When switching to asymmetric mode - what functionality is lost?
I'm working on an IPS design in a fully redundant DC where it is almost impossible to force symmetrical flows. My question is, when using asymmetric mode for TCP reassembly, what exactly is lost? Below is the list I've come up with so far:
1. TCP Normalization. (No big deal in my case because the ASA provides a lot of this same functionality.)
2. Anomaly Detection. With asymmetric mode this should be set to Inactive.
I'm also including a diagram that depicts my situation.
Don't forget that if the IPS sees half of the traffic, and the attack pattern is in the other half that the IPS doesn't see, then of course the sensor can't detect the attack.
So asymmetric traffic lowers the effectiveness of the IPS and makes it unreliable in always detecting the attacks it should. Also, attack patterns spread across several TCP segments might not be detected if one segment is seen by the IPS while another is not.
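To make the last point concrete, here is an added toy model (not Cisco IPS code and not from anyone in this thread) of a sensor that reassembles a client-to-server stream from only the segments that actually cross it: with the flow pinned to one path every segment is seen and a signature straddling two segments matches; with per-packet load sharing after a link failure (modelled here as a constructed seq-parity split) half the segments bypass the sensor and the same signature is missed. The signature string and HTTP request are constructed sample input.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    seq: int        # relative sequence number of the first payload byte
    payload: bytes

# Constructed client-to-server stream; with a 20-byte MSS the marker below
# starts in the 2nd segment and finishes in the 3rd, as real signatures often do.
SIGNATURE = b"EVIL-MARKER"
STREAM = b"GET /index.html HTTP/1.1\r\nUser-Agent: EVIL-MARKER\r\n\r\n"

def segmentize(data, mss):
    """Split a byte stream into MSS-sized segments with relative seq numbers."""
    return [Segment(i, data[i:i + mss]) for i in range(0, len(data), mss)]

def reassemble(segments):
    """Rebuild what the sensor can see of the stream. Bytes that never passed
    through the sensor are filled with NUL so offsets stay aligned, which is
    the best a reassembler can do when part of the flow takes another path."""
    out = bytearray()
    for s in sorted(segments, key=lambda s: s.seq):
        if s.seq > len(out):
            out.extend(b"\x00" * (s.seq - len(out)))   # hole: unseen bytes
        out[s.seq:s.seq + len(s.payload)] = s.payload  # retransmits overwrite
    return bytes(out)

def detects(segments, signature=SIGNATURE):
    """True if the signature can be matched in the reassembled stream."""
    return signature in reassemble(segments)

def bytes_seen(segments):
    """How many payload bytes of the flow actually crossed this sensor."""
    return sum(len(s.payload) for s in segments)

def symmetric_path(segments):
    """Flow pinned to one path (e.g. STP-forced): the sensor sees everything."""
    return list(segments)

def asymmetric_path(segments):
    """Per-packet load sharing after a link failure: only every other segment
    of the flow crosses this sensor (constructed split, by segment index)."""
    return [s for i, s in enumerate(segments) if i % 2 == 0]

if __name__ == "__main__":
    segs = segmentize(STREAM, 20)
    for name, path in (("symmetric", symmetric_path), ("asymmetric", asymmetric_path)):
        seen = path(segs)
        print(f"{name}: {bytes_seen(seen)}/{len(STREAM)} bytes seen, "
              f"signature detected = {detects(seen)}")
```

Note that the asymmetric sensor still sees most of the marker ("IL-MARKER") but never the two bytes that sat in the missing segment, so no amount of reassembly on that sensor alone can recover the match.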
Thanks for the response. In our design, the only time we would really see asymmetric traffic is if one of the 4270's links went down. If we lose an entire 4270 we are still OK; it's just an individual link failure where we could encounter asymmetric flows. I'd really like to design around that, but it seems the only way would be to have a services block layer where, via STP, we can rely on the traffic always going to one switch. vPC, with all its benefits, does lose you a predictable traffic path.