Virtualization – ASA vs. IPS

Many of the students I teach in the Cisco Intrusion Prevention Systems (IPS 6.0) class attend because they have procured an ASA security appliance with the AIP-SSM, the Advanced Inspection and Prevention Security Services Module. Many of these students have also recently attended the Securing Networks with ASA Fundamentals (SNAF) class.

While each class discusses the topic of virtualization, neither offers a comparison of how the ASA and IPS platforms implement it, so I have been offering the "chalk talk" table shown below:

Feature                    ASA (security contexts)                       IPS 6.0 (virtual sensors)
Licensing                  Licensed feature; base license = 2,           Bundled; no extra cost,
                           up to 50 on upper-end models                  maximum of 4
Admin domains              Separate; a login can see only its context    None; an administrator sees all
Configuration storage      One file per context (config-url)             Single current-config file
Interface allocation       802.1Q subinterfaces; sharing allowed         802.1Q subinterfaces; no sharing

Let's look at the features in this table one by one. First, on the ASA virtualization is a licensed feature: the base license allows only two security contexts, and the upper-end models can support up to 50. On the IPS sensor, by contrast, virtualization is bundled, so additional virtual "instances" carry no additional procurement expense. The trade-off is that the IPS sensor supports at most four virtual sensors.

A feature of the ASA that some administrators find attractive is the ability to segregate the appliance into separate administrative domains. A member of the IT staff can establish an SSH session to one context of the ASA and see only the subset of physical or logical interfaces allocated to that context. By contrast, anyone logging into either the CLI or the GUI of the IPS sensor with administrator privilege has access to ALL virtual sensors.

On the ASA, each virtual firewall (security context) is maintained in its own separate configuration file; on the IPS sensor, a single configuration file holds all virtual sensors. The ASA context configuration files can be kept on an external server and retrieved from the config-url location specified in the system configuration. The IPS sensor, however, uses only its default current-config file.

Finally, one characteristic the two implementations share is the way interfaces are allocated to virtual instances. Both the ASA and the IPS allow logical subinterfaces carrying 802.1Q VLANs, but the IPS sensor does not allow an interface to be shared between virtual sensors, whereas the ASA does allow an interface to be shared between virtual firewalls.
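To make the ASA side of the last three rows concrete, here is an added example of an ASA system-execution-space configuration (my illustration, not from the original article or from Cisco documentation): three contexts, each with its own configuration file, one of them fetched from an external server via config-url, 802.1Q subinterfaces allocated to individual contexts, and one physical interface deliberately shared between two contexts. The hostname, context names, VLAN IDs, and the 192.0.2.10 TFTP server are assumptions chosen for illustration. No IPS counterpart is shown, since the IPS sensor keeps all four virtual sensors in one current-config and cannot share an interface between them.

```cisco
! System execution space of an ASA in multiple-context mode.
! 'mode multiple' converts the appliance and requires a reload.
hostname asa-edge
mode multiple

! Physical uplink that will be SHARED by two contexts (allowed on ASA,
! not possible between IPS virtual sensors).
interface GigabitEthernet0/0
 no shutdown

! Trunk toward the inside; one 802.1Q subinterface per tenant.
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.10
 vlan 10
interface GigabitEthernet0/1.20
 vlan 20

! Let the ASA generate distinct MAC addresses for the shared interface
! so each context's traffic on Gi0/0 is classified correctly.
mac-address auto

! The admin context; its config lives locally on flash.
admin-context admin
context admin
  allocate-interface GigabitEthernet0/0
  config-url disk0:/admin.cfg

! Tenant 1: shares the outside uplink, owns VLAN 10, stores its
! configuration on an external TFTP server (assumed address).
context sales
  allocate-interface GigabitEthernet0/0 outside
  allocate-interface GigabitEthernet0/1.10 inside visible
  config-url tftp://192.0.2.10/sales.cfg

! Tenant 2: shares the same outside uplink, owns VLAN 20, config on flash.
context eng
  allocate-interface GigabitEthernet0/0 outside
  allocate-interface GigabitEthernet0/1.20 inside visible
  config-url disk0:/eng.cfg
```

An administrator who logs in directly to the sales context sees only the interfaces allocated to it (outside and inside), which is the separate-administrative-domain behaviour described above. One caveat a practitioner will want to note: TFTP carries the context configuration in the clear with no authentication, so on a production ASA the external config-url is better pointed at an https:// or ftp:// location, or kept on disk0:, and the system context login that controls config-url should be guarded accordingly.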

Author: Doug McKillip
