Does this module do everything an ASA can do? A client of mine was wondering what the better option was.
3925 + NME-IPS-K9 or 5540?
I have not been able to find enough information to clearly see the technical differences.
The ASA itself does not perform any IPS functions. The ASA can host an AIP-SSM module:
Both the NME and AIP-SSM do roughly the same functions, run the same OS and signature releases. You can select one over another based on price, bandwidth perfromance of the sensor, or the host capabilities (do you need a firewall or a router with your IPS?)
We were considering an ISR because of the need for UC a year or two from now. I had a hard time finding stats or performance information on the NME also. I wanted to compare the Deep packet inspection stats and throughput vs the ASA. I rarely see the NME deployed so I wondered if there was a reason why, people always use an ASA.
According to this .pdf, the NME can do up to 75Mb/s of inspection (in production we usualy cut that number in half before we start seeing interface drops - this is true for all Cisco sensors).
The NME has been on the street for much longer than the AIP-SSM modules. Although no offical end of life has been given on the product, I would expect to get a longer supported life span out of the AIP-SSM module.
Ok maybe you could clarify something then and thank you for helping also. Here are the 3925 and 5540 Stats from this link. Is it safe to say that when the IPS module is put into place, it blows the 3925 out of the water? Also, without the IPS, the 3925 vs the 5540, will show that the 3925 blows the 5540 out of the water. Is this a correct assumption?
Maximum IPSec Performance
3925 - 770Mbps
5540 - 325Mbps
Maximum Firewall Performance throughput
3925 - 2567Mbps
5540 - 650
3925 - 75
5540 - 500-650Mbps
Yes, this is a fair assumption assuming that you wish to inspect all traffic passing through your router and firewall. Please keep in mind that a router can pass much more traffic than a firewall of the same cost. This is because you are asking the firewall to enforce a security policy and a router has more limited functions (ACLs QoS, etc). Adding IPS to both of these devices reduces the processing throughput even more.
Obviously some devices are better suited (throughput and cost) than other devices for particular functions. You show that in your IPSec perfomance conparison above.