Advanced Inspection and Prevention Security Services Module Overview (AIP-SSM)

Cisco ASA supports the Advanced Inspection and Prevention Security Services Module (AIP-SSM) running Cisco Intrusion Prevention System (CIPS) software version 5.0 or later. One of the major features of CIPS 5.x is its ability to process and analyze traffic inline, which is what qualifies a Cisco ASA fitted with the module to be classified as an IPS. The system image file is similar to the ones that run on the Cisco IPS 4200 Series sensors, the Cisco IDS Services Module-2 (IDSM-2) for the Cisco Catalyst 6500, and the Cisco IDS Network Module for Cisco IOS routers.

Cisco ASA also provides basic IPS support when no AIP-SSM module is present, through the IP audit feature inherited from the Cisco Secure PIX Firewall. IP audit supports a basic, fixed list of signatures and lets the appliance perform one or more actions on traffic that matches them. This feature is discussed later in the chapter, in the section "IP Audit."

Two different AIP-SSM modules exist: the AIP-SSM-10 and the AIP-SSM-20.

Note

The Cisco ASA 5510 supports the AIP-SSM-10 only. The Cisco ASA 5520 supports both the AIP-SSM-10 and the AIP-SSM-20. The Cisco ASA 5540 supports the AIP-SSM-20 only.

The AIP-SSM is a diskless (Flash-based) module. The CIPS software runs from the module's Flash memory, which improves flexibility and reliability compared with a disk-based sensor. The module includes a 10/100/1000 Ethernet port designed for out-of-band management. Figure 13-1 illustrates the front of the AIP-SSM module.

Figure 13-1. AIP-SSM Module Front View

The AIP-SSM has four LED indicators that are visible to the end user. Table 13-1 describes the function of each indicator.

Table 13-1. AIP-SSM LEDs

LED Indicator   Color          Description
-------------   ------------   --------------------------------------------------------------------------
Power           Green          The AIP-SSM card is powered on.
Status          Green/yellow   Green: the software-driven self-tests have passed and the card is operational.
                               Yellow: the unit is under test, or it may now be safely removed from the ASA chassis.
Link/Activity   Green          10/100/1000 Ethernet link and activity on the management port.
Speed           Green/orange   Green: the management port is operating at 100 Mbps.
                               Orange: the management port is operating at 1000 Mbps.

AIP-SSM Management

The AIP-SSM can be managed through the management interface port shown in Figure 13-1 by using Telnet, SSH, or Cisco Adaptive Security Device Manager (ASDM). Telnet carries credentials in cleartext and is disabled by default in CIPS; prefer SSH or ASDM. The module can also be managed from the ASA's backplane by using the session command:

session module-number

where module-number is the slot number in the Cisco ASA. Because there is only one available slot, the module number is always 1. Example 13-1 demonstrates how to open a command session to the AIP-SSM module. The AIP-SSM prompts the user for authentication credentials. Example 13-1 logs in as the default CIPS account, cisco; CIPS requires that account's default password be changed at first login, and individual administrator accounts should be created rather than sharing it.

Example 13-1. session Command

Chicago# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.

login: cisco
Password:

Once the user session is connected to the AIP-SSM, the configuration steps are the same as for any other system running CIPS 5.x or later software.

Note

Chapter 14, "Configuring and Troubleshooting Cisco IPS Software via CLI," covers CIPS software configuration.

To view the module statistics, use the show module command from the ASA CLI, as demonstrated in Example 13-2.

Example 13-2. Output of show module Command

Chicago# show module
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5540 Adaptive Security Appliance         ASA5540            P0000000227
  1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         01234567890

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  0 000b.fcf8.c6d2 to 000b.fcf8.c6d6  1.0          1.0(6)5      7.0(1)
  1 000b.fcf8.012c to 000b.fcf8.012c  1.0          1.0(7)2      5.0(2)S152.0

Mod Status
--- ------------------
  0 Up Sys
  1 Up

The first section of the output lists the card type: in this case, the Chicago ASA 5540 is running an AIP-SSM-20 (model ASA-SSM-20) with serial number 01234567890. The second section shows the MAC address of the card and the software version it is running, 5.0(2)S152.0. The third section shows the status of the module, Up, meaning it is operational.

Inline Versus Promiscuous Mode

Cisco ASA supports both inline and promiscuous IPS modes. When configured as an inline IPS, the AIP-SSM module can drop malicious packets, generate alarms, or reset a connection, allowing the ASA to respond immediately to security threats and protect the network. Inline IPS configuration forces all traffic selected for inspection through the AIP-SSM: the ASA will not forward a matching packet out to the network until the module has inspected it and handed it back. Because the module sits in the forwarding path, the configuration must also state what happens when the module itself is unavailable: whether matching traffic is dropped (fail-close) or passed uninspected (fail-open).

Figure 13-2 shows the traffic flow when the Cisco ASA is configured in inline IPS mode.

Figure 13-2. Inline IPS Traffic Flow

The following is the sequence of events illustrated in Figure 13-2:

  1. The Cisco ASA receives an IP packet from the Internet.
  2. Because the Cisco ASA is configured in inline IPS mode, it forwards the packet to the AIP-SSM for analysis.
  3. The AIP-SSM analyzes the packet and, if it determines that the packet is not malicious, forwards the packet back to the Cisco ASA.
  4. The Cisco ASA forwards the packet to its final destination (the protected host).

Note

Inline IPS mode is the most secure configuration because every packet is inspected by the AIP-SSM; however, this may affect the overall throughput. The impact depends on the type of attack, signatures enabled on the system, and amount of traffic passing through the appliance.

When the Cisco ASA is set up to use the AIP-SSM in promiscuous mode, the ASA forwards traffic normally and sends the AIP-SSM a copy of the stream. This mode has less impact on overall throughput, but it is considered less secure than inline mode: the module cannot drop the packet it is examining, because that packet has already been forwarded. It can only react after the fact, by raising an alarm, sending a TCP RST (reset) to terminate a TCP connection, or forcing the ASA to shun the offending source so that subsequent packets are blocked.

Note

Promiscuous mode has less impact on performance because the AIP-SSM is not in the traffic path; it receives only a copy of each packet. If the module drops or falls behind on its copy (for example, under heavy load), the ASA's forwarding of the original packet is unaffected.

Figure 13-3 illustrates an example of how traffic flows when the AIP-SSM is configured in promiscuous mode.

Figure 13-3. Promiscuous Mode Traffic Flow

The following is the sequence of events illustrated in Figure 13-3:

  1. The Cisco ASA receives an IP packet from the Internet.
  2. Because the Cisco ASA is configured in promiscuous IPS mode, it hands the AIP-SSM a copy of the packet, which the module inspects passively.
  3. The ASA forwards the original packet to its final destination (the protected host) without waiting for the module's verdict, provided the packet is permitted by the firewall policy. If the copy matches a signature, the AIP-SSM can only respond after the fact, by raising an alarm, sending a TCP reset, or asking the ASA to shun the source; the packet that triggered the match has already been delivered.

Note

If the ASA firewall policies deny any inbound packet at the interface, the packet will not be inspected by the AIP-SSM. This applies to both inline and promiscuous IPS modes.
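The following configuration is an added example, not taken from the book or from Cisco documentation; it shows how the two modes just described are selected on the ASA with the ips action of a policy-map class, and where the fail-open/fail-close decision is made. The names IPS_TRAFFIC and IPS_CLASS are assumptions chosen for the example; global_policy is the ASA's default global policy-map.

```cisco
! Added example (not from the book). IPS_TRAFFIC and IPS_CLASS are assumed names.
!
! 1. Select the traffic to hand to the AIP-SSM. Only packets that the interface
!    ACLs have already permitted ever reach this class, so traffic denied at the
!    interface is never seen by the module (in either mode).
access-list IPS_TRAFFIC extended permit ip any any
!
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! 2a. Inline mode: a matching packet is held until the module returns it.
!     fail-close drops matching traffic while the module is down or reloading;
!     fail-open would let that traffic through uninspected instead.
policy-map global_policy
 class IPS_CLASS
  ips inline fail-close
!
! 2b. Promiscuous alternative: the ASA forwards the packet at once and gives the
!     module a copy; the module can only alarm, reset, or shun after the fact.
!     To use it, replace the ips line in step 2a with:
!       ips promiscuous fail-open
!
! 3. Apply the policy to all interfaces.
service-policy global_policy global
```

After applying the policy, confirm that the module is Up with show module (Example 13-2) and that the service policy reports the expected mode with show service-policy. Choose fail-close for the inline deployment when the policy requires that nothing cross the firewall uninspected, and accept that a module outage then becomes a network outage for the matching traffic; fail-open trades that guarantee for availability.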

In the example illustrated in Figure 13-4, SecureMe's Chicago headquarters has two redundant Cisco ASAs acting as Internet firewalls, both configured in promiscuous IPS mode. It also has an ASA that terminates a site-to-site IPSec tunnel to a partner company; this ASA is configured in inline IPS mode. Which traffic that ASA sends through the AIP-SSM depends on the security policy SecureMe applies to its site-to-site VPNs.

Figure 13-4. SecureMe IPS Example
