Solved

Sourcefire IPS (Firepower deploying mode)

Posted on 2013-11-18
Last Modified: 2013-12-04
Hi,

Dear valued supporters, I would like to ask one question regarding the top IPS vendor Sourcefire. The question is: if we are deploying the Firepower in promiscuous mode, can we take any actions on the traffic, or what actions can we take on this kind of traffic?

Please reply ASAP as we need to support one customer.
Question by:syedaassiiiff27

Accepted Solution

by: btan (earned 500 total points)
ID: 39658117
I see mainly two modes, e.g.
a) Passive - where the 3D Sensor is configured to only monitor traffic and not block. In a VM environment, e.g., a port on the virtual switch is configured in promiscuous mode so that all traffic between VMs and to the physical NIC is mirrored on the promiscuous port to the sensor. It is best to use separate virtual switches and physical NICs for a sensor’s monitoring and management interfaces.

b) Passive in a Cluster - Mostly in HA and load balancing situations. In a virtual environment, users can passively deploy the Virtual 3D Sensor in two possible configurations: deploy one sensor per ESX host, or one sensor to monitor all the hosts in the cluster. Understand there is another configuration that requires the Cisco Nexus 1000V switch and a Nexus feature called Encapsulated Remote SPAN, or ERSPAN. ERSPAN is very similar to Cisco’s RSPAN feature, where SPAN traffic from a switch can be directed to the destination port on another switch.

Hence, if all of the hosts are using Cisco Nexus 1000V switches, most of the Nexus switches can be configured to send their SPAN traffic to a single Virtual 3D Sensor. The sensor’s local switch can use traditional SPAN to send traffic to the sensor.

c) Inline - This blocks traffic. The sensor bridges the traffic between the switches and blocks any traffic matching specific IPS “drop” rules.

E.g., from the community forum, where you can find more info or post:
https://community.sourcefire.com/questions/setting-a-policy-or-configuration-value-to-allow-all-ips-traffic-to-pass-through
https://community.sourcefire.com/questions/configuring-virtual-sensor-inline
https://community.sourcefire.com/questions/inspecting-virtual-traffic-from-multiple-vlans

I’d suggest you contact your SE and he/she can help you out there.