I just installed an AIP-SSM module in our ASA 5520 firewall (protecting a school district). I successfully configured it to scan all traffic sent both directions with the following config:
access-list IPS extended permit ip any any
match access-list IPS
ips inline fail-open
no service-policy global_policy global
service-policy ips-policy global
I also configured it to Deny Attacker Inline when RR=75-100. Figured that was a simple configuration to get things started. However, we noticed that some websites were running very slowly after I implemented these settings. What is causing this?
I guess the other option would be to reconfigure to only scan incoming traffic initiated from the outside to help protect the district from incoming attacks. But I thought it would be more responsible of me to configure it to scan both ways to protect external hosts from an attack that a student could initiate from a school computer. Is this really necessary or am I creating headaches for myself?