Newbie Questions

Answered Question
Apr 4th, 2008

I have just been given a project which includes installing and configuring some IPS 4240 devices. I have used the IPS modules in ASA devices in the past, but the dedicated devices are new to me. Therefore I have a couple of really basic questions.

1 - Are these devices purely IPS, or do they perform IDS tasks as well if correctly configured?

2 - Where in the data path should they be placed? My solution is web hosting with a firewall, load balancer and IPS.

3 - Do the IPS devices operate at L2 or L3?


Mark,

These devices are pretty much an identical copy of the version you've already experienced in the ASA, as far as configuration and management go.

1 - These will, though, give you the ability to run a promiscuous port or group of ports.

2 - Ultimately you'd want an IPS on the outside/inside and any DMZ interface. But that is pricey, so my suggestion would be the internal side of the firewall. You'll want all of your traffic to be running through it. If you decide to create paired interfaces, you could set up one pair on the outside and one pair on the inside... and just go crazy with it!

3 - The IPS actually looks inside each packet, so I believe it goes beyond layer 3. The IPS has an Application Inspection Engine, so it actually works all the way up to layer 7.

mark.j.hodge Tue, 04/08/2008 - 08:43

I have done a little more reading on this, and have another question. The IPS Data Sheet

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/ps9157/product_data_sheet09186a008014873c_ps4077_Products_Data_Sheet.html

states that the IPS 4240 supports "Automated hardware Fail Open" with third-party products.

Does this mean that if the power fails it will revert to acting as a pass-through cable?

And what are the "third-party products"?

Correct Answer
marcabal Tue, 04/08/2008 - 10:36

The IPS-4240 can be used in conjunction with a ByPass Switch from either NetOptics or ShoreMicro.

The ByPass Switch would be plugged in between 2 networking devices (typically between a firewall or router and a switch).

There are then 2 additional ports on the ByPass Switch that are then connected to 2 ports of the sensor.

The 2 sensor ports need to be configured as an InLine Interface Pair.

If the sensor is passing traffic, then traffic coming in from the firewall into the ByPass Switch will be sent to the sensor on the 1st port. The sensor analyzes the packets and forwards back on the 2nd port to the ByPass Switch. The ByPass Switch then forwards on to the main Switch.

Similarly for traffic from the main switch.

The ByPass Switch passes the packets to the 2nd port of the sensor. The packet is analyzed and passed back through the 1st port. Then the ByPass Switch passes the packet on to the firewall.

However, if the sensor stops passing traffic (sensor loses link, sensor is powered down, or sensor just stops processing for some reason), then the ByPass Switch will detect that traffic to/from the sensor has stopped.

The ByPass Switch will then link the Firewall and Switch directly to each other and as you say it acts as a pass-through cable.

The same also happens if power to the ByPass Switch itself is lost.

So the IPS-4215, IPS-4235, IPS-4250, IPS-4240, and IPS-4255 require a ByPass Switch from either NetOptics or ShoreMicro for this functionality.

The IPS-4260 and IPS-4270, however, have this functionality built directly into their 4 GE port Copper TX NICs, so a ByPass Switch is not needed when using those NICs. (A ByPass Switch is still needed for the 2 port GE Fiber NICs.)

We refer to the feature above as Hardware ByPass where the ByPass can happen even with power loss on the sensor.

The sensor also supports a feature we call SOFTWARE ByPass. With Software ByPass the NIC driver itself will pass traffic through even should the analysis engine stop analyzing for some reason.

In most situations the sensor still has power and the Software ByPass takes care of passing traffic through; it is mainly just in power failure or sensor reboot situations that the Hardware ByPass functionality kicks in.

All sensor platforms support Software ByPass functionality.

Also understand that the sensor supports 3 types of InLine monitoring mode.

1) InLine Interface Pair mode where 2 interfaces are paired together for the InLine Monitoring. The Hardware ByPass Switches (or the Hardware ByPass NICs in the IPS-4260 and IPS-4270) can be used in InLine Interface Pair mode.

2) InLine Vlan Pair mode where 2 vlans on a single interface are paired together for the InLine monitoring. Since only a single NIC is used there is no Hardware ByPass support for InLine Vlan Pair mode.

3) Chassis designated InLine mode for Modules. For our AIM-IPS (module for the router) and AIP-SSM (module for the ASA), it is the chassis (router or ASA) configuration that determines whether a packet can be monitored inline or not.

There is no Hardware ByPass support for the modules.

HOWEVER, the router and ASA do support a "fail-open" configuration where, if the sensor module fails, the router/ASA is able to continue passing traffic through. So the "fail-open" configuration can be considered the sensor module's equivalent of the Hardware ByPass feature for appliances.

In all 3 of the above InLine monitoring modes, the IPS software DOES support the Software ByPass feature.
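The two answers above cover the two ways the appliance can be wired: a promiscuous port for IDS-style detection, and an InLine Interface Pair sitting behind a hardware ByPass Switch with Software ByPass handling an analysis-engine failure. The configuration below is an added example (not posted by anyone in this thread and not Cisco's documentation) showing both on one IPS-4240, written from memory of the IPS 6.x CLI; the pair name, descriptions and the choice of GigabitEthernet0/0-0/2 are assumptions, and you should check each command against the CLI guide for your software release before using it.

```cisco
! Added example: IPS-4240 running IPS 6.x, one promiscuous port plus one inline pair.
! Management0/0 remains the command-and-control port and is not a sensing interface.
sensor# configure terminal

! --- Promiscuous (IDS-style) port fed from a SPAN session or tap: detect and alert only ---
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/2
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# description SPAN from core switch (promiscuous, detection only)
sensor(config-int-phy)# exit

! --- InLine Interface Pair: Gi0/0 and Gi0/1 are cabled to the two monitor ports of the
! --- ByPass Switch that sits between the firewall and the core switch.
sensor(config-int)# physical-interfaces GigabitEthernet0/0
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
sensor(config-int)# physical-interfaces GigabitEthernet0/1
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
sensor(config-int)# inline-interfaces FW-SW-PAIR
sensor(config-int-inl)# interface1 GigabitEthernet0/0
sensor(config-int-inl)# interface2 GigabitEthernet0/1
sensor(config-int-inl)# description Firewall to core switch through the ByPass Switch
sensor(config-int-inl)# exit

! --- Software ByPass.  auto  = NIC driver passes traffic uninspected if the analysis
! ---                         engine stops (the behaviour described in the answer above)
! ---                   off   = fail-closed: traffic stops when the engine stops
! ---                   on    = always pass without inspection; troubleshooting only
sensor(config-int)# bypass-mode auto
sensor(config-int)# exit
Apply Changes?[yes]: yes

! --- Assign both to the virtual sensor so the signature engines actually see the traffic ---
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface GigabitEthernet0/2
sensor(config-ana-vir)# logical-interface FW-SW-PAIR
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes?[yes]: yes
sensor(config)# exit

! --- Verify: sensing interfaces up, pair present, and the configured bypass mode ---
sensor# show interfaces
sensor# show configuration
```

Two practical points follow from the thread. First, the inline pair is a bump in the wire: the sensor neither routes nor switches between the two ports, so the firewall and core switch see the same L2 adjacency they would over a straight cable, and the 4240 has no IP address on the pair. Second, both Hardware ByPass and `bypass-mode auto` are deliberate fail-open choices: while either is engaged, traffic crosses the link with no inspection at all, so treat a sensor in bypass as an incident to alert on rather than a quiet success, and pick `bypass-mode off` only where a dropped link is preferable to uninspected traffic.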
