IPS SENSORS ALLOCATIONS

alsayed
Level 1

Hello

Please, Experts, examine the attached diagram and tell me if you agree with my interface allocation for the dedicated IPS 4215. It looks like one interface is the C&C on the Inside, in order to launch the IDM management, and the other 2 sensor interfaces look like one sensing on the Outside and one sensing on the DMZ along with the inline mode, to fully protect the I-BANKING and the SMS server. So please advise me on the optimum and robust design that is suitable for my attached topology.

Waiting for your kind response

Thanks

1 Accepted Solution

Amadou TOURE
Level 1

Hello,

To have the best protection you should be in inline mode, and the design would depend on whether you have VLANs on your DMZ or not.

Do you have a VLAN in your DMZ segment?

regards


3 Replies


Hello

Yes, I have a VLAN for the DMZ.

Hello,

After a quick verification on the Cisco website, it seems that the 4215 is end-of-life and end-of-sale, so it would be better to upgrade the hardware before putting into production a device which will face a lack of support.

In regard to the design, you have two options in my view:

1. INLINE MODE with inline VLAN pair or VLAN group, in the case where your servers are in different VLANs in the DMZ

2. PROMISCUOUS MODE with shun, depending on the type of router or switch that you have

I added promiscuous mode in regard to your statement about availability.

In regard to your environment, the options for availability are:

1. hardware and/or software bypass; I'm not so sure if the hardware bypass card is supported by the 4215 device

2. install a second IPS or use a cable between the switches where the IPS is connected. In this case you'll need spanning-tree configuration on the ports

I'm not convinced about the efficiency of the sensing link outside the network; maybe for anomaly detection purposes?

Regards
