Advice needed for IPS/IDS deployment

Unanswered Question
Apr 19th, 2010

Hi all,

We have a 6500 core switch and an ASA facing the internet. The 6500 core switch has all traffic from inside or outside flowing through it. I plan to deploy IPS/IDS devices in our network. It seems I can put an IPS module for the ASA at the internet edge. Or I can put an IPS module in the 6500 switch. The other solution is to put in a 4200 series IPS/IDS. But I prefer the integrated module solution.

I think putting the IPS module at the ASA only checks the traffic from the internet or out to the internet. For the internal traffic, like one remote office accessing the other one, this kind of traffic can't be monitored by the IPS at the ASA. So I'm thinking putting the IPS module in the 6500 may make more sense, since all traffic must go through it.

Am I correct? Any advice is appreciated.

Lou

Jennifer Halim Mon, 04/19/2010 - 14:49

Yes, you can have the IDSM2 module in your CAT 6K. However, please check how much traffic will be traversing the IDSM2 module, since you mention internal traffic as well as traffic towards the internet. Please ensure that the performance of the internal traffic is not impacted. It also depends on whether you will be configuring the IPS in promiscuous or inline mode.

Here is the datasheet for IDSM2:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_data_sheet09186a00801e55dd.html

You might even want to bundle a few IDSM2:

http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps5058/product_data_sheet0900aecd804b91d7.html

Hope that helps.

hxmengmetro Mon, 04/19/2010 - 14:52

Thank you! So I would say internal traffic is up to 5 Gbps. I notice that the IDSM module only supports 2 Gbps. That might be a problem. Even two IDSMs are not enough. So the FWSM can't do the IPS/IDS function, right?

Jennifer Halim Mon, 04/19/2010 - 14:57

No, unfortunately the FWSM does not perform the IPS functionality.

You might want to look at the IPS appliances, and divide the traffic that is being sent to the IPS to cater for your internal traffic.

Here is the datasheet for IPS appliance for your reference:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/ps9157/product_data_sheet09186a008014873c_ps4077_Products_Data_Sheet.html

hxmengmetro Mon, 04/19/2010 - 15:01

Thanks. So can I specify which interfaces in the 6504 go to which 4200 appliance? If so, I can easily split up the traffic to prevent maxing out the capacity of the IPS/IDS appliances. Thanks.
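As an added illustration of the splitting asked about in the last post (not from any poster in this thread), this Catalyst 6500 IOS fragment mirrors two different VLAN groups to two switch ports, each cabled to the sniffing interface of a separate 4200 sensor running in promiscuous (IDS) mode. VLAN numbers, port names and the assumption that the traffic you want to split is separable by VLAN are all constructed for the example.

```cisco
! Sensor A watches the VLANs of the first remote-office group.
! rx only: with "both", a packet routed between two mirrored VLANs
! would be copied twice (once on ingress, once on egress).
monitor session 1 source vlan 10 - 19 rx
monitor session 1 destination interface GigabitEthernet 3/1

! Sensor B watches the second group on its own destination port.
monitor session 2 source vlan 20 - 29 rx
monitor session 2 destination interface GigabitEthernet 3/2

! The sensor-facing ports carry mirrored frames only; no IP or
! spanning-tree participation is needed on them.
interface GigabitEthernet 3/1
 description SPAN feed to IPS-A sensing interface
 switchport
 switchport mode access
!
interface GigabitEthernet 3/2
 description SPAN feed to IPS-B sensing interface
 switchport
 switchport mode access
```

Each destination port is a single 1 Gbps link, so keep the summed rate of the VLANs mirrored to it below that, and below the sensor's rated throughput; an oversubscribed SPAN port drops copies silently and the sensor simply never sees that traffic. Local SPAN sessions on the supervisor are limited in number (two on the Sup720 family, by my recollection; check your supervisor's SPAN session limit), so a finer split would use VACL capture or inline VLAN pairs on the sensors instead.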
