Great advice
My final question was touching on your last point or thereabouts... I
read about Cisco's SIO (Security Intelligence Operations). If we buy this as
a service, do things like signature files get sent to the box directly if we
open the connection to Cisco's cloud, or is traffic filtered by this
service?
If you have any experience you could advise on: if this is not chosen, then
how often are signatures required to be updated? (I guess it depends on the
policy; this could be documented to be weekly/monthly.)
BR
Tony
On 8 June 2014 12:53, Cristian Matei <cmatei_at_ine.com> wrote:
> Hi Tony,
>
> Yes indeed there are still parts of the box that can fail. So the answer
> to that question depends on money and internal security policies. If you take
> one box-only and it fails, it supports hardware bypass so the only problem
> would be traffic is no longer inspected until you replace it. You may be
> better in price to get an aggressive SLA for the hardware and replace it
> ASAP when it fails.
> Having two boxes brings not only the network challenge, but also a
> configuration challenge; if you don't have CSM, you need to manually do
> configuration on each IPS unit, these don't get synchronised.
>
> Regards,
> Cristian Matei, 2 x CCIE #23684 (R&S/SC)
> cmatei_at_INE.com
>
> Internetwork Expert, Inc.
> http://www.INE.com <http://www.ine.com/>
>
>
>
> On 08 Jun 2014, at 14:35, Tony Singh <mothafungla_at_gmail.com> wrote:
>
>
> ah knew there was a catch - thanks for the advice..
>
> my last question is probably more design related but if a unit has dual
> RPs and power supplies is there any need to protect it?
>
> I guess you still have multiple components you still need to protect
> against to be sure i.e. motherboard, NICs etc
>
> BR
>
> Tony
>
>
> On 8 June 2014 12:26, Cristian Matei <cmatei_at_ine.com> wrote:
>
>> Hi Tony,
>>
>> Whatever is written in the documentation, yes, you can make
>> active-standby through STP and active-active but for different traffic. So
>> active-active does not mean both IPS devices inspect the same traffic at
>> the same time, synchronise session states and support asymmetric traffic.
>> IPS's don't share any information, thus you cannot inspect in-out packets
>> of a flow with one IPS and out-in packets of the same flow with another IPS
>> and expect it to work.
>> So you can do just that, put them in pairs with ether channels, you
>> just need to make sure that the CEF mechanism on the upstream/downstream
>> devices/switches/routers (if it is via VLAN-pair it is the same box, if it is via
>> interface-pair it is different boxes) use the same CEF mechanism so that you
>> are sure that in-out and out-in traffic for a session is sent towards the
>> same IPS device for inspection.
>>
>> Regards,
>> Cristian Matei, 2 x CCIE #23684 (R&S/SC)
>> cmatei_at_INE.com
>>
>> Internetwork Expert, Inc.
>> http://www.INE.com <http://www.ine.com/>
>>
>>
>>
>> On 08 Jun 2014, at 13:49, Tony Singh <mothafungla_at_gmail.com> wrote:
>>
>>
>>
>> Hi Cristian
>>
>> Thanks for your reply my idea was to deploy them as L2 in-line pairs with
>> ether-channels either side of a stacked 3750X access layer and 6509E VSS
>> core layer
>>
>> I would prefer not to have an extra L3 hop. I'm sure there are ways to
>> manipulate L2 STP costs for this to work, but I'm trying to find the docs
>> for active/active or active/standby configuration on the 4500 series as
>> Cisco's product page suggests these designs are supported.
>>
>> --
>> BR
>>
>> Tony
>>
>> On 8 Jun 2014, at 11:38, Cristian Matei <cmatei_at_ine.com> wrote:
>>
>> Hi,
>>
>> To make that work, you would need a sort of clustering or HA where
>> basically the session state would be shared among multiple IPS devices.
>> This is not supported by Cisco IPS and I highly doubt any IPS vendor
>> supports such a scenario, as the challenge is not only about session state,
>> but also fragmented packets and packet inspection.
>>
>> Why can't you just fix the asymmetric routing?
>>
>> Regards,
>> Cristian Matei, 2 x CCIE #23684 (R&S/SC)
>> cmatei_at_INE.com
>>
>> Internetwork Expert, Inc.
>> http://www.INE.com <http://www.ine.com/>
>>
>>
>>
>> On 08 Jun 2014, at 13:24, Tony Singh <mothafungla_at_gmail.com> wrote:
>>
>> Hi
>>
>> Is there a Cisco IPS solution with HA being able to deal with stateful
>> asymmetric traffic flows, i.e. the 4500 series?
>>
>> I don't want to disable TCP engines to allow for this behaviour..
>>
>> --
>> BR
>>
>> Tony
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
Received on Sun Jun 08 2014 - 13:08:58 ART
This archive was generated by hypermail 2.2.0 : Tue Jul 01 2014 - 06:32:36 ART
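Cristian's point about the upstream and downstream load-balancing hashes agreeing, so that the in-out and out-in packets of one session reach the same inline IPS, can be illustrated in code. This is an added example, not part of the thread and not Cisco's CEF or EtherChannel algorithm: it uses a toy SHA-256-based bucket function and constructed sample flows to show that a hash keyed on (src, dst) in order splits the two directions of a session across links, while an order-independent hash keeps them together.

```python
# Added example: why both directions of a session must hash to the same IPS link.
# The hash below is a constructed stand-in, not the vendor's real algorithm.
import hashlib
from typing import Callable, List, NamedTuple

class Flow(NamedTuple):
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int

def reverse(f: Flow) -> Flow:
    """Return direction of the same session (the out-in packet)."""
    return Flow(f.dst_ip, f.src_ip, f.proto, f.dst_port, f.src_port)

def _bucket(key: str, links: int) -> int:
    # Deterministic toy hash: map a key string onto one of `links` EtherChannel members.
    return int(hashlib.sha256(key.encode()).hexdigest(), 16) % links

def directional_hash(f: Flow, links: int) -> int:
    """Keyed on (src, dst) in packet order: forward and return packets may differ."""
    return _bucket(f"{f.src_ip}:{f.src_port}>{f.dst_ip}:{f.dst_port}/{f.proto}", links)

def symmetric_hash(f: Flow, links: int) -> int:
    """Order-independent: sort the two endpoints so both directions yield one key."""
    lo, hi = sorted([(f.src_ip, f.src_port), (f.dst_ip, f.dst_port)])
    return _bucket(f"{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}/{f.proto}", links)

def sessions_split(flows: List[Flow], hash_fn: Callable[[Flow, int], int],
                   links: int = 2) -> int:
    """Count sessions whose forward and return packets land on different IPS units."""
    return sum(1 for f in flows if hash_fn(f, links) != hash_fn(reverse(f), links))

# Constructed sample sessions: 200 clients talking to one HTTPS server.
SAMPLE_FLOWS = [Flow(f"10.0.0.{i}", "192.0.2.10", 6, 40000 + i, 443)
                for i in range(1, 201)]

if __name__ == "__main__":
    for name, fn in (("directional", directional_hash), ("symmetric", symmetric_hash)):
        print(f"{name}: {sessions_split(SAMPLE_FLOWS, fn)} of "
              f"{len(SAMPLE_FLOWS)} sessions inspected by two different IPS units")
```

Any session counted as split is one where a single IPS sees only half the conversation, which is exactly the state the thread says Cisco IPS cannot reconcile.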