Summary


So far in Part II, "Securing Network Infrastructures with ASDM" (the deployment section of this book), the following has been covered:

  • Chapter 5 , "Deploying Secure Internet Connectivity" The initial configuration of your security appliance and connection of the security appliance to the Internet

  • Chapter 6 , "Deploying Web and Mail Services" The addition of a web and a mail server

  • Chapter 7 , "Deploying Authentication" The deployment of authentication to the security appliance itself and to the web services behind it

  • Chapter 8 , "Deploying Perimeter Protection" The deployment of perimeter protection

In this chapter, you deployed intrusion prevention (IPS and IP Audit) on your ASA/PIX Security Appliance, and you examined the advanced features that the ASA Security Appliance makes available when it is paired with an SSM.

IPS and IP Audit mitigate several classes of attack sourced from the Internet, including some, but not all, worms, viruses, and directed attacks. IP Audit on the ASA/PIX Security Appliance is signature-based: the ASA/PIX Security Appliance ships 51 signatures in its default audit profile, whereas the ASA with an SSM has more than 1500. Both the ASA/PIX Security Appliance and the ASA 5500 series also provide RFC compliance checks and port-misuse checks.

The signatures deployed on the ASA/PIX stop many attacks; however, a determined attacker can eventually circumvent signature-based prevention, either by using an attack that is not in the signature database or by altering a string in the attack so that it no longer matches the signature. For this reason, host intrusion prevention, described in Chapter 10, "Deploying Host Intrusion Prevention," is an important additional layer.
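The following toy signature engine is an added illustration of the two points above, not code from the book or from Cisco's IP Audit implementation. It applies a small, made-up signature set (the signature numbers and patterns are assumptions, not Cisco signature IDs) to constructed HTTP requests under a detection-only policy (alarm) and a prevention policy (alarm, drop, reset), and then shows how a trivially re-encoded copy of the same attack slips past the literal-string match until the payload is normalized first.

```python
"""Toy signature engine: detection vs. prevention, and string-change evasion.

Added example; not the book's or Cisco's code. Signature IDs, names and
patterns below are constructed for illustration only.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes


@dataclass(frozen=True)
class Signature:
    sig_id: int      # hypothetical ID, not a Cisco IP Audit signature number
    name: str
    pattern: bytes   # regular expression applied to the packet payload
    kind: str        # "info" or "attack", mirroring IP Audit's two classes


# Constructed signature set (assumption: not the ASA/PIX default list).
SIGNATURES = (
    Signature(9001, "directory traversal", rb"\.\./", "attack"),
    Signature(9002, "cmd.exe request", rb"cmd\.exe", "attack"),
    Signature(9003, "HTTP request seen", rb"^(GET|POST) ", "info"),
)

# Actions per signature class. "Detection" only alarms; "prevention" also
# drops the packet and resets the connection for attack signatures.
DETECT_POLICY = {"info": frozenset({"alarm"}),
                 "attack": frozenset({"alarm"})}
PREVENT_POLICY = {"info": frozenset({"alarm"}),
                  "attack": frozenset({"alarm", "drop", "reset"})}


def normalize(payload: bytes) -> bytes:
    """Percent-decode the payload so encoded forms of '../' or 'cmd.exe'
    are compared in the same form the signature author wrote them in."""
    return unquote_to_bytes(payload)


def inspect(payload: bytes, policy: dict, normalize_first: bool = False) -> dict:
    """Return which signatures fired and what the policy does with the packet."""
    data = normalize(payload) if normalize_first else payload
    hits = [s for s in SIGNATURES if re.search(s.pattern, data)]
    actions = set()
    for sig in hits:
        actions |= policy[sig.kind]
    return {
        "matches": [s.sig_id for s in hits],
        "alarm": "alarm" in actions,        # would produce a syslog message
        "forwarded": "drop" not in actions,  # False means the packet was stopped
    }


# Constructed sample requests (not captured traffic).
PLAIN_ATTACK = b"GET /../../etc/passwd HTTP/1.0\r\n"
# Same intent, but "../" and "cmd.exe" are percent-encoded so the literal
# signatures no longer match: the "change a string" evasion from the text.
ENCODED_ATTACK = b"GET /scripts/..%2f..%2fwinnt/system32/cmd%2eexe HTTP/1.0\r\n"
BENIGN = b"GET /index.html HTTP/1.0\r\n"


if __name__ == "__main__":
    print("detect  :", inspect(PLAIN_ATTACK, DETECT_POLICY))
    print("prevent :", inspect(PLAIN_ATTACK, PREVENT_POLICY))
    print("evaded  :", inspect(ENCODED_ATTACK, PREVENT_POLICY))
    print("decoded :", inspect(ENCODED_ATTACK, PREVENT_POLICY, normalize_first=True))
    print("benign  :", inspect(BENIGN, PREVENT_POLICY))
```

The detection policy alarms on the plain attack but still forwards it; the prevention policy alarms and drops it. The percent-encoded copy matches only the informational "HTTP request seen" signature and is forwarded, which is exactly the gap the paragraph describes; decoding the payload before matching closes that particular gap, but a host-based layer is still needed for attacks the signature set does not describe at all.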

The following has been covered in this chapter:

  • Intrusion detection versus intrusion prevention Intrusion prevention drops and reports packets that are identified as attack packets. Intrusion detection lets the packets pass but logs the alarm to a syslog server.

  • The importance of IPS and IP Audit In the earlier deployment chapters, you authenticated users, filtered traffic, and ran protocol checks on it. As a final step, IPS looks inside the packet to ensure that its contents do not match a known attack string. If they do match, IPS drops the packet, protecting the resource for which the packet was destined.

  • ASA/PIX IP Audit and IPS signatures A list of all ASA/PIX default IP Audit signatures has been provided in this chapter. For an explanation of these signatures, check the Cisco website at http://www.cisco.com/go/pix. The IPS signatures have been referenced in this chapter only as a quantity (more than 1500); listing them all in this book would add no value. For a complete description of any IPS signature, navigate to the ASDM panel Configuration > IPS > Signature Configuration, highlight the signature, and click the NSDB button. That button opens a web page with a detailed description of the signature.

    You then deployed intrusion prevention on the ASA/PIX. In doing so, you learned how to use ASDM to do the following:

    - View and modify the IP Audit signatures.

    - Build an IP Audit policy.

    - Enable IP Audit policy on an interface.

    - Monitor the triggering of IP Audit policies.
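As an added example (not from the book, which walks through these steps in ASDM), the same four steps expressed as ASA/PIX 7.x command-line configuration. The interface name, the policy names, the syslog server address and the choice of signature 2004 (ICMP echo request in the default IP Audit list; verify the number in the ASDM signature panel before disabling it) are assumptions for illustration.

```text
! 1. View and modify the IP Audit signatures: disable one that is noisy
!    for your environment (number assumed; check it in ASDM first)
ip audit signature 2004 disable

! 2. Build IP Audit policies: informational signatures only alarm,
!    attack signatures alarm, drop the packet and reset the connection
ip audit name OUTSIDE_INFO info action alarm
ip audit name OUTSIDE_ATTACK attack action alarm drop reset

! 3. Enable the policies on an interface (interface name assumed)
ip audit interface outside OUTSIDE_INFO
ip audit interface outside OUTSIDE_ATTACK

! 4. Monitor triggers: per-signature hit counts on the interface, and
!    send the resulting alarms to a syslog server (address assumed)
show ip audit count interface outside
logging enable
logging trap informational
logging host inside 10.0.0.5
```

Use `clear ip audit count` to reset the counters after a test, and compare the ASDM Monitoring view with the syslog server output to confirm that both the drop and the alarm actually occur for an attack signature; a policy that only alarms on attack signatures is detection, not prevention, however it is labelled.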

The remaining steps to fully deploy defense in depth in your network are covered in the following chapters:

  • Chapter 10, "Deploying Host Intrusion Prevention"

  • Chapter 11, "Deploying VPNs"



Securing Your Business with Cisco ASA and PIX Firewalls
ISBN: 1587052148
Year: 2006
Pages: 120
Authors: Greg Abelar