https://community.cisco.com/t5/network-security/ips-design/m-p/981951#M79588 <P>Hi,</P><P></P><P>We are desinging a new network. In this network we placed 2 cisco asa 5510 as first line of defense firewalls. </P><P></P><P>My question is, i received a request to place an ips in this design. Is it advisable to place an AIM in the cisco 5510 or do i need an new asa 5510 with aim and configure it as an ips device?</P><P></P><P>How do it connect it?</P><P></P><P>Best regards</P><P></P><P>Jorg</P> Sun, 10 Mar 2019 11:10:35 GMT jorg.ramakers 2019-03-10T11:10:35Z https://community.cisco.com/t5/network-security/ips-design/m-p/981951#M79588 <P>Hi,</P><P></P><P>We are desinging a new network. In this network we placed 2 cisco asa 5510 as first line of defense firewalls. </P><P></P><P>My question is, i received a request to place an ips in this design. Is it advisable to place an AIM in the cisco 5510 or do i need an new asa 5510 with aim and configure it as an ips device?</P><P></P><P>How do it connect it?</P><P></P><P>Best regards</P><P></P><P>Jorg</P> Sun, 10 Mar 2019 11:10:35 GMT https://community.cisco.com/t5/network-security/ips-design/m-p/981951#M79588 jorg.ramakers 2019-03-10T11:10:35Z https://community.cisco.com/t5/network-security/ips-design/m-p/981952#M79589 <HTML><HEAD></HEAD><BODY><P>I don't see a need to get a third asa with the module. If I am correct, the modules for ASA give you a choice of what kind of extra functionality you want out of that device. Just like a router.</P><P></P><P>You will connect to the ASA as you normally would and manage the IPS within it. If you are using ADM it should show up as another configuration optioin.</P></BODY></HTML> Wed, 02 Jul 2008 13:15:30 GMT https://community.cisco.com/t5/network-security/ips-design/m-p/981952#M79589 ben.gordon 2008-07-02T13:15:30Z https://community.cisco.com/t5/network-security/ips-design/m-p/981953#M79590 <HTML><HEAD></HEAD><BODY><P>That is correct. If i'm using the modules for the ASA it is impossible to configure it as an inband device only out of band, or not?</P><P></P><P>What are the major (dis)advantages for inband or out of band?</P><P></P><P>Best regards</P><P></P><P>Jorg</P></BODY></HTML> Wed, 02 Jul 2008 13:25:22 GMT https://community.cisco.com/t5/network-security/ips-design/m-p/981953#M79590 jorg.ramakers 2008-07-02T13:25:22Z https://community.cisco.com/t5/network-security/ips-design/m-p/981954#M79591 <HTML><HEAD></HEAD><BODY><P>Jorg -</P><P></P><P>The AIP-SSM module can be either placed in-line (all the ASA traffic has to pass thought it) or in promiscuous mode (when it only sniffs the traffic and can perfrom shuns not drops). The disadvantage of placing your AIP-SSM module in line is that any sensor issue becomes service effecting. The disadvantage of placing it in promiscuous mode is that you can't drop single packet attacks.</P></BODY></HTML> Wed, 02 Jul 2008 14:50:37 GMT https://community.cisco.com/t5/network-security/ips-design/m-p/981954#M79591 rhermes 2008-07-02T14:50:37Z https://community.cisco.com/t5/network-security/ips-design/m-p/981955#M79592 <HTML><HEAD></HEAD><BODY><P>Hi Jorg,</P><P></P><P>I would advise to use another vendor for the IPS piece. Depending on environment you might want to put the NIP's in front of or in back of your firewalls.</P><P></P><P>Cisco rules the switch and router world.</P><P>They do an okay job with their firewalls.</P><P>But need some work in the IPS world.</P><P></P><P>My environment has 3-5 firewall vendors and 2-3 IPS vendors. Strength in layers</P></BODY></HTML> Fri, 11 Jul 2008 14:17:10 GMT https://community.cisco.com/t5/network-security/ips-design/m-p/981955#M79592 TradeSecrets 2008-07-11T14:17:10Z