Positioning IPS engines and Layer 2 Firewalls

IPS and Layer 2 Firewall engines pick up passing network traffic for inspection in real time. The positioning of the engines is the most critical part of the deployment.

Each engine can inspect the network traffic of one or more network segments in IDS and IPS configurations.

The following table describes the modes for IPS engines and Layer 2 Firewalls.

Table 1. Modes for IPS engines and Layer 2 Firewalls

Role: IPS
Default Policy: Allows everything that is not explicitly denied in the policy.

  Mode: Inline
  Description: In inline (IPS) mode, an IPS engine actively filters traffic. The IPS engine is connected as a “smart cable” between two network devices, such as routers and a switch. The IPS engine itself does not route traffic: packets enter through one port, are inspected, and exit through the other port that makes up the pair of Inline Interfaces. Failover network interface cards (NICs) are recommended on the IPS engine to allow network connectivity when the IPS engine is offline. An inline IPS engine can also transparently segment networks and control network access.

  Mode: Capture
  Description: In capture (IDS) mode, an IPS engine listens to network traffic that is replicated to the IPS engine through:
    • Port mirroring (switch SPAN ports)
    • Dedicated network TAP devices

Role: Layer 2 Firewall
Default Policy: Denies everything that is not explicitly allowed in the policy.

  Mode: Inline
  Description: In inline (IPS) mode, a Layer 2 Firewall engine actively filters traffic. The engine is connected as a “smart cable” between two network devices, such as routers. The engine itself does not route traffic: packets enter through one port, are inspected, and exit through the other port that makes up the pair of Inline Interfaces. Fail-open network interface cards (NICs) can only be used on the Layer 2 Firewall if the Failure Mode of the pair of Inline Interfaces is Normal. An inline Layer 2 Firewall can also transparently segment networks and control network access.

  Mode: Capture (Passive Firewall)
  Description: In capture (Passive Firewall) mode, a Layer 2 Firewall listens to network traffic that is replicated to the Layer 2 Firewall through port mirroring (switch SPAN ports).

  Mode: Passive Inline
  Description: A Layer 2 Firewall is installed inline between two network devices, such as routers and a switch, but does not filter traffic. An inline Layer 2 Firewall can be set to Passive Firewall mode by configuring the Layer 2 Firewall to only log connections.

The same IPS engine can be used for both IPS and IDS operation simultaneously. For example, an IPS engine can be deployed inline to examine traffic from one network to another and capture traffic that stays within each network.

Take the following into consideration when you decide where to install the engines:

  • The critical assets to be protected and the potential attack paths.
  • The most suitable locations along those attack paths for detecting and responding to attack attempts, so that the assets are protected.
  • The volume and profile of traffic to be inspected at each location.

Select the engine role based on the way the engine handles inspected traffic:

  • Use a Layer 2 Firewall if traffic must be denied unless it is explicitly allowed.
  • Use an IPS engine if traffic must be allowed unless it is explicitly denied.
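The placement constraints in Table 1 and the default-policy difference between the two roles can be checked before a plan is committed. The following Python is an added example, not part of the original documentation or of the NGFW product: it models an engine as a small record, flags inconsistent placements (wrong mode for the role, inline deployment without an Inline Interface pair, a capture feed the role does not list, fail-open NICs on a Layer 2 Firewall whose Failure Mode is not Normal), and shows how a flow that matches no rule falls back to the role's default action. Interface names, rule shapes and the sample flows are constructed for illustration.

```python
from dataclasses import dataclass

# Constraints taken from Table 1: valid modes per role, default policy action
# per role, and the replication sources each role's capture mode lists.
MODES = {"IPS": {"Inline", "Capture"},
         "Layer 2 Firewall": {"Inline", "Capture", "Passive Inline"}}
DEFAULT_ACTION = {"IPS": "allow", "Layer 2 Firewall": "deny"}
CAPTURE_SOURCES = {"IPS": {"SPAN", "TAP"}, "Layer 2 Firewall": {"SPAN"}}

@dataclass
class Engine:
    name: str
    role: str
    mode: str
    inline_pair: tuple = ()       # two interface names for inline modes (constructed names)
    capture_source: str = ""      # "SPAN" or "TAP" for capture mode
    fail_open_nic: bool = False
    failure_mode: str = "Normal"  # the page names only "Normal"; any other value counts as not Normal

def validate(e: Engine) -> list:
    """Return the placement problems for one engine (empty list if consistent)."""
    problems = []
    if e.mode not in MODES.get(e.role, ()):
        return [f"{e.name}: mode {e.mode!r} is not available for role {e.role!r}"]
    if e.mode in ("Inline", "Passive Inline") and len(e.inline_pair) != 2:
        problems.append(f"{e.name}: inline deployment needs a pair of Inline Interfaces")
    if e.mode == "Capture" and e.capture_source not in CAPTURE_SOURCES[e.role]:
        problems.append(f"{e.name}: capture feed {e.capture_source!r} is not listed for {e.role}")
    if e.role == "Layer 2 Firewall" and e.fail_open_nic and e.failure_mode != "Normal":
        problems.append(f"{e.name}: fail-open NICs require Inline Interface Failure Mode 'Normal'")
    return problems

def decide(e: Engine, rules: list, flow: dict) -> str:
    """First matching rule wins; otherwise the role's default policy applies.
    A Passive Inline Layer 2 Firewall never filters, it only logs connections."""
    if e.mode == "Passive Inline":
        return "log-only"
    for matches, action in rules:
        if matches(flow):
            return action
    return DEFAULT_ACTION[e.role]

# Constructed sample plan: an IPS inline between two devices, a Layer 2 Firewall on a SPAN feed.
IPS_INLINE = Engine("ips-dmz", "IPS", "Inline", inline_pair=("eth1", "eth2"))
L2FW_SPAN = Engine("l2fw-core", "Layer 2 Firewall", "Capture", capture_source="SPAN")
RULES = [(lambda f: f["dst_port"] == 23, "deny"),     # explicit deny
         (lambda f: f["dst_port"] == 443, "allow")]   # explicit allow

if __name__ == "__main__":
    for eng in (IPS_INLINE, L2FW_SPAN):
        print(eng.name, validate(eng) or "OK")
    # Port 22 matches no rule: the IPS allows it, the Layer 2 Firewall denies it.
    print(decide(IPS_INLINE, RULES, {"dst_port": 22}), decide(L2FW_SPAN, RULES, {"dst_port": 22}))
```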

Figure: Example of positioning NGFW Engines in different network segments

The illustration outlines common deployment scenarios for IPS engines in general internal networks and in DMZ networks. Layer 2 Firewalls can be used in similar scenarios. IPS engines and Layer 2 Firewalls are not necessarily needed at each of these points in all environments. A single IPS engine or a single Layer 2 Firewall can also cover several or even all scenarios simultaneously if the physical setup makes it practical.