Positioning IPS engines and Layer 2 Engines
IPS and Layer 2 Engines pick up passing network traffic for inspection in real time. The positioning of the engines is the most critical part of the deployment.
Each engine can inspect the network traffic of one or more network segments in IDS and IPS configurations.
The following table describes the modes for IPS engines and Layer 2 Engines.
Role | Default Policy | Mode | Description
---|---|---|---
IPS | Allows everything that is not explicitly denied in the policy. | Inline | In inline (IPS) mode, an IPS engine actively filters traffic. The IPS engine is connected as a “smart cable” between two network devices, such as routers and a switch. The IPS engine itself does not route traffic: packets enter through one port, are inspected, and exit through the other port that makes up the pair of Inline Interfaces. Failover network interface cards (NICs) are recommended on the IPS engine to allow network connectivity when the IPS engine is offline. An inline IPS engine can also transparently segment networks and control network access.
IPS | Allows everything that is not explicitly denied in the policy. | Capture | In capture (IDS) mode, an IPS engine listens to network traffic that is replicated to the IPS engine through:
Layer 2 Engine | Denies everything that is not explicitly allowed in the policy. | Inline | In inline (IPS) mode, a Layer 2 Engine actively filters traffic. The engine is connected as a “smart cable” between two network devices, such as routers. The engine itself does not route traffic: packets enter through one port, are inspected, and exit through the other port that makes up the pair of Inline Interfaces. Fail-open network interface cards (NICs) can only be used on the Layer 2 Engine if the Failure Mode of the pair of Inline Interfaces is Normal. An inline Layer 2 Engine can also transparently segment networks and control network access.
Layer 2 Engine | Denies everything that is not explicitly allowed in the policy. | Capture (Passive Engine) | In capture (Passive Engine) mode, a Layer 2 Engine listens to network traffic that is replicated to the Layer 2 Engine through port mirroring (switch SPAN ports).
Layer 2 Engine | Denies everything that is not explicitly allowed in the policy. | Passive Inline | A Layer 2 Engine installs inline between two network devices, such as routers and a switch, but does not filter traffic. An inline Layer 2 Engine can be set to Passive Engine mode by configuring the Layer 2 Engine to only log connections.
The same IPS engine can be used for both IPS and IDS operation simultaneously. For example, an IPS engine can be deployed inline to examine traffic from one network to another and capture traffic that stays within each network.
Take the following into consideration when you decide where to install the engines:
- The critical assets to be protected and the potential attack paths.
- The most suitable locations along the attack path for detecting and responding to attack attempts to protect the assets.
- The volume and profile of traffic to be inspected at each location.
Select the engine role based on the way the engine handles inspected traffic:
- Use a Layer 2 Engine if traffic must be denied unless it is explicitly allowed.
- Use an IPS engine if traffic must be allowed unless it is denied.
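The practical consequence of the role choice is what happens to a flow that matches no rule, and the practical consequence of the mode choice is whether a verdict can be enforced at all. The following Python model, added here as an illustration and not code from the product or its vendor, evaluates a constructed first-match rule list under both roles and both modes. The rule format, the `decide` function, and the sample addresses and ports are assumptions made for this example.

```python
"""Model of how engine role (default policy) and interface mode (inline vs
capture) determine the fate of an inspected flow.

Added illustration only; rule syntax, function names and sample flows are
constructed for this example and are not the product's own configuration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src: str                 # source network in CIDR notation
    dst: str                 # destination network in CIDR notation
    dport: Optional[int]     # destination port, None = any port
    action: str              # "allow" or "deny"

# Default policy per role, as stated in the table above:
# an IPS engine allows what is not explicitly denied,
# a Layer 2 Engine denies what is not explicitly allowed.
DEFAULT_ACTION = {"ips": "allow", "layer2": "deny"}

def match_rule(rules, src, dst, dport) -> Optional[Rule]:
    """Return the first rule that matches the flow, scanning top to bottom."""
    for rule in rules:
        if (ip_address(src) in ip_network(rule.src)
                and ip_address(dst) in ip_network(rule.dst)
                and (rule.dport is None or rule.dport == dport)):
            return rule
    return None

def decide(role, mode, rules, src, dst, dport):
    """Compute the policy verdict for a flow and what the engine can enforce.

    role: "ips" or "layer2"; mode: "inline" or "capture".
    In capture mode the engine only sees a replicated copy of the traffic,
    so it can record what the policy says but cannot stop the packets.
    """
    if role not in DEFAULT_ACTION:
        raise ValueError(f"unknown role {role!r}")
    if mode not in ("inline", "capture"):
        raise ValueError(f"unknown mode {mode!r}")
    rule = match_rule(rules, src, dst, dport)
    verdict = rule.action if rule else DEFAULT_ACTION[role]
    source = "rule" if rule else "default policy"
    enforced = verdict if mode == "inline" else "pass-through (logged only)"
    return {"policy_verdict": verdict, "decided_by": source, "enforced": enforced}

# Constructed rule list: same rules are used for both roles below.
RULES = [
    Rule("10.0.0.0/8", "192.0.2.10/32", 443, "allow"),   # HTTPS to one server
    Rule("10.0.0.0/8", "192.0.2.10/32", 23, "deny"),     # telnet explicitly denied
]

if __name__ == "__main__":
    # An unmatched port shows the difference between the two default policies.
    for role in ("ips", "layer2"):
        for mode in ("inline", "capture"):
            for dport in (443, 23, 8080):
                r = decide(role, mode, RULES, "10.1.1.5", "192.0.2.10", dport)
                print(f"{role:7} {mode:8} dport={dport:<5} "
                      f"verdict={r['policy_verdict']:5} by {r['decided_by']:14} "
                      f"enforced={r['enforced']}")
```

Running the block prints a 12-line matrix; the rows for port 8080 are the ones that differ between roles (allowed by the IPS default, denied by the Layer 2 default), and every capture-mode row ends in pass-through regardless of verdict, which is why a capture interface is a detection point rather than an enforcement point.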
The illustration outlines common deployment scenarios for IPS engines in general internal networks and in DMZ networks. Layer 2 Engines can be used in similar scenarios. IPS engines and Layer 2 Engines are not necessarily needed at each of these points in all environments. A single IPS engine or a single Layer 2 Engine can also cover several or even all scenarios simultaneously if the physical setup makes it practical.