Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
777
Views
0
Helpful
5
Replies

4260 Sensor connected to Active/ Active firewalls

thaer.issa
Level 1
Level 1

‎03-30-2010 12:17 PM - edited ‎03-11-2019 10:27 AM

I have the following scenario:

We have two edge firewalls with Active/ Active setup connected directly to two core switches. New two IPS sensor s4260 are required to be connected inline between the firewalls and core switches. What is the best practice design for such a scenario? Does the below diagram work fine in this case or another design is applicable.

design.jpg

Labels:
0 Helpful
5 Replies 5

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎03-30-2010 03:46 PM

Hi,

The ASAs are virtualized and running security contexts (since you mentioned A/A Failover).
The IPS sensors should connect inline.

The IPS are transparent to the network (L2) and don't require readdressing.
It seems to me, that it depends on the amount of security contexts that you have on the pair of ASAs and
the connection between those ASAs and the Core Switches (to make sure all traffic flowing between the ASAs
and the Switches go through the IPS Sensors).

What I've done is to put the IPS sensors in IDS mode for some days and then place them inline (to make sure
they can deal with the amount of traffic).

Let me know if you have any questions.

Federico.

0 Helpful

thaer.issa
Level 1
Level 1
In response to Federico Coto Fajardo

‎03-30-2010 03:53 PM

Thanks Federico

Actually the firewalls are Netscreen? Is there any difference?

What about the physical connections? Is the above diagram and design valid so I can evaluate the traffic using VLANs separation and make each IPS handle only the traffic coming to one core switch??

0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to thaer.issa

‎03-30-2010 04:16 PM

Hi Thaer,

I don't see any problem with that.

Just make sure the traffic that passes through the sensor is symmetric.

As I mentioned, if possible try to set up the IDS in promiscuous mode first before setting the sensor in IPS mode.

Federico.

0 Helpful

thaer.issa
Level 1
Level 1
In response to Federico Coto Fajardo

‎03-30-2010 04:18 PM

What do you mean by symmetric? How can I insure this?

Thanks for your help.

0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to thaer.issa

‎03-30-2010 04:26 PM

What I mean by symmetric is that the same sessions that enter the IPS, they come back through the same IPS.

For example, traffic from VLAN X will flow through IPS-1 and when the response comes back, traffic should be inspected again by IPS-1.

If VLAN Y outbound traffic flows through IPS-2, then VLAN Y inbound traffic should flow through IPS-2 as well.

You manipulate this behavior by means of routing on the network devices (not the IPS Sensors).

Federico.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card