FWSM and IPS 4255 Design question

Unanswered Question
Sep 11th, 2008

We purchased a FWSM and external IPS 4255 to replace our existing external PIX525 and another vendor's IPS. We currently have a 1 gig uplink to our main campus and the Internet. The PIX sits out front with the IPS behind it, then our core 6513 campus router.

I have been reading about placement of the MSFC. We have a number of VLANs on our 6513 switch. They all talk to each other presently. I would like to add a DMZ to move certain services outside our internal network.

Trying to decide a few things.

Should we be using the inside or outside MSFC model? We have one uplink to our main campus and the Internet.

The IPS placement. Our current IPS sits behind our external PIX. It only sees incoming traffic that the firewall isn't blocking. Is there a means to route into the FWSM, then out to the IPS, and then back to our inside network? Or should we just place the IPS outside our network and inspect all traffic in and out?


Overall Rating: 4 (1 ratings)
Fernando_Meza Thu, 09/11/2008 - 15:46

Hi ..

"Should we be using the inside or outside MSFC model? We have one uplink to our main campus and the Internet." I recommend using the MSFC inside model, where traffic from the Internet and Campus hits the FWSM first. This will be your perimeter layer of defense. You can create separate DMZs (VLANs) for restricted traffic that needs to be accessed from the Internet and then route all other traffic (VLANs) towards the MSFC. The MSFC can be used for inter-VLAN routing between inside VLANs where security between them is not a concern.

The IPS placement. It depends on whether you want to use 'promiscuous' mode or 'in-line' mode. For promiscuous mode, traffic will be duplicated to the IPS device and so the traffic pattern will not be affected. Of course, this is a reactive approach. In in-line mode you will have to use the IPS device to bridge the VLANs you want to monitor. If possible, I recommend the in-line approach as it is a proactive instead of a reactive approach.

To place an IPS in front of the FWSM might be useful only if you really care about all possible events that might cause a signature to fire. This approach will cause many events to fire on your IPS device. Also many of those attempts might be blocked by the FWSM anyway and so your IPS's resources might be wasted. I personally always prefer to have the IPS behind the firewall providing deep packet inspection for traffic ALREADY allowed. This provides another layer of defense for any critical devices that the IPS is protecting.

I hope it helps .. please rate helpful posts
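
The layout recommended in the reply above (MSFC inside the FWSM, the DMZ on its own FWSM VLAN, the IPS in-line behind the firewall as a VLAN pair), sketched as an added example that is not part of the original thread. The slot number, VLAN IDs, port names and addresses are constructed placeholders, and the syntax assumes FWSM 3.x and IPS 6.x, so check it against the releases actually deployed.

```cisco
! === Catalyst 6513 supervisor (IOS) ===
! Constructed values: FWSM in slot 4; VLAN 10 outside, 20 FWSM inside,
! 21 MSFC side of the IPS, 30 DMZ.
vlan 10,20,21,30
firewall vlan-group 1 10,20,30
firewall module 4 vlan-group 1
! Uplink to campus/Internet stays Layer 2 in the outside VLAN.
interface GigabitEthernet1/1
 switchport
 switchport mode access
 switchport access vlan 10
! Trunk to the IPS 4255 sensing port, carrying only the pair it bridges.
interface GigabitEthernet1/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 20,21
 switchport mode trunk
! MSFC inside: its only firewall-facing SVI is on VLAN 21.
! An SVI on VLAN 10, 20 or 30 would let the MSFC route around the FWSM or IPS.
interface Vlan21
 ip address 10.0.20.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.20.1

! === FWSM ===
interface Vlan10
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
interface Vlan20
 nameif inside
 security-level 100
 ip address 10.0.20.1 255.255.255.0
interface Vlan30
 nameif dmz
 security-level 50
 ip address 10.0.30.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 198.51.100.1
! Internal campus VLANs (constructed 10.1.0.0/16) sit behind the MSFC.
route inside 10.1.0.0 255.255.0.0 10.0.20.2

! === IPS 4255: bridge VLAN 20 <-> 21 in-line ===
service interface
 physical-interfaces GigabitEthernet0/0
  admin-state enabled
  subinterface-type inline-vlan-pair
   subinterface 1
    vlan1 20
    vlan2 21
service analysis-engine
 virtual-sensor vs0
  physical-interface GigabitEthernet0/0 subinterface-number 1
```

Because the FWSM inside interface and the MSFC SVI share one subnet across the VLAN pair, only traffic the FWSM has already permitted reaches the sensor, and a sensor failure in this arrangement stops inside traffic unless bypass is planned for.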

