IPS-4240 design question

I have two IPS 4240s that can be placed between our internal network and our extranet firewall. The firewalls are a standard active/standby pair of ASA-5520s connected to both switches.

Q1 - If I'm not worried about atomic attacks, is there any other advantage to running the IPS inline rather than in promiscuous mode?

Q2 - Whether inline or promiscuous, is it necessary to connect a single IPS to both switches in order to keep receiving packets when an ASA failover occurs? If so, physically or through RSPAN?

Q3 - If the IPS fails while it is set up inline, do the interfaces fail open (traffic continues to pass) or closed (traffic is dropped)? I couldn't find that on the Cisco site.

Thank you!

In promiscuous mode, you can use one 4240 and span the output of each switch to two of the 4240's sensing interfaces (it has four available). A single 4240 should even be able to track TCP sessions that span the two links, as in the case of a failover.

Tags: Cisco Security

Similar Questions

  • IPS 4240 - additional card

    Hello

    Does anyone know when 4xFE cards will be available for the IPS-4240 (for a total of 8 interfaces)?

    Kind regards

    Krzysztof

    The option card for IPS-4240/4255 sensors will be a 4GE card supporting copper (RJ45) and fiber (SX) connections. It will allow a total of 8 RJ45 interfaces or 4 SX fiber interfaces (plus 4 RJ45 interfaces) on these platforms. Unfortunately, it will probably not be available for another 9 months or more.

  • Deployment of Cisco IPS 4240 devices

    I can't find much information about mass deployment of Cisco IPS 4240 appliances. I have 6 devices that I intend to ship to several remote sites and tie into a centralized Cisco MARS unit. Without the help of any CSM/LMS software, is there a quick and dirty way to pull this off? I'm thinking of setting up a single IPS appliance, then pulling and distributing the configuration file to the remaining devices. I would like to hear how others have done this...

    If all of your sensors are of the same type (all 4240s in your situation) and will all run the exact same configuration, then the copy command will help you out.

    There is a new feature added to the copy command in IPS 6.1 which will help you when copying the config of one sensor to another.

    Completely configure one sensor (using IME, IDM or the CLI). When you are satisfied with the configuration, use the copy command to copy it TO an SCP server.

    Now bring up a second sensor and configure basic networking through setup (IP address, gateway, etc.).

    Now use the copy command to copy the first sensor's configuration from the SCP server into the running configuration of the second sensor.

    It will ask whether you want to change the network settings on the second sensor.

    Answer no.

    The rest of the first sensor's configuration will then be placed on the second sensor.

    The second sensor will keep its own unique IP address but gain the rest of the configuration from the first sensor's config.

    Continue to do this with additional sensors.

    The process can then be repeated every time that additional changes are made to the first sensor.

    Remember though that this only works if the sensor configuration is to be exactly duplicated (including which interfaces are monitored and how).

    If each sensor will have some unique tuning, then you need to manage each sensor on its own or buy CSM, which can be used to share only parts of the configuration across multiple sensors.

  • IPS-4240 engine upgrade procedure from E3 to E4

    Hi all

    Can someone help me upgrade the IPS from 6.0(1) E3 to 7.0(2) E4?

    Which images need to be upgraded for this?

    What is the appropriate upgrade procedure?

    Here is the show version output for your reference...

    ========================================

    Cisco IPS #.

    Cisco-IPS # sh ver
    Application partition:

    Cisco Intrusion Prevention System, Version 1.0000 E3

    Host:
    Domain keys key1.0
    Definition of signature:
    Update of the signing S479.0 2010-03-19
    Virus update V1.4 2007-03-02
    OS version: 2.4.30 - IDS-smp-bigphys
    Platform: IPS-4240-K9
    Serial number: JMX1244L0PK
    License expires: December 31, 2010 UTC
    Sensor time is 211 days.
    With the help of 1439252480 of 1984552960 memory available bytes (72% of use)
    the application data uses 44.0 M off 166,8 M bytes of disk space available (28% of use)
    startup is using 39.7 M off 68.6 M bytes of disk space available (61% of use)

    MainApp to E-2008_OCT_16_16_24 (release) 2008-10-16 T 16: 40:57 - 0500 Running
    AnalysisEngine-E-2008_OCT_16_16_24 (release) 2008-10-16 T 16: 40:57 - 0500 Running
    CLI-E-2008_OCT_16_16_24 (release) 2008-10-16 T 16: 40:57 - 0500

    Upgrade history:

    * IPS - GIS - S465 - req - E3 23:00:43 UTC Thursday, January 28, 2010
    IPS-GIS-S479-req - E3.pkg 00:05:37 UTC Wednesday, April 7, 2010

    Version 1.1 - 1, 0000 E3 recovery partition

    Valid certificate from the host: November 17, 2008 to November 18, 2010

    Cisco IPS #.

    Cisco IPS #.

    =================================

    Kind regards

    Anuj Pratap

    No, do not re-image the system (IPS-4240-K9-sys-1.1-a-7.0-2-E4.img), as that would wipe all of your configuration.

    Just perform the upgrade using this upgrade file: IPS-K9-7.0-2-E4.pkg, which will automatically update it to 7.0(2) E4.

  • Engine version upgrade on IPS-4240

    Hello

    I'm running an IPS 4240 sensor with engine version 7.0(1) E3, and the sensor always shows a high load of 97 to 98%. Is it recommended to update the sensor to the latest engine version, considering the amount of load on it right now?

    Thank you

    Kiran

    Hi Kiran,

    You need to update the engine anyway, since you cannot use the latest signature definitions without being on the latest engine. As long as you don't see dropped packets at the sensing interface level, the high CPU usage is fine. If you start to see dropped packets, you need to reduce the amount of traffic being sent to the sensor or reduce (by disabling and retiring signatures) the number of signatures inspecting the traffic on the sensor.

    Best regards

    Justin

  • IPS-4240 fail open

    Hi all

    I have one IPS-4240 unit. I want to know, if my sensor or the unit itself fails or stops, whether there is an option where my traffic is still passed so that there is no downtime.

    Thank you

    Pratik

    When the sensor is inline, you can configure the inline bypass mode to 'auto', so that when the sensor software is not working it just passes traffic through without inspection. However, if the sensor is completely shut down, then no, the traffic will be dropped when in inline mode.

    Here is more information on inline bypass mode:

    http://www.Cisco.com/en/us/docs/security/IPS/7.0/Configuration/Guide/CLI/cli_interfaces.html#wp1047079

    However, if it is in promiscuous mode, you don't have to worry about this, because the device is not "inline" and will cause no disruption.

    Hope that helps.

  • TLS extensions not fully supported in Cisco IPS 4240

    I am trying to contact a Cisco IPS 4240 device over SSL while having FIPS security settings enabled on the client. This is not possible because the device does not support the TLS extensions in the Client Hello packet (RFC 5746) that the client sends when using TLS (SSL3 and lower are not FIPS compliant). The IDM application that communicates with the device does not send these extensions (I'm seeing this with Wireshark) and so it is able to connect.

    Is it possible to make the 4240 support these TLS extensions?

    This is related to the bugs below. The initial fix will be included in the 7.1.5 release, which is being prepared to support the 4240 platform among others. In the short term this will allow the IPS web server to ignore the extensions. The long-term solution will require an update to the web server so that it is fully compliant with RFC 5746.

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtt18382

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtx43502

    Todd
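    An added example, not from this thread or from Cisco: a small Python parser that reads a TLS ClientHello record and reports whether it carries the RFC 5746 renegotiation_info extension (type 0xff01) or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite (0x00ff). That is the difference between the FIPS-style hello the 4240 web server rejected and the extension-free hello IDM sends, so the same check can be run over a capture to confirm which clients will hit the bug. The build_client_hello helper and the sample records are constructed here for the parser; the function names are mine.

```python
import struct

# RFC 5746 signalling values (from the RFC itself, not from the thread)
RENEGOTIATION_INFO_EXT = 0xFF01     # extension type "renegotiation_info"
RENEGOTIATION_INFO_SCSV = 0x00FF    # TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite


def build_client_hello(version, cipher_suites, extensions=()):
    """Construct a ClientHello record as sample input (hypothetical helper).

    extensions is a sequence of (type, data) pairs; an empty sequence yields
    the extension-less hello that an SSLv3-style client (or IDM) sends.
    """
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"  # version, random, empty session id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                          # one compression method: null
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


def parse_client_hello(record):
    """Return the hello's version, cipher suites, extension types and RFC 5746 signals."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    version = struct.unpack_from("!H", body, 0)[0]
    pos = 2 + 32                                 # past client_version and random
    pos += 1 + body[pos]                         # skip session id
    cs_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    suites = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                         # skip compression methods
    ext_types = []
    if pos < len(body):                          # extensions block is optional (RFC 5246 7.4.1.2)
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            ext_types.append(etype)
            pos += 4 + elen
    return {
        "version": version,
        "cipher_suites": suites,
        "extensions": ext_types,
        "has_renegotiation_info": RENEGOTIATION_INFO_EXT in ext_types,
        "has_scsv": RENEGOTIATION_INFO_SCSV in suites,
    }


if __name__ == "__main__":
    # Constructed samples: a TLS 1.0 hello with RFC 5746 signalling, and a bare SSL3-style hello.
    fips_hello = build_client_hello(0x0301, [0x002F, RENEGOTIATION_INFO_SCSV],
                                    [(RENEGOTIATION_INFO_EXT, b"\x00")])
    bare_hello = build_client_hello(0x0300, [0x002F])
    for name, rec in (("fips", fips_hello), ("bare", bare_hello)):
        print(name, parse_client_hello(rec))
```

    A hello whose report shows has_renegotiation_info or has_scsv is the kind the unpatched 4240 web server could not handle; one with an empty extensions list is what IDM sends.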

  • ISE design question

    I have a few design questions about ISE v.1.0.4.573

    1. Do the ISE 3395 gigabit ports support link aggregation? How can I use all 4 ports as uplinks?
    2. When performing a 2 x 3395 HA installation, is there a heartbeat connection between the two ISEs, or do they use the same network link for heartbeat and synchronization?
    3. I'm designing ISE with a WLC. My WLC (5508) setup is 5 floors with different VLANs but the same SSID. How can I make ISE authenticate in this scenario, since WGB AP is not supported in ISE v1.0? Is there a workaround for this type of WiFi-to-ISE configuration?
    4. Continuing from the configuration above, when roaming from one floor to another after the VLAN changes, will the user be re-authenticated or keep the same session?

    Thanks for the help.

    Kind regards

    Zohaib

    1. The current version does not support link aggregation...

    2. They use the same network link for heartbeat and synchronization.

    3. My suggestion is to assign your SSID an interface group on your WLC containing all the interfaces belonging to your VLANs, and enable AAA override. Then, on ISE, create authorization profiles that include the appropriate VLAN. Use the Called-Station-ID RADIUS attribute with the MAC address of your AP as a condition.

    4. They keep the same session.

  • IPS 4240 high availability?

    Hello

    Can the 4240 run in HA mode?

    Or should I look at the 4255 if I need to work in HA mode?

    Kindly help me with this info... Thanks in advance.

    Kind regards
    RAM

    Just to add a little to Bob's response. HA is possible, but as mentioned above it is not HA as you would expect from a firewall; it requires significant network planning and is rather technical in nature.

    The best documentation I could find about HA designs is chapter 21, "Deploying Cisco IPS for High Availability and High Performance", of the CCNP Security IPS 642-627 Official Cert Guide, ISBN 9780132372107. It gets quite detailed and explains a large number of different methods.

    I was also able to find some information on this site, but it is at a higher level and does not cover as many options.

    https://www.NetworkWorld.com/community/node/18384

    I had to get HA working in some of our environments, and I'm here to tell you: plan ahead, far in advance, and test several methods to find one that suits. We ended up using a method that I just couldn't find mentioned anywhere.

  • 4240 memory question

    I have an IPS 4240 unit that is using 1371 of 1893 and has only 522 left, and it is climbing. Is this normal and, if not, how do I clear the memory so it does not use so much?

    They will tend to use all available memory. Unless you start swapping to disk, don't worry about it.

  • IPS-4240 Sig Update License

    Isn't this the right part number for the IPS 4240 sig update license? CON-SUSA-IPS4240S

    I can only find this part number in the ordering tool: CON-SUI-IPS4240, which also includes SMARTnet support?

    What do we need if we just want sig updates?

    Thank you

    You cannot buy a stand-alone IPS subscription for the IPS appliance.

    You can buy either of the following:

    (1) CON-SUI-IPS4240, for example, which includes SMARTnet for hardware, software, and the IPS subscription.

    OR

    (2) CON-SUSA-IPS4240 contracts are sold only to customers who have purchased hardware and software support through a reseller/partner contract.

    CON-SUSA... cannot be sold on its own; it must be sold in conjunction with the reseller/partner support contract.

    Hope that helps.

  • Double firewall, config VPN design question?

    All,

    I'm looking to implement a dual-firewall design with different vendors, i.e. Cisco at the front and another vendor behind it. The Cisco ASA will terminate the VPNs. This design was recommended to us.

    The reasoning was that the front firewall (Cisco) will block most of the noise, and then the second firewall will do the IPS inspection etc. Apparently this is also done in case there are vulnerabilities in the first vendor's product. The DMZ interface will in fact be on the second firewall.

    What I am currently working out is: if all remote users terminate their VPN at the edge ASAs, what is the best way to move them through the second firewall and then back out to the internet, so we can apply policy and inspection to the users?

    There is no IPS inspection on the front ASAs, just a bog-standard firewall without L7 visibility (as this responsibility will lie with the second firewall).

    Looking for information so that I can start reading...

    The CVD is a great place to start.

    http://www.Cisco.com/en/us/solutions/ns340/ns414/ns742/ns1128/landing_iEdge.html

  • vSphere 5.0 and 5.5 SSO design question

    Hi all

    Currently we have a configuration with two vCenter servers installed. One at our production site and one at our DR site. Our production site and the DR location are in different places in the city; they are currently on a flat network, but this is subject to change so that they are treated as totally different sites. We also currently do not use vCenter Linked Mode because we don't have two vCenters and like the separation; however, if it's required we can install it.

    The plan is to upgrade the DR site first to iron out everything before the production upgrade. With that said, we were thinking about installing SSO as such:

    http://www.VMware.com/files/PDF/vCenter/VMware-vCenter-Server-5.5-technical-whitepaper.PDF

    Page 11: I attached the design image

    We are thinking of installing the first SSO at the DR site and, when we have completely upgraded our production site, installing another SSO as an additional site to keep the SSO replication in place, aka the option:

    vCenter Single Sign-On for an additional vCenter server with a new site

    The end config looks like the second attachment, ssoconfig2.

    I just wanted a few opinions on this choice and whether this is the best way to go with what we are designing.

    Any help is greatly appreciated,


    Thank you

    Hello

    I mean, Option 3 will be necessary if you want to use Linked Mode.

    With regard to your questions:

    1. Yes, you can keep the two vCenters separate with a simple installation, or see option 1 to install both

    2. Linked Mode requires option 3 to work. But you can still use Option 3 without Linked Mode if you want single-domain SSO replication (meaning that if you create a user in the VC1 SSO, it is replicated to the other SSO).

    Let's say you do not use option 3 for your second vCenter; if you later decide to use Linked Mode, you must uninstall and reinstall SSO for your second vCenter to change it from Option 1 to Option 3, replicating from your first vCenter.

  • View design question (several sites)

    Hello

    I am testing View 5 on vSphere 5 and I have a design question spanning multiple locations. See the image below. We have two locations, each with its own data center. Unfortunately, these two locations are currently connected only via a 20/20 Mbit VDSL internet connection, and it is now being improved.

    LOCATION 2 is actually an office with many clients and also its own small data center (also based on vSphere 5). The primary data center is at LOCATION 1 and is where I would put all my virtual workstations (not only for LOCATION 2, but for all the other places as well) and where the View Connection Server will be. The problem is that at LOCATION 2 (the office) there are some file servers that the users at this site use heavily.

    Question No. 1:

    (a) Deploy the virtual desktops at LOCATION 1 -> in this case PCoIP will give me a pretty good connection; the problem is file access from the virtual desktops at LOCATION 1 (the GREEN path).

    (b) Deploy the virtual desktops at LOCATION 2 -> in this case the traffic will have to go through the Connection Server, then to the virtual desktop at LOCATION 2 and on to the client... no idea how this works (the PURPLE path)... it seems like a heavy network load? However, it could give quick access to the files on the LOCATION 2 servers.

    Another solution is to put a View Connection Server at LOCATION 2 as well, but that would mean administering another system, and I want to keep things simple.

    What do you suggest?

    Question No. 2:

    Do I have to route traffic from LOCATION 2 to LOCATION 1, where the View Connection Server lives, over a VPN, or is the PCoIP traffic encrypted by itself and OK to put in the (controlled) DMZ?

    Thanks for the help!

    1986788.png

    Would the orange path in the attached picture be more accurate if secure tunneling were disabled?

  • Blackberry design question

    Hi all

    I am developing a BlackBerry application using native BlackBerry APIs. In it I have to support several device resolutions. From a design point of view I am adding padding and margins to the fields on my screen, and I think that's not good programming.

    Can someone please tell me a way to write BlackBerry code that supports all resolutions (i.e. JRE 6 and 7)?

    After going through many links I found information about LWUIT components. So can someone please tell me which is best to use for coding on BlackBerry: LWUIT or native BlackBerry?

    Thanks in advance

    As Simon suggested, I wrote up some of my thoughts as part of a series of tutorials, see here:

    http://supportforums.BlackBerry.com/T5/Java-development/tutorials-for-new-developers-part-1/m-p/1621...

    I think the user interface one is tutorial 10.

    As Simon said, the thing with the user interface is either:

    (a) creating a specific UI for the form factor you are targeting (so it takes into account the screen size (pixels), resolution (DPI) and orientation)

    (b) creating a general UI that adapts at run time to match the form factor.

    For most applications, where you don't need a pixel-perfect display, I think that (b) works very well; there are a variety of approaches you can use. Take a look at that tutorial.

    For example, Simon chooses UI assets (such as icons) based on the screen resolution, so he picks icons of different sizes according to the screen (Android does something similar, and you can do the same sort of thing in BB10). Alternatively, I try to build for the bigger picture and let it adapt on the device. My experience is that scaling on the device works OK, but I suspect some will say a 96 x 96 pixel image scaled down on the device to 64 x 64 pixels may not look as good as a prepackaged 64 x 64 image; try it and see.
