IPS Design

jorg.ramakers · ‎07-02-2008

Hi,

We are desinging a new network. In this network we placed 2 cisco asa 5510 as first line of defense firewalls.

My question is, i received a request to place an ips in this design. Is it advisable to place an AIM in the cisco 5510 or do i need an new asa 5510 with aim and configure it as an ips device?

How do it connect it?

Best regards

Jorg

ben.gordon · ‎07-02-2008

I don't see a need to get a third asa with the module. If I am correct, the modules for ASA give you a choice of what kind of extra functionality you want out of that device. Just like a router.

You will connect to the ASA as you normally would and manage the IPS within it. If you are using ADM it should show up as another configuration optioin.

jorg.ramakers · ‎07-02-2008

That is correct. If i'm using the modules for the ASA it is impossible to configure it as an inband device only out of band, or not?

What are the major (dis)advantages for inband or out of band?

Best regards

Jorg

rhermes · ‎07-02-2008

Jorg -

The AIP-SSM module can be either placed in-line (all the ASA traffic has to pass thought it) or in promiscuous mode (when it only sniffs the traffic and can perfrom shuns not drops). The disadvantage of placing your AIP-SSM module in line is that any sensor issue becomes service effecting. The disadvantage of placing it in promiscuous mode is that you can't drop single packet attacks.

TradeSecrets · ‎07-11-2008

Hi Jorg,

I would advise to use another vendor for the IPS piece. Depending on environment you might want to put the NIP's in front of or in back of your firewalls.

Cisco rules the switch and router world.

They do an okay job with their firewalls.

But need some work in the IPS world.

My environment has 3-5 firewall vendors and 2-3 IPS vendors. Strength in layers