Cisco Support Community

New Member

IPS Design

Hi,

We are designing a new network. In this network we placed 2 Cisco ASA 5510 as first line of defense firewalls.

My question is, I received a request to place an IPS in this design. Is it advisable to place an AIM in the Cisco 5510 or do I need a new ASA 5510 with AIM and configure it as an IPS device?

How do I connect it?

Best regards

Jorg

4 REPLIES
New Member

Re: IPS Design

I don't see a need to get a third ASA with the module. If I am correct, the modules for ASA give you a choice of what kind of extra functionality you want out of that device. Just like a router.

You will connect to the ASA as you normally would and manage the IPS within it. If you are using ADM it should show up as another configuration option.

New Member

Re: IPS Design

That is correct. If I'm using the modules for the ASA it is impossible to configure it as an inband device, only out of band, or not?

What are the major (dis)advantages for inband or out of band?

Best regards

Jorg

Gold

Re: IPS Design

Jorg -

The AIP-SSM module can be either placed in-line (all the ASA traffic has to pass through it) or in promiscuous mode (when it only sniffs the traffic and can perform shuns, not drops). The disadvantage of placing your AIP-SSM module in line is that any sensor issue becomes service affecting. The disadvantage of placing it in promiscuous mode is that you can't drop single packet attacks.
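
The two modes described in the reply above, as an added ASA configuration example that is not part of the original thread. The names IPS-ACL and IPS-TRAFFIC are placeholders, and the `fail-open` / `fail-close` keyword is what decides whether a sensor failure becomes service affecting.

```cisco
! Constructed example: IPS-ACL and IPS-TRAFFIC are placeholder names.
! Select the traffic that the ASA hands to the AIP-SSM.
access-list IPS-ACL extended permit ip any any
!
class-map IPS-TRAFFIC
 match access-list IPS-ACL
!
policy-map global_policy
 class IPS-TRAFFIC
  ! Inline: matched packets pass through the sensor, so it can drop
  ! single-packet attacks. fail-open lets traffic continue uninspected
  ! if the module is down; fail-close blocks the matched traffic instead.
  ips inline fail-open
  !
  ! Promiscuous alternative: the sensor receives a copy of the traffic
  ! and can request shuns but cannot drop the packet it is inspecting.
  ! ips promiscuous fail-open
!
service-policy global_policy global
```

Only one `ips` action applies per class, so choose either the inline or the promiscuous line for a given class-map.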

New Member

Re: IPS Design

Hi Jorg,

I would advise to use another vendor for the IPS piece. Depending on environment you might want to put the NIPS in front of or in back of your firewalls.

Cisco rules the switch and router world.

They do an okay job with their firewalls.

But need some work in the IPS world.

My environment has 3-5 firewall vendors and 2-3 IPS vendors. Strength in layers.
