IPS design

I have 2 units of ASA 5520 with AIP-SSM-20 for the front-end and 2 units of ASA 5520 with AIP-SSM-20 for the back-end. I also have 2 units of Catalyst 6509. How should my design look?

It all depends on what you are trying to accomplish and what features you are using in each ASA. The outside ASA, as a firewall, can host several inside networks (limited by the number of interfaces in the ASA); each network can have a different firewall policy assigned. If that meets your firewall needs, then you might not require a second set of ASAs.
You have not provided enough network requirements detail to even make a guess at what you need.

Similar Messages

  • IPS design review

    Hello ,
    Could you review my IPS design (the topology picture is in the attachment)? Can I have one IPS with three or four ports attached to the same switch in an EtherChannel? I am talking about one IPS with multiple interfaces. For example, two IPSs with four interfaces in the switch's EtherChannel group with eight ports. (The IPS's interfaces are in VLAN pair mode.)
    Kind Regards.

    Sorry, i have forgotten to attach the topology picture.

  • IPS Design Help

    Hi All,
    There are two ASAs with failover and two switches, one internal switch and one DMZ switch. Both ASAs are connected to the two switches. Now we want to implement IPS here. We are using the 4240 model. I want to use two inline interface pairs, one for the DMZ and one for internal. But the problem is that there are two ASAs. If you could show me a high-level design and how to connect the ASA to the IPS and then to the switch, that would be very much appreciated.
    Thanks
    Al

    Thanks for your reply,
    The ASA has three interfaces: one is outside, one is inside and the other one is DMZ. The inside and DMZ interfaces are trunk ports with a bunch of VLANs each, and they are connected to two switches with trunk ports. These two switches are not connected to each other and they are connected to separate networks.
    Sorry for the incomplete description. Any suggestion would be very much appreciated.
    thanks

  • HA IPS Design

    Hi,
    I'm designing a security system that involves:
    2 x inside firewalls (ASA5520)
    2 x switches connected together (for failover)
    2 x IPS (4240IPS)
    2 x switches connected together (for failover)
    2 x outside firewalls (Juniper SSG)
    I'm looking at active/standby or active/active for the firewalls but am not sure if the IPS supports the same with stateful failover. My concern is with asymmetric routing if both IPSs are active and independent. Can I guarantee that a session will use the same IPS for inbound/outbound flows and not get separated across two IPSs?
    Any guidance is appreciated.
    Thanks, Wayne

    IPSec Stateful Failover (VPN High Availability) is a feature that enables a router to continue processing and forwarding packets after a planned or unplanned outage. You can employ a backup (standby) router that automatically takes over the primary (active) router's tasks in the event of an active router failure. The process is transparent to users and to remote IPSec peers. The time that it takes for the standby router to take over depends on HSRP timers.
    IPSec Stateful Failover (VPN High Availability) is designed to work in conjunction with Reverse Route Injection (RRI) and Hot Standby Router Protocol (HSRP) with IPSec. When used together, RRI and HSRP provide a more reliable network design for VPNs and reduce configuration complexity on remote peers.
    RRI and HSRP are supported together with the restriction that the HSRP configuration on the outside interface uses equal priorities on both routers. As an option, when not using RRI, you can use an HSRP configuration on the LAN side of the network (equal HSRP priority restriction still applies).

  • IDP IPS Design

    Where is the best place to put an IDS/IPS device? For example, outside/inside of the firewall?
    Does Cisco have any recommendation?
    Does anybody have a good design to share?
    Thanks,

    There's probably not a "1 size fits all" answer here. If you have unlimited $$$ then you could sprinkle sensors all over your network, but I'm guessing that's not the case.
    As such, you're going to need to take a few steps that will help you design your IDS/P deployment.
    First you'll need to map out your network and then decide what assets are the most critical. One place where most people will deploy some IDS/P is in a DMZ. This is an obvious choice as the assets there are accessed by untrusted sources.
    Another good spot is behind the firewall. Assuming that the sensor can handle the bandwidth, this will let you see traffic coming in from the DMZ(s) and going out from the trusted networks. You'll be able to see things like traffic from PCs infected with zombies and the like on this sensor.
    Next, if you have your "critical" assets (say DB servers and the like) segmented off on their own internal network, then putting a sensor where it can see traffic going to/from them makes good sense too. This will again give you a good look into what, if any, attacks are being directed at them. If it's a server in the DMZ you'll already pick that up on the DMZ sensor, but the one near your critical assets will also show any infected PCs or hosts on the inside trying to hit them.
    I don't normally put a sensor on the "outside" as there's not much value in that. There's way too much data there to handle, and if 90% of the traffic is being dropped by your firewall rules, why bother worrying about that anyway? Putting sensors in the firewall like the AIP-SSMs, or putting external sensors where they can see the other firewall interfaces, will show you the same traffic minus all the junk that gets dropped by not matching a rule.
    Hope this helps. I know it's very general, but you really need a detailed map of your network topology and traffic flows to make the best choices about where sensors should be.

  • IPS design question

    Hi All,
    I have two ASAs in active/standby failover. These two are connected to a 3750 switch through a trunk port that carries VLANs 10, 20 and 30. I want to deploy an IPS in between in inline mode. I am a little confused about how to connect the IPS here. Should it be connected with both ports to the switch, or should it be connected to the ASA on one end and then to the switch on the other end?
    If you could show me how to connect the IPS here, that would be very much appreciated.
    thanks
    Alex

    With an inline VLAN pair only one IPS interface is utilized (it has to be a trunk); have a look at:
    http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_configuration_example09186a0080876d9f.shtml
    Regards
    Farrukh

  • IPS 4270 placement @ Internet Edge

    Given that I have the same topology as shown in Internet Edge Cisco IPS Design Best Practices and am basically inserting a 4270 appliance in INLINE mode.
    Core and Distribution Switch = Layer-3 routed links
    Distribution Switch and ASA = Layer-2 access port
    I'm wondering how the IPS sensors should be configured. I think I understand the methods below, but since my Core/Distribution links are Layer-3, I'm not sure which method is going to work, since most require two VLANs ...
    1. Interface Pairing
    2. VLAN Pairing
    3. VLAN Group
    Anyone has same experience?
    Thanks in advance ...
    Gerard

    I have a 4270-20 positioned at the edge of my network. It sits between the outside of the firewall and our Internet router. The only problem with this model is that it makes tracking down threats very difficult, as the only thing you will ever see are the NAT'd public IPs for all your traffic.
    To get around this limitation, we created an additional interface in promiscuous mode and we SPAN the traffic on the link between our core switch and the internal interface of our firewall to it. This gives us complete outside protection and inside visibility. This is still not an ideal setup and we are in the process of re-architecting our internal traffic so that we can run two inline pairs on the IPS, one internal and one external.
    The best way to go is having the IPS in the firewall itself, but throughput on firewalls is often a concern, and unfortunately for Cisco, quite a limitation.
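    The visibility problem described in the reply above (a sensor outside the firewall only ever reports the NAT'd public address) can be worked around at analysis time by correlating the alert with the firewall's translation log. The following is an added example, not code from this thread or from Cisco: it parses ASA "Built/Teardown dynamic translation" syslog messages (%ASA-6-305011 / %ASA-6-305012) into time-bounded translation intervals and resolves a public IP/port at a given instant back to the inside host. The log lines, hostname, addresses and alert times are constructed for the example; because PAT reuses public ports, the lookup has to be time-aware or it will attribute an alert to the wrong inside host.

```python
# Added example, not code from the thread or from Cisco: correlate an alert
# from a sensor outside the firewall (which only sees NATed public addresses)
# with the ASA's dynamic translation syslog to recover the inside host.
# The regex follows the %ASA-6-305011 / %ASA-6-305012 message format
# ("Built/Teardown dynamic TCP translation from inside:A/p to outside:B/q");
# the log lines, hostname, addresses and alert times below are constructed.
import re
from datetime import datetime
from typing import List, Optional, Tuple

NAT_LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}).*?%ASA-6-30501[12]: "
    r"(?P<action>Built|Teardown) dynamic (?P<proto>TCP|UDP) translation from "
    r"(?P<in_if>\S+):(?P<in_ip>[\d.]+)/(?P<in_port>\d+) to "
    r"(?P<out_if>\S+):(?P<out_ip>[\d.]+)/(?P<out_port>\d+)"
)

# Constructed sample: PAT port 203.0.113.10/1024 is reused by a second inside
# host after the first translation is torn down, so the lookup must be
# time-aware. The 302013 line is an ordinary connection log and is ignored.
SAMPLE_LOG = [
    "Jan 12 2014 10:15:03 fw01 : %ASA-6-305011: Built dynamic TCP translation "
    "from inside:10.1.1.5/49152 to outside:203.0.113.10/1024",
    "Jan 12 2014 10:15:33 fw01 : %ASA-6-305012: Teardown dynamic TCP translation "
    "from inside:10.1.1.5/49152 to outside:203.0.113.10/1024 duration 0:00:30",
    "Jan 12 2014 10:16:00 fw01 : %ASA-6-305011: Built dynamic TCP translation "
    "from inside:10.1.1.77/50011 to outside:203.0.113.10/1024",
    "Jan 12 2014 10:16:10 fw01 : %ASA-6-302013: Built outbound TCP connection "
    "12345 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.1.1.77/50011 "
    "(203.0.113.10/1024)",
]

Key = Tuple[str, str, int]                       # (proto, public ip, public port)
Interval = Tuple[Key, str, int, datetime, Optional[datetime]]

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%b %d %Y %H:%M:%S")

def build_nat_table(lines: List[str]) -> List[Interval]:
    """Pair Built/Teardown records into (key, inside ip, inside port, start, end)
    intervals. A Built record with no Teardown yet is still active (end=None)."""
    active = {}
    table: List[Interval] = []
    for line in lines:
        m = NAT_LOG_RE.search(line)
        if not m:
            continue
        g = m.groupdict()
        key: Key = (g["proto"], g["out_ip"], int(g["out_port"]))
        ts = parse_ts(g["ts"])
        if g["action"] == "Built":
            active[key] = (g["in_ip"], int(g["in_port"]), ts)
        else:
            rec = active.pop(key, None)
            if rec is not None:
                table.append((key, rec[0], rec[1], rec[2], ts))
    for key, (in_ip, in_port, start) in active.items():
        table.append((key, in_ip, in_port, start, None))
    return table

def resolve_inside_host(table: List[Interval], proto: str, out_ip: str,
                        out_port: int, when: datetime) -> Optional[Tuple[str, int]]:
    """Return (inside ip, inside port) that owned the public ip/port at 'when',
    or None if no translation covered that instant."""
    for key, in_ip, in_port, start, end in table:
        if key == (proto, out_ip, out_port) and start <= when and (end is None or when <= end):
            return (in_ip, in_port)
    return None

NAT_TABLE = build_nat_table(SAMPLE_LOG)

if __name__ == "__main__":
    for t in ("10:15:20", "10:15:45", "10:16:30"):
        when = parse_ts("Jan 12 2014 " + t)
        print(t, "203.0.113.10/1024 ->",
              resolve_inside_host(NAT_TABLE, "TCP", "203.0.113.10", 1024, when))
```

    The third lookup falls in the gap between the teardown and the re-use of the port and correctly returns nothing; a lookup keyed only on the public address and port would have returned whichever host happened to hold the mapping last. In practice the sensor clock and the firewall clock need to be synchronized (NTP) for this correlation to be trustworthy.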

  • When switching to asymmetric mode - what functionality is lost?

    Hello,
    I'm working on an IPS design in a fully redundant DC where it is almost impossible to force symmetrical flows. My question is, when using asymmetric mode for TCP reassembly, what exactly is lost? Below is the list I've come up with so far:
    1. TCP Normalization. (No big deal in my case because the ASA provides a lot of this same functionality.)
    2. Anomaly Detection. With asymmetric mode this should be set to Inactive.
    I'm also including a diagram that depicts my situation.

    Hi Fadi,
    Thanks for the response. In our design, the only time we would really see asymmetric traffic is if one of the 4270's links went down. If we lose an entire 4270 we are still OK; it's just when an individual link fails that we could encounter asymmetric flows. I'd really like to design around that, but it seems the only way would be to have a services block layer where, via STP, we can rely on the traffic always going to one switch. vPC, with all its benefits, does lose you a predictable traffic path.
    Brad

  • Ips 4260 design

    In one of our customer designs there are 2 5580 ASAs in active/active and 2 6500 cores. The DMZ switch is connected to the firewall. Now they want to install an IPS in inline mode. So we removed the link from the ASA to the DMZ switch and connected the ASA to the IPS and the IPS to the DMZ switch. We did this for both firewalls to configure them in inline mode. Will the device work efficiently? How can we configure this?
    Kindly do the needful.

    Here's a configuration example-
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a00809c37cb.shtml

  • Validate PIX & IPS Network Design

    Attached is my network design of the PIX and the IPS in promiscuous mode (non-inline). It doesn't look sound:
    1. Is it possible to set up the IPS in non-inline mode with two sensors?
    2. Can the IPS direct blocking commands to the PIX through the desktop management console? If not, do I need to place an internal switch for the desktop console and the command/control interfaces of the PIX and IPS?
    3. Other comments/suggestions?

    Cisco IPS Version 5.0 Sensor can be configured either in the IPS (inline) mode or the promiscuous IDS mode. If your sensor already has more than one monitoring interface, no additional hardware is required to run Cisco IPS Sensor Software Version 5.0 in the IPS (inline) mode. IPS services require at least one monitoring interface pair (two monitoring interfaces). Cisco provides the option of upgrading sensors with a single monitoring interface to support multiple monitoring interfaces. For more information on the various IDS and IPS sensor platforms and part numbers, please refer to Cisco IPS 4200 Series Data Sheet located at: http://www.cisco.com/go/ips
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_qanda_item0900aecd801e6a99.shtml

  • IPS etherchannel load balancing design

    Is it possible to do EtherChannel load balancing with the design attached? I know I need to configure VLAN pairs but I'm not sure if it's possible with my current design.

    An EtherChannel design will work with interface pairs as well, provided the design is appropriate to take care of the asymmetry.
    Coming to your design, if I understand the requirement correctly, you wish to create an EtherChannel between the 3750 stacked switch and the pair of CAT6Ks. Enabling VSS on the pair of CAT6K switches and then creating the EtherChannel should help. But the flow symmetry will not be guaranteed (meaning the same IPS may not see the forward and the reverse packets of the flow).
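    The symmetry concern in the reply above, and the earlier question about what a sensor gives up in asymmetric TCP reassembly mode, both come down to which sensor sees which direction of a flow. The following is an added example, not code from this thread or from Cisco: it models a two-member channel feeding two inline sensors, hashes each packet of a constructed TCP session to a member under a chosen load-balance policy (a simplified stand-in for the switch's real hash, assumed here to be hash modulo member count), and runs a minimal handshake-tracking sensor on each member to show that a source-only hash splits the directions while a source-plus-destination hash keeps them together. The addresses, ports and the tracker's state machine are assumptions for illustration.

```python
# Added example, not code from the thread or from Cisco: models how the
# switch's EtherChannel load-balance policy decides which of two inline
# sensors sees each packet of a TCP session, and what a sensor that tracks
# the three-way handshake loses when the two directions land on different
# sensors. The hash is a simplified stand-in for the real switch algorithm
# (assumed: member = hash mod member count); the session is constructed.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str          # "S", "SA", "A", "PA"

def pick_member(pkt: Packet, policy: str, members: int) -> int:
    """Index of the channel member (sensor) a packet is hashed to.
    'src-ip' keys on the source only, so the reply (addresses swapped) may go
    elsewhere. 'src-dst-ip' XORs both; XOR is commutative, so both directions
    of a flow always hash to the same member."""
    if policy == "src-ip":
        h = int(ip_address(pkt.src))
    elif policy == "src-dst-ip":
        h = int(ip_address(pkt.src)) ^ int(ip_address(pkt.dst))
    elif policy == "src-dst-port":
        h = pkt.sport ^ pkt.dport
    else:
        raise ValueError("unknown policy: " + policy)
    return h % members

def flow_key(p: Packet) -> Tuple:
    """Direction-independent flow key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

class HandshakeTracker:
    """Minimal stateful sensor: a flow is 'established' only if this sensor
    itself saw SYN, SYN-ACK and the final ACK. A sensor that insists on seeing
    the setup before inspecting data (the symmetric default) can never get
    there when the other direction is hashed to a different sensor."""
    def __init__(self) -> None:
        self.state: Dict[Tuple, str] = {}

    def observe(self, p: Packet) -> str:
        k = flow_key(p)
        st = self.state.get(k, "none")
        if p.flags == "S" and st == "none":
            st = "syn_seen"
        elif p.flags == "SA" and st == "syn_seen":
            st = "synack_seen"
        elif p.flags == "A" and st == "synack_seen":
            st = "established"
        self.state[k] = st
        return st

def simulate(policy: str, sensors: int = 2) -> dict:
    """Push one client->server TCP session through the channel; report which
    directions each sensor saw and whether any sensor reached 'established'."""
    client, server = "10.1.1.5", "203.0.113.10"      # constructed addresses
    session = [
        Packet(client, server, 49152, 443, "S"),
        Packet(server, client, 443, 49152, "SA"),
        Packet(client, server, 49152, 443, "A"),
        Packet(client, server, 49152, 443, "PA"),
    ]
    trackers = [HandshakeTracker() for _ in range(sensors)]
    seen: List[Set[str]] = [set() for _ in range(sensors)]
    for p in session:
        idx = pick_member(p, policy, sensors)
        seen[idx].add("fwd" if p.src == client else "rev")
        trackers[idx].observe(p)
    key = flow_key(session[0])
    states = [t.state.get(key, "none") for t in trackers]
    return {
        "symmetric": all(not d or d == {"fwd", "rev"} for d in seen),
        "established_somewhere": "established" in states,
        "per_sensor": [sorted(d) for d in seen],
    }

if __name__ == "__main__":
    for policy in ("src-ip", "src-dst-ip", "src-dst-port"):
        print(policy, simulate(policy))
```

    With the constructed addresses the source-only policy sends the client's packets to one sensor and the server's replies to the other, so neither tracker ever reaches "established" and a sensor in symmetric mode would have no handshake to anchor inspection on; the src-dst policies keep both directions on one member. That is why a single channel with a symmetric hash is workable, while the case in the reply above (two independent paths through a switch pair, or a failed link in a vPC fabric) gives no such guarantee and pushes you toward asymmetric mode, with the loss of TCP normalization and anomaly detection that the earlier post lists.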

  • IPS 4240 Design Question

    I have two IPS 4240s that may be placed between our internal network and our extranet firewall. The firewall set is your standard ASA-5520 active/failover pair connected to two switches.
    Q1 - If I am not worried about atomic attacks, is there any other benefit to having the IPS inline over promiscuous?
    Q2 - Whether inline or promiscuous, is it necessary to connect the single IPS to both switches in order to receive packets when an ASA failover occurs? If so, is it done physically or via RSPAN?
    Q3 - If the IPS fails and it is configured inline, do the interfaces fail open (traffic continues to pass) or closed (traffic is dropped)? I could not find that on Cisco's site.
    Thanks!

    A1 - There are a few things that inline mode can clean up by default, but that can also bite you. Check out some of the other forum posts on having SSH dropped without alerts. Since you have redundant 4240s, the reliability of the IPS sensors inline shouldn't affect you as much. Just don't update them at the same time.
    A2 - Only the signatures that need state will be affected by a failover. Hopefully failovers do not happen frequently enough for missing a few potential hits to be an issue. If you are really performing good analysis and tuning out your false positives, then you might want to connect both sensors to both switches.
    A3 - You can configure the 4240s to fail open (pass the traffic through the sensor when it fails) or fail closed (do not pass traffic during sensor failure). Since you have dual firewalls, switches and sensors, you can fail closed and force the traffic through the running sensor and firewall. If one sensor is standby, you may want to make it fail open, so that you can still pass traffic in the event both sensors are down.

  • ASA IPS Transparent Design Solution Needed

    I have a query on IPS deployment. I have a customer with the following setup.
    One internal Cisco L3 switch connects to ---> two 5520 ASA firewalls in HA mode (active/standby), which connect to another private network.
    Now I am asked to put an ASA 5525-X series IPS between the L3 switch & ---> the two ASA firewalls.
    What are the implementation options available without touching any config on the L3 switch or the two 5520 ASA firewalls?
    Can I set this up in transparent mode?

    You originally stated that you wanted to place an ASA 5525-X between the external L3 switch and an HA pair of existing ASA 5520 firewalls. That would place the ASA 5525-X on the exterior of your HA firewalls.
    The "best option" depends on cost and product support.
    Replacing your ASA 5520 firewalls with 5525-X firewalls seems like an expensive way to get IPS functionality.
    You could find some AIP-SSM modules. End of sale was March 2013, so you'll have to buy some used. Put them into your existing 5520s. You can still get almost 5 years of licensing and support from Cisco on them: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/eol_C51-727284.html
    Even an ASA with an IPS feature (either in software or hardware) in promiscuous mode will still interrupt traffic if you are passing traffic through it upon some failures. The way around that would be to use a tap or a SPAN port on your L3 switch.
    Alternately you could place an inline IPS in the stream of traffic with an external fail-open switch to divert traffic around an IPS sensor that is down.
    - Bob

  • Unable to open query designer while able to access BI system

    Hi Experts,
       I have a problem while opening Query Designer, Analyzer and WAD. I get the error below. But when I access the relevant BI system I am able to access it well; I don't get any RFC error. Is there any port setting for Query Designer separately? This problem is faced at offshore, which connects to client servers at onsite. Onsite guys are not facing any issues opening Query Designer or Analyzer. Please guide, as I am not good in Basis ..
    RFC_ERROR_COMMUNICATION
    Message
    CMALLC : rc=27 > Connect from SAP gateway to RFC server failed
    Connect_PM  GWHOST=163.164.XX.XXX, GWSERV=sapgw00, SYSNR=00
    LOCATION    SAP-Gateway on host XXXXXXX/ sapgw00
    ERROR       timeout during allocate
    TIME        Mon Sep 12 14:20:38 201
    RELEASE     700
    COMPONENT   SAP-Gateway
    VERSION     2
    RC          242
    MODULE      gwr3cpic.c
    LINE        2066
    DETAIL      no connect of TP sapdp00 from host 163.164.XX.XXX, after 20 sec
    Thanks
    Vamsi
    Edited by: vamsi talluri on Sep 14, 2011 6:57 PM

    Hi Experts,
       I have checked with the Basis team; my issue is resolved. Please find the solution.
    1) Add the corresponding system server names in the hosts files of the offshore desktops.
    2) After that, Basis added the offshore NATed IPs in the SAP gateway parameter/alternate hostnames in the system profile (RZ10 tcode).
    Then offshore is able to access Query Designer etc....
    Regards
    vamsi

  • How to use two gtx transceivers in one quad for two aurora ips

    Here the MGT bank is 113.
    I am using two Aurora 64b66b IPs: for one IP GTX_X1Y0, for another GTX_X1Y2. While simulating, results are good. Coming to implementation, it shows an error in MAP:
    Pack:2811 - Directed packing was unable to obey the user design constraints (LOC=GTXE2_COMMON_X1Y1) which requires the combination of the symbols listed below to be packed into a single GTXE2_COMMON component.
    The directed pack was not possible because: The target component type can only contain one fragment.
    The symbols involved are:
    GTXE2_COMMON symbol "Source2/Aurora_2/src_2_wrapper_i/Src_2_multi_gt_i/gtxe2_common_i" (Output Signal = NULL)
    GTXE2_COMMON symbol "Source1/Aurora_1/src_1_wrapper_i/Src_1_multi_gt_i/gtxe2_common_i" (Output Signal = NULL)
    What is the solution for it?
     find attachments.

    i got following error while implementing project in vivado.
    "[DRC 23-20] Rule violation (REQP-1739) GTx R/TXOUTCLK drives inappropriate load - GTXE2_CHANNEL cell design_1_i/aurora_64b66b_0/inst/design_1_aurora_64b66b_0_0_core_i/design_1_aurora_64b66b_0_0_wrapper_i/design_1_aurora_64b66b_0_0_multi_gt_i/design_1_aurora_64b66b_0_0_gtx_inst/gtxe2_i pin design_1_i/aurora_64b66b_0/inst/design_1_aurora_64b66b_0_0_core_i/design_1_aurora_64b66b_0_0_wrapper_i/design_1_aurora_64b66b_0_0_multi_gt_i/design_1_aurora_64b66b_0_0_gtx_inst/gtxe2_i/TXOUTCLK (net: design_1_i/aurora_64b66b_0/inst/design_1_aurora_64b66b_0_0_core_i/design_1_aurora_64b66b_0_0_wrapper_i/design_1_aurora_64b66b_0_0_multi_gt_i/design_1_aurora_64b66b_0_0_gtx_inst/tx_out_clk) should only drive BUFG, BUFH, BUFMR, MMCM or PLL loads, but drives one or more invalid loads such as FDRE cell CORE_STATUS_channel_up_master_reg. Please insert a BUFHCE (or a BUFMR, if the load is a BUFR) between the GT and its load(s).
    [DRC 23-20] Rule violation (REQP-1739) GTx R/TXOUTCLK drives inappropriate load - GTXE2_CHANNEL cell design_1_i/aurora_64b66b_1/inst/design_1_aurora_64b66b_1_0_wrapper_i/design_1_aurora_64b66b_1_0_multi_gt_i/design_1_aurora_64b66b_1_0_gtx_inst/gtxe2_i pin design_1_i/aurora_64b66b_1/inst/design_1_aurora_64b66b_1_0_wrapper_i/design_1_aurora_64b66b_1_0_multi_gt_i/design_1_aurora_64b66b_1_0_gtx_inst/gtxe2_i/TXOUTCLK (net: design_1_i/aurora_64b66b_1/inst/design_1_aurora_64b66b_1_0_wrapper_i/design_1_aurora_64b66b_1_0_multi_gt_i/design_1_aurora_64b66b_1_0_gtx_inst/tx_out_clk) should only drive BUFG, BUFH, BUFMR, MMCM or PLL loads, but drives one or more invalid loads such as FDRE cell CORE_STATUS_1_channel_up_slave_reg. Please insert a BUFHCE (or a BUFMR, if the load is a BUFR) between the GT and its load(s).
    [USF-XSim 62] 'compile' step failed with error(s) while executing 'F:/PERSONAL/XilinxVivado2014.2/shared_logic/shared_logic.sim/sim_1/behav/compile.bat' script. Please check that the file has the correct 'read/write/execute' permissions and the Tcl console output for any other possible errors or warnings.
    [Vivado_Tcl 4-23] Error(s) found during DRC. Placer not run."
    I am attaching the top module file.
    Need solution.
    thanks in advance
    razz
