topic Re: ASA IPS Transparent Design Solution Needed in Network Security

ASA IPS Transparent Design Solution Needed

avilt — Sun, 10 Mar 2019 13:06:17 GMT

I have a query on IPS deployment. I have a customer with the following setup.

One Internel Cisco L3 switch connects to ---> Two 5520 ASA firwalls in HA mode active/standby connects to another privae network.

Now I am asked to put a ASA 5525-X series IPS between the L3 switch & ---> Two ASA firwalls.

What are the implementation options available with out touching any config on L3 switch or two 5520 ASA firwalls

Can I set this up in a transparent mode?

ASA IPS Transparent Design Solution Needed

rhermes — Mon, 02 Dec 2013 15:17:48 GMT

The first design issue is that you are being asked to place an IPS sensor OUTSIDE the firewall?

Is anyone actually going to be looking into the events being generated (event analysis), if so placing your sensor outside the firewall is a terrible idea becuse you will be generating IPS events on traffic that very well may be blocked by the firewall behind it. This will waste the resources and bandwidth of the person(s) doing event analysis.

The second issue is Realibility. You have an HA pair of 5520s, that tells me someone thinks connectivity is important to invest in redundant firewalls. You are going to definitely lower the realibility of this design by placing a single device that will be updated frequently and even rebooted (software updates). An IPS sensor does not have the realibility of a switch.

The good news is that the IPS sensors are all Layer 2 devices and do not require any changes to your existing Layer 3 design.

- Bob

Re: ASA IPS Transparent Design Solution Needed

avilt — Mon, 02 Dec 2013 18:15:31 GMT

Thank you Bob, when you say IPS outside the firewall do you mean IPS not integrated with ASA? Correct me if I am wrong.

So the best option will be to replace the asa firewals and implement 5520 asa pair with asa ips on the asa-x series firewall? What are the other options?

Also on the design issue, if I implement asa ips with promiscous mode/fail open (more of a IDS) and the firewall in transparent mode, is it going to affect the existing asa ha pair?

ASA IPS Transparent Design Solution Needed

rhermes — Mon, 02 Dec 2013 21:26:00 GMT

You orginaly stated that you wanted to place an ASA5525-X between the external L3 switch and a HA pair of existing ASA5520 firewalls. That would place the ASA5525-X on the exterior of your HA firewalls.

The "best option" depends on cost and product support.

Replacing your ASA5520 firewalls with 5525-X firewalls seems like an expensive way to get IPS functionality

You could find some AIP-SSM modules. End of sale was March 2013, so you'll have to buy some used. Put them into your existing 5520s. You can still get almost 5 years of licensing and support form Cisco on them: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/eol_C51-727284.html

Even an ASA with an IPS feature (either in software or hardware) in promiscuous mode will still interrupt traffic if you are passing traffic thru it upon some failures. They way around that would be to use a Tap or doing a spanning port on your L3 switch.

Alternately you could place an inline IPS in the stream of traffic with an external FailOpen switch to divert traffic around an IPS sensor that is down.

- Bob

ASA IPS Transparent Design Solution Needed

avilt — Tue, 03 Dec 2013 14:16:01 GMT

Bob, sorry correction, I would like to place asa IPS behind internal L3 switch.

First the ASA pair and then internal L3 switch. I need to place the ASA-5525-X-IPS in between them.

Customer does not allow me to touch the existing setup. So what are the available options for me?

ASA IPS Transparent Design Solution Needed

rhermes — Tue, 03 Dec 2013 16:42:02 GMT

Avit -

If you read my responses carefully, you'll find all the answers to your question of available options.

- Bob

Re: ASA IPS Transparent Design Solution Needed

avilt — Tue, 03 Dec 2013 17:02:43 GMT

If you dont mind could please exlain the following setup. Attached is my setup diagram.

1) They way around that would be to use a Tap or doing a spanning port on your L3 switch.

How can I integrate this with ASA IPS?

2) Alternately you could place an inline IPS in the stream of traffic with an external FailOpen switch to divert traffic around an IPS sensor that is down.

What is external fail open?

ASA IPS Transparent Design Solution Needed

rhermes — Wed, 04 Dec 2013 18:07:10 GMT

You ask a lot of questions without providing any detailed information.

ASSUMING your L3 switch is a Cisco product, you can configure "Port Spanning" to grab a copy of your traffic and send it to that ASA running as a IDS.

I'll let you look up the configuration guide for your specific switch.

Cisco does not sell fail open switches. You can either make one yourself from a L2 switch (search the forum for clues) or buy one from a variety of vendors (another search will be required)