Configuring Interfaces

Table Of Contents

Configuring Interfaces

Understanding Interfaces

Understanding Promiscuous Mode

Understanding Inline Mode

Inline Interface Support

Configuring Interfaces

Overview

TCP Reset

Supported User Role

Field Definitions

Interfaces Panel

Edit Interface Dialog Box

Configuring Interfaces

Configuring Interface Pairs

Overview

Supported User Role

Field Definitions

Interface Pairs Panel

Add and Edit Interface Pair Dialog Boxes

Configuring Interface Pairs

Configuring Bypass Mode

Overview

Supported User Role

Field Definitions

Configuring Traffic Flow Notifications

Overview

Supported User Role

Field Definitions

Configuring Traffic Flow Notifications


Configuring Interfaces


This chapter describes how to configure interfaces on the sensor. It contains the following sections:

Understanding Interfaces

Understanding Promiscuous Mode

Understanding Inline Mode

Inline Interface Support

Configuring Interfaces

Configuring Interface Pairs

Configuring Bypass Mode

Configuring Traffic Flow Notifications

Understanding Interfaces

The command and control interface is permanently mapped to a specific physical interface, which depends on the type of sensor you have. You can let the sensing interfaces operate in promiscuous mode, or you can pair the network sensing interfaces into logical interfaces called "inline pairs." You must enable the interfaces or inline pairs before the sensor can monitor traffic.


Note On appliances, the sensing interfaces are disabled by default. On modules, the sensing interfaces are always enabled and cannot be disabled.


The sensing interface does not have an IP address assigned to it and is therefore invisible to attackers. This lets the sensor monitor the data stream without letting attackers know they are being watched. Promiscuous mode contrasts with inline mode, in which all packets entering or leaving the network must pass through the sensor. For more information, see Understanding Promiscuous Mode and Understanding Inline Mode.

The sensor monitors traffic on interfaces or inline pairs that are assigned to the default virtual sensor. For more information, see Assigning Interfaces to the Virtual Sensor.

To configure the sensor so that traffic continues to flow through inline pairs even when SensorApp is not running, you can enable bypass mode. Bypass mode minimizes dataflow interruptions during reconfiguration, service pack installation, or software failure.

The sensor detects the interfaces of modules that have been installed while the chassis was powered off. You can configure them the next time you start the sensor. If a module is removed, the sensor detects the absence of the interfaces the next time it is started. Your interface configuration is retained, but the sensor ignores it if the interfaces are not present.

The following interface configuration events are reported as status events:

Link up or down

Traffic started or stopped

Bypass mode auto activated or deactivated

Missed packet percentage threshold exceeded

Understanding Promiscuous Mode

In promiscuous mode, packets do not flow through the IPS. The sensor analyzes a copy of the monitored traffic rather than the actual forwarded packet. The advantage of operating in promiscuous mode is that the IPS does not affect the packet flow of the forwarded traffic. The disadvantage, however, is that the IPS cannot stop malicious traffic from reaching its intended target for certain types of attacks, such as atomic attacks (single-packet attacks). The response actions implemented by promiscuous IPS devices are post-event responses and often require assistance from other networking devices, for example, routers and firewalls, to respond to an attack. Such response actions can prevent some classes of attacks, but for atomic attacks the single packet has the chance of reaching the target system before the promiscuous-based sensor can apply an ACL modification on a managed device (such as a firewall, switch, or router).

Understanding Inline Mode

Operating in inline mode puts the IPS directly into the traffic flow and slows packet-forwarding rates by adding latency. An inline IPS sits in the fast path, which allows the sensor to stop attacks by dropping malicious traffic before it reaches the intended target, thus providing a protective service. The inline device not only processes information at layers 3 and 4, but also analyzes the contents and payload of the packets for more sophisticated embedded attacks (layers 3 to 7). This deeper analysis lets the system identify and stop or block attacks that would normally pass through a traditional firewall device.

In inline mode, a packet comes in through the first interface of the pair on the sensor and out the second interface of the pair. The packet is sent to the second interface of the pair unless that packet is being denied or modified by a signature.


Note You can configure AIP-SSM to operate inline even though it has only one sensing interface.


Inline Interface Support

Table 3-1 describes the interface support for appliances and modules running IPS 5.0:

Table 3-1 Interface Support 

Base Chassis | Added PCI Cards | Interfaces Supporting Inline | Possible Port Combinations | Interfaces Not Supporting Inline
IDS-4210 | None | N/A | | All
IDS-4215 | None | N/A | | All
IDS-4215 | 4FE | FastEthernet0/1; 4FE: FastEthernet1/0, FastEthernet1/1, FastEthernet1/2, FastEthernet1/3 | 1/0<->1/1, 1/0<->1/2, 1/0<->1/3, 1/1<->1/2, 1/1<->1/3, 1/2<->1/3, 0/1<->1/0, 0/1<->1/1, 0/1<->1/2, 0/1<->1/3 | FastEthernet0/0
IDS-4235 | None | N/A | | All
IDS-4235 | 4FE | 4FE: FastEthernet1/0, FastEthernet1/1, FastEthernet1/2, FastEthernet1/3 | 1/0<->1/1, 1/0<->1/2, 1/0<->1/3, 1/1<->1/2, 1/1<->1/3, 1/2<->1/3 | GigabitEthernet0/0, GigabitEthernet0/1
IDS-4250 | None | N/A | | All
IDS-4250 | 4FE | 4FE: FastEthernet1/0, FastEthernet1/1, FastEthernet1/2, FastEthernet1/3 | 1/0<->1/1, 1/0<->1/2, 1/0<->1/3, 1/1<->1/2, 1/1<->1/3, 1/2<->1/3 | GigabitEthernet0/0, GigabitEthernet0/1
IDS-4250 | SX | None | N/A | All
IDS-4250 | XL | 2 SX of the XL: GigabitEthernet2/0, GigabitEthernet2/1 | 2/0<->2/1 | GigabitEthernet0/0, GigabitEthernet0/1
IDSM-2 | | Ports 7 and 8: GigabitEthernet0/7, GigabitEthernet0/8 | 0/7<->0/8 | GigabitEthernet0/2
IPS-4240 | | 4 onboard GE: GigabitEthernet0/0, GigabitEthernet0/1, GigabitEthernet0/2, GigabitEthernet0/3 | 0/0<->0/1, 0/0<->0/2, 0/0<->0/3, 0/1<->0/2, 0/1<->0/3, 0/2<->0/3 | Management0/0
IPS-4255 | | 4 onboard GE: GigabitEthernet0/0, GigabitEthernet0/1, GigabitEthernet0/2, GigabitEthernet0/3 | 0/0<->0/1, 0/0<->0/2, 0/0<->0/3, 0/1<->0/2, 0/1<->0/3, 0/2<->0/3 | Management0/0
NM-CIDS | None | N/A | | All
ASA-SSM-10 | | GigabitEthernet0/1 | By security context | GigabitEthernet0/0
ASA-SSM-20 | | GigabitEthernet0/1 | By security context | GigabitEthernet0/0



Configuring Interfaces

This section describes how to configure interfaces on the sensor, and contains the following topics:

Overview

TCP Reset

Supported User Role

Field Definitions

Configuring Interfaces

Overview

The Interfaces panel lists the existing physical interfaces on your sensor and their associated settings. The sensor detects the interfaces and populates the interfaces list on the Interfaces panel.

To configure the sensor to monitor traffic, you must enable the interface. When you initialized the sensor using the setup command, you assigned the interface or the inline pair to the default virtual sensor, vs0, and enabled the interface or inline pair. If you need to change your interface settings, you can do so on the Interfaces panel. You can assign the interface or inline pair to the virtual sensor, vs0, in the Edit Virtual Sensor dialog box: Configuration > Analysis Engine > Virtual Sensor > Edit.

TCP Reset

You need to designate an alternate TCP reset interface in the following situations:

When a switch is being monitored with either SPAN or VACL capture and the switch does not accept incoming packets on the SPAN or VACL capture port.

When a switch is being monitored with either SPAN or VACL capture for multiple VLANs, and the switch does not accept incoming packets with 802.1q headers.


Note The TCP resets need 802.1q headers to tell which VLAN the resets should be sent on.


When a network tap is used for monitoring a connection.


Note Taps do not allow incoming traffic from the sensor.


Supported User Role

The following user roles are supported:

Administrator

Operator

Viewer

You must be Administrator to configure interfaces on the sensor.

Field Definitions

This section lists the field definitions for interfaces, and contains the following topics:

Interfaces Panel

Edit Interface Dialog Box

Interfaces Panel

The following fields and buttons are found on the Interfaces panel.

Field Descriptions:

Interface Name—Name of the interface.

The values are FastEthernet or GigabitEthernet for all interfaces.

Enabled—Whether or not the interface is enabled.

Media Type—Indicates the media type.

The media type options are the following:

TX—Copper media

SX—Fiber media

XL—Network accelerator card

Backplane interface—An internal interface that connects the module to the parent chassis' backplane.

Duplex—Indicates the duplex setting of the interface.

The duplex type options are the following:

Auto—Sets the interface to auto negotiate duplex.

Full—Sets the interface to full duplex.

Half—Sets the interface to half duplex.

Speed—Indicates the speed setting of the interface.

The speed type options are the following:

Auto—Sets the interface to auto negotiate speed.

10 MB—Sets the interface to 10 MB (for TX interfaces only).

100 MB—Sets the interface to 100 MB (for TX interfaces only).

1000—Sets the interface to 1 GB (for gigabit interfaces only).

Alternate TCP Reset Interface—If selected, sends TCP resets on an alternate interface when this interface is used for promiscuous monitoring and the reset action is triggered by a signature firing.

Description—Lets you provide a description of the interface.

Button Functions:

Select All—Lets you select all entries in the list.

Edit—Opens the Edit Interface dialog box.

From this dialog box, you can change some of the values associated with this interface.

Enable—Enables this interface.

Disable—Disables this interface.

Apply—Applies your changes and saves the revised configuration.

Reset—Refreshes the panel by replacing any edits you made with the previously configured value.

Edit Interface Dialog Box

The following fields and buttons are found in the Edit Interface dialog box.

Field Descriptions:

Interface Name—Name of the interface.

The values are FastEthernet or GigabitEthernet for all interfaces.

Description—Lets you provide a description of the interface.

Media Type—Indicates the media type.

The media types are the following:

TX—Copper media

SX—Fiber media

XL—Network accelerator card

Backplane interface—An internal interface that connects the module to the parent chassis' backplane.

Enabled—Whether or not the interface is enabled.

Duplex—Indicates the duplex setting of the interface.

The duplex types are the following:

Auto—Sets the interface to auto negotiate duplex.

Full—Sets the interface to full duplex.

Half—Sets the interface to half duplex.

Speed—Indicates the speed setting of the interface.

The speed types are the following:

Auto—Sets the interface to auto negotiate speed.

10 MB—Sets the interface to 10 MB (for TX interfaces only).

100 MB—Sets the interface to 100 MB (for TX interfaces only).

1000—Sets the interface to 1 GB (for gigabit interfaces only).

Alternate TCP Reset Interface—If selected, sends TCP resets on an alternate interface when this interface is used for promiscuous monitoring and the reset action is triggered by a signature firing.

Button Functions:

OK—Accepts your changes and closes the dialog box.

Cancel—Discards your changes and closes the dialog box.

Help—Displays the help topic for this feature.

Configuring Interfaces

To enable or disable the interface or edit its settings, follow these steps:


Step 1 Click Configuration > Interface Configuration > Interfaces.

The Interfaces panel appears.

Step 2 Select the row or double-click it and then click Enable.

The interface is enabled. To have the interface monitor traffic, it must also be assigned to a virtual sensor. For the procedure, see Assigning Interfaces to the Virtual Sensor.

Step 3 To edit some of the values associated with the interface, select the interface, and then click Edit.

The Edit Interface dialog box appears.

Step 4 You can change the description in the Description field, or change the state from enabled to disabled by selecting the Yes or No check box. You can have the interface use the alternate TCP reset interface by selecting Use Alternative TCP Reset Interface.

Step 5 Click OK.

The changes appear in the list on the Interfaces panel.


Tip To discard your changes, click Reset.


Step 6 Click Apply to apply your changes and save the revised configuration.


Configuring Interface Pairs

This section describes how to set up interface pairs, and contains the following topics:

Overview

Supported User Role

Field Definitions

Configuring Interface Pairs

Overview

You can pair interfaces on your sensor if your sensor is capable of inline monitoring.


Note SSM does not need an inline pair for monitoring. You only need to add the physical interface to the virtual sensor.


Supported User Role

The following user roles are supported:

Administrator

Operator

Viewer

You must be Administrator to configure interface pairs.

Field Definitions

This section lists field definitions for interface pairs, and contains the following topics:

Interface Pairs Panel

Add and Edit Interface Pair Dialog Boxes

Interface Pairs Panel

The following fields and buttons are found on the Interface Pairs panel.

Field Descriptions:

Interface Pair Name—The name you give the interface pair.

Paired Interfaces—The two interfaces that you have paired (for example, GigabitEthernet0/0<->GigabitEthernet0/1).

Description—Lets you add a description of this interface pair.

Button Functions:

Select All—Selects all interface pairs.

Add—Opens the Add Interface Pair dialog box.

From this dialog box, you can add an interface pair.

Edit—Opens the Edit Interface Pair dialog box.

From this dialog box, you can edit the values of the interface pair.

Delete—Deletes the selected interface pair.

Apply—Applies your changes and saves the revised configuration.

Reset—Refreshes the panel by replacing any edits you made with the previously configured value.

Add and Edit Interface Pair Dialog Boxes

The following fields and buttons are found in the Add and Edit Interface Pair dialog boxes.

Field Descriptions:

Interface Pair Name—The name you give the interface pair.

Select two interfaces—Select two interfaces from the list to pair (for example, GigabitEthernet0/0<->GigabitEthernet0/1).

Description—Lets you add a description of this interface pair.

Button Functions:

OK—Accepts your changes and closes the dialog box.

Cancel—Discards your changes and closes the dialog box.

Help—Displays the help topic for this feature.

Configuring Interface Pairs

To configure interface pairs, follow these steps:


Step 1 Click Configuration > Interface Configuration > Interface Pairs.

The Interface Pairs panel appears.

Step 2 Click Add to add interface pairs.

The Add Interface Pair dialog box appears.

Step 3 Type a name in the Interface Pair Name field.

The interface name is a name that you create.

Step 4 Select two interfaces to form a pair in the Select two interfaces field.

For example, GigabitEthernet0/0 and GigabitEthernet0/1.

Step 5 You can add a description of the interface pair in the Description field if you want to.

Step 6 Click OK.

The new interface pair appears in the list on the Interface Pairs panel.

Step 7 To edit an interface pair, select it, and click Edit.

The Edit Interface Pair dialog box appears.

Step 8 You can change the name, choose a new interface pair, or edit the description.

Step 9 Click OK.

The edited interface pair appears in the list on the Interface Pairs panel.

Step 10 To delete an interface pair, select it, and click Delete.

The interface pair no longer appears in the list on the Interface Pairs panel.


Tip To discard your changes, click Reset.


Step 11 Click Apply to apply your changes and save the revised configuration.
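As an added example (not Cisco's code and not part of this guide), the following Python encodes a few rows of Table 3-1 and checks a requested pair the way the Select two interfaces field requires: both interfaces must exist on the platform, both must support inline, and they must differ. It also derives the table's possible port combinations as every unordered pair of inline-capable interfaces, which generalizes the listed rows; the PLATFORMS dictionary and the functions short_name, possible_pairs and validate_pair are assumed names.

```python
"""Inline pair validation against Table 3-1 (added example, not Cisco code)."""
import re
from itertools import combinations

# Subset of Table 3-1: (chassis, added card) -> (inline-capable, not inline-capable).
# The interfaces that do not support inline are the command and control /
# management ports, which must never be placed in an inline pair.
PLATFORMS = {
    ("IDS-4215", "4FE"): (
        ["FastEthernet0/1", "FastEthernet1/0", "FastEthernet1/1",
         "FastEthernet1/2", "FastEthernet1/3"],
        ["FastEthernet0/0"],
    ),
    ("IDS-4250", "XL"): (
        ["GigabitEthernet2/0", "GigabitEthernet2/1"],
        ["GigabitEthernet0/0", "GigabitEthernet0/1"],
    ),
    ("IPS-4240", None): (
        ["GigabitEthernet0/0", "GigabitEthernet0/1",
         "GigabitEthernet0/2", "GigabitEthernet0/3"],
        ["Management0/0"],
    ),
}


def short_name(iface):
    """'GigabitEthernet0/1' -> '0/1', the form used in the table's combination column."""
    return re.sub(r"^[A-Za-z]+", "", iface)


def possible_pairs(chassis, card=None):
    """Every unordered pair of inline-capable interfaces, in table notation."""
    inline, _ = PLATFORMS[(chassis, card)]
    return [f"{short_name(a)}<->{short_name(b)}" for a, b in combinations(inline, 2)]


def validate_pair(chassis, card, a, b):
    """Return (ok, detail): detail is the pair in table notation or the reason it is rejected."""
    key = (chassis, card)
    if key not in PLATFORMS:
        return False, f"unknown platform {chassis}/{card}"
    inline, non_inline = PLATFORMS[key]
    if a == b:
        return False, "an interface cannot be paired with itself"
    for iface in (a, b):
        if iface in non_inline:
            return False, f"{iface} does not support inline (command and control or management port)"
        if iface not in inline:
            return False, f"{iface} is not present on {chassis}"
    return True, f"{short_name(a)}<->{short_name(b)}"


if __name__ == "__main__":
    print(possible_pairs("IDS-4215", "4FE"))
    print(validate_pair("IDS-4250", "XL", "GigabitEthernet0/0", "GigabitEthernet2/0"))
```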


Configuring Bypass Mode

This section describes how to configure bypass mode, and contains the following topics:

Overview

Supported User Role

Field Definitions

Overview

You can use the bypass mode as a diagnostic tool and a failover protection mechanism. You can set the sensor in a mode where all the IPS processing subsystems are bypassed and traffic is permitted to flow between the inline pairs directly. The bypass mode ensures that packets continue to flow through the sensor when the sensor's processes are temporarily stopped for upgrades or when the sensor's monitoring processes fail. There are three modes: on, off, and automatic. By default, bypass mode is set to automatic.


Note Bypass mode was originally intended to only be applicable to inline-paired interfaces. Because of a defect, it does affect promiscuous mode. A future version may address this defect. We recommend you configure bypass mode to automatic or off for promiscuous mode and not use the on mode.



Caution There are security consequences when you put the sensor in bypass mode. When bypass mode is on, the traffic bypasses the sensor and is not inspected, therefore, the sensor cannot prevent malicious attacks.


Note Bypass mode only functions when the operating system is running. If the sensor is powered off or shut down, bypass mode does not work—traffic is not passed to the sensor.


Supported User Role

The following user roles are supported:

Administrator

Operator

Viewer

You must be Administrator to configure bypass mode on the sensor.

Field Definitions

The following fields and buttons are found on the Bypass panel.

Field Descriptions:

Auto—Traffic flows through the sensor for inspection unless the sensor's monitoring process is down.

If the sensor's monitoring process is down, traffic bypasses the sensor until the sensor is running again. The sensor then inspects the traffic. Auto mode is useful during sensor upgrades to ensure that traffic is still flowing while the sensor is being upgraded. Auto mode also helps to ensure traffic continues to pass through the sensor if the monitoring process fails.

Off—Disables bypass mode.

Traffic flows through the sensor for inspection. If the sensor's monitoring process is down, traffic stops flowing. This means that inline traffic is always inspected.

On—Traffic bypasses the SensorApp and is not inspected. This means that inline traffic is never inspected.

Button Functions:

Apply—Applies your changes and saves the revised configuration.

Reset—Refreshes the panel by replacing any edits you made with the previously configured value.

Configuring Traffic Flow Notifications

This section describes how to configure traffic flow notifications, and contains the following topics:

Overview

Supported User Role

Field Definitions

Configuring Traffic Flow Notifications

Overview

You can configure the sensor to monitor the flow of packets across an interface and send notification if that flow changes (starts/stops) during a specified interval. You can configure the missed packet threshold within a specific notification interval and also configure the interface idle delay before a status event is reported.

Supported User Role

The following user roles are supported:

Administrator

Operator

Viewer

You must be Administrator to configure traffic flow notifications.

Field Definitions

The following fields and buttons are found on the Traffic Flow Notifications panel.

Field Descriptions:

Missed Packets Threshold—The percentage of packets that must be missed during a specified time before a notification is sent.

Notification Interval—The interval the sensor checks for the missed packets percentage.

Interface Idle Threshold—The number of seconds an interface must be idle and not receiving packets before a notification is sent.

Button Functions:

Apply—Applies your changes and saves the revised configuration.

Reset—Refreshes the panel by replacing any edits you made with the previously configured value.

Configuring Traffic Flow Notifications

To configure traffic flow notification, follow these steps:

Step 1 Click Configuration > Interface Configuration > Traffic Flow Notifications.

The Traffic Flow Notifications panel appears.

Step 2 Choose the percentage of missed packets that must occur before you want to receive a notification, and type that value in the Missed Packets Threshold field.

Step 3 Choose the number of seconds over which the sensor checks the percentage of missed packets, and type that value in the Notification Interval field.

Step 4 Choose the number of seconds that an interface may be idle and not receiving packets before you want to be notified, and type that value in the Interface Idle Threshold field.


Tip To discard your changes, click Reset.


Step 5 Click Apply to apply your changes and save the revised configuration.
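The following Python is an added example rather than anything from this guide: it replays constructed per-second interface counters through the three panel settings and returns the status events the Understanding Interfaces section lists (traffic started or stopped, missed packet percentage threshold exceeded). How the sensor computes the missed-packet percentage and when it resets its window are assumptions made for illustration; FlowSettings, evaluate and the sample data are assumed names.

```python
"""Traffic flow notification model (added example, not Cisco code).

Replays per-second (received, missed) packet counters for one interface
through the Missed Packets Threshold, Notification Interval and Interface
Idle Threshold settings and reports the resulting status events. Counter
semantics are assumed: missed percentage = missed / (received + missed)
over each notification interval, with the window reset after each check.
"""
from dataclasses import dataclass


@dataclass
class FlowSettings:
    missed_packets_threshold: float  # percent of packets missed in an interval
    notification_interval: int       # seconds between missed-packet checks
    interface_idle_threshold: int    # idle seconds before "traffic stopped"


def evaluate(samples, cfg):
    """Return [(second, event)] for a list of per-second (received, missed) counts."""
    events = []
    flowing = True            # assume traffic was flowing when monitoring began
    idle_for = 0
    win_recv = win_miss = 0   # counters for the current notification interval
    for t, (recv, miss) in enumerate(samples, start=1):
        # Idle-delay tracking: report once the interface has been quiet for
        # interface_idle_threshold seconds, and again when traffic resumes.
        if recv == 0:
            idle_for += 1
            if flowing and idle_for >= cfg.interface_idle_threshold:
                flowing = False
                events.append((t, "traffic stopped"))
        else:
            if not flowing:
                flowing = True
                events.append((t, "traffic started"))
            idle_for = 0
        # Missed-packet check at the end of each notification interval.
        win_recv += recv
        win_miss += miss
        if t % cfg.notification_interval == 0:
            total = win_recv + win_miss
            pct = 100.0 * win_miss / total if total else 0.0
            if pct > cfg.missed_packets_threshold:
                events.append((t, f"missed packet percentage threshold exceeded ({pct:.1f}%)"))
            win_recv = win_miss = 0
    return events


# Constructed sample: 10% threshold checked every 5 s, 3 s idle delay.
CFG = FlowSettings(missed_packets_threshold=10.0,
                   notification_interval=5,
                   interface_idle_threshold=3)
SAMPLES = [(100, 0), (100, 0), (100, 40), (100, 30), (100, 0),   # 70 of 570 missed
           (0, 0), (0, 0), (0, 0), (0, 0), (0, 0),                # link goes quiet
           (50, 0), (50, 0), (50, 0), (50, 0), (50, 0)]           # traffic resumes


def demo():
    return evaluate(SAMPLES, CFG)


if __name__ == "__main__":
    for second, event in demo():
        print(f"t={second:>2}s  {event}")
```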