Cisco IPS 4255 Sensor White Paper
White Paper
All contents are Copyright © 1992–2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 4 of 6
in the processing path and is basically disabled. This means that from the AIP-SSM’s perspective,
anything that gets passed to it for analysis has been cleared by the appliance as being valid and
correct. As long as the high-availability solution is functioning correctly, all session state will be
shared to the passive Cisco ASA appliance so when a failover event occurs, the backup appliance
takes over session management and packets start flowing through it without issue. The AIP-SSM,
without any current signature state, starts performing analysis in midstream for all streams without
an issue. The only portion of data that is lost is signature state for those flows in progress. The
possible exposure is limited to an attacker being able to force a failover event. If an attacker can
do this, they can cause a complete DoS by bringing down both active and passive firewalls.

Configuration of the AIP-SSMs should be as close as possible to each other as they will perform
the same job. Things like signature config, virtual sensor setup, filters, and overrides should all be
similar, if not exactly the same. This helps to ensure that their behavior is the same.
Failover Pair in Active-Active Situation
The next scenario is much more complex, and involves a Cisco ASA failover pair deployed into an
active/active asymmetric situation (Figure 3).
Figure 3. Failover Pair in Active-Active Deployment
In this deployment, because traffic can leave the network using network A-1 and come back using
network A-2, different physical Cisco ASA appliances are involved in the primary packet path. To
solve this issue, the appliance should be configured using active-active asymmetric routing mode.
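The following ASA configuration sketch illustrates the two-context, active/active asymmetric-routing layout this section describes. It is an added example, not configuration from the white paper; the unit role, interface assignments, addresses, failover-group numbers and the context names ctx1/ctx2 are assumptions, and the IPS inline policy is shown only as the usual way of steering traffic to the AIP-SSM.

```cisco
! System execution space of the primary unit; assumes the appliance is
! already in multiple-context mode. All names and addresses are assumed.
mac-address auto
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 10.255.0.1 255.255.255.252 standby 10.255.0.2
! Group 1 is normally active on this (primary) unit, group 2 on the secondary.
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
! ctx1 fronts network A-1 and ctx2 fronts network A-2; both contexts share
! the inside interface, which is why mac-address auto is set above.
context ctx1
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/ctx1.cfg
 join-failover-group 1
context ctx2
 allocate-interface GigabitEthernet0/2
 allocate-interface GigabitEthernet0/1
 config-url disk0:/ctx2.cfg
 join-failover-group 2
! Inside ctx1 (ctx2 mirrors this with its own outside interface and addresses).
! The same asr-group on both contexts' outside interfaces lets a return packet
! arriving at the standby copy of the peer context be matched against the
! replicated session state and redirected to the active unit over the failover link.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0 standby 203.0.113.2
 asr-group 1
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
! Steer traffic through the AIP-SSM; keep this policy identical in both contexts
! so the two modules behave the same, as the previous section recommends.
class-map ips_traffic
 match any
policy-map global_policy
 class ips_traffic
  ips inline fail-open
service-policy global_policy global
```

The fail-open choice in the ips line is an assumption for the example; whether the ASA should keep forwarding or drop traffic when the module is unavailable is a deployment decision.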
This deployment involves building two contexts on each Cisco ASA appliance, where context 1 on
Cisco ASA 1 is the active context for network A-1 and context 2 on Cisco ASA 1 is the passive