IPS SENSORS ALLOCATIONS

Answered Question

Hello

Please Expert, examine the attached diagram and tell me if you agree with my interface allocation of the dedicated IPS 4215. It looks like one is the C&C on the inside, in order to launch the IDM management, and the other 2 sensor interfaces look like one sensing on the outside and one sensing on the DMZ along with the inline mode to fully protect the I-BANKING and the SMS server, so please advise me on the optimum and robust design that is suitable for my attached topology.

Waiting for your kind response

Thanks



Correct Answer by Amadou TOURE about 7 years 4 months ago

Hello,


To have the best protection you should be in inline mode, and the design would depend on whether you have VLANs on your DMZ or not.

Do you have VLANs in your DMZ segment?


regards

Amadou TOURE Wed, 11/25/2009 - 12:38
Amadou TOURE Mon, 11/30/2009 - 13:08
Hello,

After a quick verification on the Cisco website, it seems that the 4215 is end-of-life and end-of-sale, so it would be better to upgrade the hardware before putting into production a device which will face a lack of support.

In regard to the design, you have two options in my view:

1. INLINE MODE with inline VLAN pair or VLAN group, in the case where your servers are in different VLANs in the DMZ

2. PROMISCUOUS MODE with shun, depending on the type of router or switch that you have

I added promiscuous mode in regard to your statement about availability.

In regard to your environment, the options for availability are:

1. hardware and/or software bypass; I'm not so sure if the hardware bypass card is supported by the 4215 device

2. install a second IPS or use a cable between the switches where the IPS is connected. In this case you'll need spanning-tree configuration on the ports

I'm not convinced about the efficiency of the sensing link outside the network, maybe for anomaly detection purposes?

Regards
