IPS design and implementation question

desaijaimin — Sun, 10 Mar 2019 12:29:50 GMT

I am in process of implementing an IPS in our network. IPS will be located behind the ASA firewall. For example Edge router/switch > IPS firewall > ASA firewall > Entry/Exit router . We are going to have a hardware bypass switch for the IPS firewall. I am new to IPS and I am not entirely sure I wanted to clarify few things.

My proposed design is ASA plugs into 1 port of hardware bypass switch. 2nd port on hardware bypass switch connects to edge router/switch. Remaining two ports will connect to the g0/0 and g0/1 will be inline pair of IPS. Firewalls are setup in active failover group at the moment but as only have 1 IPS we are not intending to use the IPS when primary ASA firewall is down. So when the primary firewall is down our backup firewall will take over but traffic won't be passed through the IPS. I have few questions/queries about this setup.

1. Can I create another inline pair g0/2 and g0/3 and connect backup firewall to that? When the backup firewall takes over can it use the IPS and pass the traffic via IPS along our primary/active infrastructure?

2. If I do not connect the backup firewall to IPS' 2nd inline pair, In this scenario traffic will flow through backup asa via backup infrastructure (backup edge router so on and so forth) automatic change over would still take place when the primary ASA fails as long as two ASAs have heartbeat packets between them?

3. Suppose if hardware bypass switch solution is not implemented and If I do not use the 2nd inline pair and just use the IPS with primary firewall, in case of IPS hardware failure would secondary firewall take over automatically. This is confusing me a great deal. Basically what I am proposing is that we don't use the hardware bypass. Connect the IPS between edge router and active ASA. Active ASA will be part of the fail over group with backup ASA. Now if the IPS sensor has a hardware failure, would primary ASA know somehow about it? Will this scenario trigger the automatic switch over to backup ASA firewall? Is this even possible? If so what configuration is needed to implement it. Or would primary ASA continue to send the traffic out to IPS eventhough its dead. Has ASA got some sort of built it mechanism like UDLD to detect the hardware failure for connected device?

For any of the setup options do I need to worry about Vlans? how does IPS fit in with multiple vlans on the local segment?

I would really appreciate any help with my questions. Thanks. Regards.

topic IPS design and implementation question in Network Security

IPS design and implementation question