Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
968
Views
10
Helpful
5
Replies

Advice needed for IPS/IDS deployment

hxmengmetro
Level 1
Level 1

‎04-19-2010 02:42 PM - edited ‎03-10-2019 04:57 AM

Hi all,

We have a 6500 core switch and a ASA facing the internet. The 6500 core switch has any traffic from inside or outside flowing through it. I plan to deploy IPS/IDS devices in our network. It seems I can put IPS module for ASA at internet edge. Or I can put a IPS module in 6500 switch. The other solution is to put a 4200 series IPS/IDS. But I prefer the intergrated module solution.

I think putting IPS module at ASA only checks the traffic from the internet or out to the internet. For the internal traffic, like one remote office accesses the other one, this kind of traffic can't be monitored by IPS at ASA. So I'm thinking to put IPS module at 6500 may make more sense since every traffic must go through there.

Am I correct? Any advice is appreciated.

Lou

Labels:
0 Helpful
5 Replies 5

Jennifer Halim
Cisco Employee
Cisco Employee

‎04-19-2010 02:49 PM

Yes, you can have the IDSM2 module in your CAT 6K. However, please check how much traffic will be traversing the IDSM2 module since you mention internal as well as traffic towards the internet. Please ensure that the performance of the internal traffic is not impacted. Also depends on whether you will be configuring the IPS in promiscuous or inline mode.

Here is the datasheet for IDSM2:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_data_sheet09186a00801e55dd.html

You might even want to bundle a few IDSM2:

http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps5058/product_data_sheet0900aecd804b91d7.html

Hope that helps.

hxmengmetro
Level 1
Level 1
In response to Jennifer Halim

‎04-19-2010 02:52 PM

Thank you! So I would say internal traffic is up to 5 Gbps. I notice that ISDM module only support 2Gbps. That might be a problem. Even two ISDM is not enough. So FWSM can't do the IPS/IDS function, right?

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to hxmengmetro

‎04-19-2010 02:57 PM

No, unfortunately FWSM does not perform the IPS functionalities.

You might want to look at the IPS appliances, and devide traffic that is being sent to the IPS to cater for your internal traffic.

Here is the datasheet for IPS appliance for your reference:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/ps9157/product_data_sheet09186a008014873c_ps4077_Products_Data_Sheet.html

0 Helpful

hxmengmetro
Level 1
Level 1
In response to Jennifer Halim

‎04-19-2010 03:01 PM

Thanks. So can I specify which interfaces in 6504 go to which 4200 appliance? If so, I can easily split up the traffic to prevent maxing out the capacity of IPS/IDS appliance. Thanks.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card