Recommendations for IPS in Medium-Sized LAN?

maifadmin · ‎05-07-2009

I have two ASA-5520's in active/standby mode servicing a 500-node LAN w/ 1 outside interface, 1 inside interface, and 1 DMZ. How best to implement IPS, preferably using integrated modules, and without introducing a single point of failure? Also, what software would I need to install & manage IPS? Can it be managed thru ASDM or is something like Cisco Security Manager (CSM) necessary? TIA!

rhermes · ‎05-08-2009

You don;t mention if you want to do in-line IPS or promiscious mode IDS.

We'll assume you want in-line IPS. You'll need an AIP-SSM module in each ASA5520 chassis. they will operate independantly (unlike the firewalls that maintain state between them), and you'll suffer a little when traffic fails over between active and standby ASAs. The size of the AIP-SSM modules will depend on how much traffic you're pushing thru your firewall interfaces that require inspection, including your DMZs. Don't believe the Cisco performance numbers. Since you only have two IPS sensors I wouldn't reccomend CSM. use the CLI, build in GUI or the free up-to-5-sensor management application.

maifadmin · ‎05-08-2009

Yes, we want to do in-line IPS. Thanks for the fast response!