06-20-2016 07:25 AM - edited 03-10-2019 06:37 AM
Simple complex question. Reading best practices, it is best to place the inline IPS behind the firewall. We will be using 7125 Firepower appliances, not the built-in Firepower on the ASA. However, how do we protect a DMZ without inline? I haven't received the appliances yet, so I have no idea how the actual interfaces can be configured.
Two thoughts come to mind. First, if the inline configuration supports it, set up the ASA interface as a trunk, then scan inline on both VLANs, so there is only the one inline physical connection. Possible?
Second thought: we will also be doing passive IDS on the same appliances, multiple in fact, as we also have a separate network that is firewalled internally. If the IDS detects an attack on the DMZ segment, can it write an ACL to the ASA to deny the attack automatically?
Placing the IPS outside the firewall would possibly block an attack on a DMZ server, but the downside is that it would not be able to see if anything internally has gone wrong, and it would generate too many anomalies.
Thoughts are welcome as to best placement as well as my question.
06-20-2016 09:05 PM
Hello Team,
If you have ordered a hardware sensor of the 7000 series, then you can manage it with the FireSight Management Center. It can be either hardware or virtual. Virtual FireSight can be installed on an ESXi host. If the device is configured inline, then traffic inspection will occur based on the access control and intrusion rules, and the specified actions will take place.
Since you are new to the device, for the complete configuration it would be better to refer to the configuration guide. It has all the configuration steps.
http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401.html
http://www.cisco.com/c/en/us/td/docs/security/firepower/hw/firepower_device/firepower_7k8k_device.html
Here is the datasheet for reference of throughputs expected.
http://www.cisco.com/c/en/us/products/collateral/security/firepower-7000-series-appliances/datasheet-c78-732954.html
Rate if this answer helps you.
Regards
Jetsy
06-21-2016 05:43 AM
Thanks, but that is not what I was asking. I am well aware that the appliance, and ASA/IOS IPS for that matter, are controlled via the FireSight console. What I am asking is: if a signature is triggered by the IDS, can the device send an ACL to the ASA itself? We won't be using the ASA FirePower due to an issue with fail-open on them.
So let's say an external host is attacking a host on the DMZ which is not inline to the appliance, but rather monitored via SPAN. Can the system write an ACL on the firewall to block that attack?