ASA IPS Module Operation
The basic operation of the ASA IPS module is rather simple: Traffic comes into the ASA and goes through the initial ASA processes (e.g., VPN decryption, firewall policy). Traffic that is matched is then sent to the IPS module; traffic that is allowed to pass is returned from the IPS module and can be sent back out another ASA interface.
The ASA IPS module does offer two different operating modes that can be specified within the traffic-matching configuration; these include inline mode and promiscuous mode. While in inline mode, all matched traffic will be sent to the ASA IPS module and will not continue on through the ASA until it is returned from the module.
While in promiscuous mode, a copy of the matched traffic is sent to the ASA IPS module with the initial copy of the traffic continuing through the ASA; if the ASA IPS module finds that specific traffic matches one of the attack signatures, it will send a shun message to the ASA to block any future traffic matching the specific traffic characteristics.
The choice of which operating mode to use depends on the specific implementation. Although the inline mode is more secure, it can also have some effect on traffic throughput. The promiscuous mode is the opposite: being less secure but not affecting traffic throughput. The promiscuous mode operates in a similar way to a traditional IDS, whose alerts can retroactively be used to block future traffic.
Virtual Sensors
All the ASA models except the 5505 support virtual sensors; these sensors are used when multiple contexts are used within the ASA. Each context can be configured with a virtual sensor, and the matching IPS policy can be configured with individual ASA IPS module settings.