10-20-2011 11:43 AM - edited 03-10-2019 05:31 AM
Does this module do everything an ASA can do? A client of mine was wondering what the better option was.
3925 + NME-IPS-K9 or 5540?
I have not been able to find enough information to clearly see the technical differences.
10-20-2011 12:51 PM
The ASA itself does not perform any IPS functions. The ASA can host an AIP-SSM module.
Both the NME and AIP-SSM do roughly the same functions, run the same OS and signature releases. You can select one over another based on price, bandwidth performance of the sensor, or the host capabilities (do you need a firewall or a router with your IPS?)
10-20-2011 01:55 PM
We were considering an ISR because of the need for UC a year or two from now. I had a hard time finding stats or performance information on the NME also. I wanted to compare the Deep packet inspection stats and throughput vs the ASA. I rarely see the NME deployed so I wondered if there was a reason why, people always use an ASA.
10-20-2011 02:14 PM
According to this .pdf, the NME can do up to 75Mb/s of inspection (in production we usually cut that number in half before we start seeing interface drops - this is true for all Cisco sensors).
The NME has been on the street for much longer than the AIP-SSM modules. Although no official end of life has been given on the product, I would expect to get a longer supported life span out of the AIP-SSM module.
10-20-2011 06:01 PM
OK, maybe you could clarify something then, and thank you for helping also. Here are the 3925 and 5540 stats from this link. Is it safe to say that when the IPS module is put into place, it blows the 3925 out of the water? Also, without the IPS, the 3925 vs the 5540 will show that the 3925 blows the 5540 out of the water. Is this a correct assumption?
Maximum IPSec Performance
3925 - 770Mbps
5540 - 325Mbps
Maximum Firewall Performance throughput
3925 - 2567Mbps
5540 - 650
3925 - 75
5540 - 500-650Mbps
10-20-2011 06:13 PM
Yes, this is a fair assumption, assuming that you wish to inspect all traffic passing through your router and firewall. Please keep in mind that a router can pass much more traffic than a firewall of the same cost. This is because you are asking the firewall to enforce a security policy and a router has more limited functions (ACLs, QoS, etc). Adding IPS to both of these devices reduces the processing throughput even more.
Obviously some devices are better suited (throughput and cost) than other devices for particular functions. You show that in your IPSec performance comparison above.