IPS HA Solution

Hi Guys,
I did some research on how Cisco IPS HA works, but had no luck finding out based on the following statement. Can anybody explain how to achieve this?
"Resiliency and redundancy can be delivered through unique network collaboration; for example, Hot Standby Router Protocol (HSRP) configuration and Cisco EtherChannel load balancing on Cisco Catalyst switches can divert traffic to a secondary IPS device upon the failure of a primary device."
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_brochure0900aecd805baea7.html

We run a few of these, but it's not terribly reliable. Any disturbance of the state of the Ethernet connection will cause the Catalyst to bounce a sensor out of the EtherChannel group (needing a manual reset). Most signature updates will do it. On the other hand, if you have a process fail in the sensor that doesn't cause the Ethernet interface to go down, the traffic is not re-routed to the other sensor(s).
Try reading this:
Configuring IPS High Bandwidth Using EtherChannel Load Balancing
http://cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a0080671a8d.shtml

Similar Messages

  • Firewall for wireless deployment

    Hi all,
    I am currently working on a client RFP. They are inquiring about wireless controllers and APs along with a Firewall and IPS/IDS solution for wireless. I want to know whether the wireless LAN controller (5760 in this case) supports firewall/IPS/IDS, or is there any other box designed for this purpose?

    To be honest... No. Cisco has a wIPS feature but that requires NCS or Prime infrastructure along with an MSE. There is no built in firewall. They must be looking at an Aruba solution to be honest.
    Sent from Cisco Technical Support iPhone App

  • How to determine the IPS throughput using Cisco ASA 5500 IPS Solution?

    Hello there!
    I've been designing a solution to protect the Server Farm and I intend to use the ASA 5500 series with the AIP-SSM module. Is there any tool to determine the real throughput that I need? I mean, how do I determine the performance (Firewall + IPS throughput), and what main points should I consider?

    If the server farm is running production levels of traffic today you can get statistics off a variety of networking devices passing the existing traffic. Switches, routers and firewalls all count every byte of traffic they pass. There are plenty of tools that can gather this traffic into tables via SNMP too, such as MRTG.
    Do not average your traffic over too great a time period; you will miss busy hour peaks. At most, use 5 min averages.
    - Bob

  • Solution on IPS Placement

    Dear Pros,
    Project explanation:
    A pair of PIX firewalls configured as failover. The outside of the PIX pair is connected to the Internet gateway router 3825. The inside of the PIX pair is connected to the core switch ports configured with the VLAN. The configuration is as below:
    Outside : 192.168.102.0
    Active pix out: 192.168.102.2
    Sec.Pix out : 192.168.102.3
    3825 Gieth : 192.168.102.1
    Inside PIX : 192.168.101.0
    Active pix in : 192.168.101.2
    Sec.PIX IN : 192.168.101.3
    Core SVI in : 192.168.101.1 (Gway for the vlan)
    Now I decided to connect the IPS 4240 in inline IPS mode by connecting the IPS's outside to the PIX inside segment and the IPS
    inside to the core switch 4510R VLAN interface that was previously connected to the PIX inside segment.
    I have 5 VLANs inside the core 4510R created with 172.16.16.0/24, 172.16.17.0/24, 172.16.18.0/24....
    I already configured the IPS 4240 with 2 interface pairs and assigned them to the sensing engines. I need to know
    the other steps to configure to allow the traffic inline through the IPS. Also I want to know the blocking concept, and here
    do we need to configure the blocking for the 5 inside networks?
    Please give me the solution details.
    Thanks
    swamy

    Based on your scenario, pls have a look at the logical and physical connectivity of your devices.
    This is due to the device limitations, especially the switch, where you only have 1 x Cat4510R available. Therefore, you need to host all connections on this switch to cater for IPS - Firewall connectivity.
    This design is to allow you to filter traffic from Internet coming into your Internal network and vice-versa.
    Basically, you need to have 2 x Layer 2 Vlans on your Cat4510R switch, for (example):
    - Vlan 102 - host router interface, IPS and PIX Outside interfaces
    - VLan 11 - host PIX inside interfaces and IPS
    Maintain the existing Vlan with interface IP of 192.168.102.1, which was shared with PIX Inside interfaces IPs as well.
    I have implemented similar setup, and it works fine.
    As for your blocking concept, you need to use ACLs to permit/deny who/ports, and apply them to the relevant VLAN interfaces.
    Hope this works. Pls rate all useful post(s).
    AK

  • Complete IPS Solution

    I just upgraded my network backbone to the 4507r switch using sup IV and netflow cards. I also upgraded my Internet and core routers to the 2821 and 2851 respectively.
    I will also be installing a ASA-5520 w/ csc-ssm-20 module.
    How should I proceed with implementing an IPS solution that will protect my network from the outside world, as well as from other devices on our LAN/WAN environ.
    Our company has 3 remote sites. Two of which are connected to corp via a MPLS network and one is connected to corp via a point-to-point T1.
    What is the Cisco solution to do this?
    Can I use non-Cisco IPS solutions along with Cisco equipment, such as Lancope's StealthWatch XE for Cisco's Netflow?

    Hi ... there are several sensors that could cater for your environment based on the amount of traffic you are planning to inspect. As for the location, I suggest placing a sensor behind the firewall (inline between the inside interface of your ASA and the LAN). In that way traffic to/from the LAN will be inspected. Also, if you have Cisco devices such as routers or firewalls at the remote sites, you could further protect them by using the sensor as a device manager; in other words you can configure the sensor so that in the event of an attack it can push down access-list entries to your remote Cisco devices as well.
    I suggest to check the sensor portfolio which will provide you with detailed information.
    http://cisco.com/en/US/products/hw/vpndevc/ps4077/products_data_sheet0900aecd801eeea5.html
    I hope it helps ... please rate it if it does !!!

  • ARP Poisoning & Cisco IDS/IPS Solutions

    I am trying to find out if someone familiar with Cisco's IDS/IPS (network and/or host-based) solutions can tell me if the product(s) can identify and/or prevent ARP poison routing attacks. If so, does it require customizing signatures, or are there out-of-the-box detection signatures?
    Thanks for any information

    There are some. Go here and do a search for "arp":
    http://tools.cisco.com/security/center/search.x?search=Signature
    Perhaps it goes without saying, but remember that the sensor has to see the relevant layer 2 traffic for these to work.

  • I'm looking for Failover/High available solutions for IPS 4200 Series

    Hi all,
    I tried to find Failover/High availability solutions for the IPS 4200 series, but I didn't see any failover solutions in the IPS guide document. Can anybody help me?

    I do not know if this is documented anywhere, but I can tell you what I do. As long as the IPS 4200 has power, with the right software settings, the unit can fail such that it will pass traffic. Should the unit lose power, it does stop all traffic. I run a patch cable in parallel with the inline IPS unit, in the same VLAN, with a higher STP cost. Thus all traffic will traverse the IPS unit when possible, but should something happen to it, a $10 patch cable takes over.
    Mike

  • Solution for IPS/HA needed.

    Hi,
    I need some help here.
    I have to integrate an IPS into an existing redundant network. This network always has two redundant switch links. There is also a redundant pair of Checkpoint firewalls. I have to implement two ASA/IPS in front of these firewalls and keep the redundancy. I also need to use transparent mode to reduce the implementation impact, and an active/standby failover mode.
    So I decided to use the following physical topology (ignore the dots):
    sw1--ips1--sw3--fw1
    |....................|
    |....................|
    sw2--ips2--sw4--fw2
    The problem with this topology is the L2 loop and STP. STP will block a port to avoid this loop. But the converged topology will have problems.
    If the STP topology is like the one below, traffic from a host connected to sw1 to a host connected to sw2 will have to pass both IPS, including the standby unit.
    sw1--ips1--sw3--fw1
    |
    |
    sw2--ips2--sw4--fw2
    On the other hand, if the STP topology is like the one below, traffic from fw1 to fw2 will have to pass both IPS, including the standby unit.
    sw1--ips1--sw3--fw1
    |
    |
    sw2--ips2--sw4--fw2
    Moreover, if the STP topology is like one of the two below, I can force the topology to direct traffic to the active IPS. But the STP topology would have to change if the active IPS fails.
    sw1--ips1 sw3--fw1
    |.......................|
    |.......................|
    sw2--ips2--sw4--fw2
    sw1--ips1--sw3--fw1
    |......................|
    |......................|
    sw2--ips2 sw4--fw2
    Am I missing anything here? Is there any other solution for HA/IPS?
    Any comment will be appreciated.
    Paulo Roque
    Network Engineer
    SPCBrasil

    Thx Robert.
    I have considered a solution similar to yours, but a question arose from that solution: if I issue a 'no failover active' command to force the standby unit to become active, the STP topology should also be modified to make the traffic pass through the new active ASA.
    This STP topology change will not be automatic. And even worse, this will never happen in a situation where the ASA fails over for another reason.

  • ASA5510-AIP10 as Dedicated IPS solution?

    Current setup is: Internet drop-point -> 2 ASA5505-SEC-BUN (primary/failover) -> Switch (multiple VLANs) -> machines
    Can I use an ASA5510-AIP10-K9 as a dedicated IPS solution?
    Can I use it in all modes?  (Promiscuous, Inline, Hybrid)
    I created a few images demonstrating the different setups.  Can I do each setup?  If not, can you briefly explain why?

    Hello Matt!
    To be honest, I do not fully understand what you mean by "dedicated solution".
    In my mind a "dedicated solution" is something that stands alone from the ASA and is independent of it (like the 42xx/43xx/45xx appliances).
    The AIP module is a "built-in" solution rather than a "dedicated" one.
    Judging by your schemas your main aim is to inspect traffic between internet edge and internal network.
    All your scenarios are easy to implement: you will need to use virtual sensors feature on AIM to create two sensors for promiscuous and inline modes.
    On ASA you will need to use MPF to tell ASA which traffic should go to which sensor.
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/modules_ips.html#wp1088096
    If you want to inspect traffic between VLANs that are behind the switch you will need to force traffic flow through the ASA (for example ASA can perform inter-vlan routing).
    PS: Keep in mind that you will need two AIP modules when you use two ASA in failover. Modules also should be identical.

  • IPS High Availability Solution

    Hi all,
    There is a requirement to have redundancy for an IPS appliance placed in a data center design. I have dug through the Cisco docs but found that Resiliency and HA (High Availability) from the IPS point of view could only occur on the switch side (HSRP/EtherChannel load-balance).
    Is there any visible way to implement High Availability in a dynamic way?
    Regards,
    Belal

    Belal
    You are correct, only one sensor at a time will pass traffic.
    Spanning Tree Protocol uses layer 2 frames called BPDUs to determine if a path to the root bridge (in this case VLAN) exists. If the primary sensor stops passing layer 2 frames (a good indication that the rest of your traffic is not going to get through the sensor) then BPDUs will not pass thru the primary sensor and Spanning Tree will unblock the secondary path through the standby sensor. You may want to watch for an SNMP trap from the switch to know when that happens.
    The failover cable is just an ordinary roll over cable between two ports (in the two VLANS) on the switch. I called it a failover cable because it only carries traffic when the sensor has failed to pass layer two (and above) frames.
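The STP behaviour Mike and the reply above rely on (a parallel patch cable at higher cost that only forwards once the sensor stops passing BPDUs), and the "both IPS in the path" problem Paulo raises, modelled as an added example that is not code from this thread or from Cisco. Bridges, link costs, root choice, sensor names and the three sensor states are constructed assumptions; the two VLANs on Mike's single switch are modelled as two bridges.

```python
"""STP model of the inline-IPS failover designs discussed in this thread.
Added example, not code from the original posts. Bridges are graph nodes; a
transparent inline IPS forwards BPDUs like a wire, so it is a link tagged with
the sensor it runs through. Constructed simplifications: per-link costs, ties
broken by lower bridge name, a fixed root bridge. Sensor states: "ok" inspects
and forwards; "fail_open" forwards without inspecting (BPDUs still flow);
"fail_closed" drops everything including BPDUs (e.g. power loss, as Mike says).
"""
import heapq

def spanning_tree(links, root):
    """Least-root-path-cost tree (Dijkstra), roughly what STP converges to.
    Returns {bridge: (cost, parent, sensor_on_uplink)}; links not in the
    tree are blocked at one end, like an STP alternate port."""
    adj = {}
    for a, b, cost, via in links:
        adj.setdefault(a, []).append((b, cost, via or ""))
        adj.setdefault(b, []).append((a, cost, via or ""))
    tree, heap = {}, [(0, root, "", "")]
    while heap:
        cost, node, parent, via = heapq.heappop(heap)
        if node in tree:  # a cheaper (or lower-named) path already won
            continue
        tree[node] = (cost, parent, via)
        for nxt, c, v in adj.get(node, []):
            if nxt not in tree:
                heapq.heappush(heap, (cost + c, nxt, node, v))
    return tree

def path_to_root(tree, node):
    hops = []  # (bridge, sensor on the link up to its parent)
    while node:
        _, parent, via = tree[node]
        hops.append((node, via))
        node = parent
    return hops

def sensors_on_path(tree, src, dst):
    """Sensors a frame crosses on the unique forwarding path src -> dst."""
    up_src, up_dst = path_to_root(tree, src), path_to_root(tree, dst)
    on_dst_side, crossed, meet = {n for n, _ in up_dst}, [], None
    for node, via in up_src:  # climb from src until the two paths meet
        if node in on_dst_side:
            meet = node
            break
        if via:
            crossed.append(via)
    for node, via in up_dst:  # then climb from dst up to that meeting point
        if node == meet:
            break
        if via:
            crossed.append(via)
    return crossed

def check(links, sensors, root, src, dst):
    """(sensors crossed, inspected?) for src -> dst on the converged tree, or
    None when no path exists (a fail_closed sensor with no bypass link)."""
    live = [l for l in links if l[3] is None or sensors[l[3]] != "fail_closed"]
    tree = spanning_tree(live, root)
    if src not in tree or dst not in tree:
        return None
    crossed = sensors_on_path(tree, src, dst)
    return crossed, any(sensors[s] == "ok" for s in crossed)

# Mike's design: outside and inside VLANs as two bridges, the inline sensor at
# low cost, the parallel patch cable at a deliberately high one.
FAILOVER_CABLE = [("out_vlan", "in_vlan", 4, "ips"), ("out_vlan", "in_vlan", 100, None)]
# Paulo's topology: sw1-ips1-sw3-fw1 / sw2-ips2-sw4-fw2 plus sw1-sw2 and sw3-sw4.
PAULO = [("sw1", "sw3", 4, "ips1"), ("sw3", "fw1", 4, None), ("sw2", "sw4", 4, "ips2"),
         ("sw4", "fw2", 4, None), ("sw1", "sw2", 4, None), ("sw3", "sw4", 4, None)]

if __name__ == "__main__":
    for state in ("ok", "fail_closed", "fail_open"):
        print(state, check(FAILOVER_CABLE, {"ips": state}, "out_vlan", "out_vlan", "in_vlan"))
    print("fw1->fw2", check(PAULO, {"ips1": "ok", "ips2": "ok"}, "sw1", "fw1", "fw2"))
```

The fail_open case is the one STP cannot see: BPDUs still pass, so nothing reconverges and traffic flows uninspected, which is the failure mode the first reply in this thread describes; only the fail_closed case produces the topology change (and the SNMP trap) that tells you the bypass cable is now carrying traffic.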

  • Custom IPS sigs on NGFW (ASA-CX) IPS solution?

    Hi folks,
    I am trying to determine if it is possible to create custom IPS sigs on the ASA-CX module?  Not the ASA + Legacy IPS combo, but the ASA + ASA-CX (Application Detection, Web Filtering, IPS) combo.
    I couldn't find anything in the docs that said this was possible.
    Thanks!
    Neil

    Thank you for your response.  However my question was targeted towards Intrusion Prevention signatures such as the ones found on the traditional IPS units.  I would want the ability to use the various IPS engines such as Atomic IP, HTTP, etc and create sigs that match on things inside the packet, URL string, etc.
    Thanks!

  • ASA IPS Transparent Design Solution Needed

    I have a query on IPS deployment. I have a customer with the following setup.
    One internal Cisco L3 switch connects to ---> Two 5520 ASA firewalls in HA mode active/standby, which connect to another private network.
    Now I am asked to put an ASA 5525-X series IPS between the L3 switch & ---> the two ASA firewalls.
    What are the implementation options available without touching any config on the L3 switch or the two 5520 ASA firewalls?
    Can I set this up in a transparent mode?

    You originally stated that you wanted to place an ASA5525-X between the external L3 switch and a HA pair of existing ASA5520 firewalls. That would place the ASA5525-X on the exterior of your HA firewalls.
    The "best option" depends on cost and product support.
    Replacing your ASA5520 firewalls with 5525-X firewalls seems like an expensive way to get IPS functionality.
    You could find some AIP-SSM modules. End of sale was March 2013, so you'll have to buy some used. Put them into your existing 5520s. You can still get almost 5 years of licensing and support form Cisco on them: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/eol_C51-727284.html
    Even an ASA with an IPS feature (either in software or hardware) in promiscuous mode will still interrupt traffic if you are passing traffic through it upon some failures. The way around that would be to use a tap or a SPAN port on your L3 switch.
    Alternately you could place an inline IPS in the stream of traffic with an external FailOpen switch to divert traffic around an IPS sensor that is down.
    - Bob

  • IPS solution in 2821

    Hi All,
    We are trying to deploy IPS inline in software on 2821 routers. The objective is to familiarise ourselves with deploying IPS functionality on these routers and testing it to verify that it works.
    We are thinking that if we understand it well, it may be deployed in our network wherever appropriate.
    If somebody would help us by pointing to a valid resource and suggesting the way to proceed, it would be greatly appreciated.
    Currently we have tried enabling IPS inline on this router and configured it to send any trigger logs to a syslog server. We want to test whether it works. Also, whenever we reboot the router, the signature associated with the interface gets removed. Any suggestion on this would be hugely appreciated.
    Thanks
    Regards
    Anantha Subramanian Natarajan

    Please have a look at this:
    http://www.cisco.com/en/US/products/ps6634/products_configuration_example09186a008097dbe8.shtml
    Regards
    Farrukh

  • How to use two gtx transceivers in one quad for two aurora ips

    Here the MGT bank is 113.
    I am using two Aurora 64b66b IPs: for one IP GTX_X1Y0, for the other GTX_X1Y2. While simulating, the results are good. Coming to implementation, it shows an error in implementation, in MAP.
    Pack:2811 - Directed packing was unable to obey the user design constraints (LOC=GTXE2_COMMON_X1Y1) which requires the combination of the symbols listed below to be packed into a single GTXE2_COMMON component.
    The directed pack was not possible because: The target component type can only contain one fragment.
    The symbols involved are:
    GTXE2_COMMON symbol "Source2/Aurora_2/src_2_wrapper_i/Src_2_multi_gt_i/gtxe2_common_i" (Output Signal = NULL)
    GTXE2_COMMON symbol "Source1/Aurora_1/src_1_wrapper_i/Src_1_multi_gt_i/gtxe2_common_i" (Output Signal = NULL)
    What is the solution for it?
    Please find the attachments.

    I got the following error while implementing the project in Vivado.
    "[DRC 23-20] Rule violation (REQP-1739) GTx R/TXOUTCLK drives inappropriate load - GTXE2_CHANNEL cell design_1_i/aurora_64b66b_0/inst/design_1_aurora_64b66b_0_0_core_i/design_1_aurora_64b66b_0_0_wrapper_i/design_1_aurora_64b66b_0_0_multi_gt_i/design_1_aurora_64b66b_0_0_gtx_inst/gtxe2_i pin design_1_i/aurora_64b66b_0/inst/design_1_aurora_64b66b_0_0_core_i/design_1_aurora_64b66b_0_0_wrapper_i/design_1_aurora_64b66b_0_0_multi_gt_i/design_1_aurora_64b66b_0_0_gtx_inst/gtxe2_i/TXOUTCLK (net: design_1_i/aurora_64b66b_0/inst/design_1_aurora_64b66b_0_0_core_i/design_1_aurora_64b66b_0_0_wrapper_i/design_1_aurora_64b66b_0_0_multi_gt_i/design_1_aurora_64b66b_0_0_gtx_inst/tx_out_clk) should only drive BUFG, BUFH, BUFMR, MMCM or PLL loads, but drives one or more invalid loads such as FDRE cell CORE_STATUS_channel_up_master_reg. Please insert a BUFHCE (or a BUFMR, if the load is a BUFR) between the GT and its load(s).
    [DRC 23-20] Rule violation (REQP-1739) GTx R/TXOUTCLK drives inappropriate load - GTXE2_CHANNEL cell design_1_i/aurora_64b66b_1/inst/design_1_aurora_64b66b_1_0_wrapper_i/design_1_aurora_64b66b_1_0_multi_gt_i/design_1_aurora_64b66b_1_0_gtx_inst/gtxe2_i pin design_1_i/aurora_64b66b_1/inst/design_1_aurora_64b66b_1_0_wrapper_i/design_1_aurora_64b66b_1_0_multi_gt_i/design_1_aurora_64b66b_1_0_gtx_inst/gtxe2_i/TXOUTCLK (net: design_1_i/aurora_64b66b_1/inst/design_1_aurora_64b66b_1_0_wrapper_i/design_1_aurora_64b66b_1_0_multi_gt_i/design_1_aurora_64b66b_1_0_gtx_inst/tx_out_clk) should only drive BUFG, BUFH, BUFMR, MMCM or PLL loads, but drives one or more invalid loads such as FDRE cell CORE_STATUS_1_channel_up_slave_reg. Please insert a BUFHCE (or a BUFMR, if the load is a BUFR) between the GT and its load(s).
    [USF-XSim 62] 'compile' step failed with error(s) while executing 'F:/PERSONAL/XilinxVivado2014.2/shared_logic/shared_logic.sim/sim_1/behav/compile.bat' script. Please check that the file has the correct 'read/write/execute' permissions and the Tcl console output for any other possible errors or warnings.
    [Vivado_Tcl 4-23] Error(s) found during DRC. Placer not run."
    I am attaching the top module file.
    Need solution.
    thanks in advance
    razz

  • SRP547W, How to use multiple WAN IPs for port forwarding?

    Hi folks,
    We've run into some difficulty trying to take advantage of multiple WAN IPs in conjunction with the SRP547, and I'm hoping someone here can help out or at least tell us that we're going to need to buy a different router...
    What we're trying to achieve is the ability to port forward from our distinct public IPs to different internal servers. Looking at the options under Port Forwarding it looks like we can only configure forwards at the "WAN interface" level, but our problem is that we can't work out how to set up separate interfaces for each of our Public IPs...
    Our ISP provides us with a fully managed NTU/router with a single "Internet" ethernet port, which we can use by statically configuring IPs on our end. For this configuration this port has been directly patched to the WAN ethernet port on the SRP547W.
    We have been allocated a 255.255.255.248 (/29) subnet, giving us 5 usable IPs after the ISP's gateway address is taken into account, like so:
    a.b.c.208     Network Address (/29 subnet)
    a.b.c.209     ISP Gateway
    a.b.c.210     IP1
    a.b.c.211     IP2
    a.b.c.212     IP3
    a.b.c.213     IP4
    a.b.c.214     IP5
    a.b.c.215     Broadcast Address
    On the SRP we've set up the default "Ethernet WAN2" sub-interface with the following details for IP1
    VLAN ID:               4088 (Uneditable)
    Connection Type:       Static IP
    Internet IP Address:   a.b.c.210
    Subnet Mask:           255.255.255.248
    Default Gateway:       a.b.c.209
    The next step (I would have thought) would be to add a second sub-interface, using similar info for IP2
    VLAN ID:               4000 (Chosen arbitrarily)
    Connection Type:       Static IP
    Internet IP Address:   a.b.c.211
    Subnet Mask:           255.255.255.248
    Default Gateway:       a.b.c.209
    When we try to do so however we get:
    Fail!
    Conflict with Ether_WAN2 interface address type
    I should mention at this point that we're running on firmware version 1.02.01 (023).
    Any suggestions on how we can proceed?
    Is there a CLI or other method of configuration that might work if the web interface won't?
    Thanks,
    Tim.

    OK, I've seen reference to this solution before but not much in the way of details. Perhaps you can spell out how this ought to work, as the Software DMZ doesn't behave as I'd expected it to.
    As before, on the SRP we've set up the default "Ethernet WAN2" sub-interface with the details for IP1 with a /29 subnet.
    VLAN ID:               4088 (Uneditable)
    Connection Type:       Static IP
    Internet IP Address:   a.b.c.210
    Subnet Mask:           255.255.255.248
    Default Gateway:       a.b.c.209
    We'd now like to expose a server function on IP2, let's say LAN details for this server are:
    VLAN:                  3000
    VLAN IP Range:         192.168.1.1/24
    Server IP:             192.168.1.10
    Server Port:           80
    So first we turn on Software DMZ:
    Status:                Enabled
    Public IP:             a.b.c.211
    Private IP:            192.168.1.10
    WAN Interface:         Ether_WAN2
    My understanding, based on what you've said, is that this should expose the whole server to external access via IP2. Unfortunately, it doesn't seem to work this way - we don't seem to have any access at all. Perhaps there's a default deny rule on the firewall?
    Just to be sure, I tried creating a rule to allow HTTP traffic to the server in the Advanced Firewall page.
    In Interface (WAN):    All
    Out Interface (LAN):   VLAN.3000
    Source IP:             0.0.0.0
    Source Subnet:         0.0.0.0
    Destination IP:        192.168.1.10
    Destination Subnet:    255.255.255.255
    Protocol:              TCP
    Source Port:           Any
    Destination Port:      Single:80
    Action:                Permit
    Schedule:              Everyday
    Times:                 24 Hours
    Still no dice. What am I missing?
    Cheers,
    Tim.
