IPs Placement for Dual FW

mvsheik123
Level 7

Hi all,

We have a basic set up: 2 Core SW (6513, port channelled) --> 2 ASA (Active/standby: running OSPF). ASA DMZ --> 2 DMZ switches (2948 & 3560, port channelled).

Same core switches --> second pair of ASAs via a different VLAN than the first pair (runs OSPF as well). No DMZ.

I am planning to add a 4255 IPS to the infrastructure. With the current scenario, if I start with one unit, will I be able to monitor all the traffic (inside FW pairs and DMZ) on active and standby connections? If not possible with one unit 'inline', what about placing the IPS in monitoring mode and, with that, using the SPAN and RSPAN capability of the 6513: will it be possible to 'monitor' all the Inside (in total 4) and DMZ (in total 2) segments?

TIA

MS

4 Replies

rhermes
Level 7

Placing one IPS sensor in-line with a dual firewall is just asking for trouble. You will have created a single point of failure.

Your 4255 has several monitoring interfaces. I would span one from each switch and use your 4255 in promiscuous mode.

Alternately, if your dual firewalls are in Active/Standby, you could put the 4255 in-line in the Active path and promiscuously monitor the Standby path.

Always plan on your sensor going down, Cisco will not disappoint you.

- Bob
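An added illustration of the "span one from each switch" approach above (this is not configuration from the thread; the VLAN numbers, interface names and the choice of the 3560 as the RSPAN source are assumed). Local SPAN on one core 6513 feeds the four inside VLANs to one 4255 monitoring interface; RSPAN carries a DMZ VLAN from the DMZ switch to a second monitoring interface. The same local session would be repeated on the second core switch towards a third monitoring interface so both port-channel members are seen.

```text
! Core switch A (6513). Assumed numbering:
!   VLAN 10/11 = inside VLANs of the first ASA pair
!   VLAN 20/21 = inside VLANs of the second ASA pair
!   Gi1/1      = link to 4255 monitoring interface 1 (promiscuous)
! Local SPAN, receive direction only: on VLAN sources "both" would
! copy packets routed between the spanned VLANs twice.
monitor session 1 source vlan 10 , 11 , 20 , 21 rx
monitor session 1 destination interface GigabitEthernet1/1

! DMZ switch (assumed 3560). VLAN 30 = DMZ segment; VLAN 900 = RSPAN VLAN.
! VLAN 900 must be allowed on the port-channel trunk towards the core.
vlan 900
 remote-span
!
monitor session 1 source vlan 30 both
monitor session 1 destination remote vlan 900

! Core switch A again: terminate the RSPAN VLAN on monitoring interface 2.
vlan 900
 remote-span
!
monitor session 2 source remote vlan 900
monitor session 2 destination interface GigabitEthernet1/2
```

Because every copy is sent to a sensor port in promiscuous mode, a sensor reboot or crash only interrupts visibility, never the forwarding path, which is the single-point-of-failure concern raised above.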

Hi Bob,

Thanks for your suggestion. In fact I am thinking along the same lines, but here is my Q...

1. Let's say the IPS is in line with the Active FW, successfully blocking the unwanted traffic reaching out to user PCs, and the same port promiscuously monitors the Standby path (please correct me if it is not the same port). If FW failover occurs we may lose the 'blocking'.

2. Dumb Q..;-).. if I have 4 monitoring i/f, can I use 2 for one FW and the other 2 for another firewall inline?

3. Does Cisco support auto bypass (in case of any hardware failure, the system bypasses itself, so that traffic flows with no interruption)?

4. Lastly, in normal production networks, at the perimeter, does a user go with 1 or 2 IPSs? I know it's all budget pong, but I am looking for common deployment scenarios.

TIA

MS

1. Yes, in this set-up you will not be able to block in-line on the standby path. The amount of time your traffic spends on the standby path should be minimal. You do not want to compromise your standby path with a common device to both paths that can fail.

2. Yes you CAN place a single IPS sensor in-line behind your primary and standby firewalls, but it is a really bad idea to do so.

3. The 4255 Cisco bypass is a software driven bypass. This will not function if the sensor reboots, requires a reboot due to a sig pack (it happens) or software updates. If the software crashes hard enough the software bypass will also not work.

4. It is an expense issue. You either buy two in-line IPS sensors, or you make do with promiscuous mode IDS on one or both of the links. The golden rule of High Availability is to never have a single point of failure.

- Bob

Great. Thank you Bob.

Will you please guide me on the main things/areas I should be looking at to evaluate the IPS?

TIA

MS
