An IPS has all the detection features of a good IDS, but it can also stop malicious traffic from entering the enterprise network. Unlike an IDS, an IPS sits inline with the traffic flows on a network, actively shutting down attempted attacks as they are sent over the wire. It can stop an attack by terminating the network connection or user session that originates it, by blocking access to the target from the user account, IP address, or other attribute associated with the attacker, or by blocking all access to the targeted host, service, or application.
An IPS can also respond to a detected threat in two other ways. It can reconfigure other security controls, such as a firewall or router, to block the attack; some IPS products can even cause patches to be applied to a host that the IPS detects is vulnerable. In addition, some IPS products can remove the malicious content of an attack so that the remaining traffic is benign, for example by deleting an infected attachment from an email before forwarding the email to the user.
The Cisco ASA 5500 series adaptive security appliance supports a variety of Security Service Modules (SSMs).
This documentation provides information on how to configure the Advanced Inspection and Prevention Security Services Module (AIP SSM) in the Inline and Promiscuous modes.
The ASA 5500 series adaptive security appliance supports the AIP SSM, which runs advanced IPS software that provides further security inspection.
The AIP SSM can operate in one of two modes:
Inline mode: This mode places the AIP SSM directly in the traffic flow. Traffic must first pass through and be inspected by the AIP SSM before it can continue through the adaptive security appliance.
This mode is the most secure because every packet is analyzed before it is allowed through, and the AIP SSM can enforce a blocking policy on a packet-by-packet basis. However, this mode can reduce throughput. Use the inline keyword of the ips command in order to specify this mode.
Promiscuous mode: In this mode, a copy of the traffic is sent to the AIP SSM while the original traffic continues through the adaptive security appliance. This mode is less secure. An SSM operating in promiscuous mode blocks traffic by instructing the adaptive security appliance to shun the source or to reset the connection.
Also, while the AIP SSM analyzes the traffic, a small amount of traffic may pass through the adaptive security appliance before the AIP SSM can block it. Use the promiscuous keyword of the ips command in order to specify this mode.
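The following adaptive security appliance configuration is added here as a worked example; it is not taken from the Cisco documentation. It shows how the two modes described above are selected with the ips command inside a Modular Policy Framework policy map, how the fail-close and fail-open keywords decide what happens when the SSM itself fails, and how the shun action that a promiscuous-mode SSM requests looks when issued from the ASA CLI. The class-map and policy-map names and the 192.0.2.10 address are assumptions chosen for illustration.

```cisco
! Added example (not from the Cisco documentation): assumed class-map and
! policy-map names; 192.0.2.10 is an RFC 5737 documentation address.

! Match all traffic so that everything is handed to the AIP SSM.
class-map IPS_TRAFFIC
 match any

! Inline mode: every packet is inspected by the SSM before the ASA forwards it.
! fail-close drops traffic if the SSM is down or not responding. This is the
! secure choice, but it turns an SSM failure into an outage, so pair it with
! monitoring of the module state.
policy-map global_policy
 class IPS_TRAFFIC
  ips inline fail-close

! Promiscuous alternative: the ASA forwards the original packets and sends the
! SSM a copy. fail-open keeps traffic flowing if the SSM fails, which is the
! usual pairing because the SSM is not in the forwarding path anyway.
!  ips promiscuous fail-open

! Apply the policy to all interfaces.
service-policy global_policy global

! Verification: confirm the SSM is up and that the ips action is attached.
show module 1 details
show service-policy ips

! In promiscuous mode the SSM blocks by asking the ASA to shun the attacker.
! The same block can be placed, listed, and cleared by hand from the ASA CLI:
shun 192.0.2.10
show shun
no shun 192.0.2.10
```

The practical trade-off to check before choosing a mode is the fail keyword rather than the mode itself: inline fail-open silently removes inspection when the module fails, while inline fail-close makes the SSM a single point of failure for the whole data path.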