Configuring the AIP SSM
Note All IPS platforms allow ten concurrent CLI sessions.
This chapter contains procedures that are specific to configuring the AIP SSM. It contains the following sections:
•AIP SSM Configuration Sequence
•Verifying AIP SSM Initialization
•Creating Virtual Sensors for the AIP SSM
•Sending Traffic to the AIP SSM
•The Adaptive Security Appliance, the AIP SSM, and Bypass Mode
•The AIP SSM and the Normalizer Engine
•Reloading, Shutting Down, Resetting, and Recovering the AIP SSM
•New and Modified Commands
AIP SSM Configuration Sequence
You configure both the adaptive security appliance and IPS software on AIP SSM.
Perform the following tasks to configure the AIP SSM:
1. Log (session) in to the AIP SSM.
2. Initialize the AIP SSM. Run the setup command to initialize the AIP SSM.
3. Verify AIP SSM initialization.
4. (Optional) If you have Cisco Adaptive Security Appliance Software 7.2.3 or later, configure multiple virtual sensors.
5. Configure the adaptive security appliance to send IPS traffic to the AIP SSM.
6. Perform other initial tasks, such as adding users, trusted hosts, and so forth.
7. Configure intrusion prevention.
8. Configure global correlation.
9. Perform miscellaneous tasks to keep your AIP SSM running smoothly.
10. Upgrade the IPS software with new signature updates and service packs.
11. Reimage the AIP SSM when needed.
For More Information
•For the procedure for logging in to the AIP SSM, see Chapter 2 "Logging In to the Sensor."
•For the procedure for running the setup command, see Advanced Setup for the AIP SSM.
•For the procedure for verifying the AIP SSM initialization, see Verifying AIP SSM Initialization.
•For the procedure for creating virtual sensors, see Creating Virtual Sensors for the AIP SSM.
•For the procedure for configuring the ASA to send traffic to the AIP SSM, see Sending Traffic to the AIP SSM.
•For the procedures for setting up the sensor, see Chapter 4 "Setting Up the Sensor."
•For the procedures for configuring intrusion prevention, see Chapter 7 "Configuring Event Action Rules," Chapter 8 "Defining Signatures," Chapter 9 "Configuring Anomaly Detection," and Chapter 14 "Configuring Attack Response Controller for Blocking and Rate Limiting."
•For the procedures for configuring global correlation, see Chapter 10 "Configuring Global Correlation."
•For the procedures for keeping your AIP SSM running smoothly, see Chapter 17 "Administrative Tasks for the Sensor."
•For more information on how to obtain Cisco IPS software, see Chapter 22 "Obtaining Software."
•For the procedure for reimaging the AIP SSM, see Installing the AIP SSM System Image.
Verifying AIP SSM Initialization
You can use the show module slot details command to verify that you have initialized AIP SSM and to verify that you have the correct software version.
To verify initialization, follow these steps:
Step 1 Log in to the adaptive security appliance.
Step 2 Obtain the details about AIP SSM.
asa# show module 1 details
ASA 5500 Series Security Services Module-10
Serial Number: JAB09370212
Firmware version: 1.0(10)0
Software version: 7.0(4)E4
MAC Address Range: 0012.d948.fe73 to 0012.d948.fe73
Mgmt IP addr: 171.69.36.171
Step 3 Confirm the information.
Creating Virtual Sensors for the AIP SSM
Caution
Cisco Adaptive Security Appliance Software 7.2.3 or later supports virtualization.
This section describes how to create virtual sensors on the AIP SSM, and contains the following topics:
•The AIP SSM and Virtualization
•AIP SSM Virtual Sensor Configuration Sequence
•Creating Virtual Sensors on the AIP SSM
•Assigning Virtual Sensors to Adaptive Security Appliance Contexts
The AIP SSM and Virtualization
The AIP SSM has one interface, GigabitEthernet0/1. When you create multiple virtual sensors, you must assign this interface to only one virtual sensor. For the other virtual sensors you do not need to designate an interface.
After you create virtual sensors, you must map them to a security context on the adaptive security appliance using the allocate-ips command. You can map many security contexts to many virtual sensors.
Note The allocate-ips command does not apply to single mode. In this mode, the security appliance accepts any virtual sensor named in a policy-map command.
The allocate-ips command adds a new entry to the security context database. A warning is issued if the specified virtual sensor does not exist; however, the configuration is allowed. The configuration is checked again when the service-policy command is processed. If the virtual sensor is not valid, the fail-open policy is enforced.
AIP SSM Virtual Sensor Configuration Sequence
Follow this sequence to create virtual sensors on the AIP SSM and to assign them to adaptive security device contexts:
1. Configure up to four virtual sensors on the AIP SSM.
2. Assign the AIP SSM interface, GigabitEthernet0/1, to one of the virtual sensors.
3. Assign virtual sensors to different contexts on the adaptive security device.
4. Use MPF to direct traffic to the targeted virtual sensor.
Creating Virtual Sensors on the AIP SSM
Note You can create up to four virtual sensors.
Use the virtual-sensor name command in service analysis engine submode to create virtual sensors on the AIP SSM. You assign policies (anomaly detection, event action rules, and signature definition) to the virtual sensor. You can use the default policies, ad0, rules0, and sig0, or you can create new policies. Then you assign the interface GigabitEthernet0/1 to one virtual sensor.
The following options apply:
•anomaly-detection—Specifies the anomaly detection parameters:
–anomaly-detection-name name—Specifies the name of the anomaly detection policy.
–operational-mode {inactive | learn | detect}—Specifies the anomaly detection mode.
•description—Description of the virtual sensor.
•event-action-rules—Specifies the name of the event action rules policy.
•signature-definition—Specifies the name of the signature definition policy.
•physical-interfaces—Specifies the name of the physical interface.
•no—Removes an entry or selection.
To create a virtual sensor on the AIP SSM, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter service analysis mode.
sensor# configure terminal
sensor(config)# service analysis-engine
Step 3 Add a virtual sensor.
sensor(config-ana)# virtual-sensor vs1
Step 4 Add a description for this virtual sensor.
sensor(config-ana-vir)# description virtual sensor 1
Step 5 Assign an anomaly detection policy and operational mode to this virtual sensor.
sensor(config-ana-vir)# anomaly-detection
sensor(config-ana-vir-ano)# anomaly-detection-name ad1
sensor(config-ana-vir-ano)# operational-mode learn
Step 6 Assign an event action rules policy to this virtual sensor.
sensor(config-ana-vir-ano)# exit
sensor(config-ana-vir)# event-action-rules rules1
Step 7 Assign a signature definition policy to this virtual sensor.
sensor(config-ana-vir)# signature-definition sig1
Step 8 Assign the interface to one virtual sensor.
sensor(config-ana-vir)# physical-interface GigabitEthernet0/1
Step 9 Verify the virtual sensor settings.
sensor(config-ana-vir)# show settings
-----------------------------------------------
description: virtual sensor 1 default:
signature-definition: sig1 default: sig0
event-action-rules: rules1 default: rules0
-----------------------------------------------
anomaly-detection-name: ad1 default: ad0
operational-mode: learn default: detect
-----------------------------------------------
physical-interface (min: 0, max: 999999999, current: 2)
-----------------------------------------------
subinterface-number: 0 <defaulted>
-----------------------------------------------
-----------------------------------------------
logical-interface (min: 0, max: 999999999, current: 0)
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
Step 10 Exit analysis engine mode.
sensor(config-ana-vir)# exit
Step 11 Press Enter to apply the changes or enter no to discard them.
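The following Python script is an added example and is not part of the Cisco IPS software or of this guide. It parses a session transcript of the service analysis-engine commands used in the procedure above into a per-virtual-sensor settings table, tracking the config-ana-vir and config-ana-vir-ano submodes, and then checks the rules this section states: at most four virtual sensors, GigabitEthernet0/1 assigned to exactly one of them, and the default policies ad0, rules0 and sig0 with operational mode detect. The SAMPLE_TRANSCRIPT, the function names, and the decision to report an interface name other than GigabitEthernet0/1 as a problem are assumptions of the example.

```python
# Added example (not Cisco IPS code): parser and validator for the
# 'service analysis-engine' virtual-sensor commands used in this procedure.
# It models the rules the page states: up to four virtual sensors, the module's
# single interface GigabitEthernet0/1 assigned to exactly one of them, and the
# default policies ad0, rules0 and sig0 with operational mode 'detect'.

MAX_VIRTUAL_SENSORS = 4
MODULE_INTERFACE = "GigabitEthernet0/1"
DEFAULTS = {
    "anomaly-detection-name": "ad0",
    "operational-mode": "detect",
    "event-action-rules": "rules0",
    "signature-definition": "sig0",
}
VALID_MODES = ("inactive", "learn", "detect")


def _strip_prompt(line):
    """Drop a 'sensor(config-ana-vir)# ' style prompt so pasted sessions parse."""
    return line.split("# ", 1)[1].strip() if "# " in line else line.strip()


def parse_analysis_engine(transcript):
    """Build {virtual_sensor_name: settings} from the submode commands.

    Tracks the two nesting levels the CLI uses: config-ana-vir (per sensor)
    and config-ana-vir-ano (anomaly detection), each left with 'exit'.
    """
    sensors, current, in_anomaly = {}, None, False
    for raw in transcript.splitlines():
        cmd = _strip_prompt(raw)
        if not cmd:
            continue
        parts = cmd.split()
        if parts[0] in ("configure", "service", "show"):
            continue  # mode entry and display commands carry no settings
        if parts[0] == "virtual-sensor":
            name = parts[1]
            if name not in sensors and len(sensors) >= MAX_VIRTUAL_SENSORS:
                raise ValueError(f"cannot create {name}: only {MAX_VIRTUAL_SENSORS} virtual sensors allowed")
            current = sensors.setdefault(name, dict(DEFAULTS, description="", physical_interfaces=[]))
            in_anomaly = False
        elif current is None:
            raise ValueError(f"'{cmd}' given outside a virtual-sensor submode")
        elif parts[0] == "exit":
            if in_anomaly:
                in_anomaly = False      # leave config-ana-vir-ano
            else:
                current = None          # leave config-ana-vir
        elif parts[0] == "description":
            current["description"] = " ".join(parts[1:])
        elif parts[0] == "anomaly-detection":
            in_anomaly = True
        elif parts[0] in ("anomaly-detection-name", "operational-mode"):
            if not in_anomaly:
                raise ValueError(f"'{cmd}' is only valid inside anomaly-detection")
            current[parts[0]] = parts[1]
        elif parts[0] in ("event-action-rules", "signature-definition"):
            current[parts[0]] = parts[1]
        elif parts[0] == "physical-interface":
            current["physical_interfaces"].append(parts[1])
        else:
            raise ValueError(f"unrecognised command: {cmd}")
    return sensors


def validate(sensors):
    """Return the problems a reviewer would flag before applying the config."""
    problems = []
    owners = [n for n, s in sensors.items() if MODULE_INTERFACE in s["physical_interfaces"]]
    if len(owners) != 1:
        problems.append(f"{MODULE_INTERFACE} must be assigned to exactly one virtual sensor, found {owners}")
    for name, s in sensors.items():
        if s["operational-mode"] not in VALID_MODES:
            problems.append(f"{name}: invalid operational-mode {s['operational-mode']}")
        extra = [i for i in s["physical_interfaces"] if i != MODULE_INTERFACE]
        if extra:
            problems.append(f"{name}: the AIP SSM has no interface {extra}")
    return problems


# Constructed transcript following the steps of this procedure, with a second
# virtual sensor (vs2) that leaves the interface unassigned, as the page allows.
SAMPLE_TRANSCRIPT = """\
sensor# configure terminal
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs1
sensor(config-ana-vir)# description virtual sensor 1
sensor(config-ana-vir)# anomaly-detection
sensor(config-ana-vir-ano)# anomaly-detection-name ad1
sensor(config-ana-vir-ano)# operational-mode learn
sensor(config-ana-vir-ano)# exit
sensor(config-ana-vir)# event-action-rules rules1
sensor(config-ana-vir)# signature-definition sig1
sensor(config-ana-vir)# physical-interface GigabitEthernet0/1
sensor(config-ana-vir)# exit
sensor(config-ana)# virtual-sensor vs2
sensor(config-ana-vir)# description virtual sensor 2
sensor(config-ana-vir)# exit
"""

if __name__ == "__main__":
    cfg = parse_analysis_engine(SAMPLE_TRANSCRIPT)
    for vs_name, settings in cfg.items():
        print(vs_name, settings)
    print("problems:", validate(cfg))
```

Run it against a saved terminal session (or the SAMPLE_TRANSCRIPT above) before pressing Enter in Step 11: a second virtual sensor that also claims GigabitEthernet0/1, or an operational-mode entered outside the anomaly-detection submode, is reported before the change is applied.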
For More Information
•For the procedures for creating and configuring anomaly detection policies, see Working With Anomaly Detection Policies.
•For the procedure for creating and configuring event action rules policies, see Working With Event Action Rules Policies.
•For the procedure for creating and configuring signature definitions, see Working With Signature Definition Policies.
Assigning Virtual Sensors to Adaptive Security Appliance Contexts
After you create virtual sensors on the AIP SSM, you must assign them to a security context on the adaptive security appliance.
The following options apply:
•[no] allocate-ips sensor_name [mapped_name] [default]—Allocates a virtual sensor to a security context. Supported modes are multiple mode, system context, and context submode:
Note You cannot allocate the same AIP SSM twice in a context.
–sensor_name—Name of the AIP SSM. You receive a warning message if the name is not valid.
–mapped_name—Name by which the security context knows the AIP SSM.
Note The mapped name is used to hide the real name of the AIP SSM from the context, usually for reasons of security or convenience, to make the context configuration more generic. If no mapped name is used, the real AIP SSM name is used. You cannot reuse a mapped name for two different AIP SSMs in a context.
–no—De-allocates the sensor, looks through the policy map configurations, and deletes any IPS subcommand that refers to it.
–default—Specifies this AIP SSM as the default. All legacy IPS configurations that do not specify a virtual sensor are mapped to this AIP SSM.
Caution
You can only configure one default AIP SSM per context. You must turn off the default flag of an existing default AIP SSM before you can designate another AIP SSM as the default.
–clear configure allocate-ips—Removes the configuration.
–allocate-ips ?—Displays the list of configured AIP SSMs.
•show ips [detail]—Displays all available virtual sensors. Supported modes are EXEC mode, single or multiple, system or user modes:
–detail—Adds the virtual sensor ID number.
Note In single mode, the command shows the names of all available virtual sensors. In multiple mode user context, the command shows the mapped names of all virtual sensors that have been allocated to this context. In multiple mode system context, the command shows the names of all virtual sensors; with the detail keyword, it also displays the sensor ID number, allocated context, and mapped name.
•show context [detail]—Updated to display information about virtual sensors. In user context mode, a new line is added to show the mapped names of all virtual sensors that have been allocated to this context. In system, two new lines are added to show the real and mapped names of virtual sensors allocated to this context.
The following procedure demonstrates how to add three security contexts in multiple mode and how to assign virtual sensors to these security contexts.
Note You can assign multiple virtual sensors to a context. Multiple contexts can share one virtual sensor, and when sharing, the contexts can have different mapped names (aliases) for the same virtual sensor.
To assign the AIP SSM virtual sensors to adaptive security appliance contexts in multiple mode, follow these steps:
Step 1 Log in to the adaptive security appliance.
Step 2 Display the list of available virtual sensors.
Step 3 Enter configuration mode.
Step 4 Enter multiple mode.
asa(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm] yes
Step 5 Add three context modes to multiple mode.
asa(config)# admin-context admin
Creating context 'admin'... Done. (13)
asa(config)# context admin
asa(config-ctx)# allocate-interface GigabitEthernet0/0.101
asa(config-ctx)# allocate-interface GigabitEthernet0/1.102
asa(config-ctx)# allocate-interface Management0/0
asa(config-ctx)# config-url disk0:/admin.cfg
Cryptochecksum (changed): 0c34dc67 f413ad74 e297464a db211681
INFO: Context admin was created with URL disk0:/admin.cfg
INFO: Admin context will take some time to come up .... please wait.
asa(config-ctx)# context c2
Creating context 'c2'... Done. (14)
asa(config-ctx)# allocate-interface GigabitEthernet0/0.103
asa(config-ctx)# allocate-interface GigabitEthernet0/1.104
asa(config-ctx)# config-url disk0:/c2.cfg
WARNING: Could not fetch the URL disk0:/c2.cfg
INFO: Creating context with default config
asa(config-ctx)# context c3
Creating context 'c3'... Done. (15)
asa(config-ctx)# allocate-in
asa(config-ctx)# allocate-interface g0/2
asa(config-ctx)# allocate-interface g0/3
asa(config-ctx)# config-url disk0:/c3.cfg
WARNING: Could not fetch the URL disk0:/c3.cfg
INFO: Creating context with default config
Step 6 Assign virtual sensors to the security contexts.
asa(config)# context admin
asa(config-ctx)# allocate-ips vs0 adminvs0
asa(config-ctx)# context c2
asa(config-ctx)# allocate-ips vs1 c2vs1
asa(config-ctx)# context c3
asa(config-ctx)# allocate-ips vs0 c3vs0
asa(config-ctx)# allocate-ips vs1 c3vs1
Step 7 Configure MPF for each context.
Note The following example shows context 3 (c3).
asa/c3(config)# class-map any
asa/c3(config-cmap)# match access-list any
asa/c3(config-cmap)# exit
asa/c3(config)# policy-map ips_out
asa/c3(config-pmap)# class any
asa/c3(config-pmap-c)# ips promiscuous fail-close sensor c3vs1
asa/c3(config-pmap-c)# policy-map ips_in
asa/c3(config-pmap)# class any
asa/c3(config-pmap-c)# ips inline fail-open sensor c3vs0
asa/c3(config-pmap-c)# service-policy ips_out interface outside
asa/c3(config)# service-policy ips_in interface inside
Step 8 Confirm the configuration.
asa(config)# show ips detail
Sensor Name Sensor ID Allocated To Mapped Name
----------- --------- ------------ -----------
Sending Traffic to the AIP SSM
This section describes how to configure the AIP SSM to receive IPS traffic from the adaptive security appliance (inline or promiscuous mode). This section contains the following topics:
•Adaptive Security Appliance and the AIP SSM
•Configuring the Adaptive Security Appliance to Send IPS Traffic to the AIP SSM
Adaptive Security Appliance and the AIP SSM
The adaptive security appliance diverts packets to AIP SSM just before the packet exits the egress interface (or before VPN encryption occurs, if configured) and after other firewall policies are applied. For example, packets that are blocked by an access list are not forwarded to AIP SSM. You can configure AIP SSM to inspect traffic in inline or promiscuous mode and in fail-open or fail-close mode.
Perform these steps on the adaptive security appliance to identify traffic to be diverted to and inspected by AIP SSM:
1. Create or use an existing ACL.
2. Use the class-map command to define the IPS traffic class.
3. Use the policy-map command to create an IPS policy map by associating the traffic class with one or more actions.
4. Use the service-policy command to create an IPS security policy by associating the policy map with one or more interfaces.
You can use the adaptive security appliance CLI or ASDM to configure IPS traffic inspection.
Configuring the Adaptive Security Appliance to Send IPS Traffic to the AIP SSM
To send traffic from the adaptive security appliance to AIP SSM for the IPS to inspect, follow these steps:
Step 1 Log in to the adaptive security appliance.
Step 2 Enter configuration mode.
Step 3 Create an IPS access list.
asa(config)# access-list IPS permit ip any any
Step 4 Define an IPS class map to identify the traffic you want to send to AIP SSM.
asa(config)# class-map class_map_name
Example
asa(config)# class-map ips_class
Note You can create multiple traffic class maps to send multiple traffic classes to AIP SSM.
Step 5 Specify the traffic in the class map.
asa(config-cmap)# match parameter
Example
asa(config-cmap)# match [access-list | any]
Step 6 Add an IPS policy map that sets the actions to take with the class map traffic.
asa(config-cmap)# policy-map policy_map_name
Example
asa(config-cmap)# policy-map ips_policy
Step 7 Identify the class map you created in Step 4.
asa(config-pmap)# class class_map_name
Example
asa(config-pmap)# class ips_class
Step 8 Assign traffic to AIP SSM.
asa(config-pmap-c)# ips {inline | promiscuous} {fail-close | fail-open}
Example
asa(config-pmap-c)# ips promiscuous fail-close
Step 9 (Optional) If you created multiple traffic class maps for IPS traffic, you can specify another class.
asa(config-pmap)# class class_map_name_2
Example
asa(config-pmap)# class ips_class_2
Step 10 (Optional) Specify the second class of traffic to send to AIP SSM.
asa(config-pmap-c)# ips {inline | promiscuous} {fail-close | fail-open}
Example
asa(config-pmap-c)# ips promiscuous fail-close
Step 11 Activate the IPS service policy map on one or more interfaces.
asa(config)# service-policy policymap_name {global | interface interface_name}
Example
asa(config)# service-policy ips_policy interface outside
Step 12 Verify the settings.
Step 13 Exit and save the configuration.
For More Information
For more information on bypass mode, see The Adaptive Security Appliance, the AIP SSM, and Bypass Mode.
The Adaptive Security Appliance, the AIP SSM, and Bypass Mode
The following conditions apply to bypass mode configuration, the adaptive security appliance, and the AIP SSM.
The SensorApp Fails OR a Configuration Update is Taking Place
The following occurs when bypass is set to Auto or Off on the AIP SSM:
•Bypass Auto—Traffic passes without inspection.
•Bypass Off—If the adaptive security appliance is configured for failover, then the adaptive security appliance fails over.
If the adaptive security appliance is not configured for failover or failover is not possible:
–If set to fail-open, the adaptive security appliance passes traffic without sending it to the AIP SSM.
–If set to fail-close, the adaptive security appliance stops passing traffic until the AIP SSM is restarted or completes reconfiguration.
Note When bypass is set to On, traffic passes without inspection regardless of the state of the SensorApp.
The AIP SSM Is Rebooted or Not Responding
The following occurs according to how the adaptive security appliance is configured for failover:
•If the adaptive security appliance is configured for failover, then the adaptive security appliance fails over.
•If the adaptive security appliance is not configured for failover or failover is not possible:
–If set to fail-open, the adaptive security appliance passes traffic without sending it to the AIP SSM.
–If set to fail-close, the adaptive security appliance stops passing traffic until the AIP SSM is restarted.
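As an added example (not Cisco code), the following Python script encodes the conditions listed above as a decision function, so that a planned combination of bypass mode, failover, and the fail-open or fail-close keyword can be checked against every failure case before, for instance, a signature update or a module reload. The event names, the return values, and the assumption that the bypass setting is not consulted while the module is rebooting or not responding (this section lists only failover and the ips keyword for that case) are this example's own.

```python
# Added example (not Cisco code): the bypass / fail-open / fail-close rules of
# this section as a decision function. Event and outcome names are labels
# chosen for this example, not ASA or IPS terminology.

EVENTS = ("up", "sensorapp_failed", "reconfiguring", "rebooting", "not_responding")
BYPASS_MODES = ("auto", "off", "on")      # inline bypass setting on the AIP SSM
IPS_MODES = ("fail-open", "fail-close")   # keyword given on the ASA 'ips' command


def traffic_outcome(event, bypass, failover_available, ips_mode):
    """What happens to traffic the ASA diverts to the AIP SSM.

    failover_available: the ASA is configured for failover and failover is possible.
    Returns 'inspected', 'pass-uninspected', 'failover' or 'dropped'.
    """
    if event not in EVENTS or bypass not in BYPASS_MODES or ips_mode not in IPS_MODES:
        raise ValueError("unknown event, bypass mode or ips mode")
    if event == "up":
        # Bypass On passes traffic without inspection regardless of SensorApp state.
        return "pass-uninspected" if bypass == "on" else "inspected"
    if event in ("sensorapp_failed", "reconfiguring") and bypass in ("on", "auto"):
        # SensorApp down or a configuration update in progress: Auto and On both
        # pass traffic without inspection.
        return "pass-uninspected"
    # Bypass Off with the SensorApp unavailable, or the module rebooting or not
    # responding (assumption: bypass is not consulted then): failover first ...
    if failover_available:
        return "failover"
    # ... otherwise the failure keyword on the ips command decides.
    return "pass-uninspected" if ips_mode == "fail-open" else "dropped"


def decision_table():
    """Every combination the page covers, as (event, bypass, failover, ips_mode, outcome)."""
    return [
        (event, bypass, failover, ips_mode, traffic_outcome(event, bypass, failover, ips_mode))
        for event in EVENTS
        for bypass in BYPASS_MODES
        for failover in (True, False)
        for ips_mode in IPS_MODES
    ]


def outage_events(bypass, failover_available, ips_mode):
    """Events under which a given deployment stops passing traffic."""
    return [e for e in EVENTS
            if traffic_outcome(e, bypass, failover_available, ips_mode) == "dropped"]


def uninspected_events(bypass, failover_available, ips_mode):
    """Events under which traffic crosses the ASA without IPS inspection."""
    return [e for e in EVENTS
            if traffic_outcome(e, bypass, failover_available, ips_mode) == "pass-uninspected"]


if __name__ == "__main__":
    for row in decision_table():
        print(*row)
    print("fail-close, bypass off, no failover drops traffic on:",
          outage_events("off", False, "fail-close"))
    print("fail-open, bypass auto, no failover is uninspected on:",
          uninspected_events("auto", False, "fail-open"))
```

The two summary functions show the trade-off the section describes: fail-close with bypass Off and no failover stops traffic during every configuration update, while fail-open with bypass Auto never stops traffic but passes it uninspected for the whole duration of a SensorApp failure or a module reboot.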
For More Information
For more information on bypass mode, see Configuring Inline Bypass Mode.
The AIP SSM and the Normalizer Engine
The majority of the features in the Normalizer engine are not used on the AIP SSM, because the ASA itself handles the normalization. Packets on the ASA IPS modules go through a special path in the Normalizer that only reassembles fragments and puts packets in the right order for the TCP stream. The Normalizer does not do any of the normalization that is done on an inline IPS appliance, because that causes problems in the way the ASA handles the packets.
The following Normalizer engine signatures are not supported:
•1300.0
•1304.0
•1305.0
•1307.0
•1308.0
•1309.0
•1311.0
•1315.0
•1316.0
•1317.0
•1330.0
•1330.1
•1330.2
•1330.9
•1330.10
•1330.12
•1330.14
•1330.15
•1330.16
•1330.17
•1330.18
For More Information
For detailed information on the Normalizer engine, see Normalizer Engine.
Reloading, Shutting Down, Resetting, and Recovering the AIP SSM
Note You can enter the hw-module commands from privileged EXEC mode or from global configuration mode. You can enter the commands in single routed mode and single transparent mode. For adaptive security devices operating in multi-mode (routed or transparent multi-mode) you can only execute the hw-module commands from the system context (not from administrator or user contexts).
Use the following commands to reload, shut down, reset, recover the password, and recover AIP SSM directly from the adaptive security appliance:
•hw-module module slot_number reload
This command reloads the software on AIP SSM without doing a hardware reset. It is effective only when the AIP SSM is in the Up state.
•hw-module module slot_number shutdown
This command shuts down the software on AIP SSM. It is effective only when AIP SSM is in Up state.
•hw-module module slot_number reset
This command performs a hardware reset of AIP SSM. It is applicable when AIP SSM is in the Up/Down/Unresponsive/Recover states.
•hw-module module slot_number password-reset
This command restores the cisco CLI account password on AIP SSM to the default cisco.
•hw-module module slot_number recover {boot | stop | configure}
The recover command displays a set of interactive options for setting or changing the recovery parameters. To change the parameter or keep the existing setting, press Enter.
–hw-module module slot_number recover boot
This command initiates recovery of AIP SSM. It is applicable only when AIP SSM is in the Up state.
–hw-module module slot_number recover stop
This command stops recovery of AIP SSM. It is applicable only when AIP SSM is in the Recover state.
Caution
If AIP SSM recovery needs to be stopped, you must issue the hw-module module 1 recover stop command within 30 to 45 seconds after starting AIP SSM recovery. Waiting any longer can lead to unexpected consequences. For example, AIP SSM may come up in the Unresponsive state.
–hw-module module slot_number recover configure
Use this command to configure parameters for AIP SSM recovery. The essential parameters are the IP address and recovery image TFTP URL location.
Example
asa# hw-module module 1 recover configure
Image URL [tftp://10.89.146.1/IPS-SSM-K9-sys-1.1-a-6.2-1.img]:
Port IP Address [10.89.149.226]:
Gateway IP Address [10.89.149.254]:
For More Information
For the procedure for recovering the AIP SSM system image, see Installing the AIP SSM System Image.
New and Modified Commands
Note All other Cisco ASA CLI commands are documented in the Cisco Security Appliance Command Reference on Cisco.com at http://www.cisco.com/en/US/products/ps6120/prod_command_reference_list.html.
This section describes the new and modified Cisco ASA commands that support the AIP SSM and are used to configure the AIP SSM. It contains the following topic:
•allocate-ips
allocate-ips
To allocate an IPS virtual sensor to a security context if you have the AIP SSM installed, use the allocate-ips command in context configuration mode. To remove a virtual sensor from a context, use the no form of this command.
allocate-ips sensor_name [mapped_name] [default]
no allocate-ips sensor_name [mapped_name] [default]
Syntax Description
•default—(Optional) Sets one sensor per context as the default sensor; if the context configuration does not specify a sensor name, the context uses this default sensor. You can only configure one default sensor per context. If you want to change the default sensor, enter the no allocate-ips sensor_name command to remove the current default sensor before you allocate a new default sensor. If you do not specify a sensor as the default, and the context configuration does not include a sensor name, then traffic uses the default sensor on the AIP SSM.
•mapped_name—(Optional) Sets a mapped name as an alias for the sensor name that can be used within the context instead of the actual sensor name. If you do not specify a mapped name, the sensor name is used within the context. For security purposes, you might not want the context administrator to know which sensors are being used by the context. Or you might want to genericize the context configuration. For example, if you want all contexts to use sensors called "sensor1" and "sensor2," then you can map the "highsec" and "lowsec" sensors to sensor1 and sensor2 in context A, but map the "medsec" and "lowsec" sensors to sensor1 and sensor2 in context B.
•sensor_name—Sets the sensor name configured on the AIP SSM. To view the sensors that are configured on the AIP SSM, enter allocate-ips ?. All available sensors are listed. You can also enter the show ips command. In the system execution space, the show ips command lists all available sensors; if you enter it in the context, it shows the sensors you already assigned to the context. If you specify a sensor name that does not yet exist on the AIP SSM, you get an error, but the allocate-ips command is entered as is. Until you create a sensor of that name on the AIP SSM, the context assumes the sensor is down.
Defaults
None
Command Modes
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
Context configuration | • | • | — | — | •
Command History
Release | Modification
8.0(2) | This command was introduced.
Usage Guidelines
You can assign one or more IPS virtual sensors to each context. Then, when you configure the context to send traffic to the AIP SSM using the ips command, you can specify a sensor that is assigned to the context; you cannot specify a sensor that you did not assign to the context. If you do not assign any sensors to a context, then the default sensor configured on the AIP SSM is used. You can assign the same sensor to multiple contexts.
Note You do not need to be in multiple context mode to use virtual sensors; you can be in single mode and use different sensors for different traffic flows.
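The allocation rules from Assigning Virtual Sensors to Adaptive Security Appliance Contexts and from these usage guidelines, modelled in Python as an added example that is not Cisco ASA code. It reads a constructed system-context fragment, enforces the one-default, no-duplicate-sensor and no-duplicate-mapped-name rules, records the warning for a sensor that does not yet exist on the module, and resolves which real sensor an ips command inside a context uses: the mapped name in the context, else the context default, else the default on the AIP SSM. MODULE_SENSORS and MODULE_DEFAULT stand in for show ips output and are assumptions, as are the function names.

```python
# Added example (not Cisco ASA code): a model of the allocate-ips rules this
# page states, applied to a constructed system-context fragment.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MODULE_SENSORS = {"vs0", "vs1"}   # constructed: sensors that exist on the AIP SSM
MODULE_DEFAULT = "vs0"            # constructed: the module's own default sensor


@dataclass
class Context:
    name: str
    allocations: Dict[str, str] = field(default_factory=dict)  # mapped name -> real sensor
    default: Optional[str] = None                               # mapped name of the default
    warnings: List[str] = field(default_factory=list)


def allocate_ips(ctx: Context, sensor: str, mapped: Optional[str] = None, default: bool = False) -> None:
    """Apply one 'allocate-ips sensor_name [mapped_name] [default]' line to a context."""
    mapped = mapped or sensor   # without a mapped name the real name is used in the context
    if sensor in ctx.allocations.values():
        raise ValueError(f"{ctx.name}: {sensor} is already allocated to this context")
    if mapped in ctx.allocations:
        raise ValueError(f"{ctx.name}: mapped name {mapped} already refers to {ctx.allocations[mapped]}")
    if default and ctx.default is not None:
        raise ValueError(f"{ctx.name}: a default is already set; remove it with 'no allocate-ips' first")
    if sensor not in MODULE_SENSORS:
        # Accepted with a warning; the context treats the sensor as down until it exists.
        ctx.warnings.append(f"sensor {sensor} does not exist on the AIP SSM")
    ctx.allocations[mapped] = sensor
    if default:
        ctx.default = mapped


def parse_system_config(text: str) -> Dict[str, Context]:
    """Read 'context NAME' and 'allocate-ips ...' lines from a system-context fragment."""
    contexts: Dict[str, Context] = {}
    current: Optional[Context] = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "context":
            current = contexts.setdefault(parts[1], Context(parts[1]))
        elif parts[0] == "allocate-ips":
            if current is None:
                raise ValueError("allocate-ips is only valid in context configuration mode")
            args = parts[1:]
            is_default = args[-1] == "default"
            if is_default:
                args = args[:-1]
            allocate_ips(current, args[0], args[1] if len(args) > 1 else None, is_default)
    return contexts


def resolve_sensor(ctx: Context, ips_line: str) -> Tuple[str, str]:
    """Resolve the sensor an 'ips {inline|promiscuous} {fail-open|fail-close} [sensor NAME]'
    line uses inside this context. Returns (real sensor name, 'up' or 'down')."""
    parts = ips_line.split()
    if "sensor" in parts:
        mapped = parts[parts.index("sensor") + 1]
        if mapped not in ctx.allocations:
            raise ValueError(f"{ctx.name}: sensor {mapped} is not allocated to this context")
        real = ctx.allocations[mapped]
    elif ctx.default is not None:
        real = ctx.allocations[ctx.default]
    else:
        real = MODULE_DEFAULT   # no context default: the AIP SSM's own default is used
    return real, ("up" if real in MODULE_SENSORS else "down")


# Constructed fragment mirroring the three-context procedure earlier in this
# chapter, plus one allocation (vs9) of a sensor that does not exist on the module.
SYSTEM_CONFIG = """\
context admin
 allocate-ips vs0 adminvs0 default
context c2
 allocate-ips vs1 c2vs1
context c3
 allocate-ips vs0 c3vs0
 allocate-ips vs1 c3vs1
 allocate-ips vs9 c3vs9
"""

if __name__ == "__main__":
    contexts = parse_system_config(SYSTEM_CONFIG)
    for ctx in contexts.values():
        print(ctx.name, ctx.allocations, "default:", ctx.default, ctx.warnings)
    print(resolve_sensor(contexts["c3"], "ips inline fail-open sensor c3vs1"))
    print(resolve_sensor(contexts["c2"], "ips promiscuous fail-close"))
```

The resolve_sensor result is the check to run after a context configuration change: a mapped name that resolves to a sensor in state down means the module is still missing that virtual sensor, and with a fail-close policy the context will drop the traffic class until the sensor is created.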
Examples
The following example assigns sensor1 and sensor2 to context A, and sensor1 and sensor3 to context B. Both contexts map the sensor names to "ips1" and "ips2." In context A, sensor1 is set as the default sensor, but in context B, no default is set so the default that is configured on the AIP SSM is used.
hostname(config-ctx)# context A
hostname(config-ctx)# allocate-interface gigabitethernet0/0.100 int1
hostname(config-ctx)# allocate-interface gigabitethernet0/0.102 int2
hostname(config-ctx)# allocate-interface gigabitethernet0/0.110-gigabitethernet0/0.115 int3-int8
hostname(config-ctx)# allocate-ips sensor1 ips1 default
hostname(config-ctx)# allocate-ips sensor2 ips2
hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/test.cfg
hostname(config-ctx)# member gold
hostname(config-ctx)# context sample
hostname(config-ctx)# allocate-interface gigabitethernet0/1.200 int1
hostname(config-ctx)# allocate-interface gigabitethernet0/1.212 int2
hostname(config-ctx)# allocate-interface gigabitethernet0/1.230-gigabitethernet0/1.235 int3-int8
hostname(config-ctx)# allocate-ips sensor1 ips1
hostname(config-ctx)# allocate-ips sensor3 ips2
hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/sample.cfg
hostname(config-ctx)# member silver
Related Commands
Command | Description
context | Creates a security context in the system configuration and enters context configuration mode.
ips | Diverts traffic to the AIP SSM for inspection.
show context | Shows a list of contexts (system execution space) or information about the current context.
show ips | Shows the virtual sensors configured on the AIP SSM.