Solved: If you want to run an AMP

wanstor · ‎07-14-2015

Hi

We’re looking to use NGIPSv specifically the AMP portion to protect our network. We have 8 ESXi hosts managed under vSphere. We’d like to compare having the AMP endpoint on around 300 VMs against having a network AMP. Do we need to have a Firesight-AMP-VM on each ESX hosts?

Under this link http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/AMP-Config.html Table 37-3 Network vs Endpoint-Based Malware Protection Strategies:

malware detection robustness

limited file types

all file types

What does it mean by limited file types?

Finally we a number of different VLANs in our infrastructure, with the NGIPSv are we able to add say 10 NIC’s for the different networks and effectively have one device on each ESX? Otherwise what is the recommended set up in a vSphere environment?

Sorry one more thing! It's impossible to buy this for my. I've tried 4 suppliers and all have come up empty. Where can I get hold of this?

Thanks

Marvin Rhoads · ‎07-15-2015

If you want to run an AMP appliance as a VM, it needs to sit on a place in the network where it can provide effective inline inspection of all traffic you need to protect. In the case of a data center, this is usually somewhere in the edge of the data center. If your network design doesn't have a well-defined edge or has multiple high speed (i.e 10 Gbps + ) links, you may not be a good fit for a virtual IPS appliance. Without working with your exact design and layout it's not easy to say if or how many you would need.

Generally we look at network-based vs. endpoint-based AMP as being complementary pieces of a complete solution.

Network-based will show you network trajectory - when did a file come through and where did it go. We don't have the capability to inspect every file type in network-based. That's the caveat you asked about. Right now there are just over 100 file types available to choose from in your inspection policy.

Endpoint-based (the AMP connector) will give you (via the cloud-based console) file trajectory - all files that came into the host of all types and what (if anything) they did. That could include things such as launching a dropper, spawning processes, copying themselves to network shares, etc.

Regarding purchasing, I suggest you search the Cisco partner locator for a partner who is certified in Advanced Security Architecture or has a Master Security certification. (You can do that via this link - put in your location and be sure to click on Advanced Search Criteria.) They should have staff who are familiar with the latest solutions and their capabilities. You won't be able to purchase products like these (or more importantly get good advice) from every small reseller shop.

View solution in original post

Marvin Rhoads · ‎07-15-2015

If you want to run an AMP appliance as a VM, it needs to sit on a place in the network where it can provide effective inline inspection of all traffic you need to protect. In the case of a data center, this is usually somewhere in the edge of the data center. If your network design doesn't have a well-defined edge or has multiple high speed (i.e 10 Gbps + ) links, you may not be a good fit for a virtual IPS appliance. Without working with your exact design and layout it's not easy to say if or how many you would need.

Generally we look at network-based vs. endpoint-based AMP as being complementary pieces of a complete solution.

Network-based will show you network trajectory - when did a file come through and where did it go. We don't have the capability to inspect every file type in network-based. That's the caveat you asked about. Right now there are just over 100 file types available to choose from in your inspection policy.

Endpoint-based (the AMP connector) will give you (via the cloud-based console) file trajectory - all files that came into the host of all types and what (if anything) they did. That could include things such as launching a dropper, spawning processes, copying themselves to network shares, etc.

Regarding purchasing, I suggest you search the Cisco partner locator for a partner who is certified in Advanced Security Architecture or has a Master Security certification. (You can do that via this link - put in your location and be sure to click on Advanced Search Criteria.) They should have staff who are familiar with the latest solutions and their capabilities. You won't be able to purchase products like these (or more importantly get good advice) from every small reseller shop.

NGIPS AMP