Cisco IPS 4255 Sensor White Paper
All contents are Copyright © 1992–2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 1 of 7
Deploying IPS Using the Cisco ASA AIP-SSM
IPS TME Architecture Team
January 25, 2008
Introduction
This design guide explains the requirements of deploying a Cisco ASA Advanced Inspection and Prevention Security Services Module (AIP-SSM) inside the Cisco ASA security appliance. The software versions used in this discussion are Cisco ASA Software Version 8.0.x for the appliance and Cisco IPS Sensor Software 6.1.x for the AIP-SSM.
This document is broken up into three parts.
● AIP-SSM deployment overview
● Normalizer revisited and comparison of signature and session states
● Typical Cisco ASA appliance installations and deployment concerns for the AIP-SSM
Part 1 AIP-SSM Deployment Overview
The Cisco ASA 5500 Series AIP-SSM is an inline, network-based solution that accurately identifies, classifies, and stops malicious traffic before it affects business continuity. It combines inline prevention services with innovative technologies, giving confidence in the protection provided by the deployed IPS solution without the fear of legitimate traffic being dropped. The AIP-SSM also offers comprehensive network protection through its unique ability to collaborate with other network security resources, providing a proactive approach to protecting the network. Its accurate inline prevention technologies make it possible to take preventive action on a broader range of threats without the risk of dropping legitimate traffic. These technologies offer intelligent, automated, contextual analysis of data and help ensure that businesses get the most out of their intrusion prevention systems (IPSs). Furthermore, the AIP-SSM uses multivector threat identification to protect the network from policy violations, vulnerability exploitations, and anomalous activity through detailed inspection of traffic in Layers 2 through 7.
Deploying the AIP-SSM into an existing deployment is straightforward in most regards. Because the AIP-SSM does not function as a separate device in the network, no changes to the network topology are required. All that is required is to physically insert the module, initialize it, and then create a policy in the appliance's configuration that defines which traffic is sent to the module for analysis and how that traffic is analyzed (IDS vs. IPS mode).
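The initialization and policy steps above, shown as an added example of the ASA 8.0 CLI configuration (this is not configuration from the paper). The ACL and class-map names, the module slot number, and the use of the default global_policy are assumptions.

```cisco
! Added example, not from the paper. Assumed names: IPS_TRAFFIC, IPS_CLASS, slot 1.
! Initialize the module: open a console session to the AIP-SSM in slot 1 from the
! ASA CLI, log in to the sensor, and run its interactive 'setup' (IPS 6.1).
session 1
! ... inside the sensor: setup, set management IP, allowed hosts, password; exit ...
!
! Define which traffic is diverted to the module. "permit ip any any" sends
! everything; a tighter ACL limits what consumes module throughput.
access-list IPS_TRAFFIC extended permit ip any any
!
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! Choose how the module sees the traffic (the IDS vs. IPS choice in the text):
!   ips inline      = IPS mode: packets pass through the module and can be dropped
!   ips promiscuous = IDS mode: the module gets a copy and can only alert or reset
! The second keyword decides behaviour while the module is down or rebooting:
!   fail-open  = matching traffic keeps flowing uninspected (availability first)
!   fail-close = matching traffic is dropped until the module is back (inspection first)
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open
!
! global_policy is already applied globally on a default ASA 8.0 configuration;
! the line is repeated here for completeness.
service-policy global_policy global
!
! Verify that the module is up and that the policy is diverting traffic.
show module 1 details
show service-policy ips
```

Note that with fail-open a module failure silently removes inspection, so module state (show module) should be monitored rather than assumed.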
Part 2 Comparing Signature and Session States, and Revisiting the Normalizer
Failover events are important events for network devices that track and enforce state, because sessions that are not known by a device might get dropped. There are two types of state that need to be discussed in this context: session state and signature state.