Sensing interfaces on IPS!

Unanswered Question

I have an IPS 4215 with the 6.0 image and 4 sensing interfaces along with the C&C. I'm a little bit confused about the sensing interfaces across the network; what I am thinking is as follows:

IPS will function in inline mode

1) Two sensing interfaces bridged together on the inside

2) Two sensing interfaces bridged together on the outside, coz I have a web server on the DMZ that needs to be accessed from outside

but the inline rule says: traffic from one interface to another interface needs to be checked, so how is that with traffic leaving my network to the internet? It needs to be checked either way, which is useless in this case coz I just need inspection of traffic coming from outside toward my web server and inspection on the inside interfaces?

any help here in order to determine the ideal deployment for the sensors

Thanks a lot

Jennifer Halim Mon, 05/10/2010 - 02:35
User Badges:
  • Cisco Employee,

You can configure VLAN Pair for each of the network segments that you would like to get the IPS inspected.


1st sensing interface, configure it as a dot1q trunk port:

- E.g.: if your inside interface is in vlan 50, you can map it (bridge it) through the IPS to another vlan (e.g. vlan 150).

- So on the IPS --> vlan 50 pairs with vlan 150

- All inside hosts are assigned to vlan 50, and their default gateway is assigned to vlan 150, hence the traffic will pass through the IPS in bridge/transparent mode.

Then you can configure the same for DMZ and outside subnet.

Hope that helps.

Jennifer Halim Tue, 05/11/2010 - 03:11

Please find the vlan pairing and trunk for the IPS sensing interface diagram. The example diagram is for inside subnet, and you can replicate the same for DMZ and Outside.

Hope that helps.

Jennifer Halim Sun, 05/23/2010 - 18:01

Interface pair means you have to use a pair of the IPS interfaces, i.e. one connects to the ASA and the other connects to the router, basically to ensure that traffic that needs to be inspected is passing through the IPS.

You are not limited to using an interface pair; you can also use a VLAN pair in your ASA to Internet router scenario. Basically the ASA vlan and the router vlan need to be different, with the ASA and router in the same subnet, to force traffic through the IPS.


ASA outside IP is -- vlan 10

Router interface IP is -- vlan 110

IPS - pairing vlan 10 to vlan 110

Jennifer Halim Sun, 05/23/2010 - 17:18

1) Correct, but again, it depends on how you physically and logically connect the IPS in your network.

2) For the vlan pair scenario, you would need to have 2 vlans bridging the traffic, just like a transparent firewall for example, so the traffic is forced to go through the IPS. If you only have 1 VLAN, traffic will go directly to its default gateway, hence will not pass through the IPS appliance.

Hope that answers your questions.

Jennifer Halim Tue, 05/25/2010 - 06:14

Can't really find a sample config on IPS, however, here is a sample config on the concept of transparent firewall, which is exactly what IPS is:

Interface pair (on ASA firewall):

VLAN pair (FWSM):

For the VLAN pair example, just check the diagram: basically 1 subnet, and vlan pairing basically to force the traffic to go through the firewall/IPS. Since all hosts are on 1 layer 3 subnet, a host will ARP for the IP address, and if the default gateway is on the other side of the IPS/firewall, the traffic is forced to traverse the appliance to get to its default gateway, hence forcing the traffic to be inspected by the IPS. Otherwise, there is no other way to force traffic to pass through the IPS, as the IPS is a layer 2 device (the sensing interface is L2), not a routed device.
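A worked configuration for the inside VLAN pair described earlier in the thread (vlan 50 paired with vlan 150, hosts in vlan 50, gateway in vlan 150), added here as an example and not taken from the thread or any attached diagram. The IPS sensing port name FastEthernet1/0, the switch port numbers and the 192.168.50.0/24 addressing are assumptions; the important point is that the subnet's only gateway lives in vlan 150, so every host-to-gateway frame must cross the sensor.

```cisco
! --- Switch side (Cisco IOS; port numbers and addresses are assumed) ---
! Hosts sit in VLAN 50; the only router interface (SVI) for the subnet is in VLAN 150.
! There is deliberately NO "interface Vlan50": with a gateway in VLAN 50 the hosts
! would reach it directly and the IPS would never see the traffic.
vlan 50
 name inside-hosts
vlan 150
 name inside-gateway
!
interface FastEthernet0/1
 description inside host (access port in the host VLAN)
 switchport mode access
 switchport access vlan 50
!
interface Vlan150
 description default gateway for 192.168.50.0/24 (assumed addressing)
 ip address 192.168.50.1 255.255.255.0
!
interface FastEthernet0/24
 description dot1q trunk to IPS 4215 sensing port FastEthernet1/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 50,150
!
! --- IPS side (Cisco IPS 6.0 CLI): one sensing port bridges VLAN 50 <-> VLAN 150 ---
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# physical-interfaces FastEthernet1/0
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# vlan1 50
sensor(config-int-phy-inl-sub)# vlan2 150
sensor(config-int-phy-inl-sub)# description inside hosts to inside gateway
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# exit
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes?[yes]: yes
! Assign the VLAN pair to a virtual sensor; an unassigned pair bridges nothing
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface FastEthernet1/0 subinterface-number 1
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes?[yes]: yes
```

The same pattern is repeated per segment (DMZ, outside) on the remaining sensing ports, each with its own VLAN pair and its own gateway placed on the far side of the pair; `show interfaces` on the sensor confirms each pair is up and inline before traffic is cut over.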
