Cisco IPS 4240 vs ASA 5510 with AIP-SSM-10

Unanswered Question
May 31st, 2010

Hi

I'm looking at implementing an IPS for our Internet Edge networks and have been doing some reading up on the Cisco IPS and ASA ranges. I'm a bit confused about the capabilities of the various units and would appreciate some guidance. Our network infrastructure comprises a 10Mbit Internet link and a 4Mbit WAN (MPLS) link.

The lowest specification IPS appears to be the IPS4240 (ignoring the 4215 which is now marked end-of-life). The 4240 documentation states it can process 250Mbps of traffic and supports 4 interfaces. Am I right in thinking that this one device can therefore be simultaneously connected to multiple subnets (e.g., the DMZ and internal LAN at the same time)?

Is the ASA with an AIP-SSM-10 module able to monitor several interfaces in the same way? I'm aware the AIP-SSM-10 can only handle 150Mbps, but given my requirements, I'm assuming this can do the job. If so, can I use the ASA as an external firewall with interfaces to the WAN, DMZ and LAN and have the AIP-SSM-10 provide intrusion protection for all three interfaces?

The IPS 4240 is significantly more expensive than an ASA5510 with AIP-SSM-10 module. Apart from the higher throughput, does it have additional functionality beyond that provided with the ASA/AIP-SSM-10?

Thanks for any advice!

JR

terrygwazdosky Mon, 05/31/2010 - 04:35

The AIP-SSM can monitor some or all traffic that enters the ASA via use of modular policy framework.  If you aren't sure if 150Mbps is enough the 5510 also supports the AIP-SSM20 which is rated at 300 Mbps and would give you some room to grow (see http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html).

The software and signatures that run on the AIP-SSM are the same as those used on the IDS/IPS 4000 series.  The 4240 is more versatile in that it has more interfaces and can monitor traffic that isn't going through the ASA.  If that isn't a concern then I'd save the money and go with the AIP-SSM module.
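
The modular policy framework selection mentioned in the reply above, sketched as an ASA configuration. This is an added example, not part of the original post; the object names, the `outside` interface name and the 192.0.2.0/24 DMZ subnet are assumed placeholders.

```cisco
! Constructed example: IPS-DMZ-ACL, IPS-DMZ-CLASS, IPS-POLICY and the
! 192.0.2.0/24 DMZ subnet are placeholders, not values from the thread.

! 1. Select the traffic to inspect: here, only flows towards the DMZ servers.
access-list IPS-DMZ-ACL extended permit ip any 192.0.2.0 255.255.255.0

! 2. Bind the ACL to a class map.
class-map IPS-DMZ-CLASS
 match access-list IPS-DMZ-ACL

! 3. Divert matching traffic to the AIP-SSM.
!    inline      = module sits in the forwarding path and can drop packets
!    promiscuous = module receives a copy and is not in the forwarding path
!    fail-open   = matching traffic keeps flowing if the module is down
!    fail-close  = matching traffic is dropped if the module is down
policy-map IPS-POLICY
 class IPS-DMZ-CLASS
  ips inline fail-open

! 4. Apply the policy on the interface where the traffic enters the ASA.
service-policy IPS-POLICY interface outside

! Alternative: inspect all traffic on every interface by matching any
! and attaching the class to the global policy instead.
! class-map IPS-ALL-CLASS
!  match any
! policy-map global_policy
!  class IPS-ALL-CLASS
!   ips inline fail-open
! service-policy global_policy global
```

Traffic that does not match a class with an `ips` action bypasses the module entirely, so the ACL decides both what is inspected and how much of the module's rated throughput is consumed.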
