These three devices actually serve totally different functions. The firewall is meant to block traffic due to access-lists (implicit or explicit) while also providing NAT and other policy enforcement. With the ASA, this firewall will also open any secondary ports for relevant protocols (i.e., H323, FTP, SIP, SCCP, etc.). The IPS is optimized to characterize the traffic contents in attempts to detect malicious attacks. For instance, the IPS is optimized to detect some viruses, trojan horses, and other malicious traffic patterns based on packet-level inspection. The MARS device helps to correlate the various security events across the network to glean whether or not an attack is in progress. This can be most effective if a single host/subnet is causing security events on different devices at the same time.
All three of these tools, when used correctly, can contribute equally to the security of your network.
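The cross-device correlation idea from the reply above, sketched as an added example (not part of the original thread and not how MARS is implemented): it flags any source address that raises events on two or more distinct devices within a short time window. The device names, event tuples and the `correlate` function are hypothetical, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (device, timestamp, source IP, summary); not real logs.
EVENTS = [
    ("asa-fw", "2024-01-10T10:00:05", "10.1.1.50", "ACL deny tcp/445"),
    ("ips-1", "2024-01-10T10:00:40", "10.1.1.50", "signature: SMB exploit attempt"),
    ("asa-fw", "2024-01-10T10:01:10", "10.1.1.50", "ACL deny tcp/139"),
    ("asa-fw", "2024-01-10T10:02:00", "10.2.2.7", "ACL deny udp/53"),
    ("ips-1", "2024-01-10T11:30:00", "10.2.2.7", "signature: DNS anomaly"),
    ("ips-1", "2024-01-10T10:03:00", "10.3.3.9", "signature: port sweep"),
]


def correlate(events, window=timedelta(minutes=5), min_devices=2):
    """Return {source_ip: sorted device list} for sources that raised events on
    at least min_devices distinct devices within one sliding time window."""
    by_source = defaultdict(list)
    for device, ts, src, _summary in events:
        by_source[src].append((datetime.fromisoformat(ts), device))

    flagged = {}
    for src, hits in by_source.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Advance the left edge until the span fits inside the window.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            devices = {dev for _, dev in hits[start:end + 1]}
            if len(devices) >= min_devices:
                flagged[src] = sorted(devices)
                break
    return flagged


if __name__ == "__main__":
    for src, devices in correlate(EVENTS).items():
        print(f"{src}: events on {', '.join(devices)} within the window")
```

Events from a single device, or from two devices far apart in time, are not flagged; widening `window` trades fewer misses for more coincidental matches.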
This does help. I am new to the organization that I work for and security equipment is not my strong area, so I have a lot to learn. These 3 pieces have already been configured here by someone else. I'm not sure if they are all configured correctly or not, and that person is no longer here. I see the benefit of the ASA and the IPS, however the MARS is a little more unfriendly in terms of deciphering the events.
When I first started looking at the different products, it seemed like the ASA and IPS were doing similar things, and I thought that the ASA 5510 had an IPS built into it?
My manager was just curious if all three products were needed.
The ASA 5510 and ASA 5520 can have an IPS module built into them. Depending on your network topology and security policy, you may choose to have both an IPS and/or IDS at different points in your network - giving you one more opportunity to mitigate any attacks whether they are internal to your network or external. Also, if you are needing to process more data than is supported by the AIP (the IPS module that is available for the ASA), a standalone device may prove useful.
If you need additional assistance in configuring the MARS device and understanding event correlation, please feel free to open a Service Request with our Network Management TAC team.