ASA using only for IPS?

Answered Question
Jan 31st, 2008

Hi,


Is it possible to use the ASA with the IPS module as a sensor only, with its outside interface connected to a mirrored switch port?


Regards.


Volker

Correct Answer
marcabal Thu, 01/31/2008 - 08:13
User Badges:
  • Cisco Employee,

The outside interface is for command and control only and cannot be used for monitoring.

The SSM is only able to monitor traffic passing through the ASA.

The ASA does not support connecting its ports to mirrored switch ports either.

The closest you get is to configure the ASA in transparent mode with ACLs on each interface that permit all traffic, and then place the ASA between 2 of your existing devices. Then place a policy on the ASA to copy all packets to the SSM for promiscuous monitoring.

If you have an existing other type of firewall, then you can try placing the transparent ASA between your other firewall and your DMZ switch, for example.

All traffic would be passed through the ASA and be copied to the SSM for promiscuous monitoring.

This mode could best be described as using the ASA as a simulated tap to send traffic to the SSM.


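The "simulated tap" layout described in the answer above, written out as an ASA configuration. This is an added example, not configuration posted by marcabal or taken from Cisco documentation; the interface names, the ACL name PERMIT-ALL, the class-map name IPS-ALL, the management address and the choice of fail-open are assumptions chosen for illustration, and the command syntax is the ASA 7.x/8.0-era form that matches the date of this thread.

```cisco
! --- Added example: transparent ASA used as a tap for a promiscuous SSM ---
! Assumption: two data interfaces, Ethernet0/0 towards the existing firewall
! and Ethernet0/1 towards the DMZ switch. Names and addresses are made up.

! Layer-2 (transparent) firewall mode: the ASA bridges traffic instead of routing it,
! so it can be dropped between two existing devices without re-addressing anything.
firewall transparent

! Management address for the transparent ASA itself (constructed value).
ip address 192.0.2.10 255.255.255.0

interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown

! Permit-all ACL applied inbound on BOTH interfaces, as the answer describes,
! so the ASA itself does not filter anything and behaves like a wire.
access-list PERMIT-ALL extended permit ip any any
access-group PERMIT-ALL in interface outside
access-group PERMIT-ALL in interface inside

! Match every packet and hand a copy to the SSM in promiscuous mode.
! "promiscuous" = the SSM only sees a copy and cannot drop traffic (IDS behaviour).
! "fail-open"   = if the SSM is down, traffic keeps flowing through the ASA.
class-map IPS-ALL
 match any
policy-map global_policy
 class IPS-ALL
  ips promiscuous fail-open
service-policy global_policy global
```

Two points a defender should check before deploying this: first, since the SSM is promiscuous it only alerts, it never blocks, so the placement buys visibility, not prevention; second, the `fail-open` keyword is what keeps the in-line ASA from becoming the hard failure point raised later in this thread, because an SSM crash or reload then degrades to "no monitoring" rather than "no traffic", and `fail-close` would do the opposite. The ASA hardware itself remains in the path either way, so a verification that the permit-all ACLs and the bridged interfaces pass traffic before the SSM is enabled is worthwhile.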
rhermes Thu, 01/31/2008 - 12:34
User Badges:
  • Gold, 750 points or more

This is a very timely question, as Cisco is recommending the ASA-5510 as a replacement for EOL'ed 4215 sensor. I'm terribly disappointed that the ASA can be run in a promiscuous mode (like the 4215) and must be placed in line. Adding another single point of failure only diminishes overall availability and uptime.

There is no advantage to placing a promiscuous mode IDS device in-line.

Volker Janusch Wed, 02/06/2008 - 02:59
User Badges:

Yes, this is the big problem for SMB, because the big IPS blade is too expensive. And our customer needs at first only the IPS function, without modifying his existing firewall deployment.
