Designing IPS Implementation on Medium-Sized LAN

Feb 24th, 2009

I manage a 500-node LAN with several remote branch offices. We currently have two ASA-5520s in active/standby mode. All internet access funnels through the home office. Our ASAs currently have 8 10/100/1000 ethernet ports, so an integrated module is not an option. How best to implement IPS?

marcabal (Cisco Employee) Tue, 03/03/2009 - 14:48

Let's assume a basic setup for your ASA-5520s where you have 1 outside interface, 1 inside interface, and 1 dmz interface per ASA and the 2 ASAs are configured for active/standby.

So you have a total of 3 networks connected to your ASAs.

The next decision is which of the 3 networks you want to monitor, and how you want them monitored.

Let's make the assumption that you want to monitor the connection to the External network and you want to do Inline monitoring (instead of promiscuous).

You will want to place your IPS sensor between your ASA and the external network connection.

Let's assume you have a router as your internet connection, and the router is connected to a switch, and both ASAs' external interfaces are connected to the switch.


Take an IPS-4240 and place it between both ASAs and the switch.

You would create 2 inline interface pairs. You would place one of the inline interface pairs between the active ASA and the switch, and the other inline interface pair between the standby ASA and the switch.

The problem, however, is that if the IPS-4240 goes down, then it is a single point of failure and you lose internet connectivity.

So what is the next option?

If you only want to purchase a single IPS-4240 and are willing to live without monitoring in case of failure of the IPS, then there are 2 methods to try.

You could purchase 2 Hardware ByPass Switches. You would put a HW Bypass Switch between the active ASA and the switch, and the second HW ByPass switch between the standby ASA and the switch.

You then hook up the inline interface pairs of the IPS-4240 to the monitoring ports of the HW ByPass Switches.

So long as the IPS-4240 is functioning, the HW ByPass Switches will force the traffic to flow through the sensor for inline monitoring. If for some reason the IPS-4240 stops passing traffic (loss of power, or a crash), then the HW ByPass Switches automatically ByPass the IPS-4240 and the traffic passes straight from the ASAs to the switch without being analyzed by the sensor. This option works well when funds are limited, or when IPS analysis is a nice to have and not a hard requirement.

Another method is to change from using Inline Interface Pairs to using an InLine Vlan Pair, and using a Wire as a failover unit.

In this scenario the ASAs get directly connected to the switch. But they are put into a NEW vlan separate from the Internet Router.

The IPS-4240 has a single interface connected to the switch.

The switch is configured to trunk both the ASA vlan and the Internet Router vlan to the sensor.

The sensor is configured to PAIR the 2 vlans (an Inline Vlan Pair on the single sensor interface). So now traffic coming from the ASA gets analyzed and passed to the router, and traffic from the router gets analyzed then passed to the ASA.

As the failover mechanism you now connect a physical wire into 2 ports of the switch. One port on the ASA vlan, and the other port on the router vlan.

And configure spanning-tree on the switch to prefer the IPS Sensor port. If the IPS sensor goes down, then spanning-tree will fall back to using the wire to pass the traffic between the vlans (no IPS analysis).

Now if you can afford 2 IPS-4240 sensors then you can instead set up failover between the 2 sensors.

Follow the same setup as above for a single IPS-4240 in InLine Vlan Pair mode, and just repeat it for a second IPS-4240.

Spanning-tree will pick one as the primary and put it in a Forwarding State. The other it will put into a Blocking state. If the first one fails, then the second one will change from a Blocking state to a Forwarding state and start monitoring traffic.

So why an IPS-4240?

It is the closest appliance to the same performance level as an ASA 5520.

marcabal (Cisco Employee) Tue, 03/03/2009 - 14:49

Continuation from previous post:

What if you don't want to monitor the external network, and instead want to monitor the internal and dmz networks?

Because it is now 2 networks that need to be monitored you might consider using 2 IPS-4240s (one for each network), and then use the same options I mentioned above (or even 4 IPS-4240s if you want to fail between sensors on each of the 2 networks).

OR consider using an IPS-4255 which is rated almost twice the speed of an IPS-4240.

If you use a single IPS-4255, then you will be forced to use the InLine Vlan Pair method described above for each of your networks. You will also want to create a second virtual sensor. The Vlan Pair for the internal network would be assigned to the default vs0 virtual sensor, and the Vlan Pair for the DMZ network would be assigned to the newly created virtual sensor.

And just like above you could use wires for failover, or deploy a second IPS-4255 the same as the first IPS-4255 and let spanning-tree handle the failover.

Hope this gives you some of the basic information you were looking for.
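The two posts above describe the Inline Vlan Pair design in words: ASAs in one vlan, Internet router in another, the sensor trunked to both and bridging them, a patch wire between the two vlans as a spanning-tree fallback, and (for the IPS-4255 case) a second vlan pair assigned to a newly created virtual sensor. The following is an added configuration example written for this thread, not marcabal's or Cisco's own config. The switch interface numbers, vlan numbers (10/20 for ASA/router, 30/31 for the DMZ pair), sensor interface names (GigabitEthernet0/0 and 0/1 as sensing ports) and the spanning-tree cost values are all assumptions; `!` lines are annotations, not commands.

```cisco
! ---- Switch side (Cisco IOS, interface numbers assumed) ----
vlan 10
 name ASA-OUTSIDE
vlan 20
 name INTERNET-ROUTER
!
! Active and standby ASA outside interfaces both land in VLAN 10
interface GigabitEthernet0/1
 description ASA-A outside
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet0/2
 description ASA-B outside
 switchport mode access
 switchport access vlan 10
!
! Internet router sits alone in VLAN 20. The only layer-2 paths between
! VLAN 10 and VLAN 20 are the sensor and the failover wire below.
interface GigabitEthernet0/3
 description Internet router
 switchport mode access
 switchport access vlan 20
!
! Single sensing port of the IPS-4240, trunking both VLANs.
! Low path cost so spanning-tree prefers this path while the sensor is up.
interface GigabitEthernet0/5
 description IPS-4240 sensing port (inline VLAN pair 10 <-> 20)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 spanning-tree cost 4
!
! Failover wire: one access port in each VLAN, patched to each other.
! High path cost so these ports stay Blocking until the sensor path is lost.
interface GigabitEthernet0/6
 description bypass wire, VLAN 10 end
 switchport mode access
 switchport access vlan 10
 spanning-tree cost 1000
interface GigabitEthernet0/7
 description bypass wire, VLAN 20 end
 switchport mode access
 switchport access vlan 20
 spanning-tree cost 1000

! ---- Sensor side (Cisco IPS 6.x CLI, sensing interface names assumed) ----
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/0
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# description ASA outside to Internet router
sensor(config-int-phy-inl-sub)# vlan1 10
sensor(config-int-phy-inl-sub)# vlan2 20
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# exit
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes?[yes]: yes
!
! Assign the vlan pair to the default virtual sensor vs0
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface GigabitEthernet0/0 subinterface-number 1
sensor(config-ana-vir)# exit
!
! Second post, single IPS-4255 monitoring internal and DMZ: a second
! inline vlan pair (assumed vlans 30/31, configured the same way on
! GigabitEthernet0/1) goes to a newly created virtual sensor vs1, so each
! network is analyzed by its own virtual sensor.
sensor(config-ana)# virtual-sensor vs1
sensor(config-ana-vir)# description DMZ segment
sensor(config-ana-vir)# physical-interface GigabitEthernet0/1 subinterface-number 1
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes?[yes]: yes
```

To check which path is carrying traffic, `show spanning-tree vlan 10` on the switch should show the sensor trunk port Forwarding and the wire ports Blocking; after unplugging the sensor port the wire ports should move to Forwarding. On the sensor, `show interfaces` confirms the subinterface is up and `show statistics virtual-sensor` shows which virtual sensor is seeing the packets. The cost values are only there to make the sensor path cheaper than the wire; any pair of values with that ordering works.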

maifadmin Fri, 03/13/2009 - 10:01

Hi Marcabal,

Thanks for the info - that's exactly what I'm looking for! One more question: turns out using integrated modules may be an option after all. What then?
