Are the content filtering & application inspection some of the IPS functions?

May 9th, 2010

Dear experts,

Are the content filtering & application inspection some of the IPS functions?

In other words, what are the differences between the functions of the IPS and the content filtering?

Also, the differences between the functions of the IPS and application inspection?

Because when I've read these topics, I get confused by the differences between the IPS and both of the others...

Thanks for your reply,

makar

Jennifer Halim Sun, 05/09/2010 - 16:06

Assuming that you are looking for the difference between the CSC (Content Security) module and the AIP module (IPS module) on ASA, here is the difference:


CSC module:

- More or less like an Anti Virus/Anti Spyware module.

- Instead of software installed on your hosts, it's an antivirus network module that sits in your network.

- It only supports the inspection of the following protocols: SMTP, POP3, FTP and HTTP

- It can scan, filter, and block the above protocols as they traverse your network.

- Here is a more detailed explanation of the CSC module for your reference:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/ps6823/product_data_sheet0900aecd80402e4f_ps6120_Products_Data_Sheet.html


AIP module:

- It's just like a normal IPS device - signature based, with thousands of signatures prebuilt into the device.

- It is not limited to the above 4 protocols. It supports detection and prevention for many more protocols.

- It protects against worms, trojans, viruses, distributed denial of service attacks, reconnaissance, and attacks against operating system and application vulnerabilities.

- It can be configured either in promiscuous mode or inline mode.

- Here is a more detailed explanation of the AIP module for your reference:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/ps6825/product_data_sheet0900aecd80404916_ps6120_Products_Data_Sheet.html


Hope that helps.

Jennifer Halim Sun, 05/09/2010 - 16:12

With application inspection on ASA firewall, it is more to inspect complex protocols and dynamically allow or dynamically inspect deep into the packet and modify the packet if necessary.


For example:

- FTP inspection: on the access-list, you would need to allow the FTP control connection (i.e. TCP/21), and FTP data will automatically be opened once the firewall inspects deep down into the FTP control session and checks which FTP data port the client and server negotiated.


Here is a more detailed explanation of the ASA inspection engine and its functions:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_overview.html
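
The FTP case described in the reply above, as an added sketch that is not part of the original posts and is not Cisco's implementation: it reads an FTP control session, extracts the data endpoint negotiated in `PORT` commands and `227` passive replies (RFC 959 format), and returns the temporary data-connection openings an inspecting firewall would derive. The function names, the transcript, the addresses and the two validation rules are assumptions made for this example.

```python
import re

# RFC 959 address form h1,h2,h3,h4,p1,p2 where port = p1*256 + p2.
_TUPLE = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT " + _TUPLE + r"\s*$", re.I)  # active mode, from client
PASV_RE = re.compile(r"^227 .*?\(?" + _TUPLE)             # passive reply, from server


def _endpoint(groups):
    """Turn the six decimal fields into (ip, port); None if a field exceeds 255."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def pinholes(control_lines, client_ip, server_ip):
    """Return (src_ip, dst_ip, dst_port) data connections to permit temporarily."""
    allowed = []
    for sender, line in control_lines:
        if sender == "client":
            match, src, owner = PORT_RE.match(line), server_ip, client_ip
        else:
            match, src, owner = PASV_RE.match(line), client_ip, server_ip
        endpoint = _endpoint(match.groups()) if match else None
        if endpoint is None:
            continue
        ip, port = endpoint
        # Choice made for this example: ignore an advertised address that is not
        # the sender's own, and ignore privileged ports.
        if ip != owner or port < 1024:
            continue
        allowed.append((src, ip, port))
    return allowed


# Constructed control-channel transcript (documentation addresses, not real traffic).
SAMPLE = [
    ("client", "USER anonymous"),
    ("server", "331 Please specify the password."),
    ("client", "PORT 192,0,2,10,195,80"),
    ("server", "200 PORT command successful."),
    ("server", "227 Entering Passive Mode (198,51,100,5,234,96)"),
    ("client", "PORT 203,0,113,9,0,22"),
]

if __name__ == "__main__":
    for rule in pinholes(SAMPLE, "192.0.2.10", "198.51.100.5"):
        print("permit tcp %s -> %s:%d" % rule)
```

Only the control connection needs a static access-list entry; the two data openings come from the session content, and the last `PORT` line is dropped by the example's validation rules.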
