Cisco Support Community

New Member

pix & IDS, applicationwise

I just wanted to know - where is the basic difference in applicability of PIX and IDS? Can I replace IDS with a PIX? My question is simple: where specifically do we need PIX and where IDS?


Re: pix & IDS, applicationwise

I recommend checking out the SAFE blueprint:

An IDS is traditionally known as a "sensor", indicating a basically passive device other than its shunning features, etc. The PIX is a firewall that sits in the packet stream and forwards/denies packets according to configured policies.

HTH pls rate!

Cisco Employee

Re: pix & IDS, applicationwise

The PIX Firewall Appliance and a Cisco IPS Appliance are complementary products.

The Firewall prevents and allows traffic based on policy, such as allowing outbound HTTP connections but not allowing inbound HTTP connections.

The IPS, on the other hand, looks for attacks. When run in inline mode it can specifically deny those attacks. When run in promiscuous mode it will generate an alert warning the user of the attacks.

In general the Firewall and the IPS are deployed together. The Firewall does the majority of the standard policy enforcement of only allowing in/out traffic that the user specifically wants to allow. The IPS is then used to analyze that traffic being allowed by the firewall, looking for attacks within that traffic being allowed.

This has become such a common deployment method that Cisco developed the Adaptive Security Appliance (ASA).

The ASA Appliance is in effect the next generation of the PIX. But unlike the PIX, which is specifically a firewall, the ASA can be expanded for other security services such as VPN. Because Firewall and IPS technologies are so complementary, the ASA was built to support a Security Service Module (SSM) that runs IPS software. The AIP-SSM is the SSM hardware module running IPS software within the ASA chassis. This combination of an ASA chassis with AIP-SSM has become a top selling combination. The ASA main card does the firewalling and VPN and is able to pass the packets through the chassis backplane to the AIP-SSM module for IPS analysis. So both firewalling and IPS get done within the same box.

It is getting to the point now where the only reason not to deploy both a firewall and IPS (either as 2 appliances, or together in the ASA) is cost.

If cost is the issue, then the question becomes the location on the network.

If it is your external connection to the internet, then the firewall would probably be your first choice. You can configure the firewall to completely block all connections originating from the Internet.

If it is your internal network (like between the desktop network and your data center), then many users tend to choose an IPS rather than a firewall. The concern is more on attacks against the servers over connections that a firewall would have been configured to allow anyway.

If you want a comparison then think about the security line at the airport.

The firewall is like the guy checking to make sure you have a ticket before letting you go through.

The IPS is like the guy behind the X-Ray machine looking for suspicious items being carried in by the people who do have tickets.

Both jobs need to be done to ensure the best security.
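The division of labour described in the answer above (firewall enforces who may talk to whom; IPS inspects the content of the connections the firewall already let through, alerting in promiscuous mode and dropping in inline mode) can be modelled in a few dozen lines. The following is an added illustration, not code from the thread or from any Cisco product: the `Firewall`, `IPS` and `Packet` classes, the 10.0.0.0/8 "inside" network, the sample addresses and the single directory-traversal signature are all constructed for the example, and the stateful tracking is deliberately simplified to host pairs (no port or sequence tracking).

```python
"""Toy model of a firewall and an IPS working together (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
import re

# Constructed: the protected internal network for this example.
INSIDE = ip_network("10.0.0.0/8")

# Constructed: one IPS signature, a classic directory-traversal pattern.
SIGNATURES = {"HTTP-DIR-TRAVERSAL": re.compile(rb"\.\./")}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str            # "SYN" opens a connection, anything else continues one
    payload: bytes = b""


@dataclass
class Firewall:
    """Policy enforcement: inside hosts may open HTTP (tcp/80) to the outside;
    nothing originating on the outside may open a connection inwards."""
    conns: set = field(default_factory=set)   # (inside_host, outside_host) pairs

    def allow(self, pkt: Packet) -> bool:
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        if pkt.flags == "SYN":
            if src in INSIDE and dst not in INSIDE and pkt.dport == 80:
                self.conns.add((pkt.src, pkt.dst))   # remember the outbound flow
                return True
            return False            # Internet-originated connection: blocked
        # Continuation traffic passes only if it belongs to a tracked outbound flow,
        # in either direction (return packets from the server come back inwards).
        return (pkt.src, pkt.dst) in self.conns or (pkt.dst, pkt.src) in self.conns


@dataclass
class IPS:
    """Content inspection of traffic the firewall has already allowed.
    mode="promiscuous": alert only; mode="inline": alert and drop."""
    mode: str
    alerts: list = field(default_factory=list)

    def inspect(self, pkt: Packet) -> bool:
        """Return True if the packet may continue."""
        for name, sig in SIGNATURES.items():
            if sig.search(pkt.payload):
                self.alerts.append((name, pkt.src, pkt.dst))
                return self.mode != "inline"    # promiscuous: copy only, cannot drop
        return True


def process(fw: Firewall, ips: IPS, packets: list) -> list:
    """Firewall first, then IPS on whatever the firewall passed; one verdict each."""
    verdicts = []
    for p in packets:
        if not fw.allow(p):
            verdicts.append("fw-deny")
        elif not ips.inspect(p):
            verdicts.append("ips-drop")
        else:
            verdicts.append("pass")
    return verdicts


def run_demo(mode: str):
    """Run four constructed packets through the pair; returns (verdicts, alert names)."""
    fw, ips = Firewall(), IPS(mode=mode)
    packets = [
        # 1: inside host opens HTTP to an outside server -> policy allows
        Packet("10.1.1.5", "203.0.113.10", 80, "SYN"),
        # 2: the server's reply belongs to that flow -> allowed back in
        Packet("203.0.113.10", "10.1.1.5", 49152, "ACK", b"HTTP/1.1 200 OK\r\n"),
        # 3: an outside host tries to open HTTP inwards -> firewall blocks it
        Packet("198.51.100.7", "10.1.1.5", 80, "SYN"),
        # 4: allowed flow, but the request body matches the IPS signature
        Packet("10.1.1.5", "203.0.113.10", 80, "ACK",
               b"GET /../../restricted HTTP/1.1\r\n"),
    ]
    return process(fw, ips, packets), [a[0] for a in ips.alerts]


if __name__ == "__main__":
    for mode in ("promiscuous", "inline"):
        print(mode, run_demo(mode))
```

Packet 3 never reaches the IPS: the firewall's policy decides it on addresses and ports alone, which is the "ticket check" in the airport analogy. Packet 4 is exactly the case the answer describes, a connection the firewall was configured to allow anyway; only inspection of its content catches it, and whether that produces an alert or a drop depends on the sensor's mode.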