Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
782
Views
0
Helpful
4
Replies

IPS 4240 Design Question

Go to solution
jbalchunas
Level 1
Level 1

‎11-11-2008 11:44 AM - edited ‎03-10-2019 04:22 AM

I have two IPS 4240s that may be placed between our internal network and our extranet firewall. The firewall set is your standard ASA-5520 active/failover pair connected to two switches.

Q1 - If I am not worried about atomic attacks, is there any other benefit to having the IPS inline over promiscuous?

Q2 - Whether inline or promiscuous, is it necessary to connect the single IPS to both switches in order to receive packets when an ASA failover occurs? If so, is it done physically or via RSPAN?

Q3 - If the IPS fails and it is configured inline, do the interfaces fail open (traffic continues to pass) or closed (traffic is dropped)? I could not find that on Cisco's site.

Thanks!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
rhermes
Level 7
Level 7
In response to jbalchunas

‎11-12-2008 08:36 AM

In promiscuous mode you can use one 4240 and span the output of each switch into two sensing interfaces of the 4240 (it has four available). A single 4240 should even be able to put together TCP sessions that span both rails, like in the instance of a failover.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
rhermes
Level 7
Level 7

‎11-11-2008 12:58 PM

A1 - There are a few things that in-line mode can clean up by deafult, but that can also bite you. Check out some of the other forum posts on having ssh dropped without alerts. Since you have reduntant 4240s the realibility of the IPS sensors in-line shouldn't affect you as much. Just don't update them at the same time.

A2 - Only the signatures that need state will be effected by a failover. Hopefully failovers do not happen frequently enough for missing a few potential hits to be an issue. If you are really performing good analysis and tuning out your false positives, then you might want to connect both sensors to both switches.

A3 - You can configure the 4240s to fail-open (pass the traffic thru the sensor when it fails) or fail-closed (do not pass traffic during sensor failure). Since you have dual firewalls, switches and sensors, you can fail closed and force the traffic thru the running sensor and firewall. If one sensor is standby, you may want to make him fail open, so that you can still pass traffic in the event both sensors are down.

0 Helpful

Go to solution
jbalchunas
Level 1
Level 1
In response to rhermes

‎11-12-2008 05:14 AM

Thanks, that is mostly what I needed to know. With regards to redundant IPS setup (more on Q2)- is it necessary to use both or can I use one IPS 4240 and connect an interface to each of my switches in order to catch packets on both (IDS/promiscuous mode)?

0 Helpful

Go to solution
rhermes
Level 7
Level 7
In response to jbalchunas

‎11-12-2008 08:36 AM

In promiscuous mode you can use one 4240 and span the output of each switch into two sensing interfaces of the 4240 (it has four available). A single 4240 should even be able to put together TCP sessions that span both rails, like in the instance of a failover.

0 Helpful

Go to solution
jbalchunas
Level 1
Level 1

‎11-12-2008 12:39 PM

Perfect. That is what I needed to know.

Thank you.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card