Cisco IPS 4360 Sensor White Paper

Intrusion Prevention
August 2012 Series
Figure 12 - Reputation effect on risk rating
[Chart: "Reputation Effect on Risk Rating", Standard Mode. Horizontal axis: Reputation of Attacker, from -0.5 to -10 in steps of 0.5. Vertical axis: Initial Risk Rating, from 80 to 100. Each plotted cell shows the adjusted risk rating, which rises toward 100 as the attacker's reputation falls; blue cells are labelled Deny Packet and red cells Deny Attacker.]
Reader Tip
For more information about how traffic moves through the Cisco ASA and IPS module combination, see the following:

Deployment Details
In this deployment, you will deploy Cisco ASA IPS modules in inline mode in order to block inbound attacks to the Internet services in the DMZ. You will also deploy a standalone IPS appliance in promiscuous mode on the inside of the network. This appliance will be attached to a distribution switch and will watch for possible malicious activity in the traffic traversing the switch. The appliance is deployed on the WAN aggregation switch so that it can inspect the traffic going between the campus and remote sites. This could just as easily be deployed to watch other LAN sites, the traffic from the DMVPN connection, wireless traffic (after it enters the wired LAN), or possibly partner connections.

Because it is possible to send too much traffic to an IPS device (too much for either the port or the hardware to handle), it is important to size the device carefully. The following tables give estimated performance for different models.
Table 4 - Performance levels

Cisco IPS appliance model                    Average Inspection Throughput
IPS 4345                                     750 Mbps
IPS 4360                                     1.25 Gbps
IPS 4510                                     3 Gbps
IPS 4520                                     5 Gbps

Cisco ASA 5500 Series IPS Solution module    Firewall + IPS Throughput
ASA 5512-X                                   250 Mbps
ASA 5515-X                                   400 Mbps
ASA 5525-X                                   600 Mbps
ASA 5545-X                                   900 Gbps
For the Cisco IPS 4345 in this deployment, we use 2 gigabit interfaces, 
where each is attached to one of the switches in the switch stack. If faster 
models are used, options include either using a ten-gigabit interface or 
using a port channel of 2 or more gigabit interfaces (these options are 
switch-dependent, as some switches and code versions do not support 
using port channels as destinations for Switched Port Analyzer sessions).