HA IPS Design

Unanswered Question
Jun 3rd, 2009

Hi,


I'm designing a security system that involves:

2 x inside firewalls (ASA5520)
2 x switches connected together (for failover)
2 x IPS (4240IPS)
2 x switches connected together (for failover)
2 x outside firewalls (Juniper SSG)

I'm looking at active/standby or active/active for the firewalls but am not sure if the IPS supports the same with stateful failover. My concern is with asymmetric routing if both IPSs are active and independent. Can I guarantee that a session will use the same IPS for inbound/outbound flows and not get separated across two IPSs?


Any guidance is appreciated.


Thanks, Wayne

sadbulali Tue, 06/09/2009 - 13:27

IPSec Stateful Failover (VPN High Availability) is a feature that enables a router to continue processing and forwarding packets after a planned or unplanned outage. You can employ a backup (standby) router that automatically takes over the primary (active) router's tasks in the event of an active router failure. The process is transparent to users and to remote IPSec peers. The time that it takes for the standby router to take over depends on HSRP timers.


IPSec Stateful Failover (VPN High Availability) is designed to work in conjunction with Reverse Route Injection (RRI) and Hot Standby Router Protocol (HSRP) with IPSec. When used together, RRI and HSRP provide a more reliable network design for VPNs and reduce configuration complexity on remote peers.


RRI and HSRP are supported together with the restriction that the HSRP configuration on the outside interface uses equal priorities on both routers. As an option, when not using RRI, you can use an HSRP configuration on the LAN side of the network (equal HSRP priority restriction still applies).


rhermes Tue, 06/09/2009 - 14:30

Asymmetric routing across both firewalls will cause you even larger problems than it will on your IPSs. Solve this problem for your firewalls and you've solved it for your IPS sensors.

Connect your IPS to the inside firewall interface; it's a layer 2 transparent device and traffic will follow what you have your firewalls configured to allow.
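Added illustration, not code from the thread: a toy stateful inline sensor in Python showing why the asymmetric case Wayne describes leaves both sensors without session context, while a symmetric path (what the firewall configuration rhermes points to provides) lets one sensor see the whole handshake. The sensor names, flow records and three-state handshake tracker are constructed for this example.

```python
from collections import defaultdict

def flow_key(pkt):
    """Direction-independent key so both halves of a session match."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return tuple(sorted([a, b]))

class Sensor:
    """Minimal inline sensor: tracks TCP handshake state per session."""
    def __init__(self, name):
        self.name = name
        self.state = defaultdict(lambda: "NEW")

    def inspect(self, pkt):
        k = flow_key(pkt)
        cur = self.state[k]
        flags = pkt["flags"]
        if cur == "NEW" and flags == "SYN":
            self.state[k] = "SYN_SEEN"
        elif cur == "SYN_SEEN" and flags == "SYN-ACK":
            self.state[k] = "ESTABLISHED"
        elif cur == "NEW":
            # Mid-stream packet with no handshake seen: the sensor has no context
            self.state[k] = "UNTRACKED"
        return self.state[k]

def run(packets, path):
    """path maps a direction ('in'/'out') to the sensor that carries it."""
    sensors = {"A": Sensor("A"), "B": Sensor("B")}
    for pkt in packets:
        sensors[path[pkt["dir"]]].inspect(pkt)
    return {n: dict(s.state) for n, s in sensors.items()}

# Constructed sample session: client 10.0.0.5 -> server 203.0.113.10
HANDSHAKE = [
    {"dir": "out", "src": "10.0.0.5", "sport": 40000, "dst": "203.0.113.10", "dport": 443, "flags": "SYN"},
    {"dir": "in", "src": "203.0.113.10", "sport": 443, "dst": "10.0.0.5", "dport": 40000, "flags": "SYN-ACK"},
    {"dir": "out", "src": "10.0.0.5", "sport": 40000, "dst": "203.0.113.10", "dport": 443, "flags": "ACK"},
]

def symmetric():
    # Both directions pinned to sensor A: A reaches ESTABLISHED, B sees nothing
    return run(HANDSHAKE, {"out": "A", "in": "A"})

def asymmetric():
    # Outbound via A, return via B: A is stuck at SYN_SEEN, B only sees mid-stream traffic
    return run(HANDSHAKE, {"out": "A", "in": "B"})
```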
