Can someone clear up this terminology for me?

Unanswered Question
Dec 21st, 2007

I have a models comparison sheet from CISCO and one of the features listed is "Intrusion Prevention". It says it is NOT AVAILABLE on the 5505 models but IS AVAILABLE on other models. What exactly does "Intrusion Prevention" mean? I thought all routers by nature prevented intrusion?

Paolo Bevilacqua Fri, 12/21/2007 - 07:46

Hi,

IPS is an additional intelligent network element, in the form of a standalone appliance or blade or module for a router, that supposedly detects attacks. The 5505 is old hardware and doesn't support it.

Hope this helps, please rate post if it does!

Jon Marshall Fri, 12/21/2007 - 08:09

Hi

Just to add to Paolo's answer.

IPS looks into the packet contents to determine if the traffic is valid for that protocol and application. It tries to make intelligent decisions based on

1) Signatures - which define a particular type of data content and whether or not it is harmful

2) Application behaviour - typical behaviour of an application and whether it is following that or not.

The forerunner of IPS was IDS - Intrusion Detection System. This did a lot of the same things as IPS but only warned of dangerous traffic.

IPS can actually step in and block the traffic. It goes without saying that this could be very dangerous in itself as you could end up blocking legitimate traffic.

HTH

Jon
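
The two decision inputs Jon lists (content signatures and application behaviour) and the IDS-alerts versus IPS-blocks distinction, as an added toy example that is not part of the original thread. The signature pattern, the port-80 behaviour rule and all packets are constructed for illustration; the third packet stands in for legitimate non-HTTP traffic on tcp/80 and shows Jon's caveat about an inline IPS dropping good traffic.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dport: int
    payload: bytes


# Signature input: a content pattern held to be harmful on a given service.
# Constructed pattern for this example, not a real vendor signature.
SIGNATURES = {
    "sig-1001: SMTP command over 512 bytes": (25, re.compile(rb"^[A-Z]{4} .{512,}", re.S)),
}

# Behaviour input: what well-behaved traffic on tcp/80 is expected to look like.
# Anything else is treated as a protocol anomaly (constructed rule).
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ")


def inspect(pkt):
    """Return None if the packet passes, otherwise the reason it was flagged."""
    for name, (port, pattern) in SIGNATURES.items():
        if pkt.dport == port and pattern.search(pkt.payload):
            return name
    if pkt.dport == 80 and not pkt.payload.startswith(HTTP_METHODS):
        return "behaviour: non-HTTP payload on tcp/80"
    return None


def process(packets, mode):
    """mode='ids' alerts and still forwards; mode='ips' alerts and drops inline."""
    forwarded, alerts = [], []
    for pkt in packets:
        reason = inspect(pkt)
        if reason:
            alerts.append((pkt.src, reason))
            if mode == "ips":
                continue  # inline block: the packet never reaches the host
        forwarded.append(pkt)
    return forwarded, alerts


# Constructed sample traffic: one normal request, one signature hit, and one
# legitimate custom protocol on tcp/80 that the behaviour rule misjudges.
SAMPLE = [
    Packet("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("10.0.0.7", 25, b"HELO " + b"A" * 600 + b"\r\n"),
    Packet("10.0.0.9", 80, b"\x16\x03\x01\x02\x00\x01\x00"),
]
```

In IDS mode all three packets are forwarded and two alerts are raised; in IPS mode only the first packet gets through, so the false positive on 10.0.0.9 becomes an outage rather than a log entry.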

JORGE RODRIGUEZ Fri, 12/21/2007 - 08:40

Well, I finished writing this text and noticed more answers, but don't want to waste my keystrokes, so here are my 2 cents.

There is no doubt the ASA5505 firewall provides security from the outside to the inside, DMZ etc., as well as basic threat detection such as DoS attack inspection drops and other configurable features such as scanning threat detection.

Based on documentation the IPS is an additional enhanced IPS module that comes in two flavors, the AIP-SSM-10 and the AIP-SSM-20, but these are not supported on the ASA5505, only on the higher end ASA models such as the 5510, 5520 and 5540 ASA firewalls, and as you know IPS can also provide intrusion prevention from even your inside network, as threats not only come from outside but could also come from inside your LAN.

Here is a video that provides more info on IPS and ASA firewalls.

AIP-SSM video

http://www.cisco.com/en/US/products/ps6120/products_data_sheet0900aecd8061cf61.html

AIP-SSM ( Advanced inspection-prevention Security service module ) specs

http://www.cisco.com/en/US/products/ps6120/products_data_sheet0900aecd80404916.html

Rgds

Jorge

Richard Burts Fri, 12/21/2007 - 08:47

It seems to me that there is some confusion about the context of this question and whether it is a Catalyst question (which Paolo seems to assume), or a router question, or an ASA/firewall question. I believe that Jorge is correct in interpreting it as an ASA/firewall question.

And I believe that Jorge's answer is spot on in identifying the fact that there is a separate IPS module which is an option for the 5510, 5520, and 5540 models but which is not an option for the 5505 model.

HTH

Rick

Jon Marshall Fri, 12/21/2007 - 08:50

Hi Rick

Agree that it is a bit confusing but the questioner does seem to be asking what exactly IPS is and not what devices it runs on.

Jon

Richard Burts Fri, 12/21/2007 - 09:44

Jon

Perhaps we need Bob to provide some clarification of his original post. When the post starts by mentioning a model comparison sheet and that IPS is not supported on the 5505 I interpreted it as being oriented to what it runs on. But you make a good point that the later part of the question is a bit more open ended about what is IPS.

HTH

Rick

JORGE RODRIGUEZ Fri, 12/21/2007 - 09:58

Rick/Jon thanks for clarifying. I never thought of the ancient Catalyst 5505, I could swear the original poster was referring to the ASA but I missed the ASA and went out of context, apologies!

Rgds

Jorge

Jon Marshall Fri, 12/21/2007 - 11:18

Jorge

No need to apologise as I think you are right in that the original poster was talking about ASA devices and not the old Catalysts.

I just interpreted the question to be about IPS rather than devices but as Rick has pointed out either could be right.

Congratulations on your gold star by the way :)

Jon

Paolo Bevilacqua Fri, 12/21/2007 - 11:52

Sorry, the confusion is because of myself. 5505 still sounds like the "ancient Catalyst" to my ears.

Certainly a good discussion would instead be on the usefulness of IPS. It is really not my area of expertise; all I know is that when the hardware fails, like last week in a customer network, nothing works anymore. In exchange, it has never revealed any attack.
