Solved

Sourcefire IPS (Firepower deplying mode)

Posted on 2013-11-18
1
2,417 Views
Last Modified: 2013-12-04
hi,

dear valued supporters, i would like to ask one question regarding the top IPS vendor Sourcefire... the question is that if we are deploying the firepower in promiscuous mode so can we take any actions on the traffic or what actions can we take on this kind of traffic.

please reply asap as we need to support to one customer.
0
Comment
Question by:syedaassiiiff27
1 Comment
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 39658117
I see mainly two mode e.g.
a) Passive - where the 3D Sensor is configured to only monitor traffic and not block. In a VM environment e.g. a port on the virtual switch is configured in promiscuous mode so that all traffic between VMs and to the physical NIC is mirrored on the promiscuous port to the sensor. It is best to use separate virtual switches and physical NICs for a sensor’s monitoring and management interfaces.

b) Passive in a Cluster -  Mostly in HA and load balancing situation. In virtual environment, Users can passively deploy the Virtual 3D Sensor in two possible
configurations: deploy one sensor per ESX host, or one sensor to monitor all the hosts in the cluster. Understand there is another configuration that requires the Cisco Nexus
1000V switch and a Nexus feature called Encapsulated Remote SPAN, or ERSPAN. ERSPAN is very similar to Cisco’s RSPAN feature, where SPAN traffic from a switch can be directed to the destination port on another switch.

Hence, if all of the hosts are using Cisco Nexus 1000V switches, most of the Nexus
switches can be configured to send their SPAN traffic to a single Virtual 3D Sensor. The sensor’s local switch can use traditional SPAN to send traffic to the sensor.

c) Inline - This block traffic. The sensor bridges the traffic between the switches and blocks any traffi c matching specific IPS “drop” rules.

e.g. from the community forum which you can find more info or post
https://community.sourcefire.com/questions/setting-a-policy-or-configuration-value-to-allow-all-ips-traffic-to-pass-through
https://community.sourcefire.com/questions/configuring-virtual-sensor-inline
https://community.sourcefire.com/questions/inspecting-virtual-traffic-from-multiple-vlans

I’d suggest you contact your SE and he/she can help you out there.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
DDOS information about ip's, gateways and how it works 2 139
Quick cusco 2091 setup 5 41
Network Router- Access control List 4 62
Setting up new vpn 15 66
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question