07-20-2010 08:24 AM - edited 03-10-2019 05:03 AM
Hi all,
We have a basic setup: 2 Core SW (6513 - port channelled) --> 2 ASA (Active/Standby: running OSPF). ASAs DMZ --> 2 DMZ switches (2948 & 3560 port channelled).
Same core switches --> second pair of ASAs via a different VLAN than the first pair (runs OSPF as well). No DMZ.
I am planning to add a 4255 IPS to the infrastructure. With the current scenario, if I start with one unit, will I be able to monitor all the traffic (inside FW pairs and DMZ) on active and standby connections? If not possible with one unit 'inline', what about placing the IPS in monitoring mode and, with that, using the SPAN and RSPAN capability of the 6513 - will it be possible to 'monitor' all the inside (in total 4) and DMZ (in total 2) segments?
TIA
MS
07-20-2010 09:48 AM
Placing one IPS sensor in-line with a dual firewall is just asking for trouble. You will have created a single point of failure.
Your 4255 has several monitoring interfaces. I would span one from each switch and use your 4255 in promiscuous mode.
Alternately, if your dual firewalls are in Active/Standby, you could put the 4255 in-line in the Active path and promiscuously monitor the Standby path.
Always plan on your sensor going down; Cisco will not disappoint you.
- Bob
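As an added illustration of the "span one from each switch" suggestion above (this is example configuration, not from the original post or from Cisco documentation for this exact thread), the following IOS fragments show a local SPAN session on the 6513 feeding the inside VLANs of both firewall pairs to one 4255 monitoring port, and an RSPAN session that carries the DMZ 3560's firewall-facing port back to the 6513 for a second monitoring port. All VLAN numbers, interface names and session numbers are placeholders assumed for the example; the actual values depend on the environment. The 6513 is assumed to be running IOS rather than CatOS.

```cisco
! --- On the 6513 core switch (local SPAN, inside segments) ---
! Placeholder VLANs 10 and 20 stand for the inside VLANs of the first and
! second ASA pairs; both directions are copied to the 4255 sensing port.
monitor session 1 source vlan 10 , 20 both
monitor session 1 destination interface GigabitEthernet1/1

! --- On the DMZ 3560 (RSPAN source) ---
! Placeholder VLAN 900 is dedicated to carrying the mirrored DMZ traffic
! across the trunk to the core; it must be marked remote-span on every
! switch in the path.
vlan 900
 remote-span
!
monitor session 2 source interface GigabitEthernet0/1 both
monitor session 2 destination remote vlan 900

! --- On the 6513 (RSPAN destination, DMZ segment) ---
! The RSPAN VLAN is pulled off the trunk and delivered to a second
! 4255 sensing port, so inside and DMZ are monitored on separate interfaces.
vlan 900
 remote-span
!
monitor session 3 source remote vlan 900
monitor session 3 destination interface GigabitEthernet1/2
```

Two checks worth doing before relying on this: confirm how many concurrent local and RSPAN sessions the supervisor in the 6513 supports, since a small number of sessions has to cover all six segments mentioned in the question, and size the SPAN destination ports against the combined throughput of the mirrored VLANs, because an oversubscribed destination silently drops copies and the sensor then misses traffic without any alert.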
07-20-2010 11:15 AM
Hi Bob,
Thanks for your suggestion. In fact I am thinking along the same lines, but here is my Q...
1. Let's say the IPS is in line with the Active FW, successfully blocking the unwanted traffic reaching out to user PCs, and the same port promiscuously monitors the
Standby path (please correct me if it is not the same port). If FW failover occurs we may lose the 'blocking'.
2. Dumb Q..;-).. if I have 4 monitoring i/f, can I use 2 for one FW and the remaining 2 for another firewall inline?
3. Does Cisco support auto bypass (in case of any hardware failure, the system bypasses itself, so that traffic flows with no interruption)?
4. Lastly, in normal production networks, at the perimeter, do users go with 1 or 2 IPSs? I know it's all budget pong, but I am looking for common deployment scenarios.
TIA
MS
07-20-2010 11:53 AM
1. Yes, in this set-up you will not be able to block in-line on the standby path. The amount of time your traffic spends on the standby path should be minimal. You do not want to compromise your standby path with a common device to both paths that can fail.
2. Yes you CAN place a single IPS sensor in-line behind your primary and standby firewalls, but it is a really bad idea to do so.
3. The 4255 Cisco bypass is a software driven bypass. This will not function if the sensor reboots, requires a reboot due to a sig pack (it happens) or software updates. If the software crashes hard enough the software bypass will also not work.
4. It is an expense issue. You either buy two in-line IPS sensors, or you make do with promiscuous mode IDS on one or both of the links. The golden rule of High Availability is to never have a single point of failure.
- Bob
07-20-2010 12:59 PM
Great. Thank you Bob.
Will you please guide me on what are the main things/areas I should be looking at, to evaluate the IPS?
TIA
MS