topic ASA using only for IPS? in Network Security

ASA using only for IPS?

Volker Janusch — Sun, 10 Mar 2019 10:57:56 GMT

Hi,

it is possible to use the ASA with IPS-Module as sensor only, located with her outside-interface on one mirrored switch-port?

Regards.

Volker

Re: ASA using only for IPS?

marcabal — Thu, 31 Jan 2008 16:13:08 GMT

The outside-interface is for command and control only and can not be used for monitoring.

The SSM is only able to monitor traffic passing through the ASA.

The ASA does not support connecting it's ports to mirrored switch ports either.

The closest you get is to configure the ASA is transparent mode with ACLs on each interface that permit all traffic, and then place the ASA between 2 of your existing devices. And then place a policy on the ASA to copy all packets to the SSM for promiscuous monitoring.

If you have an existing other type of firewall, then you can try placing the transparent ASA between your other firewall and your DMZ switch for example.

All traffic would be passed through the ASA, and be copied to the SSM for promiscuous monitoring.

This mode could best be described as using the ASA as a simulated Tap to send traffic to the SSM.

Re: ASA using only for IPS?

rhermes — Thu, 31 Jan 2008 20:34:02 GMT

This is a very timely question, as Cisco is recommending the ASA-5510 as a replacement for EOL'ed 4215 sensor. I'm terribly disappointed that the ASA can be run in a promiscuous mode (like the 4215) and must be placed in line. Adding another single point of failure only diminishes overall availability and uptime.

There is no advantage to placing a promiscuous mode IDS device in-line.

Re: ASA using only for IPS?

Volker Janusch — Wed, 06 Feb 2008 10:59:41 GMT

Yes, this is the big problem for SMB, because the big IPS-blade is too expansive. And our customer needs at first only the ips-function without the modification of his existing firewall-deployment.