AIP-20 vs 4255 - Recommended Solution?

Answered Question
Jul 25th, 2010

Hello experts,


We have a 5510 ASA pair (Active/Standby) at the perimeter. For implementing an IPS solution, wondering if the 4255 is recommended or whether AIP-20 SSM modules in the ASA 5510 would be our better bet. Future internet growth tops 200Meg (dual 100Meg pipes).


TIA

MS

rhermes Mon, 07/26/2010 - 10:03

It depends on a few things.

Do you want to do in-line IPS or promiscuous mode IDS?

What is the expected traffic volume to be passing through these sensors?


What you want to be careful about is placing a single sensor in-line with dual firewalls. This thread explains why:

https://supportforums.cisco.com/thread/2032810?tstart=0


The 4255 has twice the processing power of the AIP-SSM20, meaning it can handle twice the traffic. If you are doing promiscuous mode detection, a single sensor will be easier to maintain.


- Bob

mvsheik123 Mon, 07/26/2010 - 10:43

Hi Bob,


Thanks for taking my query again. The other thread was when I thought of adding a 4255, but later a few Cisco techs mentioned it would be better to go with the AIP module, hence the new thread ;-).


We want to start in promiscuous mode (that way we can understand/study the traffic), then move to in-line. Do the AIPs support this approach?


If I finally decide on the 4255, then I may end up buying 2 (if placed in-line).


After all the user traffic is rerouted to a single location, anticipated usage is 50-60Meg. Also, we may have up to 200 Meg internet (2x100).


TIA

MS

rhermes Mon, 07/26/2010 - 13:26

Yes, the AIP-SSM modules support both in-line IPS and promiscuous mode IDS.


- Bob

mvsheik123 Mon, 07/26/2010 - 13:59

Thanks again Bob. Also, the port on the AIP modules: is this purely for management, or is it a gig (10/100/1000) port that can be used as an additional port on the ASA (ex: DMZ2 etc.)?



Thanks

MS

Correct Answer
rhermes Mon, 07/26/2010 - 14:10

The Ethernet interface on the AIP-SSM modules can only be used for management interface access.

The internal access via the ASA does not allow for web GUI access or event flows, only CLI access.


- Bob
