
New Member

IPS 4240 Design Question

I have two IPS 4240s that may be placed between our internal network and our extranet firewall. The firewall set is your standard ASA-5520 active/failover pair connected to two switches.

Q1 - If I am not worried about atomic attacks, is there any other benefit to having the IPS inline over promiscuous?

Q2 - Whether inline or promiscuous, is it necessary to connect the single IPS to both switches in order to receive packets when an ASA failover occurs? If so, is it done physically or via RSPAN?

Q3 - If the IPS fails and it is configured inline, do the interfaces fail open (traffic continues to pass) or closed (traffic is dropped)? I could not find that on Cisco's site.

Thanks!


4 REPLIES
Gold

Re: IPS 4240 Design Question

A1 - There are a few things that in-line mode can clean up by default, but that can also bite you. Check out some of the other forum posts on having ssh dropped without alerts. Since you have redundant 4240s the reliability of the IPS sensors in-line shouldn't affect you as much. Just don't update them at the same time.

A2 - Only the signatures that need state will be affected by a failover. Hopefully failovers do not happen frequently enough for missing a few potential hits to be an issue. If you are really performing good analysis and tuning out your false positives, then you might want to connect both sensors to both switches.

A3 - You can configure the 4240s to fail-open (pass the traffic through the sensor when it fails) or fail-closed (do not pass traffic during sensor failure). Since you have dual firewalls, switches and sensors, you can fail closed and force the traffic through the running sensor and firewall. If one sensor is standby, you may want to make him fail open, so that you can still pass traffic in the event both sensors are down.
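As an added illustration of A3 (not part of the original thread), this is the sensor-CLI setting that selects fail-open versus fail-closed for an inline pair, assuming Cisco IPS 5.x/6.x software on the 4240; `sensor` is a placeholder hostname.

```text
sensor# configure terminal
sensor(config)# service interface
! auto = software bypass: traffic passes uninspected if the analysis engine fails (fail-open)
! off  = no bypass: traffic on the inline pair is dropped if the analysis engine fails (fail-closed)
! on   = traffic always bypasses inspection (use only for troubleshooting)
sensor(config-int)# bypass-mode auto
sensor(config-int)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit
```

Use `bypass-mode off` on the sensor you want to fail closed and `bypass-mode auto` on the standby, as the reply suggests; note that the 4240 has no hardware bypass, so `auto` only covers an analysis-engine failure, not a powered-off or hung appliance.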

New Member

Re: IPS 4240 Design Question

Thanks, that is mostly what I needed to know. With regards to redundant IPS setup (more on Q2), is it necessary to use both or can I use one IPS 4240 and connect an interface to each of my switches in order to catch packets on both (IDS/promiscuous mode)?

Gold

Re: IPS 4240 Design Question

In promiscuous mode you can use one 4240 and span the output of each switch into two sensing interfaces of the 4240 (it has four available). A single 4240 should even be able to put together TCP sessions that span both rails, like in the instance of a failover.

New Member

Re: IPS 4240 Design Question

Perfect. That is what I needed to know.

Thank you.
