I want to implement cisco IPS 4260.  Where should I place it in the network?

Posted on 2008-10-13
Last Modified: 2013-11-29
I have purchased one IPS for my network while i have active/standby PIX firewall running in my network.
Question by:tasnee
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Expert Comment

ID: 22702532
If you only have one, and you're running in-line, I'd suggest placing it between your Interent Router and your Primary PIX.  This way, if your IPS fails, you'll still have an active Internet connection.

If the security of the IPS is more important that preventing Internet downtime, then place a switch behind the IPS and plug the outside interface to both PIXes into it.  This would be:  internet router -> IPS -> Switch -> both pixes.  This assumes the IPS you have is only a two-port device.  If it has more, you might be able to do the same thing without the switch.
LVL 32

Expert Comment

ID: 22702635

You can have up to 9 monitoring interfaces with this model, so you can put this device everywhere it makes sense for you. Obviously, you want to ensude you are protecting your critical assests so it depends how your are currently setup.

If you only have the default one interface then I would monitor/protect my critical inside assessts and craft
filters on your edge device to deny all traffic directed to the edge device and the firewall from outside sources.

harbor235 ;}
LVL 12

Expert Comment

ID: 22703766
I agree - put it wherever you want. Either way, it is standard practice to plug it into an interface on the PIX so that it can monitor whatever zone (be it the DMZ, inside, or outside) without any complications.
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 32

Expert Comment

ID: 22704130

Not sure what pugglewuggle means by plugging it into an interface on the PIX?

You use this device by connecting it to a switch that has SPAN capabilites, you can configure SPAN to monitor an entire vlan and forward that traffic to the sensing port on the IDS, very powerful.

How many ssensing interfaces do you have?

harbor235 ;}
LVL 12

Expert Comment

ID: 22706863
What I mean is that if you're trying to monitor zones on other interfaces of the PIX, it is best practice to the IPS sensor into an interface on the PIX so there is no double-NATing and confusion of the Sensor.
As far as using SPAN goes, make sure the total bandwidth of the monitored interfaces doesn't exceed the outgoing bandwidth of the mirrored port.

Author Comment

ID: 22708886
Actually I want to know what are the prons and cons if I place in either between internet routers and firewalls or before firewall?
LVL 12

Accepted Solution

Pugglewuggle earned 250 total points
ID: 22708964
The thing is that you can put it wherever you want... that's what's great about the IPS Sensor devices. You create virtual sensor zones wherever you want in the network by monitoring traffic on specified interfaces.
You usually want to connect it to the device that's acting as a "central hub" for all traffic - aka where all traffic has to cross to get to other networks. In many networks, this is either a core switch or a PIX/ASA (because PIXes connect several separate networks that you'd generally want to monitor like the outside, DMZ, everything coming/going to/from the inside, or other interfaces on the PIX. That's why I recommended the PIX.
What this will do is prevent the traffic from using up valuable bandwidth on the other interfaces of that device. The only real consideration here is making sure the backplane of the device you connect it to can handle all the monitoring traffic from the virtual sensors.
As far as where you want to place it goes (you mentioned between routers), you want to place it where the extra traffic it generates will create the smallest impact on your network bandwidth load. Routers have terrible throughput compared to a PIX or a switch, so putting it between routers usually isn't a good idea.
As I stated, the best place is generall directly to an interface on the PIX so traffic from other networks doesn't clog up every interface on the PIX but instead goes straight to the IPS Sensor through it's dedicated interface on the backplane (not a special port or anything, just a regular ethernet port like the others).
Also, use a gigabit port for the IPS if your PIX has one.

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
Sending a Secure fax is easy with eFax Corporate ( First, just open a new email message. In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question