Firewall, IPS and MARS

Unanswered Question
Kevin Redmon Tue, 07/13/2010 - 06:25


These three devices actually serve totally different functions.  The firewall is meant to block traffic due to access-lists (implicit or explicit) while also providing NAT and other policy enforcement.  With the ASA, this firewall will also open any secondary ports for relevant protocols (ie H323, FTP, SIP, SCCP, etc).  The IPS is optimized to characterize the traffic contents in attempts to detect malicious attacks.  For instance, the IPS is optimized to detect some virii, trojan horses, and other malicious traffic patterns based on packet-level inspection.  The MARS device helps to correlate the various security events across the network to glean whether or not an attack is in progress.  This can be most effective if a single host/subnet is causing security events on different devices at the same time.

All three of these tools, when used correctly, can contribute equally to the security of your network.

Let me know if this answers your question!

Best Regards,


This does help. I am new to the organization that I work for and security equipment is not my strong area, so I have alot to learn. These 3 pieces have already been configured here by someone else. I'm not sure if they are all configured correctly or not, and that person is no longer here. I see the benefit of the ASA and the IPS, however the MARS is a little more unfriendly in terms of deciphering the events.

When I first started looking at the different products, it seemed like the ASA and IPS were doing similar things, and I thought that the ASA 5510 had an IPS built into it?

My manager was just curious if all three products were needed.


Kevin Redmon Tue, 07/13/2010 - 07:02


The ASA 5510 and ASA 5520 can have an IPS module built into it.  Depending on your network topology and Security policy, you may choose to have both an IPS and/or IDS at different points in your network - giving you one more opportunity to mitigate any attacks whether they are internal to your network or external.  Also, if you are needing to process more data than is supported by the AIP (the IPS module that is available for the ASA), a standalone device may prove useful.

If you need additional assistance in configuring MARS device and understanding event correlation, please feel free to open a Service Request with our Network Management TAC team.

Best Regards,


Panos Kampanakis Tue, 07/13/2010 - 06:39

The ASA will do your basic firewalling.

The IPS will be checking for attacks, virus patterns and other signatures.

MARS is a tool that collects syslogs from all devices and puts them together and can give you reports.

If you ask me the first two are more essential than then 3rd, even though the 3rd can be very useful at times.

I hope it helps.



This Discussion