Cisco IPS 4240 vs Cisco ASA AIP SSM-10 Module?

Why would I buy the Cisco IPS 4240 over the Cisco ASA AIP SSM-10 Module?

Considering I don't need the extra bandwidth of the IPS 4240, and the AIP SSM-10 requires an ASA 5510, what are the differences? They both seem to protect against the same number of threats.
Ken Boone, Network Consultant
Commented:
Ok, so here is the deal. The AIP-SSM-10 module goes right into the ASA. It can operate in promiscuous mode and inline mode. 5 years ago we always ran it in promiscuous mode for a few weeks to perform tuning before we put it inline. When it is inline it can actually block threats by blocking the packets and shutting down the session. Nowadays Cisco has it down pretty good, so when you put it in the ASA and put it in inline mode, right off the bat you are getting protection from known attacks with high risk levels with no known false positives. So you get protection out of the chute. Of course it only sees traffic that is going through your firewall and nowhere else.

The IPS 4240 would be an appliance that you would basically set up as a sniffer on a network segment. Now it is not necessarily seeing all the traffic going through that firewall; it is seeing what you have mirrored to it from a switchport. So it may be the port the inside interface on the firewall is connected to, or it may be a VLAN, or it may be multiple VLANs. The IPS 4240 will more likely help you identify attacks coming from inside your network destined for other places inside your network, i.e. a malicious employee, the cleaning person at night, or a teenage intern who is a wannabe hacker. If you were just going to monitor what's going through the firewall, then go with the AIP module. I haven't installed a 4200 series in a few years now, but generally they are a little more work than the AIP.

Now here is the real deal. IPS/IDS requires a lot of work. I have installed many of these over the years, both appliances and AIP modules - more AIP as of late. Out of all the installs I have put in for customers, this is the reality: 95% of them don't use it like it should be used. Only 50% actually keep up with the signature updates once I am done. BTW, I train them all on how to tune the sensor and I set up IME (IPS Manager Express) for them as well. So what I am saying is that only 5% use it how it's meant to be used. Everyone else basically uses it as a check box when the auditor comes. Check - we have IPS installed.

So for most people dropping an AIP in will actually give real protection and act as the check box with minimal work, but you can still use it like it should be used and get much more out of it.

So you really need to ask yourself: do I really have the time to invest in this? If not, get the AIP, put it inline and keep up with the updates. If you do, then great, but most people don't.

Hope that helps.

Network Consultant
Commented:
And just to answer your question - one is appliance based and one installs in the ASA.  A lot of people buy the appliance module and then monitor what is going in and out of their firewall, so it makes sense to just stick a module in the firewall so all the traffic just has to cross the backplane.  AIP only can monitor what goes through the ASA, the appliance can monitor any network segment you want.  Depends on how you want to use an IPS system.

Author

Commented:
kenboonejr - This is a most excellent answer. I'm not aware of my finalized budget, but it looks like I may be leaning towards the AIP, or the 4240 if the benefits are great enough.

If I may ask you two simple questions I'm sure you could answer?

1) Why do the Cisco IPS 4200 series and AIP-SSM solutions only work on port 80 and 22 traffic? I see other (much more expensive) solutions from SourceFire and HP TippingPoint work on a wide range of protocols, but they urge against it. I'm assuming most exploits happen over 80 and 22, plus it is too difficult for one person to manage a multi-protocol setup if it isn't their dedicated job.

2) Because the Cisco IPS 4200 series has multiple ports and virtual interfaces, can I get double the fun by having it inline before my ASA firewall scanning multiple T1s and also placing it on my core switch stack scanning my inside VLANs? Would you advise against this? Something like the 4240 I could possibly get approved if these are the possible results. Then I could use my ASA 5510 module slot for the CSC-SSM-20 possibly in the future! I am the dedicated security guy where I work and wouldn't mind the challenge and ongoing monitoring.
Ken Boone, Network Consultant
Commented:
1) That is incorrect information. Both of those boxes scan EVERYTHING. Maybe what you saw was referring to how you manage the box, i.e. HTTP or SSH. Basically, when you set it up in the ASA you make a rule that says send ALL IP traffic to the sensor. So anything IP, the AIP has you covered. The 4200 can see a little more because you are actually sniffing the wire, so it can see some layer 2 inconsistencies as well, but that is typically not an attack but rather a NIC that went bad or something like that.

2) Yes with the 4240 you can do that and that is typically why you would go with this box - to scan many segments of your network.  So if you are dedicated security the 4240 might be the way to go.  

BTW..The CSC module only handles 4 types of traffic, http(s), smtp, pop3 and ftp.  So maybe that is what you were thinking of with your first question.  
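The "send ALL IP traffic to the sensor" rule described above, written out as an added ASA service-policy example (not configuration from this thread or from Cisco's documentation; the ACL and class-map names are placeholders). It also shows the promiscuous-then-inline progression from the first answer, with the promiscuous line left commented out:

```cisco
! Added example: ASA 5510 service policy that redirects every IP flow
! to the AIP-SSM. IPS_ALL and IPS_CLASS are placeholder names.
access-list IPS_ALL extended permit ip any any
!
class-map IPS_CLASS
 match access-list IPS_ALL
!
policy-map global_policy
 class IPS_CLASS
  ! Tuning phase: the module gets a copy of each packet and can alert but not drop.
  ! ips promiscuous fail-open
  !
  ! Production: packets are switched through the module, which can drop them.
  ! fail-open keeps forwarding traffic if the module fails or reloads;
  ! fail-close blocks traffic instead (availability vs. assurance trade-off).
  ips inline fail-open
!
service-policy global_policy global
```

`show service-policy` confirms that the IPS action is attached to the class and shows packet counters for it.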

Author

Commented:
The best and most exciting answer I've received on E-E to date. Thank you.
