Cisco IDS 4210 10/100 SENSOR Specification Guide
1-16
Installing Cisco Intrusion Prevention System Appliances and Modules 5.1
OL-8677-01
Chapter 1 Introducing the Sensor
Modules
There are two models of AIP-SSM: ASA-SSM-AIP-K9-10 and ASA-SSM-AIP-K9-20.
ASA-SSM-AIP-K9-10 supports approximately 100 Mbps throughput and ASA-SSM-AIP-K9-20
supports approximately 200 Mbps. Only one module can populate the slot in an ASA at a time.
AIP-SSM runs advanced IPS software that provides further security inspection in either inline mode or
promiscuous mode. The ASA diverts packets to AIP-SSM just before the packet exits the egress interface
(or before VPN encryption occurs, if configured) and after other firewall policies are applied. For
example, packets that are blocked by an access list are not forwarded to AIP-SSM.
In promiscuous mode, the IPS receives packets over the GigabitEthernet interface, examines them for
intrusive behavior, and generates alerts based on a positive result of the examination. In inline mode,
there is the additional step of sending every packet that did not result in an intrusion back out the
GigabitEthernet interface.
Figure 1-2 shows ASA with AIP-SSM in a typical DMZ configuration. A DMZ is a separate network
located in the neutral zone between a private (inside) network and a public (outside) network. The web
server is on the DMZ interface, and HTTP clients from both the inside and outside networks can access
the web server securely.
In Figure 1-2, an HTTP client (10.10.10.10) on the inside network initiates HTTP communications with
the DMZ web server (30.30.30.30). HTTP access to the DMZ web server is provided for all clients on
the Internet; all other communications are denied. The network is configured to use an IP pool (a range
of IP addresses available to the DMZ interface) of addresses between 30.30.30.50 and 30.30.30.60.
Figure 1-2
DMZ Configuration
Refer to Cisco ASA 5500 Quick Start Guide for more information on setting up ASA. For more
information on installing AIP-SSM, see Installing AIP-SSM, page 7-3. For more information on
configuring AIP-SSM to receive IPS traffic, refer to "Configuring AIP-SSM," in Configuring the Cisco
Intrusion Prevention System Sensor Using the Command Line Interface 5.1.
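The following ASA configuration fragment is an added illustration, not taken from this guide, of how the two points above fit together: an interface access list that admits only HTTP to the DMZ web server (packets it denies never reach AIP-SSM), and the service policy that diverts the remaining traffic to the module in either promiscuous or inline mode. The interface name, access-list and class names, the policy-map name and the fail-close choice are assumptions.

```cisco
! Constructed ASA 7.x example (not from this guide); names and addresses are assumptions.
! Outside interface policy: only HTTP to the DMZ web server (30.30.30.30) is permitted.
! Everything else is dropped by the access list and is therefore never forwarded to AIP-SSM.
access-list OUTSIDE_IN extended permit tcp any host 30.30.30.30 eq 80
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside
!
! Select the traffic to hand to the module: all remaining permitted traffic.
access-list IPS_TRAFFIC extended permit ip any any
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! Divert that class to AIP-SSM. Use exactly one of the two modes:
!   promiscuous - the module inspects a copy; the original packet is forwarded regardless
!   inline      - the packet passes through the module, which can drop it
! fail-close drops traffic while the module is unavailable; fail-open passes it uninspected.
policy-map global_policy
 class IPS_CLASS
  ips inline fail-close
  ! ips promiscuous fail-open
service-policy global_policy global
```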
Introducing IDSM-2
The Cisco Catalyst 6500 Series Intrusion Detection System Services Module (IDSM-2) is a switching
module that performs intrusion prevention in the Catalyst 6500 series switch and 7600 series router. You
can use the CLI or IDSM to configure IDSM-2. You can configure IDSM-2 for promiscuous or inline
mode.
[Figure 1-2, DMZ Configuration: artwork not reproduced. Labels recoverable from the drawing: Internet; Outside 209.165.200.225; ASA security appliance; DMZ 10.30.30.0 with Web server 10.30.30.30; Inside 10.10.10.0 with HTTP client 10.10.10.10 and additional HTTP clients.]