I have two IPS 4240s that may be placed between our internal network and our extranet firewall. The firewall set is your standard ASA-5520 active/failover pair connected to two switches.
Q1 - If I am not worried about atomic attacks, is there any other benefit to having the IPS inline over promiscuous?
Q2 - Whether inline or promiscuous, is it necessary to connect the single IPS to both switches in order to receive packets when an ASA failover occurs? If so, is it done physically or via RSPAN?
Q3 - If the IPS fails and it is configured inline, do the interfaces fail open (traffic continues to pass) or closed (traffic is dropped)? I could not find that on Cisco's site.
In promiscuous mode you can use one 4240 and span the output of each switch into two sensing interfaces of the 4240 (it has four available). A single 4240 should even be able to put together TCP sessions that span both rails, as in the instance of a failover.