I have had many people ask about the Intrusion Detection / Prevention (IDS / IPS) options you can add to the next generation Cisco Adaptive Security Appliance (ASA), also known as the ASA X Series. The confusion comes from the choice between a dedicated IDS / IPS and the Next Generation Security package that is part of the ASA CX solution, which bundles Application Visibility, Reputation Security and IPS. Here is an overview of how both solutions work.
The core of both offerings is the 2nd generation ASA appliance, or ASA X series (more info found HERE). The current latest ASA code release is 9.13. The ASA appliance can be configured using the command line, ASDM or Cisco Security Manager. The appliance should have an IP address; for example's sake, let's say it is 192.168.1.10. You can browse to that IP with a standard web browser and the ASA will prompt you with options to manage it using ASDM.
The 2nd generation ASA series offers additional features either by leveraging an SSD hard drive or built directly into the code (as is the case for the IDS/IPS feature). This is done by accessing a virtual space within the ASA, essentially enabling a virtual service. This differs from previous generations of hardware, where adding something like IDS/IPS required an external hardware module inserted into the ASA appliance. The next generation ASA can enable a feature like IDS/IPS virtually inside that space on the ASA and use policy maps to route traffic through it.
[Image: 1st Generation ASA with IDS/IPS module]
[Image: 2nd Generation ASA with SSD]
Today there are two options for adding IDS/IPS to an ASA. Option one is installing a dedicated IDS/IPS. This means going with a specific ASA code that includes the IPS/IDS build, giving the IDS/IPS a separate IP address from the core ASA and managing the IDS/IPS separately. So for example, we could give the ASA the IP address 192.168.1.10 and the IPS/IDS the IP address 192.168.1.20. Once configured, you can access the IDS/IPS management using a standard web browser, which will launch Cisco IPS Manager Express (IME). You could also use Cisco Security Manager (CSM) to manage both the ASA and the IPS/IDS along with other security solutions. You do NOT need the SSD drive for this option, as all virtual features happen within the ASA appliance. You just need a next gen ASA, the proper software code and the associated licenses for IDS/IPS.
[Image: Cisco IME managing IDS/IPS Dashboard]
Option two for IPS/IDS is installing Cisco's next generation security package, known as ASA CX. Again, you would install the software and provide a new IP address for the CX features. So let's say you configure the ASA CX part to be IP 192.168.1.20. Once you configure ASA CX, you could access the management at 192.168.1.120 using a web browser to bring up the local Cisco Prime Security Manager GUI. You could also use an external version of Cisco Prime Security Manager for managing multiple ASAs and CX SSD drives. The current version for ASA CX is 9.2, meaning your ASA would run ASA code 9.13 while the SSD would run ASA CX 9.2 code. The ASA CX features use some space on the SSD drive, so you would need the SSD drive along with the ASA CX software and licenses to go this route.
[Image: Cisco ASA CX Dashboard]
The ASA with IDS/IPS route and the ASA with CX route both run a separate system independently in the virtual space on the ASA appliance. For example, you can access the core ASA using the command line, but you would have to open a session from the ASA to the ASA CX to reach the CX CLI. Here is an image of the ASA CLI and the ASA CX CLI. You can find more about configuring ASA CX via CLI HERE.
[Image: ASA Command Line]
[Image: ASA CX Command Line (on older 9.1.2 code)]
Regarding migration, you can NOT run ASA CX and a dedicated IPS on the same ASA appliance. The ASA CX IDS/IPS, aka Next Gen IPS/IDS, is part of CX and managed using PRSM, while the dedicated IDS/IPS software is managed with Cisco IME. If you want to migrate from one option to the other, you must configure the core ASA to specify which service should occupy the virtual space (dedicated IPS/IDS or CX), along with the associated licensing and support. So for example, if you have the dedicated IDS/IPS running on the ASA, you would need to issue “sw-module module ips shutdown” followed by “sw-module module ips uninstall” prior to installing the ASA CX SSD drive and going forward with the ASA CX install as explained HERE.
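As an added example (not from the original post), here is what the ASA-side configuration looks like for each option: in both cases the ASA's policy map steers traffic into the service module, and only one module can be installed at a time. The class-map and policy-map names are placeholders of mine; global_policy is the ASA's default policy map.

```text
! Added example: ASA CLI fragments, not from the original post.
! Class-map names are placeholders; global_policy is the default ASA policy map.

! ---- Option 1: dedicated IPS software module ----
! Send all traffic through the IPS module inline. "fail-close" drops traffic if the
! module is down or being upgraded; "fail-open" would pass it uninspected. One is an
! availability risk, the other a security risk, so choose deliberately per site.
class-map IPS-TRAFFIC
 match any
policy-map global_policy
 class IPS-TRAFFIC
  ips inline fail-close
service-policy global_policy global
!
! Check the module state, then open its own CLI (the IPS has its own IP and is
! managed with IME, as described above):
show module ips details
session ips console

! ---- Option 2: ASA CX service module ----
! Same steering mechanism, different module keyword (cxsc). The CX policy itself
! (application control, reputation, NGIPS) is written in PRSM, not on the ASA.
class-map CX-TRAFFIC
 match any
policy-map global_policy
 class CX-TRAFFIC
  cxsc fail-close
service-policy global_policy global
!
show module cxsc details
session cxsc console

! ---- Migrating from option 1 to option 2 (the post's own commands) ----
! Remove the dedicated IPS module before installing the CX SSD and loading the
! CX image; the two cannot coexist on one appliance.
sw-module module ips shutdown
sw-module module ips uninstall
```

Note that "match any" inspects everything; if you narrow the class-map (for example to exclude management or VPN traffic), whatever falls outside it bypasses the module entirely, so review the class carefully.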
Regarding Cisco Prime Security Manager (PRSM), there is a local version that is free and accessed when you go to the IP address of the ASA CX (similar to accessing ASDM when going to the IP address of the ASA). There is also an external PRSM offering used for managing multiple ASAs and ASA CX installations. The local version of PRSM can configure and manage application layer features, reputation security and IDS / IPS. The external version of PRSM has ASA firewall configuration and management capabilities along with the local PRSM features. An example is pushing an ACL to multiple ASA appliances (ASA feature) along with blocking Netflix using a CX policy (CX feature). More feature parity between Cisco Security Manager (CSM) and external PRSM is scheduled for this year with the upcoming PRSM releases.
The million dollar question: Which ASA SSD option is right for you?
The answer depends on a few things, but a major factor is your requirement for IDS/IPS capabilities. The ASA CX with IPS/IDS option has approximately 80% of the signatures expected from a dedicated appliance. The ASA CX also doesn't have as many customization / tuning features as a dedicated IDS/IPS. That cost, however, could be outweighed by having visibility and enforcement of policy across all traffic layers (i.e. control things like Facebook gaming, block adult websites, identify iPads / Android tablets, know if a user is using Firefox, etc.) as well as the value of the new PRSM interface. For those desiring a very feature rich IDS/IPS, you would probably want an ASA with dedicated IPS, or check out the Sourcefire FirePOWER solution. For those looking for one appliance to provide stateful firewall, Remote Access VPN, Site-to-site VPN, Application Visibility, Reputation Security and IDS/IPS … the ASA with CX would be ideal for you.
Hopefully this helps clear some of the confusion.