Using Virtual Sensors - Cisco PIX 500 Series Configuration Manual

Security appliance command line

Chapter 22
Managing the AIP SSM and CSC SSM

Using Virtual Sensors

The AIP SSM running IPS software Version 6.0 and above can run multiple virtual sensors, which means
you can configure multiple security policies on the AIP SSM. You can assign each context or single
mode security appliance to one or more virtual sensors, or you can assign multiple security contexts to
the same virtual sensor. See the IPS documentation for more information about virtual sensors, including
the maximum number of sensors supported.
Figure 22-3 shows one security context paired with one virtual sensor (in inline mode), while two
security contexts share the same virtual sensor.

every packet that you identify for inspection is analyzed before being allowed through. Also, the AIP
SSM can implement a blocking policy on a packet-by-packet basis. This mode, however, can affect
throughput.

Promiscuous mode—This mode sends a duplicate stream of traffic to the AIP SSM. This mode is
less secure, but has little impact on traffic throughput. Unlike the inline mode, in promiscuous mode
the AIP SSM can only block traffic by instructing the adaptive security appliance to shun the traffic
or by resetting a connection on the adaptive security appliance. Also, while the AIP SSM is
analyzing the traffic, a small amount of traffic might pass through the adaptive security appliance
before the AIP SSM can shun it.

Figure 22-2 shows the AIP SSM in promiscuous mode. In this example, the AIP SSM sends a shun
message to the security appliance for traffic it identified as a threat.

Figure 22-2 AIP SSM Traffic Flow in the Adaptive Security Appliance: Promiscuous Mode
(Figure labels: Security Appliance, Main System, inside, outside, Firewall Policy, VPN Policy,
IPS inspection, Backplane, AIP SSM, Copied Traffic, Shun message)

Cisco Security Appliance Command Line Configuration Guide, OL-12172-03
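The following configuration sketch is an added example, not part of the original manual page. It lays out the arrangement described for Figure 22-3 (one context with its own virtual sensor in inline mode, two contexts sharing a second sensor) using the ASA `allocate-ips` and `ips` commands. The context names, sensor names, mapped names, access list and class/policy names are assumptions, and the virtual sensors are assumed to exist already on the AIP SSM.

```cisco
! --- System execution space (multiple context mode) ---
! Assign virtual sensors to contexts. All names are illustrative.
! Other required context settings (interfaces, config-url) are omitted.
context ctx1
  allocate-ips sensor1 ips1 default
context ctx2
  allocate-ips sensor2 ips2 default
context ctx3
  allocate-ips sensor2 ips2 default

! --- Inside context ctx1: inline mode ---
! Matched packets are analyzed by the AIP SSM before being allowed through,
! so the module can block packet by packet, at some cost in throughput.
access-list IPS-TRAFFIC extended permit ip any any
class-map ips-class
  match access-list IPS-TRAFFIC
policy-map ips-policy
  class ips-class
    ! fail-close (a keyword of the ips command, not described on this page):
    ! block matched traffic if the AIP SSM is unavailable.
    ips inline fail-close sensor ips1
service-policy ips-policy global

! --- Inside contexts ctx2 and ctx3: promiscuous mode (same lines in each) ---
! The AIP SSM receives a copy of the traffic. It can only ask the appliance
! to shun or reset, so a small amount of traffic may pass before the shun.
access-list IPS-TRAFFIC extended permit ip any any
class-map ips-class
  match access-list IPS-TRAFFIC
policy-map ips-policy
  class ips-class
    ! fail-open: pass matched traffic uninspected if the AIP SSM is unavailable.
    ips promiscuous fail-open sensor ips2
service-policy ips-policy global
```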


This manual is also suitable for: ASA 5500 series
