10-20-2011 03:31 AM - edited 03-10-2019 05:31 AM
Hello Guys,
Is it possible to deploy a 4440 IPS between the Internet routers and the ASA 5550, and not after the ASA 5550 as is commonly done?
We are thinking of that because of the throughput of the IPS.
If it is possible for the IPS to go between the Internet router and the firewall, will it have any effect on the site-to-site VPNs, remote access or SSL VPNs configured on the ASA 5550?
Thanks for your help
10-20-2011 09:14 AM
You are asking if you can place your IPS sensor outside of your firewall. The answer is technically yes, you can place your sensor anywhere you please. The questions you should be asking yourself are:
What am I trying to accomplish with my IPS sensor? (firewalls do not need an IPS sensor protecting them)
Are you planning on doing any analysis of high severity events that the sensor detects? (you will waste a lot of time doing analysis of attacks that your firewall will drop anyway)
Do you have enough sensor bandwidth to detect events outside your firewall? (the open internet is a noisy place, your sensor will have to work harder outside your firewall)
Do you care if you miss inspection of any VPN traffic that is tunneled into your firewall? (encrypted traffic will not be inspected. Placing the sensor AFTER the decryption point will provide coverage of tunneled traffic)
Are you getting paid by the number of events your sensor generates? (one of the few valid reasons to place a sensor outside a firewall)
- Bob
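The decryption-point argument above is easy to see on the wire. The following is an added example written for this edit (not code from the thread, from Bob, or from Cisco): a toy signature sensor parses one IPv4 packet and reports what it can match. The ESP header layout (SPI and sequence number in the clear) follows RFC 4303, but the "cipher" is an XOR keystream standing in for the real SA cipher, the signatures, addresses and HTTP request are constructed for the demonstration, and no Cisco IPS behaviour is modelled.

```python
import struct

# Added example: a tiny signature-based "sensor" showing why a sensor placed in
# front of the VPN-terminating firewall cannot see tunneled traffic, while a
# sensor behind it (after decryption) can. ESP header fields follow RFC 4303;
# the XOR "cipher" is a stand-in for the real SA cipher, NOT real ESP encryption.

IPPROTO_TCP = 6
IPPROTO_ESP = 50

# Constructed content signatures for the demo (not Cisco IPS signatures).
SIGNATURES = {
    "sql-injection-union-select": b"UNION SELECT",
    "web-shell-cmd-param": b"cmd=",
}

def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) followed by payload."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return header + payload

def tcp_segment(sport: int, dport: int, data: bytes) -> bytes:
    """Minimal 20-byte TCP header (PSH|ACK, checksum zero) followed by app data."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + data

def toy_keystream(key: bytes, n: int) -> bytes:
    return bytes(key[i % len(key)] for i in range(n))

def esp_encapsulate(inner_ip: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Tunnel-mode ESP: SPI and sequence in clear, inner IP packet XOR-'encrypted'."""
    ks = toy_keystream(key, len(inner_ip))
    return struct.pack("!II", spi, seq) + bytes(a ^ b for a, b in zip(inner_ip, ks))

def esp_decapsulate(esp_payload: bytes, key: bytes) -> bytes:
    """What the firewall does at the decryption point: recover the inner IP packet."""
    ciphertext = esp_payload[8:]
    ks = toy_keystream(key, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, ks))

def inspect(packet: bytes) -> dict:
    """Parse one IPv4 packet as an inline sensor would and report what it can match."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    l4 = packet[ihl:]
    if proto == IPPROTO_TCP:
        data_off = (l4[12] >> 4) * 4
        app = l4[data_off:]
        hits = [name for name, pat in SIGNATURES.items() if pat in app]
        return {"proto": "tcp", "inspectable": True, "alerts": hits}
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", l4[:8])
        # Only SPI and sequence number are visible; the payload is opaque to a
        # sensor that does not hold the SA keys, so no content signature can fire.
        return {"proto": "esp", "inspectable": False, "spi": spi, "seq": seq, "alerts": []}
    return {"proto": str(proto), "inspectable": False, "alerts": []}

# Constructed sample: a remote-access user sends an attack inside the tunnel.
KEY = b"example-sa-key"  # stand-in for the IPsec SA key the ASA negotiated
attack_http = (b"GET /search.php?q=1' UNION SELECT user,pass FROM accounts-- HTTP/1.1\r\n"
               b"Host: intranet.example.test\r\n\r\n")
inner = ipv4_packet("10.10.10.5", "192.168.2.20", IPPROTO_TCP,
                    tcp_segment(51514, 80, attack_http))
outer = ipv4_packet("203.0.113.7", "198.51.100.1", IPPROTO_ESP,
                    esp_encapsulate(inner, 0x1234ABCD, 7, KEY))

def outside_firewall() -> dict:
    """Sensor between the Internet router and the ASA: sees only the ESP tunnel."""
    return inspect(outer)

def inside_firewall() -> dict:
    """Sensor behind the ASA: sees the packet after the ASA has decrypted it."""
    return inspect(esp_decapsulate(outer[20:], KEY))

if __name__ == "__main__":
    print("outside:", outside_firewall())
    print("inside: ", inside_firewall())
```

Running it shows the outside sensor logging an ESP flow with an SPI and sequence number and no alerts, while the inside sensor fires the UNION SELECT signature on the very same packet. That is the whole case for placing the sensor after the decryption point when VPN traffic is in scope.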
10-21-2011 01:27 AM
Thanks a lot Bob, this is the perfect answer I desired: that technically I can, but why it doesn't make sense to do.
Regards,
Kolade
10-21-2011 04:11 AM
Hi Bob,
Quick one, please:
I will be deploying the IPS behind the firewall answering all the questions you highlighted for me to answer.
However, since my initial concern of throughput remains, I want to know if I can create two trunk ports on a layer 2 switch between the IPS and the distribution switch.
One of the trunk ports will be allowed to forward traffic for VLAN 2 (data) and Extranet (200) on my network, which I really need to inspect.
The second port will be another trunk port, but could forward all other VLAN traffic except the ones mentioned above, and will not be assigned as a sensing port.
Hope I make a bit of sense; all I am trying to achieve is to separate the traffic coming from the firewall, so that while one part is being inspected by the engine, the other is just forwarded along.
Thanks
10-21-2011 09:00 AM
I would try to avoid sending traffic through your sensor that you don't want inspected. If you can separate the VLANs you do not want inspected from those you do, you can send just the traffic to be inspected through your sensor.
If you can do this on a per-VLAN basis, this drawing will work, but if you really need trunks due to the number of VLANs, you will need two switches to properly separate the VLANs:
- Bob