Link to home
Start Free TrialLog in
Avatar of tasnee
tasneeFlag for Saudi Arabia

asked on

I want to implement cisco IPS 4260. Where should I place it in the network?

I have purchased one IPS for my network while i have active/standby PIX firewall running in my network.
Avatar of JasonTracy
JasonTracy
Flag of United States of America image
If you only have one, and you're running in-line, I'd suggest placing it between your Interent Router and your Primary PIX.  This way, if your IPS fails, you'll still have an active Internet connection.

If the security of the IPS is more important that preventing Internet downtime, then place a switch behind the IPS and plug the outside interface to both PIXes into it.  This would be:  internet router -> IPS -> Switch -> both pixes.  This assumes the IPS you have is only a two-port device.  If it has more, you might be able to do the same thing without the switch.
Avatar of harbor235
harbor235
Flag of United States of America image

You can have up to 9 monitoring interfaces with this model, so you can put this device everywhere it makes sense for you. Obviously, you want to ensude you are protecting your critical assests so it depends how your are currently setup.

If you only have the default one interface then I would monitor/protect my critical inside assessts and craft
filters on your edge device to deny all traffic directed to the edge device and the firewall from outside sources.

harbor235 ;}
Avatar of Pugglewuggle
Pugglewuggle
Flag of United States of America image
I agree - put it wherever you want. Either way, it is standard practice to plug it into an interface on the PIX so that it can monitor whatever zone (be it the DMZ, inside, or outside) without any complications.
Cheers!
Avatar of harbor235
harbor235
Flag of United States of America image


Not sure what pugglewuggle means by plugging it into an interface on the PIX?

You use this device by connecting it to a switch that has SPAN capabilites, you can configure SPAN to monitor an entire vlan and forward that traffic to the sensing port on the IDS, very powerful.

How many ssensing interfaces do you have?

harbor235 ;}
Avatar of Pugglewuggle
Pugglewuggle
Flag of United States of America image
What I mean is that if you're trying to monitor zones on other interfaces of the PIX, it is best practice to the IPS sensor into an interface on the PIX so there is no double-NATing and confusion of the Sensor.
As far as using SPAN goes, make sure the total bandwidth of the monitored interfaces doesn't exceed the outgoing bandwidth of the mirrored port.
Cheers!
Avatar of tasnee
tasnee
Flag of Saudi Arabia image

ASKER

Actually I want to know what are the prons and cons if I place in either between internet routers and firewalls or before firewall?
ASKER CERTIFIED SOLUTION
Avatar of Pugglewuggle
Pugglewuggle
Flag of United States of America image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial