48 Network Intrusion Prevention Design Guide: Using IBM Security Network IPS
Logs
You use the Logs area of the dashboard of your Network IPS appliance to view
system, firewall, and security alert logs. You can filter these lists for specific
keywords and network characteristics and then save your searches for future use.
Diagnostics tools
You use the Diagnostics area of your Network IPS appliance to test
communications and trace IP packets.
Downloads
In the Downloads section, you can view and download log files and packet
captures that are associated with your Network IPS appliance and translate log
file timestamps.
2.2.3 Deployment options
The IBM Security Network IPS appliances can be cabled and configured in
several types of deployment scenarios. For a more detailed description of these
options, including HA scenarios, see Chapter 3, “IBM Security Network IPS
architecture” on page 73. This chapter focuses on introducing some of the
available options.
Inline or passive mode
The IBM Security Network IPS supports three modes of operation:
• Passive monitoring
Passive monitoring mode is similar to a traditional intrusion detection system
(IDS). The appliance sits on a side channel of the production network and
passively listens to and analyzes the traffic through a promiscuous interface. In
this mode, responding to TCP attacks is done manually, by sending TCP reset
packets to both the source and destination hosts to prevent certain attacks.
• Inline simulation
Inline simulation mode acts as a learning mode for an appliance sitting inline
in the network, alerting you about traffic that would otherwise have been
blocked (in inline protection mode). Organizations often use this mode to
ensure that no false positives are blocking valid traffic before converting to
inline protection mode.
• Inline protection
Inline protection mode also sits inline on the wire. However, it actively blocks
malicious and unwanted traffic according to the security policy that has been
applied, without user intervention being required. The malicious packets are
not allowed to traverse the IBM Security Network IPS and are unable to reach
their target.
Chapter 2. Introducing the IBM Security Network IPS solution 49
Figure 2-9 illustrates these three modes of operation.
Figure 2-9 Three modes of operation for the IBM Security Network IPS
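The inline simulation mode described above exists so that "would have blocked" alerts can be checked against known-valid traffic before cutting over to inline protection. The following added example, not from the IBM guide or the appliance's own software, models that pre-cutover review: the alert record layout, the allowlisted flows, and the sample alerts are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class SimAlert:
    """One alert raised in inline simulation mode (constructed record layout)."""
    src: str
    dst: str
    dport: int
    proto: str
    signature: str
    would_block: bool  # True = inline protection mode would have dropped it


# Constructed: flows the business relies on and that must never be blocked.
KNOWN_GOOD_FLOWS = [
    ("10.10.0.0/16", "10.20.5.0/24", 443, "tcp"),    # users -> web tier
    ("10.10.0.0/16", "10.20.9.10/32", 1433, "tcp"),  # app -> database
]

# Constructed sample of alerts collected while running in simulation mode.
SIM_ALERTS = [
    SimAlert("10.10.3.4", "10.20.5.7", 443, "tcp", "HTTP_Long_Header", True),
    SimAlert("10.10.3.9", "10.20.9.10", 1433, "tcp", "SQL_Odd_Login", True),
    SimAlert("198.51.100.2", "10.20.5.7", 443, "tcp", "SSL_Bad_Handshake", True),
    SimAlert("10.10.3.4", "10.20.5.7", 443, "tcp", "HTTP_Probe", False),
]


def in_known_good(alert, flows=KNOWN_GOOD_FLOWS):
    """True if the alert's source, destination, port and protocol fall inside
    one of the allowlisted flows."""
    src, dst = ip_address(alert.src), ip_address(alert.dst)
    return any(
        src in ip_network(s) and dst in ip_network(d)
        and alert.dport == port and alert.proto == proto
        for s, d, port, proto in flows
    )


def assess_cutover(alerts, flows=KNOWN_GOOD_FLOWS):
    """Summarise what inline protection mode would have dropped and which of
    those drops hit known-good flows (signatures to tune before cutover)."""
    would_block = [a for a in alerts if a.would_block]
    suspect = {}
    for a in would_block:
        if in_known_good(a, flows):
            suspect[a.signature] = suspect.get(a.signature, 0) + 1
    return {"would_block": len(would_block),
            "tune_before_cutover": suspect,
            "ready": not suspect}
```

Signatures listed under `tune_before_cutover` are the ones that would have interrupted legitimate traffic; the policy is adjusted and the simulation repeated until the summary reports `ready`.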
Passive monitoring mode can be used with the TCP_Reset port on the IBM
Security Network IPS appliances. