The IPS module is often referred to as the SSM or Security Service Module. It occupies the network module slot on the right-hand side of the ASA, as seen in the photo below. The exact module will vary depending on your ASA hardware configuration. Simply put, the IPS module is an inline Linux appliance configured specifically for monitoring traffic based on signatures provided by Cisco. The IPS module comes with an out-of-band management port which is used for management, downloading global correlation data, signature updates, and license requests.
Signatures
The IPS or SSM module makes decisions about traffic based on the signatures it knows about and that the system administrator has enabled. Signatures come in three severity levels:
- High
- Medium
- Low
Cisco Signature Services For IPS
The basic ASA configuration for the IPS module. The access-list alone does nothing; a class-map must reference it so the policy-map class has something to match on. Note that "fail-open" means traffic keeps flowing uninspected if the module goes down; "fail-close" blocks it instead.
ASA#configure terminal
ASA(config)#access-list IPS extended permit ip any any
ASA(config)#class-map IPS
ASA(config-cmap)#match access-list IPS
ASA(config-cmap)#exit
ASA(config)#policy-map global_policy
ASA(config-pmap)#class IPS
ASA(config-pmap-c)#ips inline fail-open
ASA(config-pmap-c)#exit
ASA(config-pmap)#exit
ASA(config)#exit
ASA#
At this point we're ready to session into the IPS module to complete the setup. First confirm the module is up:
ASA#show module | include Up
1 IPS Up 7.0(6)E4
0 Up Sys Not Applicable
1 Up Up
At this point you have a couple of options when setting up the IPS module. After you session into the module you can simply run the setup script, or you can manually configure the IPS module. I'll demonstrate a few of the manual configuration steps.
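As an added example (this is not from the original post and is not Cisco's code), here is a Python script that checks the two things set up so far from saved CLI output: that the ASA actually redirects traffic to the module (a class-map with a match statement, and a class under a policy-map carrying an "ips" action), and that "show module" reports the IPS application as Up. The running-config and show-module text below are constructed samples in the same shape as the post; the script also flags "fail-open", because that keyword means traffic bypasses inspection while the module is down. The function and constant names are my own.

```python
"""Audit an ASA running-config and 'show module' output for the IPS (SSM) redirect policy.

Added example, not from the original post. SAMPLE_CONFIG and SAMPLE_SHOW_MODULE
are constructed to match the shapes shown in the post.
"""
import re
from typing import Dict, List

# Constructed sample: the relevant part of an ASA running-config after the post's steps.
SAMPLE_CONFIG = """\
access-list IPS extended permit ip any any
class-map IPS
 match access-list IPS
policy-map global_policy
 class inspection_default
  inspect dns
 class IPS
  ips inline fail-open
service-policy global_policy global
"""

# Constructed sample: 'show module | include Up' output in the post's format.
SAMPLE_SHOW_MODULE = """\
1 IPS Up 7.0(6)E4
0 Up Sys Not Applicable
1 Up Up
"""


def parse_classmaps(config: str) -> Dict[str, List[str]]:
    """Return class-map name -> list of its 'match' lines."""
    cmaps: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"class-map (\S+)", line)
        if m:
            current = m.group(1)
            cmaps[current] = []
            continue
        if current and line.startswith(" match "):
            cmaps[current].append(line.strip())
        elif not line.startswith(" "):
            current = None  # left the class-map block
    return cmaps


def parse_ips_policy(config: str) -> Dict[str, str]:
    """Return class name -> 'ips ...' action line found under any policy-map."""
    result: Dict[str, str] = {}
    in_pmap = False
    current_class = None
    for line in config.splitlines():
        if line.startswith("policy-map "):
            in_pmap, current_class = True, None
            continue
        if not line.startswith(" "):
            in_pmap, current_class = False, None  # top-level command ends the policy-map
            continue
        if in_pmap:
            m = re.match(r" class (\S+)", line)
            if m:
                current_class = m.group(1)
            elif current_class and line.strip().startswith("ips "):
                result[current_class] = line.strip()
    return result


def audit_ips_config(config: str) -> List[str]:
    """Return a list of findings; an empty list means the redirect policy is sound."""
    findings: List[str] = []
    cmaps = parse_classmaps(config)
    policies = parse_ips_policy(config)
    if not policies:
        findings.append("no 'ips' action under any policy-map: traffic is not redirected to the module")
        return findings
    for cls, action in policies.items():
        if cls not in cmaps:
            findings.append(f"policy class {cls} has no class-map; the 'ips' action never matches")
        elif not any("match " in m for m in cmaps[cls]):
            findings.append(f"class-map {cls} has no match statement")
        if "fail-open" in action:
            findings.append(f"class {cls}: 'fail-open' lets traffic bypass inspection when the module is down")
        if "inline" not in action:
            findings.append(f"class {cls}: promiscuous mode only monitors; it cannot drop traffic")
    return findings


def ips_module_is_up(show_module: str) -> bool:
    """True if the filtered 'show module' output reports the IPS application as Up."""
    for line in show_module.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[1] == "IPS" and fields[2] == "Up":
            return True
    return False


if __name__ == "__main__":
    print("IPS module up:", ips_module_is_up(SAMPLE_SHOW_MODULE))
    for finding in audit_ips_config(SAMPLE_CONFIG):
        print("finding:", finding)
```

Run it against text pasted from "show running-config" and "show module | include Up"; the only finding on the sample is the fail-open warning, which is a deliberate trade-off (availability over inspection) rather than a misconfiguration, so treat it as a review item.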
The Basic IPS Module Configuration
ASA#session 1
Login:cisco
Password:cisco
sensor#configure terminal
sensor(config)#service interface
sensor(config-if)#physical-interfaces gigabitEthernet0/0
sensor(config-if-phy)#speed 100
sensor(config-if-phy)#duplex full
sensor(config-if-phy)#exit
sensor(config-if)#exit
sensor(config)#
sensor(config)#service host
sensor(config-host)#network-settings
sensor(config-host-net)#host-name IPS
IPS(config-host-net)#host-ip 172.16.1.10 255.255.255.0
IPS(config-host-net)#exit
IPS(config-host)#exit
IPS(config)#
Configuring the Analysis Engine Service
IPS(config)#service analysis-engine
IPS(config-ana)#virtual-sensor vs0
IPS(config-ana-vir)#description Virtual Sensor 0
IPS(config-ana-vir)#anomaly-detection
IPS(config-ana-vir-ano)#anomaly-detection-name detect
IPS(config-ana-vir-ano)#operational-mode learn
IPS(config-ana-vir-ano)#exit
IPS(config-ana-vir)#exit
IPS(config-ana)#exit
IPS(config)#exit
IPS#
Management Options
- Direct access via HTTPS
- Direct access via SSH
- IPS Manager Express
So in closing, it's very important that the IPS management interface is able to download the necessary signatures from Cisco, so that the virtual sensor vs0 can analyze the traffic, look for anomalies or signature matches, and take the appropriate action. If you're running a proxy or SPAN in your environment, be sure to exclude the IPS module. If you're running your IPS management software, such as IPS Manager Express, on a Windows server, be sure to exclude it from AV scans or disable them altogether. So you have to ask yourself: how much do I really want to know about my network, or how much do I want to ignore..?