placement of IPS on the network


I have a pair of PIX (in failover config) and those are connected to a VLAN on a Cat6509. There are other VLANs where all 'inside' hosts are configured.

I want to configure an IPS 4240 for 'inline' just between the PIX 'inside' interface and the inside networks (VLANs).

How do I place the IPS? How will the physical connections and settings on the Cat6509 be?

Re: placement of IPS on the network

I want to know: if the IPS is connected inline, do the two interfaces know the IPs of the devices connected to them, or do some static routes need to be defined? For example, if for the inside network the default gateway is the PIX IP address but the IPS is connected in between, does traffic flow through it and reach the PIX, and vice versa?

This may be a silly question, but I want to make sure before putting it this way into a production network.

Re: placement of IPS on the network

You can think of the Inline IPS as something similar to a 2 port switch.

It switches packets between its 2 interfaces and does not participate in IP Routing.

Let's say your Pix is connected to a 48 port switch on which your internal network machines are connected.

If you wanted to, you could quickly take a simple 2 port switch. Unplug the Pix from the 48 port switch and plug the 2 port switch into the 48 port switch in the same port. Then plug the Pix into the other port of the 2 port switch.

You don't have to do any additional configuration on the 48 port switch or on the Pix (some configuration maybe on the 2 port switch to put the 2 ports in the same vlan).

The 48 port switch and the Pix will quickly and easily figure out how to talk with each other using Spanning tree and Arp packets.

An InLine IPS works similarly. Put the InLine IPS in place of the 2 port switch, and the 48 port switch and the Pix figure out how to talk to each other using Spanning tree and Arp packets.

The only configuration needed is on the InLine IPS to pair the 2 interfaces (similar to putting 2 interfaces of a switch on to the same vlan).

No IP routing changes will be necessary.

NOTE: The above all assumes you are using the traditional InLine IPS on an Appliance where one interface is paired with a second interface on the sensor to form an InLine interface pair.

If you run the IDSM-2 or you are running the new IPS version 5.1 feature for vlan pairing on a single sensor interface, then there are configuration changes that would have to happen on the 48 port switch. These would be vlan changes because InLine IPS participates at a switching layer dealing with vlans rather than at the IP Routing layer. Typically no changes would need to be made to any IP Routing configurations. An exception is in situations where the switch itself is participating at the routing layer; in these cases the switch's IP Address may have to be moved to new vlans.

Re: placement of IPS on the network

Thank you very much for this answer.