We have a basic setup: 2 Core SW (6513 - port channelled) --> 2 ASA (Active/standby: running OSPF). ASAs DMZ --> 2 DMZ switches (2948 & 3560 port channelled).
Same core switches --> second pair ASA via a different VLAN than the first pair (runs OSPF as well). No DMZ.
I am planning to add a 4255 IPS to the infrastructure. With the current scenario, if I start with one unit, will I be able to monitor all the traffic (inside fw pairs and DMZ) on active and standby connections? If not possible with one unit 'inline', what about placing the IPS in monitoring mode and, with that, using the SPAN and RSPAN capability of the 6513: will it be possible to 'monitor' all the Inside (in total 4) and DMZ (in total 2) segments?
1. Yes, in this set-up you will not be able to block in-line on the standby path. The amount of time your traffic spends on the standby path should be minimal. You do not want to compromise your standby path with a common device to both paths that can fail.
2. Yes you CAN place a single IPS sensor in-line behind your primary and standby firewalls, but it is a really bad idea to do so.
3. The 4255 Cisco bypass is a software-driven bypass. This will not function if the sensor reboots, requires a reboot due to a sig pack (it happens) or software updates. If the software crashes hard enough, the software bypass will also not work.
4. It is an expense issue. You either buy two in-line IPS sensors, or you make do with promiscuous-mode IDS on one or both of the links. The golden rule of High Availability is to never have a single point of failure.
Placing one IPS sensor in-line with a dual firewall is just asking for trouble. You will have created a single point of failure.
Your 4255 has several monitoring interfaces. I would span one from each switch and use your 4255 in promiscuous mode.
Alternately, if your dual firewalls are in Active/Standby, you could put the 4255 in-line in the Active path and promiscuously monitor the Standby path.
Always plan on your sensor going down; Cisco will not disappoint you.
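As an added illustration of the promiscuous-mode option above (not configuration from the original poster or the answerer), this Cisco IOS fragment spans the inside-side VLANs locally on one 6513 and carries the DMZ VLAN from the 3560 to the core with RSPAN, feeding two of the 4255's monitoring interfaces. All VLAN numbers, interface names and the RSPAN VLAN (900) are assumed placeholders; the 2948 is left out because its RSPAN support is not established on the page.

```text
! ---- 6513 core switch (repeat on the second core with its own IPS port) ----
! Local SPAN: the four inside-side VLANs (assumed 10, 11, 20, 21) in both
! directions to one 4255 monitoring interface (assumed Gi3/1).
! Caveat: four VLANs x both directions can exceed one 1 Gb/s SPAN
! destination; watch for drops with "show monitor session 1".
monitor session 1 source vlan 10 , 11 , 20 , 21 both
monitor session 1 destination interface GigabitEthernet3/1
!
! RSPAN VLAN must exist as remote-span on every switch it crosses
! and be allowed on the 3560-to-6513 trunk.
vlan 900
 name RSPAN-to-IPS
 remote-span
!
! Terminate the RSPAN VLAN from the DMZ switch on a second 4255
! monitoring interface (assumed Gi3/2).
monitor session 2 source remote vlan 900
monitor session 2 destination interface GigabitEthernet3/2

! ---- 3560 DMZ switch ----
vlan 900
 name RSPAN-to-IPS
 remote-span
!
! Mirror the DMZ VLAN (assumed 50) into the RSPAN VLAN toward the core.
monitor session 1 source vlan 50 both
monitor session 1 destination remote vlan 900
!
! Verify on each switch that sources and destinations are as intended:
! show monitor session all
```

The 4255 side is then configured with both interfaces as promiscuous sensing interfaces; because nothing sits in the forwarding path, a sensor reboot or signature update cannot take down either the active or the standby firewall path.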