Cisco Systems ASA 5500 Getting Started with the AIP SSM, Diverting Traffic to the AIP SSM, 19-2

Chapter 19 Managing the AIP SSM and CSC SSM

Managing the AIP SSM

The AIP SSM can operate in one of two modes, as follows:

•Inline mode—Places the AIP SSM directly in the traffic flow. No traffic can continue through the adaptive security appliance without first passing through, and being inspected by, the AIP SSM. This mode is the most secure because every packet is analyzed before being allowed through. Also, the AIP SSM can implement a blocking policy on a packet-by-packet basis. This mode, however, can affect throughput. You specify this mode with the inline keyword of the ips command.

•Promiscuous mode—Sends a duplicate stream of traffic to the AIP SSM. This mode is less secure, but has little impact on traffic throughput. Unlike operation in inline mode, the SSM operating in promiscuous mode can only block traffic by instructing the adaptive security appliance to shun the traffic or by resetting a connection on the adaptive security appliance. Also, while the AIP SSM is analyzing the traffic, a small amount of traffic might pass through the adaptive security appliance before the AIP SSM can block it. You specify this mode with the inline keyword of the ips command.

You can specify how the adaptive security appliance treats traffic when the AIP SSM is unavailable due to hardware failure or other causes. Two keywords of the ips command control this behavior. The fail-closekeyword sets the adaptive security appliance to block all traffic if the AIP SSM is unavailable. The fail-openkeyword sets the adaptive security appliance to allow all traffic through, uninspected, if the AIP SSM is unavailable.

For more information about configuring the operating mode of the AIP SSM and how the adaptive security appliance treats traffic during an AIP SSM failure, see the “Diverting Traffic to the AIP SSM” section on page 19-2.

Getting Started with the AIP SSM

Configuring the AIP SSM is a two-part process that involves configuration of the ASA 5500 series adaptive security appliance first, and then configuration of the AIP SSM:

1.On the ASA 5500 series adaptive security appliance, identify traffic to divert to the AIP SSM (as described in the “Diverting Traffic to the AIP SSM” section on page 19-2).

2.On the AIP SSM, configure the inspection and protection policy, which determines how to inspect traffic and what to do when an intrusion is detected. Because the IPS software that runs on the AIP SSM is very robust and beyond the scope of this document, detailed configuration information is available in the following separate documentation:

•Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface.

•Command Reference for Cisco Intrusion Prevention System

Diverting Traffic to the AIP SSM

You use MPF commands to configure the adaptive security appliance to divert traffic to the AIP SSM. Before configuring the adaptive security appliance to do so, read Chapter 18, “Using Modular Policy Framework,” which introduces MPF concepts and common commands.

To identify traffic to divert from the adaptive security appliance to the AIP SSM, perform the following steps:

Step 1 Create an access list that matches all traffic:

hostname(config)# access-list acl-namepermit ip any any

Cisco Security Appliance Command Line Configuration Guide