AIP-SSM Module

The Cisco ASA Security Appliance series supports the Advanced Inspection and Prevention
Security Services Module (AIP-SSM). The AIP-SSM comes in two models: the AIP-SSM-10
and the AIP-SSM-20. Both function the same way, support the same features, and look
identical; the only difference is that the AIP-SSM-20 has a faster processor and more memory
than the AIP-SSM-10. The AIP-SSM uses two physical channels to communicate with the
Security Appliance. All Intrusion Prevention System (IPS) data traffic is carried over a Gigabit
Ethernet interface that connects the AIP-SSM to the Security Appliance, while the control
traffic between the module and the Security Appliance travels over a separate internal 10/100
Ethernet interface. The AIP-SSM also has an external 10/100/1000 Ethernet management
port that is used primarily for software upgrades and for management access from the Cisco
Adaptive Security Device Manager (ASDM). The AIP-SSM inspects the full packet content,
the headers as well as the payload, which allows it to inspect Layers 3 through 7.
The AIP-SSM can monitor traffic in one of two ways. In promiscuous mode, the Security
Appliance sends the AIP-SSM a copy of the traffic, and the module inspects the copy rather
than the live flow. Because the live traffic is never touched, inspection cannot delay or disrupt
the actual flow of traffic through the Security Appliance. The trade-off is reduced
effectiveness of the IPS service: the AIP-SSM cannot react to a flow instantly, so malicious
packets may already have passed before the AIP-SSM applies the action assigned to the
attack. To have the AIP-SSM prevent attacks directly, inline mode must be used.
In inline mode the live traffic flows pass through the AIP-SSM, which monitors and inspects
them directly. If an attack is detected, the packets found to be malicious, as well as the
remaining packets in that traffic flow, are dropped by the AIP-SSM before they enter the
protected network.
The Security Appliance can also be told how to handle traffic when the AIP-SSM itself fails or
is unavailable, for example during a module reboot or software upgrade. In fail-open mode, the
Security Appliance continues to forward the traffic flows without IPS inspection, so malicious
packets may pass through unhindered. In fail-close mode, the Security Appliance drops all
traffic flows that have been configured to use the AIP-SSM IPS service. This means that all
traffic that must pass through the AIP-SSM is held at the Security Appliance until the module
is back online.
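The following Security Appliance configuration fragment is an added example, not part of the original text, showing how the mode (promiscuous or inline) and the failure behavior (fail-open or fail-close) described above are selected with the ips command in a Modular Policy Framework class. The access-list and class-map names (IPS_TRAFFIC, IPS_CLASS) are assumed names chosen for the example; global_policy is the appliance's default global policy.

```text
! Select which traffic is diverted to the AIP-SSM. This example sends all IP
! traffic (assumed ACL name IPS_TRAFFIC); narrow it to what actually needs
! inspection in a real deployment.
access-list IPS_TRAFFIC extended permit ip any any
!
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
policy-map global_policy
 class IPS_CLASS
  ! Inline inspection: live flows pass through the module, so packets found
  ! malicious can be dropped before they enter the network. If the module is
  ! down, keep forwarding this traffic without inspection (fail-open).
  ips inline fail-open
  !
  ! Alternatives (a class carries a single ips line; pick one):
  !  ips promiscuous fail-open   copy-only inspection, live traffic never touched
  !  ips inline fail-close       drop matched traffic while the module is down
!
service-policy global_policy global
```

After applying the policy, show module (for example show module 1 for a module in slot 1) reports the module status; traffic is only inspected while it reads Up, and with fail-close configured the matched traffic is dropped at the appliance for as long as it does not. Fail-open trades protection for availability, fail-close the reverse; choose per class according to what the traffic in that class is worth.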