Hi,
If you get SUSA, yes you get access to signature updates which can be done
manually by the security admin or automatically by the IPS at scheduled
intervals.
Whether you do it automatically or not depends on the company policy.
Technically, if you really want to do things right, you want to do those
manually, so that when Cisco releases a new signature update, you read the
Release Notes and understand how applying the signature may affect your
network, based on how old signatures are configured and applying the update
may change that, or how new signatures apply or not to traffic in your
network.
Security is not easy to do the right way!
Cristian Matei, 2 x CCIE #23684 (R&S/SC)
cmatei_at_INE.com<mailto:cmatei_at_INE.com>
Internetwork Expert, Inc.
http://www.INE.com<http://www.ine.com/>
On 08 Jun 2014, at 15:08, Tony Singh
<mothafungla_at_gmail.com<mailto:mothafungla_at_gmail.com>> wrote:
Great advice
My final question was touching on your last point or thereabouts... I read
about Cisco's SIO Security Intelligence Operations - if we buy this as a
service do things like Signature files get sent to the box directly if we open
the connection to Cisco's cloud? or is traffic filtered by this service....
If you have any experience you could advise on, if this is not chosen then how
often are signatures required to be updated (I guess depends on the policy
this could be documented to be weekly/monthly)
BR
Tony
On 8 June 2014 12:53, Cristian Matei <cmatei_at_ine.com<mailto:cmatei_at_ine.com>>
wrote:
Hi Tony,
Yes indeed there are still parts of the box that can fail. So the answer to
that question depends on money and internal security policies. If you take one
box-only and it fails, it supports hardware bypass so the only problem would
be traffic is no longer inspected until you replace it. You may be better in
price to get an aggressive SLA for the hardware and replace it ASAP when it
fails.
Having two boxes brings not only the network challenge, but also configuration
challenge; if you don't have CSM, you need to manually do configuration on
each IPS unit, these don't get synchronised.
Regards,
Cristian Matei, 2 x CCIE #23684 (R&S/SC)
cmatei_at_INE.com<mailto:cmatei_at_INE.com>
Internetwork Expert, Inc.
http://www.INE.com<http://www.ine.com/>
On 08 Jun 2014, at 14:35, Tony Singh
<mothafungla_at_gmail.com<mailto:mothafungla_at_gmail.com>> wrote:
ah knew there was a catch - thanks for the advice..
my last question is probably more design related but if a unit has dual RPs
and power supplies is there any need to protect it?
I guess you still have multiple components you still need to protect against
to be sure, i.e. motherboard, NICs etc.
BR
Tony
On 8 June 2014 12:26, Cristian Matei <cmatei_at_ine.com<mailto:cmatei_at_ine.com>>
wrote:
Hi Tony,
Whatever is written in the documentation, yes, you can make active-standby
through STP and active-active but for different traffic. So active-active does
not mean both IPS devices inspect the same traffic at the same time,
synchronise session states and support asymmetric traffic. IPSs don't share
any information, thus you cannot inspect in-out packets of a flow with one IPS
and out-in packets of the same flow with another IPS and expect it to work.
So you can do just that, put them in pairs with ether channels, you just need
to make sure that CEF mechanism on the upstream/downstream
devices/switches/routers (if it is via VLAN-pair it is the same box, if it is via
interface-pair it is different boxes) use the same CEF mechanism so that you are
sure that in-out and out-in traffic for a session is sent towards the same IPS
device for inspection.
Regards,
Cristian Matei, 2 x CCIE #23684 (R&S/SC)
cmatei_at_INE.com<mailto:cmatei_at_INE.com>
Internetwork Expert, Inc.
http://www.INE.com<http://www.ine.com/>
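The point about load-balancing above is easy to get wrong in practice, so here is a small added model (my own example, not code from the thread or from Cisco) of why the upstream and downstream switches must use the same, direction-independent hash when two in-line IPS units hang off EtherChannels. It is a simplified stand-in for a real EtherChannel hash: a per-source-IP hash picks a different member for the client-to-server and server-to-client directions, whereas an XOR of source and destination address is commutative, so both directions of a session land on the same IPS. The addresses, the member count of 2 and the two hash functions are all constructed for the illustration.

```python
import ipaddress
from typing import Callable, List, Tuple

# A hash function maps (src, dst, number of channel members) to a member index.
HashFn = Callable[[str, str, int], int]


def _ip_int(addr: str) -> int:
    return int(ipaddress.ip_address(addr))


def hash_src_ip(src: str, dst: str, members: int) -> int:
    # Simplified "src-ip" style hash: only the source address is considered,
    # so the return direction of a flow hashes on a different address.
    return _ip_int(src) % members


def hash_src_dst_ip(src: str, dst: str, members: int) -> int:
    # Simplified "src-dst-ip" style hash: XOR is commutative, so swapping
    # src and dst (the return direction) yields the same member.
    return (_ip_int(src) ^ _ip_int(dst)) % members


def inspecting_members(upstream: HashFn, downstream: HashFn,
                       client: str, server: str, members: int) -> Tuple[int, int]:
    """Return (member for client->server, member for server->client).

    The forward direction is load-balanced by the upstream switch, the
    return direction by the downstream switch, each seeing the packet's
    own source/destination order. Both must resolve to the same IPS
    member for the session to be inspected by one device.
    """
    forward = upstream(client, server, members)
    back = downstream(server, client, members)
    return forward, back


def count_asymmetric(upstream: HashFn, downstream: HashFn,
                     flows: List[Tuple[str, str]], members: int) -> int:
    """Number of flows whose two directions would be inspected by different IPSs."""
    return sum(
        1 for client, server in flows
        if len(set(inspecting_members(upstream, downstream, client, server, members))) > 1
    )


# Constructed sample sessions (client, server); RFC 5737 / RFC 1918 space.
SAMPLE_FLOWS = [
    ("10.1.1.10", "192.0.2.21"),     # src-ip hash splits this one across members
    ("10.1.1.11", "198.51.100.5"),   # both addresses odd: symmetric by coincidence
    ("172.16.0.2", "192.0.2.40"),    # both addresses even: symmetric by coincidence
]

if __name__ == "__main__":
    for name, fn in (("src-ip", hash_src_ip), ("src-dst-ip", hash_src_dst_ip)):
        bad = count_asymmetric(fn, fn, SAMPLE_FLOWS, members=2)
        print(f"{name:>10}: {bad} of {len(SAMPLE_FLOWS)} sessions split across IPS units")
    # Mixed mechanisms on the two switches are just as bad as a bad hash.
    mixed = count_asymmetric(hash_src_dst_ip, hash_src_ip, SAMPLE_FLOWS, members=2)
    print(f"     mixed: {mixed} of {len(SAMPLE_FLOWS)} sessions split across IPS units")
```

The coincidental matches in the second and third sample flows are the dangerous part: a per-source hash looks fine in a quick test with a couple of hosts and only breaks for some sessions, which shows up as intermittent drops once the TCP engines see half a conversation. Checking the hash algorithm configured on both the upstream and downstream device, and that it is commutative in source and destination, is cheaper than debugging that.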
On 08 Jun 2014, at 13:49, Tony Singh
<mothafungla_at_gmail.com<mailto:mothafungla_at_gmail.com>> wrote:
Hi Cristian
Thanks for your reply my idea was to deploy them as L2 in-line pairs with
ether-channels either side of a stacked 3750X access layer and 6509E VSS core
layer
I would prefer not to have an extra L3 hop. I'm sure there are ways to
manipulate L2 STP costs for this to work but I'm trying to find the docs for
active/active or active/standby configuration on the 4500 series as Cisco's
product page suggests these designs are supported
-- BR Tony
On 8 Jun 2014, at 11:38, Cristian Matei <cmatei_at_ine.com<mailto:cmatei_at_ine.com>> wrote:
Hi,
To make that work, you would need a sort of clustering or HA where basically
the session state would be shared among multiple IPS devices. This is not
supported by Cisco IPS and I highly doubt any IPS vendor supports such a
scenario, as the challenge is not only about session state, but also fragmented
packets and packet inspection.
Why can't you just fix the asymmetric routing?
Regards,
Cristian Matei, 2 x CCIE #23684 (R&S/SC)
cmatei_at_INE.com<mailto:cmatei_at_INE.com>
Internetwork Expert, Inc.
http://www.INE.com<http://www.ine.com/>
On 08 Jun 2014, at 13:24, Tony Singh
<mothafungla_at_gmail.com<mailto:mothafungla_at_gmail.com>> wrote:
Hi
Is there a Cisco IPS solution with HA being able to deal with stateful
asymmetric traffic flows, i.e. the 4500 series? I don't want to disable TCP
engines to allow for this behaviour..
-- BR Tony
Blogs and organic groups at http://www.ccie.net<http://www.ccie.net/>
Received on Sun Jun 08 2014 - 07:32:12 ART