CISCO ASA 5500 SERIES FIREWALL MODULES &

CARDS CONTENT SECURITY (CSC-SSM), IPS - IDS

(AIP SCC & AIP SSM) HARDWARE MODULES
WRITTEN BY ADMINISTRATOR. POSTED IN CISCO FIREWALLS - ASA & PIX FIREWALL CONFIGURATION

511111 Rating 5.00 (5 Votes)

inShare

Ciscos
Adaptive
Security
Appliance (ASA) Firewalls are one of the most popular and proven security solutions in the industry. Since
the introduction of the PIX and ASA Firewall into the market, Cisco has been continuously expanding
its firewall security features and intrusion detection/prevention capabilities to adapt to the evolving
security threats while integrating with other mission-critical technologies to protect corporate
networks and data centers.
In recent years, weve seen Cisco tightly integrate separate security technologies such as Intrusion
Prevention Systems (IPS) and Intrusion Detection Systems (IDS) within the ASA Firewall appliances in
the form of hardware module add-ons (older 5500 series & newer 5500-X series) and, recently, software
modules supported only by the newer ASA 5500-X series security appliances.
With the addition of the software or hardware module, customers are able to increase the firewalls
security and
protection capabilities
while
at the
same time
simplifing
security
management and administration by dealing with a single firewall device instead of multiple firewall, IPS
or IDS devices.
While this article covers the hardware modules available for the Cisco ASA 5500 Firewall series,
upcoming articles will cover bothsoftware and hardware modules along with Cisco
FirePOWER & FireSIGHT management services for the newer ASA 5500-X series.
Note: The Cisco ASA 5500 series hardware modules for ASA-5505, ASA 5510, ASA 5520 & ASA 5540
have been announced asEnd-of-Sale & End-of-Life. Modules below are no longer sold by Cisco,
however, they will be fully supported until 30th of September 2018.
Users interested in the newer ASA 5500-X IPS, Context-Aware and FirePOWER services can read our
article Cisco ASA 5500-X Series Firewall with IPS, ASA CX & FirePower Services. Application Visibility
and Control (AVC), Web Security, Botnet Filtering & IPS / IDS.

HARDWARE MODULES FOR ASA 5500 SERIES FIREWALLS

The ASA 5500 series Firewalls (ASA-5505, ASA 5510, ASA 5520, ASA 5540 etc) were the first security
appliances with the capability to integrate hardware modules for enhanced security and threat protection.
To help target different markets and security requirements, Cisco split its hardware module offerings into
two distinct categories:

Content Security and Control Security Services (CSC-SSM)

Advanced Inspection and Prevention Security Services (AIP-SCC & AIP-SSM)

Each hardware module card is equipped with its own CPU, RAM and Flash storage space, running a
separate operating system that integrates with the ASA Firewall via its internal network ports.
Lets take a brief look at each category.

THE CONTENT SECURITY AND CONTROL SECURITY

SERVICES MODULES
The Content Security and Control Security Services module aims to cover corporate environments
where comprehensive malware, advanced content filtering (including Web Caching, URL filtering, antiphishing), and anti-spam filtering is required. This all-in-one hardware module solution is capable of
providing a wealth of security and control capabilities essential for all size networks.
Following are the hardware modules supporting Content Security and Control Security Services:

CSC-SSM-10: For ASA 5510 & ASA 5520. Initial support for 50 users, upgradable up to 500 users

CSC-SSM-20: For ASA 5510, ASA 5520 & ASA 5540. Initial support for 500 users, upgradable up to
1000 users
The CSC-SSM-10 & CSC-SSM-20 modules look identical. Shown below is the CSC-SSM-20 module:

Figure 1. The Cisco CSC-SSM-20 hardware module for the ASA 5500 series Firewalls
Users requiring additional information on the Cisco CSC-SSM modules, including features, hardware
specifications, licenses, and support contracts (Smartnet), can download the Cisco ASA 5500

Series Content Security and Control Security Services datasheet from ourCisco ASA 5500 Product
Datasheets and Guides download section.

THE ADVANCED INSPECTION AND PREVENTION SECURITY

SERVICES MODULES
The Advanced Inspection and Prevention Security Services modules combine IPS and IDS threat
protection with mitigation services aiming to protect and stop malicious traffic before it can affect the
network. Updates for the modules occur up to every 5 minutes, ensuring real-time updates and effective
protection from zero-day attacks.
Cisco ASA Firewall customers can choose between the following Advanced Inspection and Prevention
Security Service modules depending on their ASA hardware platform:

AIP SCC-5:For ASA 5505. 1 Virtual sensor. 75Mbps concurrent threat mitigation throughput.

AIP SSM-10: For ASA 5510 & ASA 5520. 4 Virtual sensors. Up to 225Mbps concurrent threat mitigation
throughput depending on ASA model.

AIP SSM-20: For ASA 5520 & ASA 5540. 4 Virtual sensors. Up to 500Mbps concurrent threat mitigation
throughput depending on ASA model.

AIP SSM-40: For ASA 5520 & ASA 5540. 4 Virtual sensors. Up to 650Mbps concurrent threat mitigation
throughput depending on ASA model.

Figure 2. The Cisco ASA Firewall AIP SSC-5, AIP SSM-20 and AIP SSM40 IPS hardware modules
Users requiring additional information on the Cisco AIP SSC-5 & AIP-SSM modules, including features,
hardware specifications, licenses, and support contracts (Smartnet), can download the Cisco ASA 5500
Series Advanced Inspection and Prevention Security Services module and card datasheet from
our Cisco ASA 5500 Product Datasheets and Guides download section.

CONCLUSION
The ASA 5500 Firewall series hardware modules offer a substantial number of network security
enhancements making them ideal for corporate environments with sensitive data, in-house webservers
and multiple VLANs & VPN networks. Their ability to provide advanced malware threat protection, URL

filtering and IPS / IDS services make them the ideal upgrade for any ASA 5500 series Firewall adding true
value to protecting and mitigating security threats.