Intrusion Prevention

 View Only


This community is currently under full moderation, meaning  all posts will be reviewed before appearing in the community. Please expect a brief delay—there is no need to post multiple times. If your post is rejected, you'll receive an email outlining the reason(s). We've implemented full moderation to control spam. Thank you for your patience and participation.

  • 1.  Question on physical placement of IDP

    Posted 03-26-2010 09:42



    Below is my scenario:


    1- Server Farm switch is connected to the Core switch using 10gig uplink

    2- External DMZ is connected to External Firewall. and Firewall is connected to the Core switch.


    I want to protect external DMZ server from threats/attacks from internet using IDP and also wants to protect server farm from users on core switch using IDP.  My questions are that:


    1- I placed the IDP in between Core Switch and Server Farm Switch to protect servers from users on core switch . Can I placed the same IDP between External firewall and External DMZ switch to protect DMZ servers from internet.


    a- Is this against security best pratices?

    b- How to separate the IDP policies for both segments? I mean I want differet IDP policies for server farm segment and DMZ segment


    2- If I placed the IDP between core switch and server farm switch it would be the bottleneck because server farm switch is connected to core switch through 10gig link. In this case what could be the best physical placement of IDP for server farm?


    Many thanks

  • 2.  RE: Question on physical placement of IDP

    Posted 03-26-2010 11:31



    Answers to your questions:


    1 - Yes, you can use different VR's for traffic from the Core Switch to the Server Farm Switch. The only caution is making sure that the traffic is mutually exclusive. While there are many VR's, there is only one subscriber. If the IDP subscriber sees the same traffic twice, it will think it is malicious traffic and drop it.


    As far as seperating the traffic, you can create rules based on Zone, VLAN, SRC/DST IP addresses/networks, etc


    2 - Yes, since the IDP is inline for traffic, it can be a bottleneck. I don't know which IDP you are using, but if it is an IDP-8200, it supports around 10Gb of traffic, but with the "Recommended" policy. Any differing policy becomes an X-factor, and differing what the IDP can handle. Remember that 10Gb/s is total traffic, not per VR. So if you are processing traffic on two VR's, be aware that the IDP can handle only the total of both VR's.




  • 3.  RE: Question on physical placement of IDP

    Posted 03-27-2010 00:12



    Thanks for your help. So you mean I can configure Virtual routers on IDP it self and can used it for both segments. I got it right?


    One thing kindly clear that on standalone IDP we can not configure policies through zone wise?


    Other thing is that if IDP is the bottleneck between server farm and core switch then where I can place this IDP to scan the traffic for server farm?


    Many thanks for your help

  • 4.  RE: Question on physical placement of IDP

    Posted 03-28-2010 00:44

    I have the same scenario like "Aeroplane", having 8200 IDP in HA, please let me know where whould  i exactly place the device. Can we also deploy IDP "one armed" in inline transparent mode? 


    One thing more, If i have configured  a trunk in between Core Switch and Firewall (sub interfaces on FW)and I want to place IDP in between them, would there be any problem????


    awaiting for your response.


    Thanks and best regards,

  • 5.  RE: Question on physical placement of IDP

    Posted 03-29-2010 09:43



    The IDP cannot be deployed in classic "one armed mode," as virtual router (VR) pairs needs to be used. But you can use VR pairs to different zones, just make sure that the flow is not seen twice, or the IDP will drop the traffic.


    The IDP in inline transparent mode should not care about trunks and sub interfaces, so there should be no problem.




  • 6.  RE: Question on physical placement of IDP
    Best Answer

    Posted 03-29-2010 09:21



    Yes, you are correct, you can configure VR's on the IDP and use them for both segments. VR's are configured via the ACM on the IDP.


    You are correct in that policies cannot be configured zone-wise. There can only be one active golbal policy, the exception being when a new policy is loaded, with the IDP 8200 the old policy will be used until connections are finished, at which point all connections will go through the new policy. However, policies can be modified to be constructed of mulitple rules, and the rules can be zone specific.


    Regarding placement if I correctly understand your concern, the IDP will always act as a bottleneck if it can process less throughput than the surrounding devices when it is in inline mode. If the IDP is in sniffer mode, this bottleneck is removed, but the protection is not as robust. So this would ultimately depend on the amount of traffic you are seeing in segments that would be assigned to the two VR's, and if that traffic would exceed the capabilities of the IDP with the "Recommended" policy.



  • 7.  RE: Question on physical placement of IDP

    Posted 03-30-2010 12:26

    Thanks Dear,


    I thing can you clear if i configure the VR on IDP through ACM then to create IDP policies for both VR NSM will show the two VR to push the policies?



  • 8.  RE: Question on physical placement of IDP

    Posted 03-30-2010 13:25

    The IDP can only push one policy, you will configure the VR's though the ACM, and then you will add one or more RULES for each zone that maps to VR's, and then push that POLICY that contains these rules.




  • 9.  RE: Question on physical placement of IDP

    Posted 03-31-2010 01:44

    Thanks for your help. I have created VR on IDP through ACM. BUT kindy assist me how to create zone and bind to VR on NSM so that I can make rule zone wise and can push these rules to appropriate VR on IDP through NSM.


    Many thanks

  • 10.  RE: Question on physical placement of IDP

    Posted 03-31-2010 09:51



    Unfortunately this gets a bit beyond the scope of the forums. Can you open a JTAC ticket?


    Warm regards,


  • 11.  RE: Question on physical placement of IDP

    Posted 04-05-2010 11:57



    Unforutnately I can not 😞 can you give me the high level steps for doing this.