v6 and Multiple Virtual Sensors

mhellman · ‎05-18-2007

In a few places, we have a sensor both behind and in front of a firewall and both of them are underutilized. With v6, it would seem that monitoring both links using separate physical monitoring interfaces and virtual sensors would be possible. I'm concerned about problems this might cause. For example, I already know that today CSMARS doesn't include the interface from the original raw message, so I won't be able to differentiate based on that. Will CSMARS toss the "duplicate" event anyway? Any other reasons this configuration isn't advisable? Anyone doing this in production today?

hoogen_82 · ‎05-18-2007

Well the normalizer engine gets affected by putting your IPS in front and behind your firewall. With different Virtual sensor you would be able to take out this issue. I had some issues with this. So what i did was to have my IPS inline pair behind the PIX firewall and have promiscous port connect outside. Something like you have your Router connect to your hub and your pix outside connect to the hub too. Then you have a promiscous port connected to this hub. This way you would know the attacks happening outside of your Firewall. This is what i use, but my design is a bit more than this and i have a specific reason to use the hub here.

-Hoogen

scothrel · ‎05-18-2007

I can't comment on what CSMARS is going to do with Alarms, but the sensor should be fine. The virtualization provided by the virtualsensor instances will keep the data, including normalizer data, separated. The alarm data should contain both the vs # and the interface data.