I want opinions and suggestions if below scenario works for inline placement of IPS 4240. Or need to do differently.
[vlan A on cat6509 IP 10.0.0.1 (all outgoing traffic is routed to 10.0.0.2-pix) ] + one port of inline pair port of IPS ==> VLAN B - no ip address - other port of inline pair port of IPS + 2 ports of 'inside' interfaces of pix(in failover mode)with IP as 10.0.0.2 ==> vlan C - outside interfaces of pix + border router port.
Will traffic to PIX from inside network reach it or it will be blocked by IPS ?
thanks for your time
Cisco IOS Stateful Packet Inspection provides protection from DoS attack as a default when an inspection rule is applied. The DoS protection is enabled on the interface, in the direction in which the firewall is applied, for the protocols that the firewall policy is configured to inspect. DoS protection is only enabled on network traffic if the traffic enters or leaves an interface with inspection applied in the same direction of the traffic's initial movement. Cisco IOS Firewall inspection provides several adjustable values to protect against DoS attacks. These settings have default values that may interfere with proper network operation if they are not configured for the appropriate level of network activity in networks where connection rates will exceed the defaults:
ip inspect max-incomplete high value (default 500)
ip inspect max-incomplete low value (default 400)
ip inspect one-minute high value (default 500)
ip inspect one-minute low value (default 400)
ip inspect tcp max-incomplete host value (default 50) [block-time minutes (default 0)]
These parameters allow you to configure the points at which your firewall router's DoS protection begins to take effect. When your router's DoS counters exceed the default or configured values, the router will reset one old half-open connection for every new connection that exceeds the configured max-incomplete or one-minute high values, until the number of half-open sessions drops below the max-incomplete low values. The router will send a syslog message if logging is enabled, and if Intrusion Protection System (IPS) is configured on the router, the firewall router will send a DoS signature message via SDEE. If the DoS parameters are not adjusted to your network's normal behavior, normal network activity may trigger the DoS protection mechanism, causing application failures, poor network performance, and high CPU utilization on the Cisco IOS Firewall router.
thanks MAry Chin,
My question is more on the network placement of IPS unit. I have cat6509 switch with various vlans and msfc for routing. PIX are connecting directly to cat6509 vlan and send/receives traffic to/from upstrem. NOw the trick is to how to place IPS unit so that traffic from inside passes first through IPS and then to PIX without changing any IP addresses.
Assuming there is a single Pix and a single wire connecting your Pix to your switch, then the answer is simple.
Obtain a Cisco IPS sensor with 2 or more ports.
Create an InLine Interface Pair of the 2 sensor ports.
Unplug the Pix from your switch, and plug it into one of the 2 sensor ports (you may have to use a crossover cable to get link).
Now plug the other sensor port of the pair into the switch where you just unplugged your Pix.
The InLine Interface Pair does not do IP routing, it merely passes traffic straight through between the 2 ports (unless specifically denied because it matched an attack). In some ways you can treat it like a 2 port bridge.
So nothing needs to change with your existing IP Addressing. Only the physical wires and the sensor config would be changed.
Now if you have 2 connections between your Pix and your switch, then things can get a little more difficult.
If your sensor has 4 ports, then you use the first 2 interfaces just as descibed above on one of the Pix to switch connections.
Then just create a 2nd InLine Interface Pair and place that pair inbetween the Pix and switch on the 2nd connection.
Understand that the interfaces are specifically Paired and traffic is only passed between the pairs. So if 0/0 is paired with 0/1, then traffic on 0/0 and 0/1 will only be passed through 0/1 and 0/0. The traffic on 0/0 and 0/1 will never be sent over 0/2 or 0/3.
HOWEVER, from the analysis standpoint the sensor does treat all 4 interfaces as if they were all the same network. This has led to problems.
Assume one of the switch connections is for your Internal network, and the other for your DMZ network.
Communication between the 2 networks is not NAT/PAT translated. So when a pc on the Internal network connects to a server in the DMZ the sensor sees the same packet twice (onee on the Internal side and again on the DMZ side). Seeing duplicate packets can sometimes confuse the sensor. If the Pix modifies the TCP headers of the packets (as is the case when using the tcp sequence randomization feature on the Pix which is on by default), then the sensor sees the original packet on one side and the Pix changed packet on the other. The sensor (thinking it is all one network) detects this as a hacker modifying packets and the sensor will intentionally deny/drop those packets.
