742 Views, 4 Replies. Latest reply: Jul 19, 2013 12:14 AM by shwetimaverma

shwetimaverma (Newcomer, 3 posts since Jul 16, 2013)
Jul 16, 2013 12:13 PM

IPS Installation using Link Aggregation

Hi there,

I am new to NIPS and I have read a lot of documentation, product guides and discussions about NIPS and NSM. We are planning to implement IPS sensors in our new datacentre. We are at the stage where planning and design are in progress, but I have a query regarding the failover configuration. We have two datacentres and use one firewall per datacentre, which will be configured as failover to each other. The firewall is a Check Point firewall. Now, if we implement an IPS sensor in one datacentre and consider the failover, we cannot connect the two IPS sensors to one Check Point firewall.

Also, we are not using bypass units (since the customer does not allow traffic to pass without monitoring). So, if we implement two IPS sensors using one firewall and connect the ports with link aggregation on the firewall, would it be possible to divert traffic through one IPS while the other is the failover? So, in case one IPS goes down, the other will be active, since both are in failover.

My question here is: will link aggregation (binding two physical ports to a virtual IP address on the firewall) help in a failover configuration? Attached is the logical diagram for reference.

Will one IPS work as active here and the other as failover? Please help.

Reply 1. dt1 (Newcomer, 12 posts since Apr 17, 2013), Jul 17, 2013 10:20 AM (in response to shwetimaverma)
Re: IPS Installation using Link Aggregation

    I don't know if I fully understand the question or the two-datacentre requirement.

    "My question here is: will link aggregation (binding two physical ports to a virtual IP address on the firewall) help in a failover configuration?"

    Sure, it would help provide redundancy on that network, but the NSP IPS sensors won't really care. Each one will inspect the traffic which passes through its inline port pair. HA on the NSP sensors works by forwarding all inspected packets and alert data to the peer NSP device via the HA cable, so each NSP sensor is aware of all scanned traffic on both links. If one link fails, the VIP will be broadcast on the single active firewall interface, and IPS inspection will continue to occur on that link.

Reply 3. dt1 (Newcomer, 12 posts since Apr 17, 2013), Jul 18, 2013 8:03 AM (in response to shwetimaverma)
Re: IPS Installation using Link Aggregation
    "Does it mean that data will be monitored by both devices before it is allowed to pass to the core switch?"

    Yes, kind of. Traffic will be monitored as it flows inbound/outbound through the FW to the core switch. If a packet flows over path #1, it will be monitored by IPS #1; over path #2, it will be monitored by IPS #2. These IPS sensors are set up as a FO pair, therefore IPS #1 will share all events with IPS #2 and vice versa. Whichever IPS detects the alert will be the one responsible for forwarding it to NSM.

    "Will the failover IPS connected in HA not just act as a secondary that keeps a record of all the sessions of the primary?"

    Correct, it will act as more than just a secondary IPS monitoring the sessions and health of the primary. It will function as a fully operational IPS sensor, capable of monitoring, alerting, and blocking on any detected events.

    Regarding whether or not link aggregation is helpful, etc., I guess that's really for you or your network engineers to decide, based on your network and business requirements.
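The behaviour dt1 describes above (flow-hashed LAG members, an inline sensor on each, session state replicated over the HA cable, and no bypass path when a member is down) as an added toy model, not part of the thread or of any McAfee NSP code; the flow tuples, sensor names and the SHA-256 member-selection policy are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field

# Flow = (src_ip, dst_ip, src_port, dst_port, proto); constructed sample data
Flow = tuple


@dataclass
class Sensor:
    """One inline IPS sensor sitting on a single LAG member link."""
    name: str
    link_up: bool = True
    peer: "Sensor | None" = None
    sessions: set = field(default_factory=set)     # state incl. what the peer saw
    inspected: list = field(default_factory=list)  # packets this unit itself saw

    def inspect(self, flow: Flow) -> None:
        self.inspected.append(flow)
        self.sessions.add(flow)
        if self.peer is not None:          # replicate over the HA cable
            self.peer.sessions.add(flow)


def pair(a: Sensor, b: Sensor) -> None:
    """Join two sensors as a failover (FO) pair."""
    a.peer, b.peer = b, a


def lag_select(flow: Flow, sensors: list) -> Sensor:
    """Hash a flow onto one *active* LAG member (assumed flow-based hashing,
    so a session stays on one path). With no bypass unit, no member up
    means the packet is dropped rather than passed uninspected."""
    active = [s for s in sensors if s.link_up]
    if not active:
        raise RuntimeError("no LAG member up: traffic dropped, not bypassed")
    digest = hashlib.sha256("|".join(map(str, flow)).encode()).digest()
    return active[int.from_bytes(digest[:4], "big") % len(active)]


def send(flows, sensors) -> None:
    """Push each packet through the LAG into the sensor on the chosen path."""
    for f in flows:
        lag_select(f, sensors).inspect(f)


def run_scenario():
    """Return (sessions each sensor knew before failover, IPS#1 inspected after,
    IPS#2 inspected after) for 8 constructed sessions; link #1 fails midway."""
    ips1, ips2 = Sensor("IPS#1"), Sensor("IPS#2")
    pair(ips1, ips2)
    flows = [("10.0.0.%d" % i, "192.168.1.10", 40000 + i, 443, "tcp") for i in range(8)]
    send(flows, [ips1, ips2])                  # normal operation, both paths in use
    known_before = (set(ips1.sessions), set(ips2.sessions))
    ips1.link_up = False                       # path #1 (and its sensor) goes down
    ips1.inspected.clear(); ips2.inspected.clear()
    send(flows, [ips1, ips2])                  # same sessions continue on path #2
    return known_before, list(ips1.inspected), list(ips2.inspected)
```

The surviving sensor already holds every session from both paths before the failure, which is the point of the HA state sharing; the LAG only decides which path each flow takes.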
