Multiple IPS sensors in traffic path

I have an attack scenario for which I cannot come up with the correct answer. I have posted a picture of the scenario below.

PC1 has attacked both PC2 and PC3. Attack one occurs between PC1 and PC2. This attack is seen on IPS1 attack log. PC1 has also attacked PC3, and the attack log can be seen on IPS2. Why does IPS1 not see the attack between PC1 and PC3?

The only thing I can come up with is that we are doing asymmetric routing and have port clusters on both IPS1 and IPS2. IPS1 doesn't log the attack traffic because the request and response of the TCP connection for the attack between PC1 and PC3 go over different port-cluster pairs on IPS1. Would that cause IPS1 not to log the traffic?

Is there another reason why IPS1 isn't seeing the attack between PC1 and PC3?

[Diagram: Untitled Diagram_clean.png]

6 Replies

Re: Multiple IPS sensors in traffic path

This does not seem to be a problem with asymmetric routing or port clusters. However, what I do see is strange behavior in the attack logs.

I have a PC4 in the same subnet as PC3, and sometimes in the attack log on IPS1 and IPS2 I see attacks from PC1 to PC4 on both IPS devices. However, not all attacks I see between PC1 and PC4 are logged by both IPS devices.

McAfee Employee
Message 3 of 7

Re: Multiple IPS sensors in traffic path

Hi @wohlebnt_HZA 

Are IPS1 & IPS2 two different sensors acting as standalone devices, or are they connected to the same manager as a fail-over pair? Also, would you please explain what kind of attacks are being performed?

Regards,
Faizan


Re: Multiple IPS sensors in traffic path

@fkazi04 IPS1 and IPS2 are connected to the NSM under the same domain, but they are not a failover pair and are protecting separate network segments. The specific attack that I am investigating is confidential and I cannot post it publicly. However, I have posted more details in SR 4-20985707581, if you can access the ticket; there I have posted the attack log export.

So I guess the question is, in theory, should the IPS sensors be logging the attacks on both sensors?

McAfee Employee
Message 5 of 7 (Accepted Solution)

Re: Multiple IPS sensors in traffic path

Hi @wohlebnt_HZA 

Thank you for providing the case details, I see my colleague is working with you on the reported issue.

In an ideal scenario, if the Sensor is able to detect the flows, the attack should trigger.

Regards,
Faizan



Re: Multiple IPS sensors in traffic path

@fkazi04 So I was reading that: "Sensors in a fail-over pair scan independently, but use the information they share with each other during the scanning process. In this way, if a flow happens to be asymmetrically routed across both Sensors, each Sensor will end up with the full flow."

So would it be optimal to join the devices as an active-active fail-over pair to create a cluster, so that the devices can share flow information? Would this be the ideal solution?

McAfee Employee
Message 7 of 7

Re: Multiple IPS sensors in traffic path

Hi @wohlebnt_HZA 

In an active-active network setup, if two sensors are configured as stand-alone units, then there is a possibility that some traffic might go via Sensor 1 and some via Sensor 2. Because the Sensor doesn't have the complete flow, it might not be able to detect the attack traffic.

Having the Sensors in a fail-over pair should help when the flows are getting missed.

I hope this answers your question.

Regards,
Faizan

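The mechanism discussed in this thread (a sensor that sees only one direction of an asymmetrically routed flow cannot match a signature that needs both the request and the response, while a fail-over pair sharing flow state can) can be illustrated with a small simulation. The following is an added example written for this page; it is a toy model, not McAfee NSP code, and the packet layout, the `PROBE-REQUEST`/`PROBE-RESPONSE` signature, the sensor names and the "which sensors a packet crosses" field are all constructed assumptions mirroring the thread's PC1/PC2/PC3 topology.

```python
"""Toy model: asymmetric routing across two standalone vs. paired IPS sensors."""
from dataclasses import dataclass, field

# Hypothetical stateful signature (constructed for this example): it fires only
# when the client request AND the server response of the same flow both carry
# their marker, so a sensor that sees just one direction can never match it.
REQUEST_MARKER = b"PROBE-REQUEST"
RESPONSE_MARKER = b"PROBE-RESPONSE"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str        # "c2s" (client to server) or "s2c" (server to client)
    payload: bytes
    via: frozenset        # names of the sensors this packet physically crosses


@dataclass
class FlowState:
    c2s_bytes: bytes = b""
    s2c_bytes: bytes = b""
    seen_by: set = field(default_factory=set)   # sensors that saw any packet of the flow

    def complete(self):
        return REQUEST_MARKER in self.c2s_bytes and RESPONSE_MARKER in self.s2c_bytes


def flow_key(pkt):
    # Both directions of a conversation map to the same flow-table key.
    return tuple(sorted((pkt.src, pkt.dst)))


class Sensor:
    def __init__(self, name):
        self.name = name
        self.flows = {}        # private flow table; replaced by a shared one when paired
        self.peers = [self]    # sensors that share flow state with this one
        self.alerts = set()

    def ingest(self, pkt):
        st = self.flows.setdefault(flow_key(pkt), FlowState())
        if pkt.direction == "c2s":
            st.c2s_bytes += pkt.payload
        else:
            st.s2c_bytes += pkt.payload
        st.seen_by.add(self.name)
        if st.complete():
            # Every sensor holding this (possibly shared) flow state that actually
            # took part in the flow can now match the signature and raise an alert.
            for peer in self.peers:
                if peer.name in st.seen_by:
                    peer.alerts.add(flow_key(pkt))


def pair(a, b):
    """Model of a fail-over pair: one flow table shared by both sensors."""
    shared = {}
    a.flows = b.flows = shared
    a.peers = b.peers = [a, b]


def scenario_packets():
    # Constructed traffic: PC1->PC2 is routed symmetrically through IPS1; the
    # PC1->PC3 request crosses IPS1 and IPS2 but the reply returns via IPS2 only.
    return [
        Packet("PC1", "PC2", "c2s", b"GET /probe " + REQUEST_MARKER, frozenset({"IPS1"})),
        Packet("PC2", "PC1", "s2c", RESPONSE_MARKER, frozenset({"IPS1"})),
        Packet("PC1", "PC3", "c2s", b"GET /probe " + REQUEST_MARKER, frozenset({"IPS1", "IPS2"})),
        Packet("PC3", "PC1", "s2c", RESPONSE_MARKER, frozenset({"IPS2"})),
    ]


def run(paired):
    """Return {sensor name: sorted list of flows it alerted on}."""
    ips1, ips2 = Sensor("IPS1"), Sensor("IPS2")
    if paired:
        pair(ips1, ips2)
    for pkt in scenario_packets():
        for sensor in (ips1, ips2):
            if sensor.name in pkt.via:
                sensor.ingest(pkt)
    return {s.name: sorted(s.alerts) for s in (ips1, ips2)}


if __name__ == "__main__":
    print("standalone:", run(paired=False))
    print("paired:    ", run(paired=True))
```

Standalone, IPS1 alerts only on the PC1/PC2 flow because it never sees PC3's response, while IPS2, which sees both halves of the PC1/PC3 flow, alerts on it; this is the asymmetry the original question describes. Paired, the shared flow table lets IPS1 complete the PC1/PC3 flow from the response IPS2 received, and it alerts on both. A useful check when investigating a real gap of this kind is to compare, per flow, which sensor carried each direction (for example from the interface or port-cluster counters) before concluding that a signature is broken.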