Cisco Systems IPS 7.1 Home Security System User Manual
6-6
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 6 Configuring Virtual Sensors
Adding, Editing, and Deleting Virtual Sensors
inline-TCP-evasion-protection-mode—Lets you choose which type of normalization you need for traffic inspection:
  asymmetric—Specifies that the sensor can only see one direction of bidirectional traffic flow. Asymmetric mode protection relaxes the evasion protection at the TCP layer.
  Note Asymmetric mode lets the sensor synchronize state with the flow and maintain inspection for those engines that do not require both directions. Asymmetric mode lowers security because full protection requires both sides of traffic to be seen.
  strict—Specifies that if a packet is missed for any reason, all packets after the missed packet are not processed. Strict evasion protection provides full enforcement of TCP state and sequence tracking.
  Note Any out-of-order packets or missed packets can produce Normalizer engine signature 1300 or 1330 firings, which try to correct the situation, but can result in denied connections.
  Note For the ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP), normalization is performed by the adaptive security appliance and not the IPS.
inline-TCP-session-tracking-mode—Enables an advanced method used to identify duplicate TCP sessions in inline traffic. The default is virtual sensor, which is almost always the best choice.
  virtual-sensor—Specifies that all packets with the same session key (AaBb) within a virtual sensor belong to the same session.
  interface-and-vlan—Specifies that all packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair) and on the same interface belong to the same session. Packets with the same key but on different VLANs or interfaces are tracked independently.
  vlan-only—Specifies that all packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair), regardless of the interface, belong to the same session. Packets with the same key but on different VLANs are tracked independently.
  Note The ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP) do not support the inline TCP session tracking mode.
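The following Python model is added here to illustrate the three session tracking modes; it is not Cisco code and not part of the guide. It shows how the same AaBb key (addresses and ports of both endpoints) is either merged into one tracked session or split per VLAN and per interface; the packet record fields and the direction-independent ordering of the key are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    """Constructed packet record: the AaBb endpoints plus where the sensor saw it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    interface: str        # physical interface the packet arrived on
    vlan: Optional[int]   # VLAN (or inline VLAN pair) tag; None if untagged

def session_key(pkt: Packet) -> Tuple[Tuple[str, int], Tuple[str, int]]:
    # AaBb = address/port of endpoint A and address/port of endpoint B.
    # Ordering the endpoints canonically so that both directions of the flow
    # map to one key is an assumption of this model.
    a, b = (pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)
    return (a, b) if a <= b else (b, a)

def tracking_id(pkt: Packet, mode: str) -> tuple:
    """Session identity under each inline-TCP-session-tracking-mode value."""
    key = session_key(pkt)
    if mode == "virtual-sensor":       # same AaBb anywhere in the virtual sensor
        return (key,)
    if mode == "vlan-only":            # same AaBb in the same VLAN, any interface
        return (key, pkt.vlan)
    if mode == "interface-and-vlan":   # same AaBb, same VLAN, same interface
        return (key, pkt.vlan, pkt.interface)
    raise ValueError(f"unknown tracking mode: {mode}")

def count_sessions(packets: List[Packet], mode: str) -> int:
    """Number of distinct TCP sessions the sensor would track for these packets."""
    return len({tracking_id(p, mode) for p in packets})

# Constructed sample: one client/server flow seen on two interfaces and two VLANs,
# the shape produced by asymmetric routing or a duplicated inline path.
SAMPLE = [
    Packet("10.0.0.5", 40001, "192.0.2.10", 80, "GigabitEthernet0/0", 10),
    Packet("192.0.2.10", 80, "10.0.0.5", 40001, "GigabitEthernet0/0", 10),  # reply direction
    Packet("10.0.0.5", 40001, "192.0.2.10", 80, "GigabitEthernet0/1", 10),  # other interface
    Packet("10.0.0.5", 40001, "192.0.2.10", 80, "GigabitEthernet0/0", 20),  # other VLAN
]

if __name__ == "__main__":
    for mode in ("virtual-sensor", "vlan-only", "interface-and-vlan"):
        print(f"{mode:20s} -> {count_sessions(SAMPLE, mode)} session(s)")
```

With the sample above, virtual-sensor tracks 1 session, vlan-only tracks 2 and interface-and-vlan tracks 3, which is why duplicated traffic across VLANs or interfaces is handled differently by each mode.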
signature-definition—Specifies the name of the signature definition policy.
logical-interfaces—Specifies the name of the logical interfaces (inline interface pairs).
physical-interfaces—Specifies the name of the physical interfaces (promiscuous, inline VLAN pairs, and VLAN groups):
  subinterface-number—Specifies the physical subinterface number. If the subinterface-type is none, the value of 0 indicates the entire interface is assigned in promiscuous mode.
no—Removes an entry or selection.