56-14
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 56 Configuring Service Policy Rules on Firewall Devices
IPS, QoS, and Connection Rules Page
About IPS Modules on ASA Devices
You can install a variety of IPS modules, such as the Advanced Inspection and Prevention Security
Services Module (AIP-SSM), in some ASA device models. The IPS modules supported by each ASA
model differ. The IPS modules run advanced IPS software that provides proactive, full-featured intrusion
prevention services to stop malicious traffic, including worms and network viruses, before they can
affect your network.
The ASA IPS module runs separately from the adaptive security appliance, and you need to add it to the
device inventory as a separate device. It is, however, integrated into the ASA traffic flow.
When you configure the ASA IPS module, you need to configure the service policy rules on the host
ASA as well as the IPS policies on the IPS module. The service policy rules determine which traffic is
inspected by the IPS module. For an overview of IPS policy configuration, see Overview of IPS
Configuration, page 35-5.
When you identify traffic for IPS inspection, the traffic flows through the ASA and the IPS module as
follows:
1. Traffic enters the ASA.
2. Firewall policies, such as interface access rules, are applied.
3. Traffic is sent to the IPS module over the backplane when you operate in inline mode. If you configure the system to use promiscuous mode, a copy of the traffic is sent to the IPS module. See IPS Mode in the Intrusion Prevention section of the Insert/Edit Service Policy (MPC) Rule wizard (Step 3. Configure the MPC actions, page 56-8) for more information about Inline and Promiscuous modes.
4. The IPS module applies its security policy to the traffic and takes appropriate actions.
5. Allowed traffic is sent back to the adaptive security appliance over the backplane. In Inline mode, the IPS module may block some traffic according to its security policy; in other words, that traffic is not passed back.
6. VPN policies are applied (if configured).
7. Traffic exits the ASA.
The following illustration depicts traffic flow when running the IPS module in Inline mode. In this
example, the IPS module automatically blocks traffic that it identifies as an attack. All other traffic is
returned to the ASA.
[Figure 199661: Traffic flow through the security appliance with the IPS module in Inline mode. Labels: Security Appliance, Main System, inside, outside, Firewall Policy, VPN Policy, Backplane, Diverted Traffic, AIP module or card, IPS inspection, Block]
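The traffic flow above is produced on the ASA by a service policy (MPC rule) that selects traffic and attaches an IPS action to it. The configuration below is an added example written for this page, not text from the Cisco guide and not the CLI that Security Manager itself generates; the ACL name IPS-TRAFFIC and class-map name IPS-CLASS are assumed, and global_policy is the ASA default policy map. It shows the inline action that makes step 5 (Block) possible, with the promiscuous alternative and the fail-open/fail-close choice as comments.

```text
! Added example (not from the Cisco guide): ASA service policy that
! diverts traffic to the IPS module. Names IPS-TRAFFIC and IPS-CLASS
! are assumed; global_policy is the ASA default policy map.

! Step 2 still applies first: interface access rules decide what is
! permitted, and only permitted traffic reaches the class below.

! Select the traffic to inspect. "any any" sends everything the
! firewall allows through the module; a narrower ACL reduces module
! load and keeps the diverted set explicit.
access-list IPS-TRAFFIC extended permit ip any any

class-map IPS-CLASS
 match access-list IPS-TRAFFIC

! Attach the IPS action to the policy map (step 3).
policy-map global_policy
 class IPS-CLASS
  ! Inline: traffic is diverted over the backplane and the module can
  ! drop it, which is the "Block" path in the figure (step 5).
  ! fail-open passes traffic uninspected if the module is down or
  ! restarting; fail-close drops it instead.
  ips inline fail-open

! Promiscuous alternative (a class takes one ips action, so this
! replaces the line above): the ASA forwards the original packet and
! sends the module only a copy, so the module can alert but cannot
! block that packet itself.
!  ips promiscuous fail-open

! Apply globally (all interfaces) or per interface.
service-policy global_policy global
```

The security-relevant choice is in the two keywords on the `ips` line: inline is the only mode in which the module's deny action actually removes traffic from the flow, and fail-open means a failed module silently turns the inline path into pass-through until the module recovers, so a deployment that relies on the IPS to block should weigh fail-close for the classes that matter.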