Intrusion prevention AND content security with ASA

captkloss · ‎08-19-2011

Hello, from what i'm reading, with ASA5520-5540 i cant have both at the same time... what is the right way of securing my network with both solutions? Do i put two 5520s "in-line" one with CSC-SSM and another one with AIP-SSM?

Thanks!

varrao · ‎08-19-2011

A few suggestion here:

On the ASA 5520, it would not be possible to use both the IPS and CSC module, since:

You do not have two slots it.

If you have two ASA 5520's, then you can achive this, you can have one firewall doing the filtering with CSC and the other with Intrusion prevention. That is very much feasible. But the two ASA should not be failover.

Another outside workaround:

If you have an IPS appliance instead of the module, then you can first filter the traffic through the IPS appliance, send it to the ASA, which would redirect the traffic to the CSC module.

Hope this helps you.

Thanks,

Varun

Thanks,
Varun Rao

captkloss · ‎08-19-2011

it's getting so convoluted - so essentially i need 4 x 5520 to get a secure/redundant internet access... pretty close cost wise to just getting 2 x 5585-x with SSP and IPS SSP...

varrao · ‎08-19-2011

Well yes, if you need complete redundancy for your network. I now its a tough situation to be in. You can contact your Accounts Team for any other viable option for it.

Thanks,

Varun

Thanks,
Varun Rao