Does the ASA, with AIP-SSM-20, handle IPS within a FW zone?

jimmyc_2
Level 1

We are considering adding an IPS module to our ASA 5520, but that will only inspect data as it crosses the backplane, right?

So for my zone labelled "Critical-Zone", which has a number of physical Windows devices, servers, and VMs, we will still need an internal IPS for the data that never leaves that FW Zone?

If so, what works well with the Cisco appliance?

Or am I missing something?

Thanks

7 Replies

rhermes
Level 7

You assign the AIP-SSM IPS module to any of the interfaces on the ASA. You are not stuck only monitoring the backplane of the ASA.

I would recommend assigning it to interfaces on the inside of the firewall so you don't have to look at IPS alerts that would be blocked by the firewall anyway.

- Bob

One point of clarification is that the ASA will not forward traffic to the service module if that traffic is denied by any of the ASA's access-lists that are in the traffic's path. This is true whether the IPS policy-map is applied to a specific interface or applied globally.

i.e.

host(10.1.1.1)---(10.1.1.2, inside)ASA(8.8.8.1, outside)-----Internet

If the host forwards a SYN to 4.2.2.2, and an outbound ACL that blocks traffic destined to 4.2.2.2 is present on the outside interface, an AIP installed in the ASA will never see the SYN.

Thank you,

Blayne Dreier

Cisco TAC Escalation Team

**Please check out our Podcasts**

TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast

TAC IPS Media Series: https://supportforums.cisco.com/docs/DOC-12758
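As an added, constructed example (not configuration posted by anyone in this thread), the following ASA configuration binds the AIP-SSM to the inside interface, as Bob suggests, and also carries the outbound ACL from Blayne's topology; interface names and the ACL, class-map and policy-map names are assumptions. With this in place, a SYN from 10.1.1.1 to 4.2.2.2 is dropped by the ACL on the outside interface before the flow is ever handed to the module, while other inside-originated transit traffic is sent to the IPS inline.

```cisco
! Constructed example, not from any post in this thread.
! Interface names, addressing and ACL/class/policy names are assumptions.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 8.8.8.1 255.255.255.0
!
! Outbound ACL on the outside interface: traffic to 4.2.2.2 is denied.
! The ASA evaluates this ACL before consulting the service module, so a SYN
! from 10.1.1.1 to 4.2.2.2 is dropped here and the AIP-SSM never sees it.
access-list OUTSIDE_OUT extended deny ip any host 4.2.2.2
access-list OUTSIDE_OUT extended permit ip any any
access-group OUTSIDE_OUT out interface outside
!
! Modular Policy Framework: hand traffic arriving on "inside" to the IPS
! module inline. Binding the policy to "inside" rather than globally is the
! placement recommended earlier in the thread. fail-open keeps traffic
! flowing if the module itself becomes unavailable.
class-map IPS_INSIDE_CLASS
 match any
!
policy-map IPS_INSIDE_POLICY
 class IPS_INSIDE_CLASS
  ips inline fail-open
!
service-policy IPS_INSIDE_POLICY interface inside
```

Note that traffic between two hosts on the 10.1.1.0/24 segment never reaches the ASA at all, so this policy cannot inspect it; `show service-policy interface inside` shows the binding and the packet counters for flows that were actually sent to the module.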

I just want to ensure I got this right. If I install an IPS module on my ASA, and assign it to my inside interface, it will function the same as a stand-alone IPS that is within that zone, yes? If I'm oversimplifying, please let me know, sometimes the marketing info is hard to decipher. Thanks.

Jimmy C -

You got it. Assigning the AIP-SSM to an interface is pretty much just like placing an appliance on that interface of the Firewall.

The ASA has a defined order of operations for packets arriving on each interface, so the IPS inspection might not be the FIRST thing to get hit (I thought VPN decryption was), but it's pretty high on the list.

- Bob

west-david
Level 1

Jimmy,

If you have an AIP-SSM-20 in your ASA it only inspects traffic that transits the ASA. So, if you have a DMZ segment attached to the ASA the IPS has no visibility into that layer 2 segment (host-to-host traffic). Traffic must transit the ASA for the IPS to inspect it.

-DW

Thanks David,

That makes sense, but it kinda flies in the face of the earlier responses.

So for deep packet inspection, host to host, I need a stand-alone device.

Any suggestions?


jimmyc

Jimmy,

You mentioned that you have VMs inside that zone; those are tricky, as the traffic never leaves the VM host. There are a few options out there for IPS VM appliances that might work. For the physical servers you may want to consider segmenting them from each other where possible with private VLANs and then spanning traffic from the other hosts into an IPS/IDS device in promiscuous mode.
