Network IPS Buyer's Guide: Cisco - Page 2
Cisco battles threats by embedding IPS in switches, routers, firewalls, and appliances.
Cisco stretches performance beyond this in other portions of its NIPS portfolio, reaching up to 10 Gbps. "Until recently, hardware was not quite where we felt we could provide IPS in the firewall at a market-competitive price and deliver performance. That's why we provided IPS as add-on hardware -- a blade that slid into a shared backplane. Today, we have 7 different options for plugging IPS into an ASA 5500 firewall chassis." At the low end, Cisco sells a 75 Mbps SSP-10 card that slides into an ASA 5585-X chassis. At the high end, a Cisco SSP-60 can achieve concurrent (firewall + IPS) threat mitigation throughput of up to 10 Gbps.
For switching environments, Cisco offers an IDS Services Module (IDSM-2) that fits into a Cisco Catalyst 6500 -- a blade that slides into the switch chassis and integrates with the backplane. IDSM-2 performance ranges from 500 Mbps (in-line IPS) to 600 Mbps (passive IDS). Up to 8 blades per chassis can be used to inspect a total of 4 Gbps.
"In the router space, we offer both a network module that plugs into an ISR router slot and a card that can be inserted into an ISR chassis," said Carskadden. The AIM-IPS-K9 can be used with Cisco 1841 and Cisco 2800 and 3800 Series Integrated Services Routers to reach rates up to 45 Mbps. The newer NME-IPS-K9 can be paired with Cisco 2811, 2821, 2851, 3825, 3845, 2911, 2921, 2951, 3925 and 3945 Integrated Services Routers to reach rates up to 75 Mbps. Both run the same Cisco IPS software, delivering the same NIPS features found in other members of this product portfolio.
Choosing the right form factor
Carskadden sees NIPS deployment occurring in two major areas: at the edge and in the data center.
"We see a lot of interest at the edge, through deployment of an IPS appliance or a firewall. Use cases there are similar because you're drawing a line of demarcation. There is also a mentality that goes with edge deployment: looking across broad sets of applications and protocols and the vulnerabilities associated with them," said Carskadden. "You might think of this as putting IPS at the open end of a funnel."
By comparison, IPS deployed in a data center is much more focused and narrow. "You are physically and logically closer to the assets that you want to protect, and that makes you much more specific about the signatures that you want to put into place," explained Carskadden. "That frees us to look deeper for SQL injection or database abuse -- because traffic is more specific, we can be more specific in signatures and engines deployed." Typically, data centers are appliance or switch-based IPS deployments, although Carskadden said that Cisco's new high-throughput firewall is also seeing use there.
Finally, running IPS on an ISR router tends to be more of a branch office or SMB solution -- making that one multi-service network platform do more, without requiring yet another box to provision and maintain. When used in an ISR router, IPS can be applied to any routed WAN link (e.g., T1/E1, T3/E3, Ethernet, xDSL, MPLS, 3G). Note that IPsec and SSL VPN traffic arriving from the WAN must be inspected after decryption: while it is still inside the tunnel, the sensor sees only ciphertext and cannot match signatures against it, so the inspection point must sit on the cleartext side of the VPN termination.