07-02-2008 02:02 AM - edited 03-10-2019 04:10 AM
Hi,
We are designing a new network. In this network we placed 2 Cisco ASA 5510 as first line of defense firewalls.
My question is, I received a request to place an IPS in this design. Is it advisable to place an AIM in the Cisco 5510, or do I need a new ASA 5510 with AIM and configure it as an IPS device?
How do I connect it?
Best regards
Jorg
07-02-2008 06:15 AM
I don't see a need to get a third asa with the module. If I am correct, the modules for ASA give you a choice of what kind of extra functionality you want out of that device. Just like a router.
You will connect to the ASA as you normally would and manage the IPS within it. If you are using ADM it should show up as another configuration option.
07-02-2008 06:25 AM
That is correct. If I'm using the modules for the ASA, is it impossible to configure it as an inband device, only out of band, or not?
What are the major (dis)advantages for inband or out of band?
Best regards
Jorg
07-02-2008 07:50 AM
Jorg -
The AIP-SSM module can be either placed in-line (all the ASA traffic has to pass through it) or in promiscuous mode (when it only sniffs the traffic and can perform shuns, not drops). The disadvantage of placing your AIP-SSM module in-line is that any sensor issue becomes service affecting. The disadvantage of placing it in promiscuous mode is that you can't drop single-packet attacks.
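The ASA side of the two deployment choices described above, as an added example (not part of the original reply): traffic is steered to the AIP-SSM module by a Modular Policy Framework service policy, and the mode keyword picks inline or promiscuous. The class-map name `ips-traffic` and the `match any` scope are assumptions for illustration; the `fail-open` / `fail-close` keyword is what decides whether a sensor failure in inline mode becomes service affecting (fail-open passes traffic uninspected while the module is down, fail-close blocks it).

```text
! Added example, not from the original thread. Class-map name is illustrative.
! Select the traffic to send to the sensor (here: everything).
class-map ips-traffic
 match any
!
! Inline mode: packets traverse the module and can be dropped.
! "fail-open" keeps traffic flowing if the module is down or not responding;
! "fail-close" would block that traffic instead (stricter, but outage-prone).
policy-map global_policy
 class ips-traffic
  ips inline fail-open
!
! Promiscuous alternative: the module only receives a copy of the traffic,
! so it can alarm and shun, but cannot drop the offending packet itself.
!  ips promiscuous fail-open
!
service-policy global_policy global
!
! Verify module state (Up/Unresponsive) and which mode the policy applied:
! show module 1
! show service-policy global
```

Pick one `ips` line per class; the commented promiscuous line is shown only to contrast with the inline one. Monitoring `show module 1` for an unresponsive state is worth automating, because with `fail-open` the firewall silently stops inspecting when the sensor is down.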
07-11-2008 07:17 AM
Hi Jorg,
I would advise using another vendor for the IPS piece. Depending on the environment, you might want to put the NIPs in front of or behind your firewalls.
Cisco rules the switch and router world.
They do an okay job with their firewalls.
But need some work in the IPS world.
My environment has 3-5 firewall vendors and 2-3 IPS vendors. Strength in layers.