• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 987
  • Last Modified:

I want to implement cisco IPS 4260. Where should I place it in the network?

I have purchased one IPS for my network while i have active/standby PIX firewall running in my network.
0
tasnee
Asked:
tasnee
1 Solution
 
JasonTracyCommented:
If you only have one, and you're running in-line, I'd suggest placing it between your Interent Router and your Primary PIX.  This way, if your IPS fails, you'll still have an active Internet connection.

If the security of the IPS is more important that preventing Internet downtime, then place a switch behind the IPS and plug the outside interface to both PIXes into it.  This would be:  internet router -> IPS -> Switch -> both pixes.  This assumes the IPS you have is only a two-port device.  If it has more, you might be able to do the same thing without the switch.
0
 
harbor235Commented:

You can have up to 9 monitoring interfaces with this model, so you can put this device everywhere it makes sense for you. Obviously, you want to ensude you are protecting your critical assests so it depends how your are currently setup.

If you only have the default one interface then I would monitor/protect my critical inside assessts and craft
filters on your edge device to deny all traffic directed to the edge device and the firewall from outside sources.

harbor235 ;}
0
 
PugglewuggleCommented:
I agree - put it wherever you want. Either way, it is standard practice to plug it into an interface on the PIX so that it can monitor whatever zone (be it the DMZ, inside, or outside) without any complications.
Cheers!
0
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

 
harbor235Commented:


Not sure what pugglewuggle means by plugging it into an interface on the PIX?

You use this device by connecting it to a switch that has SPAN capabilites, you can configure SPAN to monitor an entire vlan and forward that traffic to the sensing port on the IDS, very powerful.

How many ssensing interfaces do you have?

harbor235 ;}
0
 
PugglewuggleCommented:
What I mean is that if you're trying to monitor zones on other interfaces of the PIX, it is best practice to the IPS sensor into an interface on the PIX so there is no double-NATing and confusion of the Sensor.
As far as using SPAN goes, make sure the total bandwidth of the monitored interfaces doesn't exceed the outgoing bandwidth of the mirrored port.
Cheers!
0
 
tasneeAuthor Commented:
Actually I want to know what are the prons and cons if I place in either between internet routers and firewalls or before firewall?
0
 
PugglewuggleCommented:
The thing is that you can put it wherever you want... that's what's great about the IPS Sensor devices. You create virtual sensor zones wherever you want in the network by monitoring traffic on specified interfaces.
You usually want to connect it to the device that's acting as a "central hub" for all traffic - aka where all traffic has to cross to get to other networks. In many networks, this is either a core switch or a PIX/ASA (because PIXes connect several separate networks that you'd generally want to monitor like the outside, DMZ, everything coming/going to/from the inside, or other interfaces on the PIX. That's why I recommended the PIX.
What this will do is prevent the traffic from using up valuable bandwidth on the other interfaces of that device. The only real consideration here is making sure the backplane of the device you connect it to can handle all the monitoring traffic from the virtual sensors.
As far as where you want to place it goes (you mentioned between routers), you want to place it where the extra traffic it generates will create the smallest impact on your network bandwidth load. Routers have terrible throughput compared to a PIX or a switch, so putting it between routers usually isn't a good idea.
As I stated, the best place is generall directly to an interface on the PIX so traffic from other networks doesn't clog up every interface on the PIX but instead goes straight to the IPS Sensor through it's dedicated interface on the backplane (not a special port or anything, just a regular ethernet port like the others).
Also, use a gigabit port for the IPS if your PIX has one.
Cheers!
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now