03-02-2006 02:28 AM - edited 03-03-2019 02:05 AM
Hi all, please see the PDF document I've attached. I'll start by explaining a scenario I'm facing currently.
i. Segments A, B, C and D have their servers directly connected to the 6509 modules. The port is configured as a switchport.
ii. There are members connecting to the distribution router via LL who need to access the 4 mentioned segments.
iii. Now came a new requirement of securing the 4 segments, whereby a third-party vendor has proposed introducing an IPS for the core switch. The IPS will be configured in bridged mode and supports trunking as well.
iv. In order to make it work, the vendor told me traffic destined to the 4 segments needs to pass through his IPS and out, and only then go to the destination.
Is that a normal practice of how people implement an IPS? In the first place I'm thinking of adding a new switch and connecting all 4 segments to the new switch, then creating a trunk from the switch to the 6509. The IPS can sit between the switch and the 6509, then problem solved, but maybe it is not as easy as I've imagined.
Guys, any ideas?
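An added sketch, in Cisco IOS syntax, of the switch-plus-trunk idea from the post above (this is not the poster's or any vendor's configuration; interface names, VLANs 10/20/30/40 and the 192.0.2.0/30 link address are assumed). The point it shows is that once the segment access ports move off the 6509, every frame between the SVIs and the segments has to cross the one trunk the bridged IPS sits on, so no routing trick is needed to steer traffic through it.

```cisco
! ---- 6509 (core) ----
! The four segment VLANs are still routed here (SVIs unchanged); only the
! access ports move. The IPS is transparent, so nothing on the switch
! refers to it; it just has to pass 802.1Q-tagged frames for these VLANs.
interface GigabitEthernet1/1
 description Trunk to new access switch (bridged IPS inline on this link)
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40
 switchport nonegotiate
!
! The routed link to the distribution router is untouched: traffic from
! the LL members still reaches the 6509 here, gets routed to the segment
! VLAN, and then crosses the trunk (and the IPS) on its way out.
interface GigabitEthernet1/2
 description Routed link to distribution router
 no switchport
 ip address 192.0.2.1 255.255.255.252
!
! ---- new access switch ----
! Matching trunk on the uplink; limit it to the same four VLANs so the
! IPS only ever sees segment traffic.
interface GigabitEthernet0/1
 description Trunk to 6509 (bridged IPS inline on this link)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40
!
interface GigabitEthernet0/2
 description Segment A server
 switchport mode access
 switchport access vlan 10
```

Two things to check before relying on this: the IPS has to forward tagged frames for all four VLANs (the vendor says it supports trunking), and it becomes a single point of failure for every segment, so its fail-open or bypass behaviour matters as much as its detection.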
03-02-2006 03:25 AM
Hi,
First of all I will ask whether you have a firewall in this scenario to filter the traffic coming out from the routers. If you don't have a firewall here, it will put a hell of a lot of CPU overhead on your IPS to do the prevention.
Generally you will connect the IPS on the same VLAN your routers are connected to and sniff the ports on which the routers are connected. If you have a firewall (which is the case most of the time), people connect a switch to the 6509, put the firewall and routers on the switch, put the IPS on the 6509 and sniff the firewall's inside port connected on the 6509. This will filter the unnecessary traffic at the firewall and will sniff only the interesting traffic allowed by the firewall.
HTH, if it does please rate the post.
-amit singh
03-02-2006 03:56 AM
Nope, we don't have a firewall for this scenario. I don't know whether the IPS can handle the CPU overhead, but that's the other vendor's issue anyhow.
What I'm concerned about is that segments A, B, C and D all fall in different VLANs. When the packet enters the 6509, it already knows where the exit point is (the switchport that connects to those segments' servers); how can we direct the traffic to go through the IPS before going to the right exit point?
Forget about the switch; the customer wants to maintain the connection between the distribution router and the 6509 (the port connecting the 6509 to the distribution router is configured as a routed port, not a switchport). And their budget only allows for the IPS, no other equipment. Since the port connecting to the distribution router is not a switchport, where should they put the IPS?
03-06-2006 04:55 PM
Can anyone lend a helping hand here?
03-06-2006 07:37 PM
Since you need to direct the packets out to another device, you might have to point a default route out to that device and then perform another default route back into your network from the IPS.
Might work for now, but I'm sure there is a more elegant solution to this.