[c-nsp] Cisco ASA Filtering

Jeff Kell jeff-kell at utc.edu
Thu Jul 6 12:25:28 EDT 2006


Paul Stewart wrote:

> As you may have seen in a previous email, we are looking at a campus
> deployment involving about 1000 users.  I'm considering the option of
> using a Cisco ASA 5540 and wondering about using either a CSC card or a
> AIP card and pros/cons for both?

We have 5540s with AIP-SSM20s.  The SSM is essentially a 42xx IPS appliance-on-a-stick :-)  As such, it only does lower level IPS functions in terms of analysis, and as such won't buy you much in terms of anti-X (virus, spam, spyware, etc).  That is the function of the CSC, but since I have not used one, I can't address its suitability.  You will get some signatures for some viruses that do work, but they certainly aren't comprehensive.

> Or, is a 7206VXR with inline IOS IPS just as sufficient and/or better in
> some regards??

IOS IPS is (IMHO) an extreme stretch of the term "IPS".  You get a few dozen signatures for relatively rudimentary things with boatloads of false positives.

Peder @ NetworkOblivion wrote:
> I don't like the AIP at all.  It has an ugly web interface, virtually no 
> reporting and it is very difficult to tune it. 

For the most part I agree, although the web interface isn't that bad.  The reporting issue is a big one if you haven't spent the extra truckload of cash for the Cisco Security Manager and other component$ of the overall solution (which we haven't either).  There is no syslog output from the AIP.  You can generate SNMP traps on alerts, however.  And if you have support on your ASA/AIP, Cisco does have a free "IPS Event Viewer" that isn't half bad.

One of the strengths of the AIP (again IMHO) is the flexibility of alert actions.  If you are running the AIP in inline mode, you can deny the packet, flow, or attacker inline.  Regardless of the mode, you can generate "blocks" which can be applied to a router ACL, switch VACL, or PIX/ASA shun, and you can send blocks to multiple devices in parallel.

One weakness is that the "deny" and "block" timing is global.  You can't, for example, block a scanning source for an hour while blocking a malicious website for a week.  You also can't be selective about block forwarding - if you are sending blocks to multiple devices, they always go to every device.

Jeff
