IPS 4270 placement @ Internet Edge

Unanswered Question
May 1st, 2012

Given that I have the same topology as shown in Internet Edge Cisco IPS Design Best Practices and am basically inserting a 4270 appliance in INLINE mode.

Core and Distribution Switch = Layer-3 routed links

Distribution Switch and ASA = Layer-2 access port

I'm wondering how the IPS sensors should be configured. I think I understand the methods below, but since my Core/Distribution links are Layer-3, I'm not sure which method is going to work, since most require two VLANs ...

1. Interface Pairing

2. VLAN Pairing

3. VLAN Group

Does anyone have the same experience?

Thanks in advance ...

Gerard

Todd Pula Wed, 05/02/2012 - 14:59

Our IPS sensors are Layer 2 devices. A base 4270 appliance will have a total of four sensing interfaces. You could use two and put the appliance inline as a Layer 2 bump-in-the-wire between the distribution switch and the edge firewall. As all Internet bound traffic will traverse the appliance in this design, care needs to be taken to ensure that you don't oversubscribe the hardware (2GB transactional/4GB media rich). If you only wanted the sensor to inspect specific distribution VLANs, you could look at using inline VLAN pairs which will effectively make the appliance an IPS-on-a-stick. The IPS in this case will handle the bridging between the configured VLANs. Additional care needs to be taken in active/active paths to ensure that traffic flows symmetrically through a single appliance. In cases where this is not possible, you will need to look at the asymmetric mode option.

enkrypter Mon, 05/07/2012 - 11:50

I have a 4270-20 positioned at the edge of my network.  It sits between the outside of the firewall and our Internet router.  The only problem with this model is that it makes tracking down threats very difficult, as the only thing you will ever see are the NAT'd public IPs for all your traffic.

To get around this limitation, we created an additional interface in promiscuous mode and we SPAN the traffic on the link between our core switch and the internal interface of our firewall to it.  This gives us complete outside protection and inside visibility.  This is still not an ideal setup and we are in the process of re-architecting our internal traffic so that we can run two in-line pairs on the IPS.  One internal, and one external.

The best way to go is having the IPS in the firewall itself, but throughput on firewalls is often a concern, and unfortunately for Cisco, quite a limitation.

Posted May 1, 2012 at 1:02 PM