Operating Modes - Cisco 5510 - ASA SSL / IPsec VPN Edition Getting Started Manual


Chapter 13
Configuring the AIP SSM

Operating Modes

78-19186-01
Figure 13-1: AIP SSM Traffic Flow in the Adaptive Security Appliance: Inline Mode
You can send traffic to the AIP SSM using one of the following modes:

Inline mode—This mode places the AIP SSM directly in the traffic flow (see Figure 13-1). No traffic that you identified for IPS inspection can continue through the adaptive security appliance without first passing through, and being inspected by, the AIP SSM. This mode is the most secure because every packet that you identify for inspection is analyzed before being allowed through. Also, the AIP SSM can implement a blocking policy on a packet-by-packet basis. This mode, however, can affect throughput.

Promiscuous mode—This mode sends a duplicate stream of traffic to the AIP SSM. This mode is less secure, but has little impact on traffic throughput. Unlike the inline mode, in promiscuous mode the AIP SSM can only block traffic by instructing the adaptive security appliance to shun the traffic or by resetting a connection on the adaptive security appliance. Also, while the AIP SSM is analyzing the traffic, a small amount of traffic might pass through the adaptive security appliance before the AIP SSM can shun it.
Figure 13-2 shows the AIP SSM in promiscuous mode. In this example, the AIP SSM sends a shun message to the adaptive security appliance for traffic it identified as a threat.
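On the security appliance CLI, the mode is chosen by the ips action inside a Modular Policy Framework policy. The configuration below is an added example, not taken from this guide: the access list, class map and policy map names and the sample subnet are hypothetical, and the fail-close/fail-open keyword (what the appliance does with matched traffic when the AIP SSM is unavailable) is not covered on this page.

```cisco
! Added example. IPS_TRAFFIC, IPS_CLASS, IPS_INLINE and IPS_PROMISC are
! hypothetical names; 10.1.1.0/24 is a constructed sample subnet.
!
! Identify the traffic that must be inspected by the AIP SSM.
access-list IPS_TRAFFIC extended permit ip any 10.1.1.0 255.255.255.0
!
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! Inline mode: matched packets are diverted to the AIP SSM and only
! continue after inspection. fail-close drops matched traffic if the
! module is down, so nothing bypasses inspection during an outage.
policy-map IPS_INLINE
 class IPS_CLASS
  ips inline fail-close
!
! Promiscuous mode: the AIP SSM receives a copy of matched packets and
! can only react with a shun or a connection reset, so some traffic may
! pass before it acts. fail-open keeps traffic flowing if the module is down.
policy-map IPS_PROMISC
 class IPS_CLASS
  ips promiscuous fail-open
!
! Apply one of the two policies to the interface facing the threat.
service-policy IPS_INLINE interface outside
```

After applying the policy, show service-policy on the appliance reports packet counters for the IPS action, which confirms that the class is matching the intended traffic.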
Cisco ASA 5500 Series Getting Started Guide
Understanding the AIP SSM