From: Ouajih OUAJA (oouaja@yahoo.fr)
Date: Thu Mar 12 2009 - 18:14:11 ARST
Hi,
With this design, the IPS will not inspect the encrypted traffic!
It is the least interesting solution.
Normally, the IPS is placed in promiscuous mode if placed between the router
and the firewall, and could shun some traffic by acting on the Internet router
as a blocking device, or can reset sessions.
It could be placed between the firewall and the Cat6K in promiscuous mode and do
something like the above.
Or it could be placed in inline mode to deny packets/connections inline (and VPN
decrypted traffic, by the way) between the ASA and the switch. Be careful about
the throughput limit of the IPS, since the link between the Cat6K and the ASA
can forward much more traffic than the IPS capacity!
Ouajih OUAJA
--- On Thu, 12 Mar 2009, jockey wearer <jockeywearer@gmail.com> wrote:
From: jockey wearer <jockeywearer@gmail.com>
Subject: ASA (VPN) and IPS Correct Placement ??
To: "GS CCIE-Lab" <ccielab@groupstudy.com>, "security"
<security@groupstudy.com>
Date: Thursday, 12 March 2009, 16:02
Hi Security Experts,
Currently we have this setup:
Topology 1
1)Internet Router --- IPS(Inline)-----ASA-----core switch 6500
As per the requirement, my management needs to use the Cisco ASA as a VPN server, so
Internet users will connect to the ASA by VPN client and SSL client.
Do I need to change the placement of the IPS?
Topology 2
2)Internet Router---ASA---IPS(Inline)---core sw6500
Can I keep the same topology (1) and configure something on the IPS, as I have come to
know that the IPS drops encrypted traffic?
What is the proper design? And what do I need to configure on the IPS to work with
Topology (1)?
Any update appreciated.
Many Thanks
Prashant.
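To make the placement argument concrete, here is an added example (it is not code from either poster, and it models no real sensor): a small Python simulation of what an IPS can see and do at the two positions in the thread. The signatures, addresses and packet contents are constructed; the VPN packets carry a stand-in ciphertext on the wire and a separate "inner" cleartext that only exists on the link after the ASA has terminated the tunnel. The model also contrasts the two response styles the reply mentions: inline drop versus promiscuous detection followed by a shun of the source.

```python
"""Constructed model of IPS visibility and response by placement (example only).

Topology 1: Internet Router --- IPS --- ASA --- core switch 6500
Topology 2: Internet Router --- ASA --- IPS --- core switch 6500
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ROUTER_ASA = "between router and ASA"      # topology 1: before VPN termination
ASA_CORE = "between ASA and core switch"   # topology 2: after VPN termination

# Constructed signatures: byte patterns the sensor looks for in whatever it can see.
SIGNATURES = {
    "SIG-1": b"/etc/passwd",   # path traversal
    "SIG-2": b"' OR 1=1",      # SQL injection
}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                    # "ESP" (IPsec client), "TLS" (SSL client) or "TCP" (clear)
    payload: bytes                # bytes on the Internet side (ciphertext for ESP/TLS)
    inner: Optional[bytes] = None  # cleartext inside the tunnel; exists only past the ASA


def visible_payload(pkt: Packet, position: str) -> bytes:
    """What the sensor can actually read at a given position."""
    if position == ROUTER_ASA:
        return pkt.payload                      # VPN traffic is still encrypted here
    # Past the ASA the tunnel is terminated, so the inner cleartext is what crosses the link.
    return pkt.inner if pkt.inner is not None else pkt.payload


def inspect(pkt: Packet, position: str) -> List[str]:
    """Signature names that match the payload visible at this position."""
    data = visible_payload(pkt, position)
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def run_ips(packets: List[Packet], position: str, mode: str) -> Tuple[List[Packet], List[Packet], Set[str]]:
    """Push packets through the sensor.

    mode == "inline":      a matching packet is dropped on the spot.
    mode == "promiscuous": the sensor only watches a copy, so the matching packet is
                           already delivered; the sensor then shuns the source (e.g. an
                           ACL pushed to the Internet router) and later packets are dropped.
    Returns (delivered, dropped, shunned_sources).
    """
    delivered, dropped, shunned = [], [], set()
    for pkt in packets:
        if pkt.src in shunned:
            dropped.append(pkt)
            continue
        hits = inspect(pkt, position)
        if hits and mode == "inline":
            dropped.append(pkt)
        elif hits and mode == "promiscuous":
            delivered.append(pkt)       # first malicious packet gets through
            shunned.add(pkt.src)
        else:
            delivered.append(pkt)
    return delivered, dropped, shunned


# Constructed sample traffic (addresses from documentation ranges).
VPN_ESP = Packet("203.0.113.5", "10.0.0.20", "ESP",
                 payload=bytes.fromhex("45000064000100004032"),          # stand-in ciphertext
                 inner=b"GET /../../../etc/passwd HTTP/1.1\r\n")
VPN_TLS = Packet("203.0.113.9", "10.0.0.20", "TLS",
                 payload=b"\x17\x03\x01\x00\x40" + bytes(64),             # stand-in TLS record
                 inner=b"POST /login HTTP/1.1\r\n\r\nuser=a' OR 1=1--")
CLEAR = Packet("198.51.100.7", "10.0.0.80", "TCP",
               payload=b"GET /search?q=' OR 1=1-- HTTP/1.1\r\n")
BENIGN = Packet("198.51.100.8", "10.0.0.80", "TCP",
                payload=b"GET /index.html HTTP/1.1\r\n")
SAMPLE = [VPN_ESP, VPN_TLS, CLEAR, BENIGN, CLEAR]


if __name__ == "__main__":
    for position in (ROUTER_ASA, ASA_CORE):
        for mode in ("promiscuous", "inline"):
            delivered, dropped, shunned = run_ips(SAMPLE, position, mode)
            print(f"{position:31} {mode:12} delivered={len(delivered)} "
                  f"dropped={len(dropped)} shunned={sorted(shunned)}")
```

Running it shows the two points of the reply: at the router/ASA position both VPN attacks pass untouched in either mode because the sensor only sees ciphertext, while at the ASA/core position the inline sensor drops them; and in promiscuous mode the first matching packet is always delivered before the shun takes effect. The throughput caveat is not modelled, but applies to the ASA/core placement: an inline sensor there must be rated for the load the Cat6K-to-ASA link can actually carry.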
Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:04 ART