This deployment scenario limitation may be alleviated in future sensor versions, but until then I would restrict the sensor to monitoring just one of the networks/connections coming off your fireall.
Another common scenario is to be using 2 Pix firewalls in Passive/Active Failover mode.
The IPS sensor can be deployed in this scenario as well, but the deployment can become even more complicated and you need to clearly understand the limitations.
Option 1: Deploy 2 sensors. One sensor would be matched with the 1st Pix, and the second sensor would be matched with the 2nd Pix. And each sensor would be deployed with it's matched Pix jsut as I described in my previous post.
The big caveat though is that the Pix failover will do stateFULL failover, but this will result in a stateLESS failover of the sensors. The current sensor versions do not yet support stateFULL failover. What this means is that any connections going through Pix A and IPS A at the time of the failure of Pix A (or IPS A), those connections will be moved immediately over to Pix B and IPS B. Pix B will try to allow the connection to continue uninterupted (because it supports stateFULL failover), but IPS B does not know about the connection and will deny/drop the connection. IPS B thinks it is an attempt by a hacker to get by the sensor and it will kill the connection.
So in this failover all TCP connections active at the time of the failover will be dropped, and have to be restarted by the clients.
To get around the limitation above you could try using a single sensor.
As I told you in the previous post you can create 2 InLine Interface Pairs on your sensor (assuming 4 sensor ports). Use pair1 with Pix A, and use pair2 with Pix B. This is fine in this scenario because it is the same network and the sensor will see each packet only once. The packet will either come through Pix A OR it will come to Pix B.
The big caveat here though is that now you have a single point of failure in the sensor (which is what you wanted to avoid by using 2 Pix firewalls in the first place).
Use option 2, but also add one or 2 Hardware ByPass Switches.
A HW ByPass switch is an additional piece of hardware that works well with InLine sensors.
You plug the Pix into one of the HW ByPass switch ports, and plug the switch into the 2nd. The plug the 2 ports of the InLine Interface Pair of the sensor into the 2 remaining ports of the sensor.
So long as the sensor is functioning properly the traffic will flow from the Pix to the HW ByPass switch, to the sensor for analysis, back to the HW ByPass switch, and then to the switch. And vice versa for traffic from the switch.
BUT if the sensor has a problem, then the ByPass capability of the HW ByPass Switch kicks in. It will ByPass the sensor and send directly from the Pix to the Switch and directly from the Switch to the Pix and "ByPass" the problem sensor.
What you can do is create 2 InLine Interface Pairs on the sensor. And put a HW ByPass Switch on each Pair. So you would need only 1 sensor, but 2 HW ByPass Switches. The 2 HW ByPass switches take care of ensuring continued traffic in case of sensor failure.
If cost is an issue, then use just one HW ByPass switch, and only use it on the 1st InLine Interface Pair connected to Pix A (the normally Active switch).
And of course you could try 2 sensors both with HW ByPass switches.
Only place the InLine sensor between Pix A (the usually active fireall) and the switch, and leave Pix B directly connected to the switch.
So under normal situations your traffic will flow through Pix A and the sensor.
But if either Pix A or the sensor fails, then Pix B becomes active and traffic flows without any IPS analysis.
Many users are often happy with this setup so long as Pix B is only for short term failures of Pix A or the IPS sensor.
Is it a good practice to place an IPS on the inside of the firewall or outside?
Here is my understanding, please suggest if it is OK:
1. When it comes to attacks from the outside (ex: internet), an IPS can prevent attacks better than a firewall. So, it is good to place it on the outside of the firewall.
2. In a topology with inside, DMZ and outside, to protect the DMZ from inside as well as the outside, IPS has to be placed such that all traffic going to the DMZ traverses the IPS.
3. If I have to protect my DMZ from inside & outside and protect my inside from outside..then should I go for multiple IPS appliances?
Appreciate your response.
ok... so based on fact that all 4 ports on IPS acts as if they are on the same network, i think we can make connections as per below using single pair, for inline placement with 2 pix (for only inside network).
- on cat 6509 make one more vlan without defining ip address (without msfc config).
- disconnect both pix inside interface from the pix vlan and connect it to the new vlan defined in first step.
- connect one interface of the inline pair of IPS to pix vlan and other to the new vlan defined in step 1.
With this connection, traffic towards pix should first pass thr' the IPS to the new vlan and then PIX should take over.
Please send your comments if this can work. I want to make sure before i try on Production setup.