
File Sandboxing
File Retrospection
HTTPS Decryption (Secure Traffic Inspection)
Web Security Essentials
Web Content Filtering
Secure Mobility Integration (AnyConnect)
Anti-Malware Protection
Advanced Malware Protection (AMP)
Web Security Premium
Web Security Essentials + AMP

CWS Licenses are term-based subscriptions (1/3/5 years)
CWS Connectors
Cloud Connector is embedded software used to redirect web traffic to the Cloud
To start, make sure at least one Authentication Key (license) was generated (ScanCenter)
Company/Group Key is used to authenticate your traffic in the Cloud
Multiple Group Keys can be generated (simple way to apply different policies, e.g. per ASA)
ASA Connector Configuration
Configure Proxy (aka Tower) addresses and license (Authentication Key) :
scansafe general-options
server primary ip primary_ip_addr port 8080
server backup ip bckp_ip_addr port 8080
license license_number
In multiple mode also add scansafe under a context config
Configure a Whitelist (Optional)
class-map type inspect scansafe whitelist_class_name
match [user|group] name

Configure Redirection Options
policy-map type inspect scansafe sf_policy_name
default [user|group] name
class whitelist_class_name
Configure L3/L4 class & policy maps (ensure no overlap exists with CX)
class-map class_name
match access-list acl_name

policy-map policy_name
class class_name
inspect scansafe sf_policy_name [fail-open|fail-close]

service-policy policy_name interface if_name

CWS IOS Connector
Works similarly to the ASA
User/user-group can be used to find a policy (e.g. via AD/LDAP, Authentication Proxy)
Whitelists can be configured for :
IP addresses
HTTP Header fields (e.g. Host or User-Agent)
parameter-map type regex AllowedWebSites
pattern cisco

content-scan whitelisting
whitelist header host regex AllowedWebSites
IOS Connector Configuration
Configure the Towers, Authentication Key, possibly a default user/group & optional parameters
parameter-map type content-scan global
server scansafe primary ipv4 ip1 port http 8080 https 8080
server scansafe secondary ipv4 ip2 port http 8080 https 8080
user-group groupname username username
server scansafe on-failure [allow-all|block-all]
Enable transparent redirection on the egress interface
interface g0/1
content-scan out
CWS - AnyConnect
AnyConnect CWS
AnyConnect uses Trusted Network Detection (TND) to determine if a connection is trusted or not
Internet web traffic from untrusted connections (remote access) is split-tunneled to the Cloud
Web Security Module acts as a CWS Connector
Web Security Service AnyConnect Profile :
Up-to-date list of CWS Proxy Servers and a Proxy Exception List
TND & Authentication
VPN Group Policy :
VPN Filter should block HTTPS to the TND server (permit everything else)
Split Tunneling must exclude traffic to the CWS Proxy Servers
Local LAN Access must be enabled
Context-Aware ASA
Context-Aware (CX) ASA
Next-Generation ASA family (5500-X Series) includes the following models :
5512-X, 5515-X, 5525-X, 5545-X, 5555-X and 5585-X
Next-Generation Security Services (powered by SIO) :
WSE and AVC (starting in ASA software 9.1.1; requires a CX module 9.1.1+)
NG IPS (IPS software needed is 7.1.4; requires CX)
CWS (starting in ASA software 9.0.1)
Context-Aware (CX) Module
Software/hardware solution configured with Prime Security Manager (PRSM)
First initialize the module via ASDM or CLI
To access the CX CLI, session directly from the ASA or SSH to the ASA's interface
Traffic must still be redirected to the module using MPF (CLI/ASDM)
Traffic Redirection
Configure it with ASDM (ASA CX Inspection tab under Service Policy) or CLI :
cxsc [fail-open|fail-close] [auth-proxy|monitor-only]
Monitor Mode can be used to test module functionality without affecting the traffic (CLI only)
Enable it in the Policy-Map (cxsc monitor-only)
Or use a Traffic-Forwarding interface (traffic-forward cxsc monitor-only)
Don't enable CWS or regular HTTP inspection on traffic redirected to the CX module
CX Workflow
a) Incoming VPN traffic is decrypted
b) Firewall policies are applied
c) Traffic is redirected to the CX module where policies are applied
d) Allowed traffic is sent back to the ASA for further processing (e.g. encryption)
IPS Basics
IPS Sensor Interfaces
Management (Command & Control)
Used to remotely access IPS for configuration
Initiates blocking connections
Should be part of management VLAN
Used to monitor and analyze traffic
Can be configured for various IPS Deployment Modes
Alternate TCP Reset
Used when switch does not support ingress traffic on SPAN/RSPAN port
Should be part of the monitored VLAN so TCP Resets can do their work
IPS User Roles
Highest privilege level -> unrestricted access
Full read-only access and ability to modify own passwords, tune signatures, and manage
blocking devices
Can view configuration, event data and modify their own password
This is for support and troubleshooting only. It bypasses the CLI and gains shell access to
the underlying Linux OS using the su command
Somewhat similar to IOS
You can use ? and complete commands with Tab
Not case sensitive
IPS CLI Command Modes
Privileged EXEC
Global Config (accessible via configure terminal)
Multi Instance (signature definition,event rules, anomaly detection)
Useful CLI Commands
Initialize IPS (Admin Role required) - setup
Check interface types - show interfaces brief
Show running configuration - show configuration
Check if traffic is received by IPS - packet display
Show real-time alerts - show events alerts
Show denied attackers - show statistics denied-attackers
Verify what signatures fired - show statistics virtual-sensor
IPS Initialization Steps (setup)
Hostname in the <ipv4_addr>/<mask_bits>,<default_gw_ip_addr> format
Management Access-List as <subnet>/<mask_bits>
Specifies who can manage the sensor (PING, HTTP[s], SSH and Telnet)
DNS Server or HTTP Proxy IP addresses (Global Correlation)
System Clock Settings
SensorBase Network Participation
Off (no participation)
Partial (no sensitive information is sent to SensorBase)
Full (all data is contributed to the SensorBase)
SPAN and RSPAN
A method of copying network traffic passing through ports or VLANs
Useful for IDS/IPS or Call Recording
Mirrors only received traffic for a VLAN
For an interface it can be sent, received or both
SwitchPort Analyzer (SPAN) vs Remote SPAN (RSPAN)
Session Source and Destination must be on the same switch (SPAN)
Session Destination port is on another switch (RSPAN)

monitor session 1 source interface Fa0/8 both
monitor session 1 destination interface Fa0/9 [options]
ingress vlan (TCP Resets)
encapsulation replicate (VLAN Groups)

RSPAN Configuration
Remote SPAN VLAN must be configured end-to-end
Switch 1
vlan 555

monitor session 1 source interface Fa0/2 both
monitor session 1 destination remote vlan 555
Switch 2
vlan 555

monitor session 2 source remote vlan 555
monitor session 2 destination interface Fa0/15 [options]

IPS Deployment Modes
1. Promiscuous (IDS)
Monitoring a single VLAN (default on each sensing interface)
Technically more than one VLAN can be SPANed/RSPANed
VLAN Group
Monitoring a trunk
2. Inline (IPS)
Inline Interface Pair (two physical interfaces)
Inline VLAN Pair (single physical interface)
VLAN Group
IPS placed between two switches (in the middle of the trunk)
IPS Virtual Sensor
Main IPS element connecting Policy and Data Traffic with the Analysis Engine
Default vs0 cannot be deleted
Up to four different Virtual Sensors can be defined (virtualization)
Each VS can be configured with a different policy
Virtual Sensor Components
IPS Policy
Signature Definition
Event Action Rules
Anomaly Detection

IPS Signatures
IPS Signatures and Signatures Engines
Signature is a set of rules describing characteristics of an offending packet
Signature Engines
Application Inspection and Control (AIC)
Advanced control of HTTP and FTP
Disabled by default
Atomic (ARP, IPv4 and IPv6)
Detects attacks on a per-packet basis
IPv6 atomic sub-engine inspects IPv6 ND packets; not configurable
Detects ICMP or UDP floods

Detects attacks based on existing signatures, not data packets
Searches for a single regex (per signature)
Provides protocol-specific inspections (e.g. HTTP, DNS, etc.)
Detects network reconnaissance scans from a single host
Performs anti-evasive techniques
Deals with IPv4/IPv6 fragmentation and TCP Stream Reassembly (normalizes packets when in inline mode)
Only allows tuning of existing signatures (no new ones can be added)

Signature Actions
Per Signature
Based on Risk Rating
Common signature actions
Log Attacker Packets - Capture packets (attacker address)
Log Pair Packets - Capture packets (attacker-victim address pair)
Log Victim Packets - Capture packets (victim address)
Produce Alert - Generate an alert
Produce Verbose Alert - Include dump of an offending packet in the alert
Request SNMP Trap - Send SNMP Notification
Inline Signature Actions

Deny Attacker Inline - Block all traffic from the attacker
Deny Attacker Service Pair Inline - Deny all traffic to the destination port
Deny Attacker Victim Pair Inline - Deny all traffic between the attacker and victim
Deny Connection Inline - Drop current TCP flow from the attacker
Deny Packet Inline - Drop the offending packet
Modify Packet Inline - Modify the packet's content, e.g. clear IP Options
Reset TCP Connection - Send TCP Reset to terminate the flow
Promiscuous Signature Actions

Request Block Connection - Initiate connection block (no shunning here)
Request Block Host - Block/shun the attacker
Request Rate Limit - Rate-limit packets from the attacker
Reset TCP Connection - Send TCP Reset. Initial packet made it to the victim
Signature Tuning
Signature/Engine specific
Regular Expression
Header fields (flags, ports, type/code)
Common Settings
Action (Produce Alert, Deny Packet Inline)
Alert Message
Alert Severity
Event/Alert Summarization

Event/Alert Summarization
Event Counter
Alert Summarization Mode (e.g. Fire All, Fire Once, Summary)
IPS Event Actions
Risk and Threat Rating
Risk Rating is a number describing a risk associated with a signature. Calculated as :
RR = (ASR * TVR * SFR) / 10000 + ARR - PD + WLR
Threat Rating is RR lowered by the numerical value of the taken Signature Action
Sample Action Values
Deny Attacker Inline (45)
Deny Packet Inline (35)
TCP Reset (20)
Event Actions
Another method of tuning signatures
1. Event Action Overrides
Add an action to a signature based on its calculated Risk Rating
By default Deny Packet Inline action will be taken for all signatures with Risk Rating
higher than 90 (in addition to signature-specific actions)
2. Event Action Filters
Remove an action from a signature based on :
Signature and sub-signature ID
Attacker/Victim IPv4/IPv6 address or port
Risk Rating value
Processed after Event Action Overrides
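Added example (not Cisco's code) that computes the Risk Rating, applies the default Event Action Override and an Event Action Filter in the order described above (overrides first, then filters), and derives the Threat Rating from the sample action values. ASR, TVR, SFR, ARR, PD and WLR are the attack severity, target value, signature fidelity, attack relevancy, promiscuous delta and watch list ratings; clamping RR to 0..100 is an assumption, and the signature, filter and addresses are constructed.

```python
import ipaddress

# Sample action values from the notes; the strongest one lowers the RR to give
# the Threat Rating.
ACTION_VALUES = {
    "Deny Attacker Inline": 45,
    "Deny Packet Inline": 35,
    "Reset TCP Connection": 20,
}

# Default override from the notes: Deny Packet Inline whenever RR is above 90.
DEFAULT_OVERRIDES = [(91, 100, "Deny Packet Inline")]


def risk_rating(asr, tvr, sfr, arr=0, pd=0, wlr=0):
    """RR = ASR*TVR*SFR/10000 + ARR - PD + WLR, kept in the 0..100 range
    (the clamp is an assumption, not stated in the notes)."""
    rr = (asr * tvr * sfr) / 10000 + arr - pd + wlr
    return int(max(0, min(100, round(rr))))


def filter_matches(f, sig, attacker_ip, rr):
    """A filter applies when every condition it specifies matches:
    signature/sub-signature id, attacker address/subnet and RR range."""
    if "sig_id" in f and f["sig_id"] != (sig["id"], sig.get("subsig", 0)):
        return False
    if "attacker" in f:
        if ipaddress.ip_address(attacker_ip) not in ipaddress.ip_network(f["attacker"]):
            return False
    lo, hi = f.get("rr", (0, 100))
    return lo <= rr <= hi


def event_actions(sig, attacker_ip, rr, overrides=DEFAULT_OVERRIDES, filters=()):
    """Overrides only add actions based on RR; filters, processed afterwards,
    only remove actions. Returns (sorted actions, threat rating)."""
    actions = set(sig["actions"])
    for lo, hi, action in overrides:
        if lo <= rr <= hi:
            actions.add(action)
    for f in filters:
        if filter_matches(f, sig, attacker_ip, rr):
            actions -= set(f["remove"])
    # Threat Rating: RR lowered by the value of the strongest action taken.
    threat = rr - max((ACTION_VALUES.get(a, 0) for a in actions), default=0)
    return sorted(actions), max(threat, 0)


# Constructed signature and filter used for the demonstration.
SAMPLE_SIG = {"id": 2004, "subsig": 0, "actions": ["Produce Alert"]}
SAMPLE_FILTER = {"sig_id": (2004, 0), "attacker": "10.0.0.0/8",
                 "rr": (0, 100), "remove": ["Deny Packet Inline"]}
```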
IPS Blocking
Temporary attack mitigation tool available in Promiscuous Deployment
Allows IPS to connect to a router/firewall to apply an ACL or shunning configuration
Connections are always initiated from the Management Interface
Rate Limiting is also supported. Then Service Policy is applied
IPS Blocking on the ASA is implemented using shunning (shun)
Rate Limiting and Blocking is NOT supported for IPv6
IPS Blocking Access-List Logic :
1. Allow IP address of IPS itself
2. Pre Access-List (pre-ACL)
3. Actual blocking configuration
4. Post Access-list (post-ACL)
Pre and Post Access-lists are defined locally on the router
Watch out for NAT (between IPS Management Interface and the blocking device)
Use the Sensor's NAT address to fix this
Configure Never Block Addresses if needed
IPS Blocking Configuration

Make sure blocking is enabled
Create Device Login Profile
Specify Blocking Device
Identify Blocking Interface and direction
For SSH add Blocking Device to SSH Known Host Keys
Prepare router/ASA for remote IPS connections
IPS Anomaly Detection
Anomaly Detection (AD)
IPS Component used to detect worm-infected hosts
Works by comparing traffic baseline to the current activity
Most worms use scanning techniques to find vulnerable hosts to propagate
This changes/increases network activity

Scanner is a single host trying to discover (scan) multiple destinations (IPs)
For TCP it would be multiple non-established sessions
For UDP and Other protocols it is traffic seen in only one direction
Histogram defines the number of tolerable concurrent scans and Scanners
E.g. 5 hosts issuing LOW scans each (LOW is between 5 and 19 scans)
If Histogram Threshold is exceeded, AD considers a worm outbreak
Anomaly Detection can be running in one of three modes
1. Learn Mode
Develops network baseline for 24 hours since first sensor Initialization
Can be set manually to force longer learning period
No scanning/worms should occur during that time
2. Detect Mode
Activates Anomaly Detection
Gradual changes to the Knowledge Base are recorded that update baseline
3. Inactive Mode
Disables Anomaly Detection
A must in asymmetric environments
Anomaly Detection Zones

1. Internal
Should contain all IP ranges used in the network
2. Illegal
Describes all unallocated ranges and bogons
3. External
Everything else
Zones are intended to help achieve a lower false-negative rate
Software-based solution available on IOS routers
Many features and terminology are similar to ones used by Sensor Appliances
Not all is supported, e.g. Anomaly Detection, Signature configuration options
Load Cisco's Public Key to decrypt/verify the signature package
crypto key pubkey-chain rsa
named-key signature
Create a folder for IPS configuration files
ip ips config location
Retire everything you will NOT be using
ip ips signature-category
category all
retired true
category ios_ips basic
retired false
Create IPS rule and apply it
ip ips name IPS_RULE [list acl]

int g0/0
ip ips IPS_RULE [in|out]

Compile selected signatures
copy flash:IOS-S258-CLI-kd.pkg idconf
Tune signatures
Per Category
ip ips signature-category
Per Signature
ip ips signature-definition
Special IPS module (physical or software depending on platform)
Runs the exact IPS 4200 series code
Use IPS 4200 series documentation for configuration (same as for physical 4200 appliance)
Accessing the Module
1. Session directly from the ASA (gives you CLI access)
Issue session ips console (disconnect using CTRL+SHIFT+6 X)
2. Use the GUI
IPS Management Interface is shared with the ASA's Management F0/0. You can plug a PC in
directly and access it using its default address
ASDM : Configuration -> IPS
Diverting traffic to the IPS
MPF (ips inline|promiscuous [options] under a class in the policy)

1. Bypass Mode (fail-open or fail-close)
2. Virtual Sensor number (sensor nr)
Virtual Sensors can be used in both, Single and Multiple-Context Modes
First create them from within IPS GUI/CLI (service analysis-engine)
In Multiple-Context allocate one or more to the context (allocate-ips)
Then divert the traffic on the ASA (MPF)

To see the list of available sensors use show ips

IPS module configuration is NOT replicated in any failover scenario
context Cust1
allocate-ips vs0
allocate-ips VS1 default

policy-map IPS_POLICY
ips inline fail-open sensor vs0
ips inline fail-open sensor VS1
ips inline fail-open

service-policy IPS_POLICY interface outside