I need to configure AIP-SSM-20 on ASA5540 with multiple interfaces – OUTSIDE, INSIDE, DMZ1, DMZ2, an

Hi!


I need to configure AIP-SSM-20 on ASA5540 with multiple interfaces – OUTSIDE, INSIDE, DMZ1, DMZ2, and DMZ3. I need to protect all incoming traffic from OUTSIDE to all 3 DMZs and INSIDE. According to the documentation, AIP-SSM-20 supports only 4 virtual sensors.


1. Do I have to configure and utilize all 4 virtual sensors on the AIP to protect the three DMZ interfaces and the one INSIDE interface?

2. Can I use only one sensor for all DMZ and INSIDE interfaces?

3. If I have to utilize all 4 virtual sensors, what will I need to do in order to protect ASA interfaces added in the future?


Thanks,

 Val Rodionov

Comments


  • Configuring Virtual Sensors

    http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliAnEng.html

    Just some stuff from the configuration doc that talks about virtual sensors ... it seems that you can use 1 sensor for several interfaces, as long as 1 interface is not part of multiple sensors.

    Understanding Analysis Engine

    Analysis Engine performs packet analysis and alert detection. It monitors traffic that flows through specified interfaces.

    You create virtual sensors in Analysis Engine. Each virtual sensor has a unique name with a list of interfaces, inline interface pairs, inline VLAN pairs, and VLAN groups associated with it. To avoid definition ordering issues, no conflicts or overlaps are allowed in assignments. You assign interfaces, inline interface pairs, inline VLAN pairs, and VLAN groups to a specific virtual sensor so that no packet is processed by more than one virtual sensor. Each virtual sensor is also associated with a specifically named signature definition, event action rules, and anomaly detection configuration. Packets from interfaces, inline interface pairs, inline VLAN pairs, and VLAN groups that are not assigned to any virtual sensor are disposed of according to the inline bypass configuration.

    Understanding the Virtual Sensor

    The sensor can receive data inputs from one or many monitored data streams. These monitored data streams can either be physical interface ports or virtual interface ports. For example, a single sensor can monitor traffic from in front of the firewall, from behind the firewall, or from in front of and behind the firewall concurrently. And a single sensor can monitor one or more data streams. In this situation a single sensor policy or configuration is applied to all monitored data streams.

    A virtual sensor is a collection of data that is defined by a set of configuration policies. The virtual sensor is applied to a set of packets as defined by interface component.

    A virtual sensor can monitor multiple segments, and you can apply a different policy or configuration for each virtual sensor within a single physical sensor. You can set up a different policy per monitored segment under analysis. You can also apply the same policy instance, for example, sig0, rules0, or ad0, to different virtual sensors. You can assign interfaces, inline interface pairs, inline VLAN pairs, and VLAN groups to a virtual sensor.

    HTH
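
Added example, not code from this thread or from Cisco: a small Python model of the assignment rule quoted above (each monitored data stream belongs to at most one virtual sensor, streams owned by no sensor go to inline bypass, and this module supports at most four sensors). The interface names come from the question; vs0..vs3, sig1..sig3 and DMZ4 are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class VirtualSensor:
    """Name, owned data streams (interfaces, inline pairs, VLAN groups) and policies."""
    name: str
    streams: frozenset
    sig_def: str = "sig0"
    event_rules: str = "rules0"
    anomaly: str = "ad0"


def validate_assignments(sensors, all_streams, max_sensors=4):
    """Check a layout against the quoted rules; returns (errors, unassigned).

    errors: more sensors than the platform supports, or a stream owned by more
    than one virtual sensor (no packet may be processed by two sensors).
    unassigned: streams owned by no sensor; their packets are handled by the
    inline bypass configuration instead of a sensor policy.
    """
    errors = []
    if len(sensors) > max_sensors:
        errors.append(f"{len(sensors)} virtual sensors exceeds the limit of {max_sensors}")
    owners = {}
    for vs in sensors:
        for stream in vs.streams:
            owners.setdefault(stream, []).append(vs.name)
    for stream, names in sorted(owners.items()):
        if len(names) > 1:
            errors.append(f"{stream} is assigned to several virtual sensors: {sorted(names)}")
    unassigned = sorted(set(all_streams) - set(owners))
    return errors, unassigned


# Constructed interface names from the question; DMZ4 is a hypothetical later addition.
STREAMS = {"OUTSIDE", "INSIDE", "DMZ1", "DMZ2", "DMZ3"}
# Layout A (question 2): one virtual sensor, one policy, every interface covered.
ONE_SENSOR = [VirtualSensor("vs0", frozenset(STREAMS))]
# Layout B (question 3): all four sensors in use so each DMZ gets its own policy;
# a DMZ4 added later is owned by nobody and falls to inline bypass until assigned.
FOUR_SENSORS = [VirtualSensor("vs0", frozenset({"OUTSIDE", "INSIDE"})),
                VirtualSensor("vs1", frozenset({"DMZ1"}), sig_def="sig1"),
                VirtualSensor("vs2", frozenset({"DMZ2"}), sig_def="sig2"),
                VirtualSensor("vs3", frozenset({"DMZ3"}), sig_def="sig3")]
# Layout C: INSIDE appears in two sensors, which the rule forbids.
OVERLAP = [VirtualSensor("vs0", frozenset({"OUTSIDE", "INSIDE"})),
           VirtualSensor("vs1", frozenset({"INSIDE", "DMZ1"}))]
```

Running `validate_assignments(FOUR_SENSORS, STREAMS | {"DMZ4"})` reports no errors but lists DMZ4 as unassigned, which is the situation question 3 asks about.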
