NGIPS AMP

wanstor (Beginner)

Hi


We’re looking to use NGIPSv, specifically the AMP portion, to protect our network. We have 8 ESXi hosts managed under vSphere. We’d like to compare having the AMP endpoint on around 300 VMs against having a network AMP. Do we need to have a Firesight-AMP-VM on each ESX host?



Under this link http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/AMP-Config.html, Table 37-3 "Network vs Endpoint-Based Malware Protection Strategies" has the row:

- malware detection robustness: network-based = limited file types; endpoint-based = all file types

What does it mean by limited file types?


Finally, we have a number of different VLANs in our infrastructure. With the NGIPSv, are we able to add, say, 10 NICs for the different networks and effectively have one device on each ESX host? Otherwise, what is the recommended set-up in a vSphere environment?


Sorry, one more thing! It's impossible to buy this for my. I've tried 4 suppliers and all have come up empty. Where can I get hold of this?


Thanks

Accepted Solution

Marvin Rhoads (Hall of Fame)

If you want to run an AMP appliance as a VM, it needs to sit in a place in the network where it can provide effective inline inspection of all traffic you need to protect. In the case of a data center, this is usually somewhere at the edge of the data center. If your network design doesn't have a well-defined edge or has multiple high-speed (i.e. 10 Gbps+) links, you may not be a good fit for a virtual IPS appliance. Without working with your exact design and layout, it's not easy to say if or how many you would need.

Generally we look at network-based vs. endpoint-based AMP as being complementary pieces of a complete solution.

Network-based will show you network trajectory: when did a file come through and where did it go. We don't have the capability to inspect every file type in network-based. That's the caveat you asked about. Right now there are just over 100 file types available to choose from in your inspection policy.

Endpoint-based (the AMP connector) will give you (via the cloud-based console) file trajectory: all files of all types that came into the host and what (if anything) they did. That could include things such as launching a dropper, spawning processes, copying themselves to network shares, etc.

Regarding purchasing, I suggest you search the Cisco partner locator for a partner who is certified in Advanced Security Architecture or has a Master Security certification. (You can do that via this link - put in your location and be sure to click on Advanced Search Criteria.) They should have staff who are familiar with the latest solutions and their capabilities. You won't be able to purchase products like these (or more importantly get good advice) from every small reseller shop.
