Solved

Sourcefire IPS (Firepower deplying mode)

Posted on 2013-11-18
1
2,368 Views
Last Modified: 2013-12-04
hi,

dear valued supporters, i would like to ask one question regarding the top IPS vendor Sourcefire... the question is that if we are deploying the firepower in promiscuous mode so can we take any actions on the traffic or what actions can we take on this kind of traffic.

please reply asap as we need to support to one customer.
0
Comment
Question by:syedaassiiiff27
1 Comment
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
Comment Utility
I see mainly two mode e.g.
a) Passive - where the 3D Sensor is configured to only monitor traffic and not block. In a VM environment e.g. a port on the virtual switch is configured in promiscuous mode so that all traffic between VMs and to the physical NIC is mirrored on the promiscuous port to the sensor. It is best to use separate virtual switches and physical NICs for a sensor’s monitoring and management interfaces.

b) Passive in a Cluster -  Mostly in HA and load balancing situation. In virtual environment, Users can passively deploy the Virtual 3D Sensor in two possible
configurations: deploy one sensor per ESX host, or one sensor to monitor all the hosts in the cluster. Understand there is another configuration that requires the Cisco Nexus
1000V switch and a Nexus feature called Encapsulated Remote SPAN, or ERSPAN. ERSPAN is very similar to Cisco’s RSPAN feature, where SPAN traffic from a switch can be directed to the destination port on another switch.

Hence, if all of the hosts are using Cisco Nexus 1000V switches, most of the Nexus
switches can be configured to send their SPAN traffic to a single Virtual 3D Sensor. The sensor’s local switch can use traditional SPAN to send traffic to the sensor.

c) Inline - This block traffic. The sensor bridges the traffic between the switches and blocks any traffi c matching specific IPS “drop” rules.

e.g. from the community forum which you can find more info or post
https://community.sourcefire.com/questions/setting-a-policy-or-configuration-value-to-allow-all-ips-traffic-to-pass-through
https://community.sourcefire.com/questions/configuring-virtual-sensor-inline
https://community.sourcefire.com/questions/inspecting-virtual-traffic-from-multiple-vlans

I’d suggest you contact your SE and he/she can help you out there.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now