Would it be possible to use an IPS 4255 in this topology?

monkeyboy
Level 1

(please see attached diagram - done in Paint!) Basically I would like to use the IPS 4255 to inline IPS my internal network and also promiscuous/IDS my DMZ.

The IPS 4255 has four interfaces - would this be a workable solution, and also what are the potential security implications?

Many thanks

5 Replies

marcabal
Cisco Employee

No

In looking at your picture you would be trying to pair 3 interfaces (1 to the left PIX, 1 to the right PIX, and 1 to the proxy/cache), and this won't work. To create an inline pair you can only use 2 interfaces.

You would only be able to pair one PIX with the proxy/cache. Assuming you did that, it will be OK for most connections, but will have trouble with some others.

Connections coming in from the LAN through the proxy/cache, through the inline pair to the PIX, and then to DMZ 1 will again be copied to the sensor.

This second copy to the sensor could cause some confusion on the sensor. It works fine most of the time, but I have seen occasions where the sensor triggers a false positive and drops the packets.

hwon
Level 1

That design would introduce a single point of failure because of the inline IPS serving both PIXes. You can still pass traffic when the analysis engine dies by setting the bypass mode to auto; however, if the physical unit itself has problems you won't be able to pass traffic on either PIX node. Installing a separate IPS for each PIX device would be the fix.

Having said that, if I only had one IPS with four interfaces I would rather protect the two DMZs with the most services open to the Internet. Granted, having IPS on the inside segment is important; for one, you will be able to enforce policies for outbound traffic, such as IM and P2P protocols. However, it would make sense to deploy inline IPS in the DMZ from an attack-mitigation perspective, since most of the network-based attacks from the Internet will be targeted at DMZ servers.
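The two constraints raised in the replies above, that one inline pair consumes exactly two sensing interfaces and that bypass mode only covers an analysis-engine failure, can be seen in a sensor configuration. The following is an added illustration, not a configuration from either poster and not the thread's actual setup: it assumes the IPS 5.x/6.x-era sensor CLI, that GigabitEthernet0/0 and 0/1 sit inline between one PIX and the proxy/cache, that GigabitEthernet0/2 receives a SPAN copy of a DMZ segment for promiscuous inspection, and that the default virtual sensor is named vs0. The pair name `pixpair` is made up, and the `!` lines are annotations rather than typed commands.

```text
! Added example, not from the thread. Interface roles and the pair name are assumptions.
sensor# configure terminal
sensor(config)# service interface
! An inline pair is exactly two physical interfaces; a third cannot be added to it
sensor(config-int)# inline-interfaces pixpair
sensor(config-int-inl)# interface1 GigabitEthernet0/0
sensor(config-int-inl)# interface2 GigabitEthernet0/1
sensor(config-int-inl)# exit
! Both inline members and the promiscuous port must be administratively enabled
sensor(config-int)# physical-interfaces GigabitEthernet0/0
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
sensor(config-int)# physical-interfaces GigabitEthernet0/1
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
sensor(config-int)# physical-interfaces GigabitEthernet0/2
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# exit
! auto = keep forwarding through the inline pair if the analysis engine stops (fail-open)
! off  = stop forwarding instead (fail-closed)
! Neither setting helps if the sensor hardware itself loses power or a port
sensor(config-int)# bypass-mode auto
sensor(config-int)# exit
Apply Changes?[yes]: yes
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
! The inline pair is attached as a logical interface, the SPAN feed as a physical one
sensor(config-ana-vir)# logical-interface pixpair
sensor(config-ana-vir)# physical-interface GigabitEthernet0/2
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes?[yes]: yes
```

Two points worth checking against such a configuration: with `bypass-mode auto` the inline segment fails open, so a crashed analysis engine means uninspected traffic rather than an outage, which is a deliberate availability-over-inspection choice; and because the same flow can be seen once on the inline pair and again on the SPAN feed, the duplicate-copy behaviour marcabal describes applies to whichever DMZ segment is mirrored to GigabitEthernet0/2.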

Many thanks - unfortunately we're unable to have 2 IDSs, as per cost implications.

Out of the diagram, where would be the best place to terminate remote access VPNs - DMZ3?

Cheers

Mark

...would this be a viable setup considering that the IPS has to be able to monitor both the PIXes?

I believe DMZ3 could be a place for the Remote Access VPN, as long as DMZ3 is dedicated solely for Remote Access.

Your IPS setup based on the new diagram should let you monitor traffic for both PIX units. But again, with no redundancy.

We had a case where we had to place one IPS inline for a failover PIX pair. We were running active/standby PIX, so we placed the IPS for the active PIX only. Just wanted to throw that out as an option in case you wanted to protect against device failure.
