Networks Training

Cisco IDS/IPS module for Cisco ASA Firewalls (AIP-SSM)

The Cisco ASA 5500 security appliance is not just a plain firewall. With an add-on security module (AIP-SSM), you can transform the ASA 5500 into an IDS/IPS sensor as well. The AIP-SSM (Advanced Inspection and Prevention – Security Services Module) is a full-blown IDS/IPS sensor with the same software and functionality like the external standalone IPS-4200 series appliance.
 
The Sensor operates in either “Promiscuous Mode” (IDS functionality) or “Inline Mode” (IPS functionality). In Promiscuous Mode, the sensor does not intervene in traffic flow, but just “sniffs” the traffic that passes through the firewall and takes appropriate actions in the event of an attack. The actions can vary from alert, TCP reset, drop the session or the whole IP communication. The IDS sensor can not take actions by itself since it is not involved inside the traffic flow. Rather, it instructs the ASA firewall to take action to the malicious traffic using the “shun” command. The advantage of using the sensor in promiscuous mode is that it does not affect the forwarding performance of the firewall. The disadvantage is that the promiscuous sensor can not block some types of attacks (e.g single-packet attacks) and is a little bit slow to react to attacks.

MORE READING:  How to Recover a preshared key of IPSEC VPN on Cisco ASA

In Inline Mode, all traffic flows through the IPS sensor before or after passing through the ASA firewall. In this configuration, the IPS sensor can take action to attacking traffic by itself. Since the inline mode operation puts the sensor directly into the traffic flow, it affects the general forwarding performance of the ASA appliance. The advantage however of inline operation is that the sensor can stop attacks by dropping malicious traffic before it reaches the intended target, thus providing a proactive service.

The AIP-SSM plug-in module has two models:
 

  • ASA-SSM-AIP-K9-10 (approx. 100Mbps throughput)
  • ASA-SSM-AIP-K9-20 (approx. 200Mbps throughput)

 
The figure below shows how the AIP-SSM module can be installed inside a Cisco ASA appliance:

aip-ssm ids ips module in cisco asa firewall

After inserting the module in the appliance, you can verify that is properly installed with the ASA# show module 1 command. If the status reads UP, AIP-SSM is properly installed.
 
To remove the module while it operates, you have to shut it down first using:
ASA# hw-module module 1 shutdown.

MORE READING:  Adding more Interfaces to Cisco ASA Firewalls with 4GE SSM

After that, you have to power off the ASA and then remove the AIP-SSM module.
 
Similarly, to reboot the module for any reason use:
ASA# hw-module module 1 reset

Filed Under: Cisco ASA General Tagged With: , ,

Leave a Reply

Your email address will not be published. Required fields are marked *

About Networks Training

We Provide Technical Tutorials and Configuration Examples about TCP/IP Networks with focus on Cisco Products and Technologies. This blog entails my own thoughts and ideas, which may not represent the thoughts of Cisco Systems Inc. This blog is NOT affiliated or endorsed by Cisco Systems Inc. All product names, logos and artwork are copyrights/trademarks of their respective owners.

Suggested Cisco Training

CISCO CERTIFICATION TRAINING
CISCO CCNA 200-120 TRAINING
CCNA SECURITY 640-554 TRAINING
CCENT ICND1 TRAINING
CISCO ICND2 TRAINING
CISCO CCNP TRAINING