
Tuesday, 8 May 2012

HOW TO UPGRADE THE CISCO IPS MODULE AIP-SSM


I have recently upgraded a few Intrusion Prevention System (IPS) modules embedded in ASA firewalls. The IPS modules are AIP-SSM-20 units, which were upgraded from version 5.1 to 6.0.
The AIP-SSM module can be accessed either through the ASA CLI (using the “session 1” command) or via its dedicated management interface using SSH. I had already assigned an IP address to the IPS management interface, so I did the whole upgrade via the management interface. You also need an FTP server to host the upgrade image files.
Let's see how to upgrade the AIP-SSM IPS module:
FTP server address: 172.20.1.8
Upgrade file used: IPS-K9-6.0-1-E1.pkg (major upgrade from 5.1 to 6.0)
Signature upgrade file: IPS-sig-S338-req-E1.pkg
Note about signature files: the keyword “req-E1” in the signature filename means that the package requires the E1 signature engine software to be installed.
After you log in to the sensor, use the “show ver” command to verify your current image version:
IPS# sh ver
Application Partition:
Cisco Intrusion Prevention System, Version 5.1(5)E1
Then upgrade using the “upgrade” command:
IPS# conf t
IPS(config)# upgrade ftp://test@172.20.1.8/IPS-K9-6.0-1-E1.pkg
Password: **********
Warning: Executing this command will apply a software update to the application partition. The system may be rebooted to complete the upgrade.
Continue with upgrade? []: yes
Broadcast Message from root@IPS
(somewhere) at 15:26 …
Applying update IPS-K9-6.0-1-E1.pkg. IPS applications will be stopped and system will be rebooted after upgrade completes .
Broadcast Message from root@IPS
(somewhere) at 15:26 …
Shutting down IPS applications. Applications will be restarted when update is complete..
IPS(config)#
***
***
*** Termination request from cids
***
Sensor is shutting down.This CLI session will be terminated
The sensor reboots by itself. Wait a few minutes and then log in again.
IPS# sh ver
Application Partition:
Cisco Intrusion Prevention System, Version 6.0(1)E1
As you can see, the image has been upgraded successfully. Now we need to upgrade the signature file as well.
IPS# conf t
IPS(config)# upgrade ftp://test@172.20.1.8/IPS-sig-S338-req-E1.pkg
Password: **********
Warning: Executing this command will apply a signature update to the application partition.
Continue with upgrade? []: yes
Broadcast Message from root@IPS
(somewhere) at 16:40 …
Applying update IPS-sig-S338-req-E1
Broadcast Message from root@IPS
(somewhere) at 16:42 …
Update complete
IPS(config)#
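A preflight check for the version line and package names used in the walkthrough above, written here as an added example (not part of the original post): it parses the “show ver” version line and the IPS-K9 / IPS-sig filenames, and confirms that the signature package's “req-E1” engine matches the engine of the image it will run on before anything is applied. The filename patterns are assumed from the two files named in the post; the sample strings are constructed copies of them.

```python
import re
# Constructed samples copied from the walkthrough above
SHOW_VER_BEFORE = "Cisco Intrusion Prevention System, Version 5.1(5)E1"
SHOW_VER_AFTER = "Cisco Intrusion Prevention System, Version 6.0(1)E1"
SYSTEM_PKG = "IPS-K9-6.0-1-E1.pkg"
SIG_PKG = "IPS-sig-S338-req-E1.pkg"
# Filename and version-line patterns assumed from the names used in the post
VER_RE = re.compile(r"Version (\d+)\.(\d+)\((\d+)\)(E\d+)")
SYS_PKG_RE = re.compile(r"^IPS-K9-(\d+)\.(\d+)-(\d+)-(E\d+)\.pkg$")
SIG_PKG_RE = re.compile(r"^IPS-sig-S(\d+)-req-(E\d+)\.pkg$")

def _groups(regex, text, what):
    """Regex groups of the first match, or an error naming what was expected."""
    m = regex.search(text)
    if not m:
        raise ValueError("no %s found in %r" % (what, text))
    return m.groups()

def parse_show_ver(text):
    """(major, minor, maint, engine) from the 'show ver' version line."""
    a, b, c, engine = _groups(VER_RE, text, "IPS version line")
    return int(a), int(b), int(c), engine

def parse_system_pkg(name):
    """(major, minor, maint, engine) from an IPS-K9 system package filename."""
    a, b, c, engine = _groups(SYS_PKG_RE, name, "system package name")
    return int(a), int(b), int(c), engine

def parse_sig_pkg(name):
    """(signature level, required engine) from an IPS-sig package filename."""
    level, engine = _groups(SIG_PKG_RE, name, "signature package name")
    return int(level), engine

def sig_pkg_applies(show_ver_text, sig_pkg_name):
    """True when the package's 'req-Ex' engine matches the running engine."""
    return parse_sig_pkg(sig_pkg_name)[1] == parse_show_ver(show_ver_text)[3]

def preflight(show_ver_text, system_pkg_name, sig_pkg_name):
    """Return (ok, notes); ok is False when a package should not be applied."""
    running = parse_show_ver(show_ver_text)
    target = parse_system_pkg(system_pkg_name)
    ok, notes = True, []
    if target[:3] <= running[:3]:
        ok, notes = False, ["system package is not newer than the running image"]
    elif target[0] != running[0]:
        notes.append("major upgrade: the sensor reboots and the CLI session drops")
    req_engine = parse_sig_pkg(sig_pkg_name)[1]
    if req_engine != target[3]:  # signature engine must match the image it will run on
        ok, notes = False, notes + ["signature needs engine %s, image has %s" % (req_engine, target[3])]
    return ok, notes
```

Run `preflight(SHOW_VER_BEFORE, SYSTEM_PKG, SIG_PKG)` against the captured “show ver” line before starting; a False result means the chosen packages do not fit the sensor.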

Initializing the Sensor

The setup command at the CLI walks you through initialization. You can do the following:

■ Assign a hostname to the sensor. This is case sensitive. It defaults to sensor.

■ Assign an IP address to the command and control interface. The default is 10.1.9.201/24.

■ Assign a default gateway. The default is 10.1.9.1.

■ Enable or disable the Telnet server. Telnet is disabled by default.

■ Specify the web server port. The default is 443.

■ Create network access control lists (ACL) that can access the sensor for management.

■ Configure the date and time.

■ Configure the sensor interfaces.

■ Configure virtual sensors. This enables the configuration of promiscuous and inline interface pairs.

■ Configure threat prevention. An event action override denies high-risk network traffic with a risk rating of 90 to 100. This option lets you disable this feature.

IPS Management Options

For a single device (element management), options include the following:
■ Command-line interface (CLI)
■ Cisco IPS Device Manager (IDM)
■ Cisco IPS Manager Express (IME)

For multiple-device management, options include the following:
■ Cisco IPS Manager Express (IME), for one to ten sensors
■ Cisco Security Manager (CSM), for one or many sensors
■ Cisco Security Monitoring, Analysis, and Response System (MARS)

Approaches to Intrusion Prevention

Signature Based :-

Although Cisco uses a blend of detection and prevention technologies, signature-based IPS is the primary tool that Cisco IPS solutions use. Cisco releases signatures that are added to the device; they identify a pattern that the most common attacks present.
This tool is much less prone to false positives and ensures that the IPS devices stop common threats. This type of approach is also called pattern matching. As different types of attacks are created, these signatures can be added, tuned, and updated to deal with the new attacks.


Anomaly Based :-

This type of intrusion prevention technology is often called profile based. It attempts to discover activity that deviates from what an engineer defines as “normal.” Because it can be so difficult to define what is normal activity for a given network, this approach tends to be prone to a high number of false positives.


The two common types of anomaly-based IPSs are statistical anomaly detection and nonstatistical. The statistical approach learns about the traffic patterns on the network itself, and the nonstatistical approach uses information coded by the vendor.


Policy Based :-

With this type of technology, the security policy is “written” into the IPS device. Alarms are triggered if activities are detected that violate the security policy coded by the organization. Notice how this differs from signature based. Signature based focuses on stopping common attacks, and policy based is more concerned with enforcing the organization’s security policy.


Protocol Analysis Based :-

This approach is similar to signature based, but it looks deeper into packets because of a protocol-based inspection of the packet payload that can occur. Whereas most signatures examine rather common settings, protocol analysis based can do much deeper packet inspection and is more flexible at finding some types of attacks.


Reputation Based :-

This combines any of the previous approaches with knowledge of the attacker. Cisco makes extensive use of reputation-based IPS beginning with the IPS Version 7.0 software. A cloud-based database assigns a reputation score to every IP address in the world, ranging from a positive ten to a negative ten. Hosts that have a history of malicious activity, such as attacking or performing reconnaissance activities, receive a negative score. As the sensor identifies traffic originating from negatively scored hosts, it can take stronger action against the traffic than it might if relying only on a signature.

Promiscuous Versus Inline Mode

Cisco IPS sensors can operate in either promiscuous or inline mode. The decision on which mode to use depends on many considerations and on the location in the network.

Promiscuous Mode (IDS) :-

When deployed in promiscuous mode, a device (often a switch) captures traffic for the sensor and forwards a copy to the sensor for analysis. Because the sensor works with a copy of the traffic, it performs IDS. It can detect an attack and send an alert (and take other actions), but it does not prevent the attack from entering the network or a network segment. It cannot prevent the attack because it does not operate on traffic inline in the forwarding path.

Inline Mode :-

If a Cisco IPS device operates in inline mode, it can perform prevention as opposed to simple detection. This is because the IPS device is in the actual traffic path. This makes the device more effective against worms and atomic attacks (attacks that are carried out by a single packet).

To deploy in inline mode, you need to configure the sensor as a transparent Layer 2 device that passes traffic between two physical or virtual interfaces. The sensor then functions as a Layer 2 bridge between the network segments, and can block malicious traffic that tries to pass.


Keep in mind that a sensor could be configured inline and set up so that it only alerts and does not drop packets. This is an example of an inline configuration where only IDS is performed.


IPS Version 7.0 software permits a device to do promiscuous mode and inline mode simultaneously, which allows some segments to be monitored for IDS only while other segments use IPS protection.

IPS/IDS Terminology


You should be aware of the many security terms that are related to intrusion detection and prevention technologies.


Vulnerability :-
A vulnerability is a weakness that compromises the security or functionality of a particular system in your network.
An example of a vulnerability is a web form on your public website that does not adequately filter inputs or guard against improper data entry. An attacker
might enter invalid characters in an attempt to corrupt the underlying database.


Exploit :-
An exploit is a mechanism designed to take advantage of vulnerabilities that exist in your systems. For example, if poor passwords are in use on your network, a password-cracking package might be the exploit aimed at this vulnerability.


Signature :-
A signature is a set of instructions the sensor uses to identify an unwanted traffic type. A signature is usually created to watch network traffic for a particular vulnerability or exploit.


False Alarms :-
False alarms are IDS/IPS events that you do not want occurring in your implementation. The two types of false alarms are false positives and false negatives. Both are undesirable.


False Positive
A false positive means that an alert has been triggered, but it was for traffic that does not constitute an actual attack. This type of traffic is often called benign traffic.


False Negative
A false negative occurs when attack traffic does not trigger an alert on the IDS/IPS device. This is often viewed as the worst type of false alarm—for obvious reasons.


True Alarms :-
The two types of true alarms in IDS/IPS terminology are true positive and true negative. Both are desirable.


True Positive
A true positive means that the IDS/IPS device recognized and responded to an attack.


True Negative
This means that nonoffending or benign traffic did not trigger an alarm.