通信人家园

Posted 2011-3-31 15:43:49
1. Initial configuration of the AIP-IPS module
1) From the ASA CLI, use "session 1" to enter the AIP-IPS module.
asa# session 1
(enters the AIP-IPS module)
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.
login: cisco
Password:
***NOTICE***
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery
of Cisco cryptographic products does not imply third-party authority to import,
export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
***LICENSE NOTICE***
There is no license key installed on the SSM-IPS10.
The system will continue to operate with the currently installed
signature set.
A valid license must be obtained in order to apply
signature updates.
Please go to http://www.cisco.com/go/license
to obtain a new license or install a license.
ssm-sensor#
2) Initialize the AIP-IPS module
ssm-sensor#setup
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Continue with configuration dialog?[yes]: yes
Enter host name[ssm_sensor]: ssm-sensor
Enter IP interface[10.1.1.10/24,10.1.1.1]: 192.168.100.100/24,192.168.1.254 (sets the management interface address and its default gateway. Note that the gateway must lie inside the interface's own subnet: 192.168.1.254 is not in 192.168.100.0/24, so with these exact values the sensor has no route to the management network. If the management PCs are on 192.168.1.0/24, as in the access list below, use something like 192.168.1.100/24,192.168.1.254.)
Enter telnet-server status[disabled]:
Enter web-server port[443]:
Modify current access list?[no]: yes
Current access list entries:
Permit: 192.168.1.0/24
(the network segment of the management PCs that are allowed to reach the sensor)
Modify system clock settings?[no]:
Modify virtual sensor "vs0" configuration?[no]:

[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.
Enter your selection[2]: 2 (save the configuration)
Configuration Saved.
ssm-sensor# reset (reboot the module; the configuration takes effect only after the reboot)
Warning:Executing this command will stop all applications and reboot the node.
Continue with reset? [] : yes
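Before choosing [2] to save, it is worth checking the setup answers against each other: the gateway has to be a neighbour on the sensor's own subnet, the access list must include the station you will manage the sensor from, and telnet should stay disabled. The Python script below is an added example (not part of the original post and not a Cisco tool): the SensorSetup fields mirror the setup prompts above, and the management host 192.168.1.10 used in __main__ is a constructed address on the post's 192.168.1.0/24 management segment.

```python
"""Consistency checks for the answers given to the AIP-SSM 'setup' dialog.

Added example, not from the original post: re-checks the values typed at the
setup prompts before they are saved and the module is reset. Addresses in
__main__ are taken from the post; the management host .10 is constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class SensorSetup:
    host_name: str
    ip_interface: str                  # "addr/prefixlen,gateway", as typed at the prompt
    access_list: List[str] = field(default_factory=list)  # "Permit:" entries, CIDR or host
    telnet_enabled: bool = False       # answer to "Enter telnet-server status"
    web_server_port: int = 443         # answer to "Enter web-server port"


def check_sensor_setup(cfg: SensorSetup, mgmt_hosts: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the answers are consistent.

    mgmt_hosts are the management stations that must be able to open the
    HTTPS/SSH session to the sensor.
    """
    problems = []
    try:
        addr_part, gw_part = cfg.ip_interface.split(",")
        iface = ipaddress.ip_interface(addr_part.strip())
        gateway = ipaddress.ip_address(gw_part.strip())
    except ValueError as exc:
        # wrong shape (no comma), bad address, or bad prefix length
        return [f"cannot parse IP interface '{cfg.ip_interface}': {exc}"]

    # The default gateway must be a neighbour on the sensor's own subnet,
    # otherwise the sensor has no route back to the management network.
    if gateway not in iface.network:
        problems.append(
            f"gateway {gateway} is not inside {iface.network}; "
            f"the sensor cannot reach it")
    elif gateway == iface.ip:
        problems.append("gateway is the same as the sensor address")

    # The access list is what lets a management station connect at all.
    try:
        acl = [ipaddress.ip_network(e.strip(), strict=False) for e in cfg.access_list]
    except ValueError as exc:
        return problems + [f"bad access-list entry: {exc}"]
    for host in mgmt_hosts:
        h = ipaddress.ip_address(host)
        if not any(h in net for net in acl):
            problems.append(f"management host {h} is not permitted by the access list")
    if any(net.prefixlen == 0 for net in acl):
        problems.append("access list permits 0.0.0.0/0: management plane reachable from anywhere")

    # Management-plane hardening: keep telnet off, keep the web server on a sane port.
    if cfg.telnet_enabled:
        problems.append("telnet-server enabled: clear-text logins; leave it disabled and use SSH/HTTPS")
    if not 1 <= cfg.web_server_port <= 65535:
        problems.append(f"web-server port {cfg.web_server_port} is out of range")
    return problems


if __name__ == "__main__":
    # Values as typed in the post, then the same answers with the sensor moved onto
    # the gateway's subnet. 192.168.1.10 is a constructed management PC address.
    as_posted = SensorSetup("ssm-sensor", "192.168.100.100/24,192.168.1.254", ["192.168.1.0/24"])
    corrected = SensorSetup("ssm-sensor", "192.168.1.100/24,192.168.1.254", ["192.168.1.0/24"])
    for label, cfg in (("as posted", as_posted), ("corrected", corrected)):
        print(label, check_sensor_setup(cfg, ["192.168.1.10"]) or ["ok"])
```

Run it once with the answers you intend to type; anything it prints is something the setup dialog itself will accept silently and you would only discover when the IDM/ASDM session to the sensor never connects.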
2. Redirecting the traffic to be inspected into the AIP-SSM
asa(config)# access-list IPS permit ip any any
asa(config)# class-map class_map_name
asa(config-cmap)# match [access-list | any]
asa(config-cmap)# policy-map policy_map_name
asa(config-pmap)# class class_map_name
asa(config-pmap-c)# ips [inline | promiscuous] [fail-close | fail-open]
In inline mode the traffic passes through the AIP before it is allowed through the ASA firewall, so the module sits in series in the traffic path. This gives the highest security, but it can become a bottleneck and affect network performance, and if the AIP fails (with fail-close) the whole traffic path goes down.
Promiscuous mode is also called monitor mode: the ASA copies the traffic to the AIP. Security is lower, but the impact on bandwidth is small, unlike inline mode. In this mode the AIP can only instruct the ASA to block dangerous traffic or reset the connection, so some of the traffic passes through the ASA firewall before the AIP has inspected it and ordered the block.
fail-close: when the AIP stops working, the ASA blocks all traffic that the policy would have sent to the module.
fail-open: when the AIP stops working, the ASA passes all traffic that the ASA itself considers safe (its own access lists and inspections still apply).
3. Verifying the configuration
asa(config-pmap-c)# show running-config
!
class-map my-ips-class
match access-list IPS
class-map all_traffic
match access-list all_traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map my-ids-policy
class my-ips-class
ips promiscuous fail-close
!
service-policy my-ids-policy global
The following example redirects the traffic in promiscuous mode:
asa(config)# access-list IPS permit ip any any
asa(config)# class-map my-ips-class
asa(config-cmap)# match access-list IPS
asa(config-cmap)# policy-map my-ids-policy
asa(config-pmap)# class my-ips-class
asa(config-pmap-c)# ips promiscuous fail-close
asa(config-pmap-c)# service-policy my-ids-policy global
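The show running-config excerpt in section 3 and the promiscuous-mode example above can be audited automatically, which is useful on a box with many class-maps. The Python script below is an added example, not code from the original post or from Cisco: parse_mpf is a small parser for the class-map / policy-map / service-policy / access-list stanzas in the form show running-config prints them, and audit_ips reports every "ips" action with its mode, fail behaviour and where the policy-map is applied, and flags the kind of leftovers visible in the excerpt (a class-map with no match statement, a match on an access list that is never defined, a policy-map that is not applied by any service-policy). SAMPLE_CONFIG is constructed from that excerpt plus its access-list line.

```python
"""Audit the Modular Policy Framework (MPF) stanzas of an ASA running-config
for traffic redirection to the AIP-SSM.

Added example, not from the original post or from Cisco. SAMPLE_CONFIG is
constructed from the post's 'show running-config' excerpt.
"""
from collections import OrderedDict


def parse_mpf(config_text):
    """Return (class_maps, policy_maps, service_policies, acl_names)."""
    class_maps = OrderedDict()      # name -> list of "match ..." arguments
    policy_maps = OrderedDict()     # name -> OrderedDict(class name -> action lines)
    service_policies = []           # (policy name, "global" or "interface X")
    acl_names = set()
    cur_cmap = cur_pmap = cur_class = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if tok[0] == "access-list" and len(tok) > 1:
            acl_names.add(tok[1])
            cur_cmap = cur_pmap = None
        elif tok[0] == "class-map" and len(tok) > 1:
            cur_cmap, cur_pmap = tok[-1], None          # name is the last token
            class_maps.setdefault(cur_cmap, [])
        elif tok[0] == "policy-map" and len(tok) > 1:
            cur_pmap, cur_cmap, cur_class = tok[-1], None, None
            policy_maps.setdefault(cur_pmap, OrderedDict())
        elif tok[0] == "service-policy" and len(tok) > 2:
            service_policies.append((tok[1], " ".join(tok[2:])))
            cur_cmap = cur_pmap = None
        elif tok[0] == "match" and cur_cmap is not None:
            class_maps[cur_cmap].append(" ".join(tok[1:]))
        elif tok[0] == "class" and cur_pmap is not None and len(tok) > 1:
            cur_class = tok[1]
            policy_maps[cur_pmap].setdefault(cur_class, [])
        elif cur_pmap is not None and cur_class is not None:
            policy_maps[cur_pmap][cur_class].append(line)   # e.g. "ips inline fail-open"
    return class_maps, policy_maps, service_policies, acl_names


def audit_ips(config_text):
    """Return (bindings, warnings): one binding dict per 'ips' action found."""
    class_maps, policy_maps, service_policies, acl_names = parse_mpf(config_text)
    bindings, warnings = [], []
    for name, matches in class_maps.items():
        if not matches:
            warnings.append(f"class-map {name} has no match statement, it matches nothing")
        for m in matches:
            parts = m.split()
            if parts and parts[0] == "access-list" and len(parts) > 1 and parts[1] not in acl_names:
                warnings.append(f"class-map {name} references undefined access-list {parts[1]}")
    for pname, classes in policy_maps.items():
        targets = [where for p, where in service_policies if p == pname]
        for cname, actions in classes.items():
            if cname != "class-default" and cname not in class_maps:
                warnings.append(f"policy-map {pname} uses undefined class-map {cname}")
            for action in actions:
                t = action.split()
                if t[0] != "ips":
                    continue
                if not targets:
                    warnings.append(f"policy-map {pname} sends class {cname} to the IPS "
                                    f"but is not applied by any service-policy")
                bindings.append({
                    "policy": pname, "class": cname,
                    "match": class_maps.get(cname, []),
                    "mode": t[1] if len(t) > 1 else None,    # inline / promiscuous
                    "fail": t[2] if len(t) > 2 else None,    # fail-close / fail-open
                    "applied": targets,
                })
    if not bindings:
        warnings.append("no 'ips' action found: no traffic is being sent to the AIP-SSM")
    return bindings, warnings


# Constructed from the post's excerpt, including its stray class-maps.
SAMPLE_CONFIG = """\
access-list IPS extended permit ip any any
!
class-map my_ips_class
class-map my-ips-class
 match access-list IPS
class-map all_traffic
 match access-list all_traffic
class-map inspection_default
 match default-inspection-traffic
!
policy-map my-ids-policy
 class my-ips-class
  ips promiscuous fail-close
!
service-policy my-ids-policy global
"""

if __name__ == "__main__":
    found, warns = audit_ips(SAMPLE_CONFIG)
    for b in found:
        print(f"{b['policy']}/{b['class']} ({', '.join(b['match'])}) -> "
              f"ips {b['mode']} {b['fail']}, applied: {b['applied'] or 'nowhere'}")
    for w in warns:
        print("warning:", w)
```

Feed it the output of show running-config from the ASA; the bindings tell you at a glance whether the IPS is inline or promiscuous and what happens when the module fails, and the warnings catch the case where the policy-map was written but the service-policy line was forgotten, which leaves the sensor seeing no traffic at all.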
4. System recovery
asa# hw-module module 1 recover configure
Image URL [tftp://1.1.1.1/IPS-SSM-K9-sys-1.1-a-5.0-0.15-S91-0.15.img]:
Port IP Address [1.1.1.23]:
VLAN ID [0]:
Gateway IP Address [0.0.0.0]:1.1.1.2
asa#
asa# show module 1 recover
Module 1 recover parameters...
Boot Recovery Image: No
Image URL:
tftp://1.1.1.1/IPS-SSM-K9-sys-1.1-a-5.0-0.15-S91-0.15.img
Port IP Address:
1.1.1.23
Gateway IP Address:
1.1.1.2
VLAN ID:
0
Next you can fine-tune your policy in ASDM.
Enter https://x.x.x.x in the browser.

Copyright © 1999-2023 C114 All Rights Reserved
