An IDS is traditionally known as a "sensor" indicating a basically passive device other than its shunning features, etc. The PIX is a firewall that sits in the packet stream and forwards/denys packets according to configured policies.
The Pix Firewall Appliance, and a Cisco IPS Appliance are complimentary products.
The Firewall prevents and allows traffic based on policy. Such as allowing outbound HTTP connections, but not allowing inbound HTTP connections.
The IPS, on the other hand, looks for attacks. When run in inline mode it can specifically deny those attacks. When run in promiscuous mode it will generate an alert warning the user of the attacks.
In general the Firewall and the IPS are deployed together. The Firewall does the majority of the standard policy enforcement of only allowing in/out traffic that the user specifically wants to allow. the IPS is then used to analyze that traffic being allowed by the firewall looking for attacks within that traffic being allowed.
This has become such a common deployment method that Cisco developed the Adaptive Security Appliance (ASA).
The ASA Appliance is in effect the next generation of the PIX. But unlike the Pix that is specifically a firewall, the ASA can be expanded for other security services such as VPN. Because Firewall and IPS technologies are so complimentary the ASA was built to support a Security Service Module (SSM) that runs IPS software. The AIP-SSM is the SSM hardware module running IPS software within the ASA chassis. This combination of an ASA chassis with AIP-SSM has become a top selling combination. The ASA main card does the firewalling and VPN and is able to pass the packets through the chassis backplane to the AIP-SSM module for IPS analysis. So both firewalling and IPS get done within the same box.
It is getting to the point now where the only reason not to deploy both a firewall and IPS (either as 2 appliances, or together in the ASA) is cost.
If cost is the issue, then the question becomes the location on the network.
If it is your external connection to the internet, then the firewall would probably be your first choice. You can configure the firewall to completely block all connections originating from the Internet.
If it is your internal network (like between the desktop network and your data center), then many users tend to choose an IPS rather than a firewall. The concern is more on attacks against the servers over connections that a firewall would have been configured to allow anyway.
If you want a comparison then think about the security line at the airport.
The firewall is like the guy checking to make sure you have a ticket before letting you go through.
The IPS is like the guy behind the X-Ray machine looking for suspicious items being carried in by the people who do have tickets.
Both jobs need to be done to ensure the best security.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...