An Intrusion Detection System, as we know, can work either in inline mode (IPS) or in promiscuous mode (IDS). In inline mode, the IPS sensor can detect and block attacks by itself, since all traffic passes through the sensor. In promiscuous mode, however, the IDS sensor cannot block attacks by itself and has to instruct the firewall to block the attack. This is depicted in the diagram below.

The IDS sensor in our example is connected in “parallel” (not inline) with the ASA firewall. The “Sensing Interface” of the IDS appliance is connected to the outside (Internet) network zone and continuously monitors traffic to detect attacks. The “Control Interface” of the IDS appliance is connected to the inside network zone and is used to communicate with the ASA firewall. If an attack is detected (e.g. an attacker at address 100.100.100.1 is sending malicious traffic to a victim at address 200.200.200.1), the IDS sensor instructs the ASA firewall (over the “Control Interface”) to block the attacking connection. It does this by asking the firewall to apply the “shun” command to the connection.

What is a “shun” command:

The shun command on the ASA Firewall appliance is used to block connections from an attacking host. Packets matching the values in the command are dropped and logged until the block is removed, either manually or by the Cisco IDS sensor.

The format of the command is as follows:

ASA# shun [source IP] [destination IP] 

In our example scenario above, the IDS sensor will instruct the firewall to apply the following shun command:

shun 100.100.100.1 200.200.200.1

The above blocks all communication from the attacker to the victim. Cisco IPS/IDS sensors have a timer with which you define how long the shun will remain active; after that time, the sensor removes the command.
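To make the promiscuous-mode workflow concrete, here is an added example (not code from the original post or from Cisco) that simulates the sensor side: it parses constructed alert lines, emits the ASA shun command in the format shown above for each new attacker/victim pair, and, when the sensor's block timer expires, emits the removal command. The alert line format, the timer value and the refresh-on-repeat behaviour are assumptions of this example; the removal command uses the standard ASA form `no shun <source IP>`.

```python
"""Added example: turn IDS alerts into ASA shun commands and expire them.

The alert format, timer and sample data are constructed for this example.
The commands produced follow the ASA CLI: "shun <src> <dst>" and "no shun <src>".
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample alerts: "<epoch seconds> <attacker> -> <victim> <signature>"
SAMPLE_ALERTS = """\
1000 100.100.100.1 -> 200.200.200.1 SYN-flood
1005 100.100.100.1 -> 200.200.200.1 SYN-flood
1010 10.0.0.7 -> 200.200.200.2 port-sweep
"""

ALERT_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)$")


@dataclass
class ShunEntry:
    source: str
    dest: str
    expires_at: int  # epoch seconds at which the sensor removes the shun


class ShunController:
    """Tracks active shuns and produces the CLI lines the sensor would send to the ASA."""

    def __init__(self, block_seconds: int) -> None:
        self.block_seconds = block_seconds
        self.active: dict[tuple[str, str], ShunEntry] = {}

    def on_alert(self, line: str) -> str | None:
        """Return a shun command for a new attacker/victim pair, or None if already shunned."""
        m = ALERT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable alert: {line!r}")
        ts_text, src, dst, _signature = m.groups()
        ts = int(ts_text)
        # Validate both addresses so a malformed alert can never become a bad CLI command.
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        key = (src, dst)
        entry = self.active.get(key)
        if entry is not None and entry.expires_at > ts:
            # Example's choice: a repeat alert refreshes the timer, no second command is sent.
            entry.expires_at = ts + self.block_seconds
            return None
        self.active[key] = ShunEntry(src, dst, ts + self.block_seconds)
        return f"shun {src} {dst}"

    def expire(self, now: int) -> list[str]:
        """Remove every shun whose timer has run out and return the removal commands."""
        removed: list[str] = []
        for key, entry in list(self.active.items()):
            if entry.expires_at <= now:
                del self.active[key]
                removed.append(f"no shun {entry.source}")
        return removed


def process_alerts(alert_text: str, block_seconds: int, now: int) -> list[str]:
    """Feed alert lines through the controller, then run the expiry pass at `now`."""
    ctl = ShunController(block_seconds)
    commands: list[str] = []
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        cmd = ctl.on_alert(line)
        if cmd:
            commands.append(cmd)
    commands.extend(ctl.expire(now))
    return commands


if __name__ == "__main__":
    for cmd in process_alerts(SAMPLE_ALERTS, block_seconds=30, now=1036):
        print(cmd)
```

Running it prints the two shun commands for the distinct attacker/victim pairs and, because the first pair's refreshed timer has run out by 1036, one `no shun` for it. In a real deployment the strings would go to the ASA over the control interface; keeping command generation separate from transport is what makes the logic testable.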

Which Cisco ASA Models support the IPS Module?

As we mentioned in previous posts, the Cisco ASA 5500 appliance supports an Intrusion Detection/Intrusion Prevention plug-in module (AIP-SSM). However, not all models support it. Specifically, only the mid-range models do. The lowest-end model (5505) and the highest-end models (5550, 5580) do not support the AIP-SSM IPS module.

ASA Models that support IPS Module:

  • Cisco ASA 5510
  • Cisco ASA 5520
  • Cisco ASA 5540

Basically, the ASA 5505 cannot support the AIP-SSM because of its small size. The 5550 cannot support the module because its hardware is occupied by many more integrated network ports than the other models (it has eight 10/100/1000 ports and four Gigabit SFP ports). The highest-end 5580 does not support the module because an inline IPS module in the 5580 would decrease its packet forwarding performance (remember that the 5580 is usually used in high-traffic environments).

The Cisco Adaptive Security Appliance (ASA) is not just a hardware firewall, as many people think. Of course the firewall mechanism is the main functionality of the device, but the extension hardware modules that you can add on can transform the appliance into a content security, intrusion prevention, or SSL/IPsec VPN device.

Firewall

This is the main functionality, which is based on the proven PIX appliance technology. Cisco ASA 5500 provides advanced application-aware firewall services with identity-based access control, denial of service (DoS) attack protection, and much more.

Unified Communications Security

The Cisco ASA 5500 delivers unified communications security services with intelligent application inspection for voice/video over IP and IP Telephony traffic, protecting against denial of service (DoS), rogue phone callers, and much more.

SSL/IPsec VPN

This is a built-in functionality of the appliance that needs no extra hardware modules. The Cisco VPN solution on the ASA appliance offers clientless SSL VPN or IPsec VPN (LAN-to-LAN and remote access).

Intrusion Prevention

This is a signature-based, full-featured Intrusion Prevention module that can be added in one of the device’s SSM slots (AIP-SSM = Advanced Inspection and Prevention – Security Services Module), thus transforming the device into an integrated firewall and IPS appliance. The IPS module incorporates powerful, high-performance zero-day protection against threats including application and operating system vulnerabilities, directed attacks, worms, and other forms of malware.

Content Security

Again, this is an add-on module (CSC-SSM = Content Security and Control – Security Services Module) which delivers powerful content security services including URL filtering, anti-phishing, anti-spam, antivirus, anti-spyware, and content filtering.