08-29-2005 05:28 AM - edited 03-10-2019 01:36 AM
Folks,
I have 5 sensors that I have to deploy in my network. As per design guidelines I plan to deploy them at the following locations:
1) Behind the Firewall (Internal network)
2) Behind the VPN concentrator
3) In my DMZ
I still have not figured out where the other 2 would go.
My question is, from a design point of view, how should I give them IP addresses for management? What is the Cisco-recommended way of doing such a deployment?
Should I create a new VLAN in my network and assign the IP addresses of all sensors in that subnet? What about the sensor in the DMZ?
Thanks
08-29-2005 11:39 AM
You would want to have the IPS management interfaces in a separate dedicated VLAN; we usually call this a management VLAN. The reason we do this is so that management traffic can't be captured by any casual user on the network.
As far as the placement of the remaining two sensors, I would look at your existing network and figure out the points of highest vulnerability. My opinion is that "lately" malicious activity is originating in the campus or user portion of the network. It may make sense to put an IPS box between the campus and the rest of your network.
I hope this helps a little.
08-29-2005 01:02 PM
You seem to be very knowledgeable on IPS. I have one concern. Is it safe to deploy the IPS system in the default configuration (inline mode)? I mean, I hope it would not bring down the network or start dropping traffic. Also, one question I have is that the documentation talks about a mode in which the sensor would not drop traffic if the software failed. My question is, if the sensing interface is connected to a SPAN port, how would it drop packets or not forward the packets if the software failed? Can you think of a configuration in which the sensor would actually impact the network if the software failed and start dropping all the packets?
08-30-2005 05:15 AM
The default configuration for an IPS sensor is well explained in this thread on the forum:
As for monitoring via SPAN, if this is what you're doing then it is not "inline" at all. This is considered passive monitoring.
If you use the SPAN / TAP method of passively monitoring your network, you do not have to worry about sensor failure impacting your network. Basically, if the sensor goes down, monitoring stops - that's it.
If you deploy inline, then you have to consider the use of "Bypass Mode" to prevent the IPS sensor from introducing a point of failure in your communications path. This feature is well explained in the "Configuring the Cisco Intrusion Prevention Sensor Using the Command Line Interface" guide available here:
Basically, it allows the sensor to pass traffic through an interface pair no matter what, which is an important feature when you're concerned about the sensor disrupting operations.
I hope this helps,
Alex Arndt
08-30-2005 05:45 AM
Can you please give me a scenario in which the IPS will work in inline mode? SPAN is the only way I know of sensing traffic. How do I put the IPS in inline mode? Can you give me an example?
08-30-2005 06:02 AM
I just read the documentation on CCO that talks about the inline pair concept. So, if I understand this correctly, if I put 2 interfaces in the same inline pair, it means that they are in bridge mode and will bridge traffic.
I have to be careful, as I have to put 1 sensor between the firewall and the internal network; 1 mistake and my network goes down.
Thanks
08-30-2005 06:26 AM
I guess you can see now why you have to seriously consider inline versus passive mode monitoring. Also, you'll have to configure the bypass mode appropriately for your environment to ensure your network doesn't go down...
That being said, don't be afraid to install the sensor inline. It will tell you by default what it would have blocked, if it were so configured, while not actually impacting the traffic that passes through it (your bridge comment was bang on!). If you see that the IPS would actually improve your network operations and security by blocking bad traffic, while still passing legitimate traffic, you can reconfigure it and take advantage of its capabilities.
I hope this helps (please rate the post if it does),
Alex Arndt
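The three pieces discussed across the replies above (management address on a dedicated management VLAN, two sensing interfaces bridged as an inline pair, and bypass mode so a sensor failure does not take the path down) put together as one CLI session. This is an added example, not configuration from the thread or from the Cisco guide it references; it follows the Cisco IPS 5.x CLI syntax as I know it, so check each command against the guide for your software version. The sensor name, the interface names GigabitEthernet0/0 and 0/1, the pair name PAIR1, the management address 10.10.99.11/24 with gateway 10.10.99.1, and the permitted management subnet are all placeholders. Lines starting with ! are annotations for the reader, not sensor commands.

```cisco
! Constructed example (Cisco IPS 5.x CLI): sensor placed inline between the
! firewall and the internal network. All names and addresses are placeholders.

! 1. Management address on the dedicated management VLAN. The sensing
!    interfaces of an inline pair carry no IP address at all; only the
!    command-and-control interface does. Restrict management access to the
!    management subnet so it is not reachable from ordinary user VLANs.
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
sensor(config-hos-net)# host-ip 10.10.99.11/24,10.10.99.1
sensor(config-hos-net)# host-name ips-fw-inside
sensor(config-hos-net)# access-list 10.10.99.0/24
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]: yes

! 2. Bridge the two sensing interfaces as an inline pair (the "bridge mode"
!    noted above). bypass-mode auto lets traffic keep flowing through the pair
!    if the analysis engine stops; bypass-mode off would make the sensor a
!    single point of failure, which is what the question about dropped
!    packets was getting at.
sensor(config)# service interface
sensor(config-int)# inline-interfaces PAIR1
sensor(config-int-inl)# interface1 GigabitEthernet0/0
sensor(config-int-inl)# interface2 GigabitEthernet0/1
sensor(config-int-inl)# exit
sensor(config-int)# bypass-mode auto
sensor(config-int)# exit
Apply Changes:?[yes]: yes

! 3. Assign the pair to the virtual sensor so the bridged traffic is
!    actually inspected rather than just forwarded.
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface PAIR1
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]: yes

! 4. Verify the pair is up and review the applied configuration before
!    cabling the sensor into the firewall-to-core path.
sensor(config)# exit
sensor# show interfaces
sensor# show configuration
```

With the pair configured this way the sensor still only reports, in its default event actions, what it would have blocked; enabling deny actions on signatures is the separate step the last reply describes as taking advantage of its capabilities once you trust what it is flagging.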