Our IPS sensors are Layer 2 devices. A base 4270 appliance will have a total of four sensing interfaces. You could use two and put the appliance inline as a Layer 2 bump-in-the-wire between the distribution switch and the edge firewall. As all Internet bound traffic will traverse the appliance in this design, care needs to be taken to ensure that you don't oversubscribe the hardware (2GB transactional/4GB media rich). If you only wanted the sensor to inspect specific distribution VLANs, you could look at using inline VLAN pairs which will effectively make the appliance an IPS-on-a-stick. The IPS in this case will handle the bridging between the configured VLANs. Additional care needs to be taken in active/active paths to ensure that traffic flows symmetrically through a single appliance. In cases where this is not possible, you will need to look at the asymmetric mode option.
I have a 4270-20 positioned at the edge of my network. It sits between the outside of the firewall and our Internet router. The only problem with this model is that it makes tracking down threats very difficult, as the only thing you will ever see are the NAT'd public IPs for all your traffic.
To get around this limitation, we created an additional interface in promiscuous mode and we SPAN the traffic on the link between our core switch and the internal interface of our firewall to it. This gives us complete outside protection and inside visibility. This is still not an ideal setup and we are in the process of re-architecting our internal traffic so that we can run two in-line pairs on the IPS: one internal, and one external.
The best way to go is having the IPS in the firewall itself, but throughput on firewalls is often a concern, and unfortunately for Cisco, quite a limitation.