1402 Views · 0 Helpful · 7 Replies

ASA IPS Transparent Design Solution Needed

avilt
Level 3

I have a query on IPS deployment. I have a customer with the following setup.

One internal Cisco L3 switch connects to ---> two 5520 ASA firewalls in HA mode (active/standby), which connect to another private network.

Now I am asked to put an ASA 5525-X series IPS between the L3 switch & ---> the two ASA firewalls.

What are the implementation options available without touching any config on the L3 switch or the two 5520 ASA firewalls?

Can I set this up in a transparent mode?

7 Replies

rhermes
Level 7

The first design issue is that you are being asked to place an IPS sensor OUTSIDE the firewall?

Is anyone actually going to be looking into the events being generated (event analysis)? If so, placing your sensor outside the firewall is a terrible idea because you will be generating IPS events on traffic that very well may be blocked by the firewall behind it. This will waste the resources and bandwidth of the person(s) doing event analysis.

The second issue is reliability. You have an HA pair of 5520s; that tells me someone thinks connectivity is important enough to invest in redundant firewalls. You are definitely going to lower the reliability of this design by placing a single device that will be updated frequently and even rebooted (software updates). An IPS sensor does not have the reliability of a switch.

The good news is that the IPS sensors are all Layer 2 devices and do not require any changes to your existing Layer 3 design.

- Bob

Thank you Bob, when you say IPS outside the firewall do you mean IPS not integrated with ASA? Correct me if I am wrong.

So the best option will be to replace the ASA firewalls and implement a 5520 ASA pair with ASA IPS on the ASA-X series firewall? What are the other options?

Also on the design issue, if I implement ASA IPS with promiscuous mode/fail open (more of an IDS) and the firewall in transparent mode, is it going to affect the existing ASA HA pair?

You originally stated that you wanted to place an ASA5525-X between the external L3 switch and an HA pair of existing ASA5520 firewalls. That would place the ASA5525-X on the exterior of your HA firewalls.

The "best option" depends on cost and product support.

Replacing your ASA5520 firewalls with 5525-X firewalls seems like an expensive way to get IPS functionality.

You could find some AIP-SSM modules. End of sale was March 2013, so you'll have to buy some used. Put them into your existing 5520s. You can still get almost 5 years of licensing and support from Cisco on them: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/eol_C51-727284.html

Even an ASA with an IPS feature (either in software or hardware) in promiscuous mode will still interrupt traffic if you are passing traffic through it upon some failures. The way around that would be to use a tap or a spanning port on your L3 switch.

Alternately you could place an inline IPS in the stream of traffic with an external FailOpen switch to divert traffic around an IPS sensor that is down.

- Bob

Bob, sorry, correction: I would like to place the ASA IPS behind the internal L3 switch.

First the ASA pair and then the internal L3 switch. I need to place the ASA-5525-X-IPS in between them.

Customer does not allow me to touch the existing setup. So what are the available options for me?

Avit -

If you read my responses carefully, you'll find all the answers to your question of available options.

- Bob

If you don't mind, could you please explain the following setup? Attached is my setup diagram.

1) The way around that would be to use a tap or a spanning port on your L3 switch.

How can I integrate this with ASA IPS?

2) Alternately you could place an inline IPS in the stream of traffic with an external FailOpen switch to divert traffic around an IPS sensor that is down.

What is external fail open?

You ask a lot of questions without providing any detailed information.

ASSUMING your L3 switch is a Cisco product, you can configure "Port Spanning" to grab a copy of your traffic and send it to that ASA running as an IDS.

I'll let you look up the configuration guide for your specific switch.

Cisco does not sell fail-open switches. You can either make one yourself from a L2 switch (search the forum for clues) or buy one from a variety of vendors (another search will be required).
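The two configuration pieces this thread keeps circling back to, the SPAN session on the Catalyst L3 switch that Bob describes just above and the promiscuous/fail-open IPS policy on the ASA 5525-X that the original poster asks about earlier, as an added example that is not from any post in the thread. Interface names, the session number and the class-map name are assumptions; the `monitor session` commands are standard Catalyst IOS SPAN syntax and the `ips` service-policy commands are the standard way the ASA 5500-X sends traffic to its IPS software module.

```cisco
! --- Catalyst L3 switch (IOS) ---
! Mirror both directions of the uplink that carries traffic toward the ASA HA pair
! (Gi1/0/1, assumed) to the port where the 5525-X sensing interface is cabled
! (Gi1/0/2, assumed). The switch's own forwarding path is untouched.
monitor session 1 source interface GigabitEthernet1/0/1 both
monitor session 1 destination interface GigabitEthernet1/0/2
! Verify the session and its ports:
!   show monitor session 1

! --- ASA 5525-X: hand traffic to the IPS module in promiscuous, fail-open mode ---
! "promiscuous": the module receives a copy and cannot drop packets (IDS behaviour).
! "fail-open": if the module is down, rebooting or updating, traffic keeps flowing
! through the ASA instead of being blocked.
class-map ips_class
 match any
policy-map global_policy
 class ips_class
  ips promiscuous fail-open
service-policy global_policy global
! Inline equivalent, if the sensor is later placed in the forwarding path:
!   ips inline fail-open
! Check module state and that the policy is applied:
!   show module ips details
!   show service-policy
```

Note what fail-open does and does not buy you: it covers the IPS module inside the 5525-X going away, but not the 5525-X chassis itself being powered off or rebooted, which is exactly the reliability point Bob raises; an external fail-open switch or a passive tap is what removes the sensor from the availability path entirely.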
