cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

539
Views
0
Helpful
1
Replies
smoothnetworks
Beginner

ASA5515-IPS-K9 Integration Design Query

Hello,

Came accross a slighly different and odd design today. Customer had:-

Internet----ASA(x2)----Internal Network

They now have purchased an IPS applaince and their proposed design looks like this:-

Internet----ASA(x2)----ASA5515-IPS-K9-----Internal Network

Sole Objective: Introduce Intrusion Prevention functionality to meet compliance requirements

Im trying to thrash out a design to allow traffic to be inspected by the IPS module within that second firewall (ASA5515-IPS-K9) however not use the ASA Firewall feature as it is not needed due to the policy being on the upstream ASAs - so basically just use the IPS.

Im not sure what's the best way to do this. Ideally removing the first pair of firewalls would be an option, it also would ease the burden on  management however Im looking for some ideas for a another method as I only have one IPS alliance at the moment so failure of it would be a problem.

Can anyone recommend a way I can pass traffic through the ASA5515-IPS-K9 straight to the IPS only? Other than a permit all security policy?

I am in a position to advise on a more suitable design but there may be (initial) budgetary constraints if a drastic design is needed

Regards,

SN

1 REPLY 1
Julio Carvajal
Advisor

Hello Sr,

I would actually recommend to have a 3 FW in place ( more managment but more security is added) ..

It would be a waste to buy that chassis just to use the IPS (There are IPS sensors that only perform Intrusion Prevention taks)

You could try to apply more layers to security to your network and that would not be a problem at all,

I mean if managment already decided to go for that ASA-X box why dont you take the best of it

Hope that I could help,

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Create
Recognize Your Peers
Content for Community-Ad