topic Re: Sensing interfaces on IPS! in Network Security

Sensing interfaces on IPS!

alsayed — Sun, 10 Mar 2019 11:59:19 GMT

Guys

I have IPS 4215 with 6.0 image, 4 sensing Interfaces anlong with the C&C,i m confused a litlte bit about the sensing interfaces across the network what am thinking is as follow:

IPS will be functions as inline mode

1) Two sensing interfaces bridged togather on the inside

2) Two sensing interfaces bridged togather on the outside, coz i have web server on the DMZ Need to be accessed from outside

but the inline rule said:traffic from interface to onother interface need to be checked , so how is that with traffic leaving my network to the internet so it nee to be checked either wich useless in this case coz i just need inspection to traffic comes from outside toward my web server and inspection the inside interfaces?

any help here in order to determine the ideal deployment for the sensors

Thanks a lot

Re: Sensing interfaces on IPS!

Jennifer Halim — Mon, 10 May 2010 09:35:59 GMT

You can configure VLAN Pair for each of the network segments that you would like to get the IPS inspected.

Example:

1st sensing interface, configure it as a dot1q trunk port:

- Eg: if your inside interface is in vlan 50, you can map it (bridge it) through the IPS to another vlan (eg: vlan 150).

- So on IPS --> vlan 50 pairs with vlan 150

- All inside hosts are assigned to vlan 50, and its default gateway is assigned to vlan 150, hence the traffic will pass through the IPS in bridge/transparent mode.

Then you can configure the same for DMZ and outside subnet.

Hope that helps.

Re: Sensing interfaces on IPS!

alsayed — Mon, 10 May 2010 12:43:48 GMT

Could you please prepare a drawing for yr suggestions in order to use as a sample?

Thanks

Re: Sensing interfaces on IPS!

Jennifer Halim — Tue, 11 May 2010 10:11:15 GMT

Please find the vlan pairing and trunk for the IPS sensing interface diagram. The example diagram is for inside subnet, and you can replicate the same for DMZ and Outside.

Hope that helps.

Re: Sensing interfaces on IPS!

alsayed — Tue, 11 May 2010 11:50:23 GMT

Thanks Freind

1)so I need 3 sensing interface acting as trunk for 1 for inside and 1 for outside and 1 for dmz

2)Why i have 2 different vlan and the same IP Subnet?what is the reason for that?how the inspection work?

Thanks

Re: Sensing interfaces on IPS!

alsayed — Sun, 23 May 2010 14:27:55 GMT

mate,so if i have route from the asa toward the internet router so now route is in place so i need interface pair not vlan pair coz i have route,is that true?

Re: Sensing interfaces on IPS!

Jennifer Halim — Mon, 24 May 2010 00:18:13 GMT

1) Correct, but again, it depends on how you physically and logically connect the IPS in your network.

2) For vlan pair scenario, you would need to have 2 vlans bridging the traffic just like transparent firewall for example, so the traffic is forced to go through the IPS. If you only have 1 VLAN, traffic will directly go to its default gateway, hence will not pass through the IPS appliance.

Hope that answers your questions.

Re: Sensing interfaces on IPS!

Jennifer Halim — Mon, 24 May 2010 01:01:39 GMT

Interface pair means you have to use a pair of the IPS interfaces, ie: one connects to the ASA and the other connects to the router, basically to ensure that traffic that needs to be inspected is passing through the IPS.

You are not limited to use interface pair, you can also use VLAN pair in your ASA to Internet router scenario. Basically the ASA vlan and the router vlan needs to be different with ASA and router in the same subnet, to force traffic through the IPS.

Example:

ASA outside IP is 200.1.1.1 -- vlan 10

Router interface IP is 200.1.1.2 -- vlan 110

IPS - pairing vlan 10 to vlan 110

Re: Sensing interfaces on IPS!

alsayed — Mon, 24 May 2010 14:29:49 GMT

Hello freind

why 2 different vlan while one single subnet,how the logic goes?

Do u have different IPS deployment including connectivitys

Thanks

Re: Sensing interfaces on IPS!

Jennifer Halim — Tue, 25 May 2010 13:14:18 GMT

Can't really find a sample config on IPS, however, here is sample config on the concept on transparent firewall which is exactly what IPS is:

Interface pair (on ASA firewall): http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

VLAN pair (FWSM): http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/exampl_f.html#wp1029042

For VLAN pair example, just check the diagram, and basically 1 subnet, and vlan pairing basically to force the traffic to go through the firewall/IPS. Since all hosts are on all 1 layer 3 subnet, it will ARP for the ip address, and if the default gateway is on the other side of the IPS/firewall, the traffic is forced to traverse through the appliance to get to its default gateway. Hence forcing the traffic to be inspected by the IPS. Otherwise, there is no other way to force traffic to pass through the IPS as IPS is layer 2 device (sensing interface is L2), not a routed device.