Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
403
Views
0
Helpful
2
Replies

pix & IDS, applicationwise

himulalax
Level 1
Level 1

‎10-10-2006 09:01 AM - edited ‎03-10-2019 03:16 AM

I just wanted to know - where is the basic difference in applicability of PIX and IDS? can I replace IDS with a PIX? my question is simple, where specifically we need PIX and where IDS?

Labels:
0 Helpful
2 Replies 2

mmorris11
Level 4
Level 4

‎10-10-2006 09:42 AM

I recommend checking out the safe blueprint:

http://www.cisco.com/go/safe

An IDS is traditionally known as a "sensor" indicating a basically passive device other than its shunning features, etc. The PIX is a firewall that sits in the packet stream and forwards/denys packets according to configured policies.

HTH pls rate!

0 Helpful

marcabal
Cisco Employee
Cisco Employee

‎10-10-2006 12:02 PM

The Pix Firewall Appliance, and a Cisco IPS Appliance are complimentary products.

The Firewall prevents and allows traffic based on policy. Such as allowing outbound HTTP connections, but not allowing inbound HTTP connections.

The IPS, on the other hand, looks for attacks. When run in inline mode it can specifically deny those attacks. When run in promiscuous mode it will generate an alert warning the user of the attacks.

In general the Firewall and the IPS are deployed together. The Firewall does the majority of the standard policy enforcement of only allowing in/out traffic that the user specifically wants to allow. the IPS is then used to analyze that traffic being allowed by the firewall looking for attacks within that traffic being allowed.

This has become such a common deployment method that Cisco developed the Adaptive Security Appliance (ASA).

The ASA Appliance is in effect the next generation of the PIX. But unlike the Pix that is specifically a firewall, the ASA can be expanded for other security services such as VPN. Because Firewall and IPS technologies are so complimentary the ASA was built to support a Security Service Module (SSM) that runs IPS software. The AIP-SSM is the SSM hardware module running IPS software within the ASA chassis. This combination of an ASA chassis with AIP-SSM has become a top selling combination. The ASA main card does the firewalling and VPN and is able to pass the packets through the chassis backplane to the AIP-SSM module for IPS analysis. So both firewalling and IPS get done within the same box.

It is getting to the point now where the only reason not to deploy both a firewall and IPS (either as 2 appliances, or together in the ASA) is cost.

If cost is the issue, then the question becomes the location on the network.

If it is your external connection to the internet, then the firewall would probably be your first choice. You can configure the firewall to completely block all connections originating from the Internet.

If it is your internal network (like between the desktop network and your data center), then many users tend to choose an IPS rather than a firewall. The concern is more on attacks against the servers over connections that a firewall would have been configured to allow anyway.

If you want a comparison then think about the security line at the airport.

The firewall is like the guy checking to make sure you have a ticket before letting you go through.

The IPS is like the guy behind the X-Ray machine looking for suspicious items being carried in by the people who do have tickets.

Both jobs need to be done to ensure the best security.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card