37-4
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 37 Configuring Virtual Sensors
Understanding the Virtual Sensor
the IPS. A further complication in this situation is the necessity of allowing asymmetric traffic to merge for proper tracking of streams when the traffic for either direction is received from different VLANs or interfaces.
To deal with this situation, you can set the mode so that streams are perceived as unique if they are received on separate interfaces or VLANs (or the subinterface for VLAN pairs).
The following inline TCP session tracking modes apply:
• Interface and VLAN—All packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair) and on the same interface belong to the same session. Packets with the same key but on different VLANs are tracked separately.
• VLAN Only—All packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair) regardless of the interface belong to the same session. Packets with the same key but on different VLANs are tracked separately.
• Virtual Sensor—All packets with the same session key (AaBb) within a virtual sensor belong to the same session. This is the default and almost always the best option to choose.
You configure the inline TCP session tracking mode as a property of the virtual sensor as described in Defining A Virtual Sensor, page 37-5.
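As an added illustration that is not part of the Cisco guide, the following Python models how the three tracking modes turn the same session key (AaBb) into one or more tracked sessions when the two directions of a flow arrive on different interfaces and VLANs. The packet fields, the TrackingMode names and the vlan_pairs mapping are assumptions of this model, not the sensor's own configuration syntax.

```python
from enum import Enum


class TrackingMode(Enum):
    """Inline TCP session tracking modes described in the text (names assumed)."""
    INTERFACE_AND_VLAN = "interface-and-vlan"
    VLAN_ONLY = "vlan-only"
    VIRTUAL_SENSOR = "virtual-sensor"  # the default


def session_key(pkt):
    """Direction-independent session key, the 'AaBb' of the text.

    Endpoints are sorted so that A:a -> B:b and B:b -> A:a give the same key.
    """
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return tuple(ends)


def tracking_key(pkt, mode, vlan_pairs=None):
    """Key under which the sensor tracks this packet's session.

    vlan_pairs (assumed shape): {vlan_id: pair_id}; both VLANs of an inline
    VLAN pair map to one pair_id, so they count as the same VLAN for tracking.
    """
    vlan_pairs = vlan_pairs or {}
    vlan = vlan_pairs.get(pkt["vlan"], pkt["vlan"])
    base = session_key(pkt)
    if mode is TrackingMode.INTERFACE_AND_VLAN:
        return base + (pkt["iface"], vlan)
    if mode is TrackingMode.VLAN_ONLY:
        return base + (vlan,)
    return base  # VIRTUAL_SENSOR: interface and VLAN do not matter


def count_sessions(packets, mode, vlan_pairs=None):
    """Number of distinct sessions the sensor would track for these packets."""
    return len({tracking_key(p, mode, vlan_pairs) for p in packets})


# Constructed sample: one TCP flow whose request and reply arrive on
# different interfaces and VLANs (an asymmetric path).
PACKETS = [
    {"src": "10.1.1.5", "sport": 40000, "dst": "192.0.2.10", "dport": 80,
     "iface": "GigabitEthernet0/0", "vlan": 100},
    {"src": "192.0.2.10", "sport": 80, "dst": "10.1.1.5", "dport": 40000,
     "iface": "GigabitEthernet0/1", "vlan": 200},
]
```

In VLAN Only mode the two directions merge into one session only if VLANs 100 and 200 form an inline VLAN pair; in Interface and VLAN mode they never merge because the interfaces differ.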
Understanding Normalizer Mode
Normalizer mode applies only when the sensor is operating in inline mode. The default is strict evasion protection, which is full enforcement of TCP state and sequence tracking. The Normalizer enforces its checks against duplicate packets, changed packets, out-of-order packets, and so forth, which helps prevent attackers from evading the IPS.
Asymmetric mode disables most of the Normalizer checks. Use Asymmetric mode only when the sensor cannot inspect the entire stream, because with these checks disabled, attackers can evade the IPS.
You configure the Normalizer mode as a property of the virtual sensor as described in Defining A Virtual Sensor, page 37-5.
Assigning Interfaces to Virtual Sensors
An IPS sensor monitors traffic that traverses interfaces, interface pairs, or VLAN pairs assigned to a virtual sensor.
You can assign one or more of the following types of interfaces to a virtual sensor:
• Promiscuous interface—A physical interface that does not have VLAN groups and which is not part of an inline interface pair.
• Inline interface pair—A logical interface composed of two physical interfaces.
• Inline VLAN pair—A logical interface composed of two VLANs.
• Promiscuous VLAN group—A VLAN group that is assigned to a subinterface on a physical interface.
  The physical interface cannot already be used for an inline interface or VLAN pair. There can be many promiscuous VLAN groups on the same promiscuous interface, but the VLANs assigned cannot overlap. Once a VLAN group is assigned to a promiscuous interface, it is no longer a plain promiscuous interface and can only be used for promiscuous VLAN groups.
• Inline VLAN group—A VLAN group that is assigned to a subinterface of an inline interface pair.