04-27-2011 12:35 PM - edited 03-10-2019 05:20 AM
We are considering adding an IPS module to our ASA 5520, but that will only inspect data as it crosses the backplane, right?
So for my zone labelled "Critical-Zone", which has a number of physical Windows devices, servers, and VMs, we will still need an internal IPS for the data that never leaves that FW Zone?
If so, what works well with the Cisco appliance?
Or am I missing something?
Thanks
04-27-2011 03:40 PM
You assign the AIP-SSM IPS module to any of the interfaces on the ASA. You are not stuck only monitoring the backplane of the ASA.
I would recommend assigning it to interfaces on the inside of the firewall so you don't have to look at IPS alerts that would be blocked by the firewall anyway.
- Bob
04-28-2011 01:49 PM
One point of clarification is that the ASA will not forward traffic to the service module if that traffic is denied by any of the ASA's access-lists that are in the traffic's path. This is true whether the IPS policy-map is applied to a specific interface or applied globally.
i.e.
host(10.1.1.1)---(10.1.1.2, inside)ASA(8.8.8.1, outside)-----Internet
If the host forwards a SYN to 4.2.2.2, and an outbound ACL that blocks traffic destined to 4.2.2.2 is present on the outside interface, an AIP installed in the ASA will never see the SYN.
Thank you,
Blayne Dreier
Cisco TAC Escalation Team
**Please check out our Podcasts**
TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast
TAC IPS Media Series: https://supportforums.cisco.com/docs/DOC-12758
05-06-2011 06:42 AM
I just want to ensure I got this right. If I install an IPS module on my ASA, and assign it to my inside interface, it will function the same as a stand-alone IPS that is within that zone, yes? If I'm oversimplifying, please let me know, sometimes the marketing info is hard to decipher. Thanks.
05-06-2011 08:08 AM
Jimmy C -
You got it. Assigning the AIP-SSM to an interface is pretty much just like placing an appliance on that interface of the Firewall.
The ASA has a defined order of operations for packets arriving on each interface, so the IPS inspection might not be the FIRST thing to get hit, (I thought VPN decryption was), but it's pretty high on the list.
- Bob
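As an added illustration (not configuration posted by anyone in this thread), this is roughly what Bob's "assign it to the inside interface" and Blayne's "ACL drops happen before the module sees anything" look like on an ASA 8.x with an AIP-SSM; the interface name `inside`, the ACL and class/policy names, and the 4.2.2.2 example from Blayne's post are assumptions for the example.

```cisco
! Traffic selected for the IPS module: everything that passes this interface's ACL checks
access-list IPS-TRAFFIC extended permit ip any any
!
! Outbound ACL on the outside interface (Blayne's example). A SYN to 4.2.2.2
! is dropped here and is NEVER handed to the AIP-SSM, regardless of the IPS policy.
access-list OUTSIDE-OUT extended deny ip any host 4.2.2.2
access-list OUTSIDE-OUT extended permit ip any any
access-group OUTSIDE-OUT out interface outside
!
class-map IPS-CLASS
 match access-list IPS-TRAFFIC
!
policy-map IPS-POLICY
 class IPS-CLASS
  ! inline = module sits in the forwarding path and can block;
  ! fail-open = if the module is down, traffic still passes (fail-close would drop it)
  ips inline fail-open
!
! Bob's recommendation: bind the policy to the inside interface only, so the module
! sees inside traffic transiting the ASA and you are not flooded with alerts for
! packets the firewall would have discarded anyway. (For all interfaces at once,
! "service-policy IPS-POLICY global" would be used instead.)
service-policy IPS-POLICY interface inside
!
! Verify the policy is attached and counting packets:
! show service-policy interface inside
```

Note that, as DW says later in the thread, none of this gives the module visibility into host-to-host traffic on the same L2 segment; only packets that actually transit the ASA reach the IPS class.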
05-11-2011 12:31 PM
Jimmy,
If you have an AIP-SSM-20 in your ASA it only inspects traffic that transits the ASA. So, if you have a DMZ segment attached to the ASA the IPS has no visibility into that layer 2 segment (host-to-host traffic). Traffic must transit the ASA for the IPS to inspect it.
-DW
05-11-2011 12:52 PM
Thanks David,
That makes sense, but it kinda flies in the face of the earlier responses.
So for deep packet inspection, host to host, I need a stand-alone device.
Any suggestions?
jimmyc
05-12-2011 05:38 AM
Jimmy,
You mentioned that you have VMs inside that zone; those are tricky as the traffic never leaves the VM host. There are a few options out there for IPS VM appliances that might work. For the physical servers you may want to consider segmenting them from each other where possible with private VLANs and then spanning traffic from the other hosts into an IPS/IDS device in promiscuous mode.