NSP Sensor HA paired in different Model

Hi,

Just want to check: can 2 different models of NSP sensor be paired as an HA?

Example: Primary: NS7200, Secondary: NS7100

 

Thanks.

 

4 Replies

Re: NSP Sensor HA paired in different Model

Hi Billy,

No, you can't configure 2 different models of sensor into an HA pair, according to the IPS Admin Guide, available at the link below.

Network Security Platform documentation reference guide

https://kb.mcafee.com/agent/index?page=content&id=KB76064

Regards

Peter

Re: NSP Sensor HA paired in different Model

Hi Peter,

 

Thanks for your information!

Best Regards,

Billy Tan

mjesmer (Reliable Contributor)

Re: NSP Sensor HA paired in different Model

I would like to expand on Peter's response. Although he is correct that you cannot use the McAfee NSM to configure different models as an HA pair, that doesn't stop you from using your upstream devices to fail over to another pipe out that traverses a different model sensor. You would lose things like session data from half-completed sessions, and that would cause a minor disruption / lack of alerting on that traffic, but it is essentially the same thing as HA.

d_aloy (Reliable Contributor)

Re: NSP Sensor HA paired in different Model

We could always argue about this: "losing IPS scanning data is *High Availability*.. or not I guess?" :)

As mjesmer explained - you don't need two physical IPS devices *connected* in High-Availability pair mode (in other words, a physical Interconnect link) to cover redundant paths.

If you put aside the different models for a second... you can even use that statement with the same 2 x physical NSP devices... and that will still - somehow - be true...:

Say I have a datacentre in NY and one in London? How do I pair the devices? Maybe you could call some friends to lay down a long enough transatlantic cable..

But the reality is that you can only configure those devices as 'standalone sensors' and set them to scan the traffic in "Stateless mode". This means that any signature that is based on understanding the state of the traffic cannot be used, and therefore it will be disabled when using STATELESS inspection: think this - was the 3-way TCP handshake following the RFC standard? - OR have I seen a SYN-ACK packet before this ACK response packet?

They don't care about the 'state of the traffic' at any given time. Out of order packets etc. will also be allowed. That means you can potentially fail to detect some attacks.

If I remember well, 10% of the attacks on the sigset are stateful, so you would still be detecting 90% of the signature/protocol anomaly based attacks. Too bad or not? That will depend on your requirements.

So if your high availability networks are designed to *not lose any data*, and you require full IPS inspection on that data.... using different sensor models - or same sensor models without the interconnect link - in a stateless inspection mode... could raise some red flags, from my point of view.

Then you can always get, obviously, onto how the traffic is flowing, i.e. symmetric traffic, asymmetric traffic, etc. etc... this will also have an impact and may lower (or not) the need for stateful inspection...

HTH. 

Regards

David
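The stateful-versus-stateless distinction David describes, as an added example that is not from this thread or from McAfee's product: a toy handshake tracker run over constructed packets, showing that a content-only signature fires in both modes while a signature that needs the RFC handshake (data seen on a flow whose SYN/SYN-ACK the sensor never observed, as happens on an asymmetric path) can only exist when state is kept. Packet fields, addresses and the signature string are all constructed for the demo.

```python
from dataclasses import dataclass

# Constructed packet model: just a 5-tuple, simplified TCP flags and a payload.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str            # "S", "SA" or "A"
    payload: bytes = b""

CONTENT_SIGNATURE = b"BAD-PATTERN"   # constructed stand-in for a content-only signature

def flow_key(p):
    """Direction-independent key so both halves of a conversation map to one flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

class HandshakeTracker:
    """Minimal SYN -> SYN-ACK -> ACK tracker: the state a stateless sensor does not keep."""
    def __init__(self):
        self.state = {}
    def update(self, p):
        k = flow_key(p)
        prev = self.state.get(k, "NONE")
        if p.flags == "S":
            self.state[k] = "SYN"
        elif p.flags == "SA" and prev == "SYN":
            self.state[k] = "SYNACK"
        elif p.flags == "A" and prev == "SYNACK":
            self.state[k] = "ESTABLISHED"
        return self.state.get(k, "NONE")

def inspect(packets, stateful):
    """Return (packet index, alert name) tuples. The content signature fires in both
    modes; the handshake-based signature is simply absent when stateful=False."""
    alerts = []
    tracker = HandshakeTracker() if stateful else None
    for i, p in enumerate(packets):
        if CONTENT_SIGNATURE in p.payload:
            alerts.append((i, "content-signature"))
        if stateful and p.payload and tracker.update(p) != "ESTABLISHED":
            alerts.append((i, "data-without-rfc-handshake"))
        elif stateful:
            tracker.update(p)
    return alerts

# Constructed traffic: flow 1 completes its handshake in front of the sensor; flow 2 is
# only ever seen mid-stream, as when its SYN/SYN-ACK traversed the other sensor.
PACKETS = [
    Packet("10.0.0.1", "10.0.0.2", 40000, 80, "S"),
    Packet("10.0.0.2", "10.0.0.1", 80, 40000, "SA"),
    Packet("10.0.0.1", "10.0.0.2", 40000, 80, "A"),
    Packet("10.0.0.1", "10.0.0.2", 40000, 80, "A", b"GET / BAD-PATTERN"),
    Packet("10.0.0.3", "10.0.0.2", 40001, 80, "A", b"GET /index.html"),
]
```

Running `inspect(PACKETS, stateful=True)` reports both the content hit on packet 3 and the handshake anomaly on packet 4; `inspect(PACKETS, stateful=False)` reports only the content hit, which is the detection gap David is pointing at.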
