
Configuring the Cisco ASA IPS Module


  1. ASA IPS Module Details
  2. ASA IPS Module Operation / Virtual Sensors
  3. ASA IPS Module Configuration

Article Description

With the ongoing threat of network attacks existing for almost all companies that are connected to the Internet, there is often a need to set up some type of intrusion detection system (IDS) or intrusion protection system (IPS).

The main difference between an IDS and an IPS is in what happens when the device detects an attack. An IDS detects the attack and alerts the network administrators/engineers; an IPS can also block the attack traffic directly once it has been detected. This can proactively prevent a good amount of damage to the internal network.

Cisco's Adaptive Security Appliance (ASA) line adds this ability with an additional piece of hardware or software, depending on the base ASA model. Sean Wilkins takes a look at this additional capability, what it offers, and how it can be configured to monitor traffic through an ASA.

ASA IPS Module Operation

The basic operation of the ASA IPS module is rather simple: Traffic comes into the ASA and goes through the initial ASA processes (e.g., VPN decryption, firewall policy). Traffic that matches the IPS policy is then sent to the IPS module; traffic that the module allows to pass is returned to the ASA and can be sent back out another ASA interface.

The ASA IPS module offers two operating modes, inline mode and promiscuous mode, which are selected within the traffic-matching configuration. In inline mode, all matched traffic is sent to the ASA IPS module and does not continue through the ASA until it is returned from the module.

In promiscuous mode, a copy of the matched traffic is sent to the ASA IPS module while the original continues through the ASA; if the ASA IPS module finds that specific traffic matches one of its attack signatures, it sends a shun message to the ASA to block any future traffic with the same characteristics.

The choice of operating mode depends on the specific implementation. Inline mode is more secure, but it can also affect traffic throughput. Promiscuous mode is the opposite: less secure, but with no effect on throughput. Promiscuous mode operates much like a traditional IDS, whose alerts can be used after the fact to block future traffic.

Virtual Sensors

All ASA models except the 5505 support virtual sensors; these sensors are used when multiple security contexts are configured on the ASA. Each context can be assigned a virtual sensor, and the matching IPS policy can be configured with its own ASA IPS module settings.
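As an added example (not configuration from the article), the following ASA service-policy fragment shows how the two operating modes above are selected in the traffic-matching configuration, how the module-failure behaviour is chosen, and how a policy is pinned to a virtual sensor; the ACL, class-map, policy-map, interface and sensor names are assumed.

```cisco
! Constructed example: ACL, class-map, policy-map, interface and sensor names are assumed.
! Select the traffic to hand to the IPS module (here: everything entering the inside interface).
access-list IPS_INSIDE extended permit ip any any
!
class-map IPS_INSIDE_CLASS
 match access-list IPS_INSIDE
!
! Inline mode: matched packets stay inside the ASA until the module returns them.
! fail-close drops that traffic if the module is down; fail-open lets it bypass the module.
policy-map INSIDE_POLICY
 class IPS_INSIDE_CLASS
  ips inline fail-close
!
service-policy INSIDE_POLICY interface inside
!
! Promiscuous mode on the outside interface: the module only sees a copy of each packet
! and asks the ASA to shun flows that match a signature, so throughput is unaffected.
! fail-open is the usual choice here, since the module was never in the forwarding path.
class-map IPS_OUTSIDE_CLASS
 match any
!
policy-map OUTSIDE_POLICY
 class IPS_OUTSIDE_CLASS
  ips promiscuous fail-open
!
service-policy OUTSIDE_POLICY interface outside
!
! Virtual sensors (not available on the 5505): the sensor keyword binds a policy
! to one virtual sensor, e.g. for a given security context.
!  ips inline fail-close sensor vs0
```

`show service-policy` on the ASA reports, per interface and class, how many packets have been sent to the IPS module and in which mode, which is the quickest way to confirm the class-map is actually matching traffic.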
