13-3
Cisco ASA 5500 Series Getting Started Guide
78-19186-01
Chapter 13 Configuring the AIP SSM
Understanding the AIP SSM
Figure 13-1 AIP SSM Traffic Flow in the Adaptive Security Appliance: Inline Mode
Operating Modes
You can send traffic to the AIP SSM using one of the following modes:
• Inline mode—This mode places the AIP SSM directly in the traffic flow (see Figure 13-1). No traffic that you identified for IPS inspection can continue through the adaptive security appliance without first passing through, and being inspected by, the AIP SSM. This mode is the most secure because every packet that you identify for inspection is analyzed before being allowed through. Also, the AIP SSM can implement a blocking policy on a packet-by-packet basis. This mode, however, can affect throughput.
• Promiscuous mode—This mode sends a duplicate stream of traffic to the AIP SSM. This mode is less secure, but has little impact on traffic throughput. Unlike the inline mode, in promiscuous mode the AIP SSM can only block traffic by instructing the adaptive security appliance to shun the traffic or by resetting a connection on the adaptive security appliance. Also, while the AIP SSM is analyzing the traffic, a small amount of traffic might pass through the adaptive security appliance before the AIP SSM can shun it.
Figure 13-2 shows the AIP SSM in promiscuous mode. In this example, the AIP SSM sends a shun message to the adaptive security appliance for traffic it identified as a threat.
[Figure 13-1 diagram: the security appliance main system with inside and outside interfaces, VPN policy and firewall policy stages, traffic diverted across the backplane to the AIP SSM for IPS inspection, and a block decision returned to the main system.]