03-30-2010 12:17 PM - edited 03-11-2019 10:27 AM
I have the following scenario:
We have two edge firewalls in an Active/Active setup connected directly to two core switches. Two new IPS 4260 sensors are required to be connected inline between the firewalls and the core switches. What is the best-practice design for such a scenario? Does the diagram below work in this case, or is another design applicable?
03-30-2010 03:46 PM
Hi,
The ASAs are virtualized and running security contexts (since you mentioned A/A Failover).
The IPS sensors should connect inline.
The IPS are transparent to the network (L2) and don't require readdressing.
It seems to me that it depends on the number of security contexts that you have on the pair of ASAs and on the connections between those ASAs and the core switches (to make sure all traffic flowing between the ASAs and the switches goes through the IPS sensors).
What I've done is to put the IPS sensors in IDS mode for some days and then place them inline (to make sure they can deal with the amount of traffic).
Let me know if you have any questions.
Federico.
03-30-2010 03:53 PM
Thanks Federico
Actually, the firewalls are Netscreen. Is there any difference?
What about the physical connections? Are the above diagram and design valid, so that I can separate the traffic using VLANs and make each IPS handle only the traffic coming to one core switch?
03-30-2010 04:16 PM
Hi Thaer,
I don't see any problem with that.
Just make sure the traffic that passes through the sensor is symmetric.
As I mentioned, if possible try to set up the IDS in promiscuous mode first before setting the sensor in IPS mode.
Federico.
03-30-2010 04:18 PM
What do you mean by symmetric? How can I ensure this?
Thanks for your help.
03-30-2010 04:26 PM
What I mean by symmetric is that the sessions that enter through one IPS come back through the same IPS.
For example, traffic from VLAN X will flow through IPS-1 and when the response comes back, traffic should be inspected again by IPS-1.
If VLAN Y outbound traffic flows through IPS-2, then VLAN Y inbound traffic should flow through IPS-2 as well.
You manipulate this behavior by means of routing on the network devices (not the IPS Sensors).
Federico.
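An added example (not from this thread, and not Cisco's or the sensor's own code) of how a network engineer could verify the symmetry described above before moving the sensors inline: it replays flow records exported while both sensors run in IDS/promiscuous mode and flags sessions whose reply came back through the other sensor, or whose reply was never seen by either. The sensor names, addresses and record layout are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records, as the two sensors might export them while
# running in promiscuous mode: (sensor, src_ip, src_port, dst_ip, dst_port, proto)
SAMPLE_FLOWS = [
    ("IPS-1", "10.10.1.25", 51000, "203.0.113.7", 443, "tcp"),   # VLAN X outbound
    ("IPS-1", "203.0.113.7", 443, "10.10.1.25", 51000, "tcp"),   # reply via IPS-1: symmetric
    ("IPS-2", "10.10.2.40", 52000, "198.51.100.9", 80, "tcp"),   # VLAN Y outbound
    ("IPS-1", "198.51.100.9", 80, "10.10.2.40", 52000, "tcp"),   # reply via IPS-1: asymmetric
    ("IPS-2", "10.10.2.41", 53000, "198.51.100.9", 53, "udp"),   # reply seen on neither sensor
]


def session_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-independent key so a request and its reply map to one session."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (proto,) + (a + b if a <= b else b + a)


def check_symmetry(flows):
    """Group flows per session and report two kinds of problem.

    asymmetric: both directions were seen, but on different sensors, so the
                sensor that saw the request cannot track the full session.
    one_way:    only one direction was seen at all, so the return path bypasses
                both sensors (or the mirror/tap only covers one side).
    """
    seen = defaultdict(lambda: {"sensors": set(), "directions": set()})
    for sensor, sip, sport, dip, dport, proto in flows:
        key = session_key(sip, sport, dip, dport, proto)
        seen[key]["sensors"].add(sensor)
        seen[key]["directions"].add((sip, sport, dip, dport))
    asymmetric = sorted(k for k, v in seen.items() if len(v["sensors"]) > 1)
    one_way = sorted(k for k, v in seen.items() if len(v["directions"]) == 1)
    return {"asymmetric": asymmetric, "one_way": one_way}


if __name__ == "__main__":
    report = check_symmetry(SAMPLE_FLOWS)
    for kind, sessions in report.items():
        print(f"{kind}: {len(sessions)} session(s)")
        for proto, ip_a, port_a, ip_b, port_b in sessions:
            print(f"  {proto} {ip_a}:{port_a} <-> {ip_b}:{port_b}")
```

Any session listed under asymmetric or one_way points at a routing or VLAN assignment on the switches and firewalls that needs adjusting before the sensors go inline, since an inline sensor that sees only half a session will either miss the attack or drop legitimate traffic.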