Does the ASA appliance run just IPS or IDS too?

ciscobloke
Level 1

Hi,

Can someone please confirm if the ASA 5500 series IPS edition appliance also runs IDS? Also does it have major limitations compared to a stand-alone 4200 series IDS?

Thanks in advance.

4 Replies

marcabal
Cisco Employee

The AIP-SSM (IPS running on the SSM module inside an ASA) is capable of doing both inline (IPS) and promiscuous (IDS) monitoring.

When configuring the ASA itself you will create a security policy (usually making changes to your existing policy) and can specify which class of traffic will be monitored inline using the "ips inline fail-open|fail-close" command, and which class of traffic will be monitored promiscuously using the "ips promiscuous fail-open|fail-close" command.

When traffic matches those classes, then the ASA will send the packets to the AIP-SSM with a special header to tell the AIP-SSM whether the packet should be monitored inline or promiscuous.

The IPS running on the AIP-SSM is a fully featured IPS running the same software and using the same upgrades as the IPS Appliances.

The only limitations on the AIP-SSM are that the Normalizer Engine on the AIP-SSM is not used, because those features are already built into the ASA itself and so are not needed on the AIP-SSM, and the Atomic ARP engine is not used, because the ASA itself handles the ARP packets and does not copy them to the AIP-SSM.

marcabal.
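As an added illustration of the ASA-side policy described in the reply above (this is not from the original thread; the ACL and class-map names are made up for the example), here is a Modular Policy Framework configuration that sends one class of traffic to the AIP-SSM inline and everything else promiscuously:

```text
! Added example, not part of the original post. Names are illustrative.
! Traffic to the server subnet is inspected inline (IPS): the AIP-SSM can drop it.
access-list IPS_INLINE_ACL extended permit ip any 10.1.1.0 255.255.255.0
! Everything else is only copied to the AIP-SSM (IDS): it can alert but not drop.
access-list IPS_PROMISC_ACL extended permit ip any any

class-map IPS_INLINE_CLASS
  match access-list IPS_INLINE_ACL
class-map IPS_PROMISC_CLASS
  match access-list IPS_PROMISC_ACL

policy-map global_policy
  ! fail-close: if the SSM fails, traffic in this class is blocked
  class IPS_INLINE_CLASS
    ips inline fail-close
  ! fail-open: if the SSM fails, traffic in this class keeps flowing
  class IPS_PROMISC_CLASS
    ips promiscuous fail-open

service-policy global_policy global
```

Two points a practitioner should check when applying something like this. First, the ASA applies only the first matching class for a given feature, so because the two ACLs overlap, the inline class must appear before the promiscuous class in the policy-map or the server traffic will silently fall into promiscuous mode. Second, the fail-open/fail-close choice is a security-versus-availability decision: fail-open keeps the network up if the SSM reboots or fails, but during that window nothing is inspected, so it is usually reserved for promiscuous classes or for traffic where an outage would be worse than a blind spot.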

I just want to say thank you very much for your prompt answer. It answers my question for sure. Thanks.

One more question, how limited are the IDS network modules that plug into routers? for example are the number of signatures limited?

Thanks in advance.

The NM-CIDS (IPS module for the router) only does promiscuous (IDS) mode. It is not capable of inline (IPS) mode.

It also cannot use the Atomic IP Engine because the router itself handles the ARPs.

Other than that it has the same feature set and even uses the same upgrades as the Appliances.

The Appliances, NM-CIDS, AIP-SSM, and the IDSM-2 (the Cat 6K module) all run the same software and use the same updates.

NOTE: The System Images for each will differ, but what gets installed is the same on all the sensors.

You may want to look at the new Cisco ISRs. They support inline (IPS) mode, with approximately 132 signature definitions by default (attack-drop), 300 via the 128MB SDF (128MB DRAM needed), and 500 via the 256MB SDF (256MB DRAM needed).

http://www.cisco.com/en/US/products/ps5853/products_data_sheet0900aecd8028a95f.html

HTH
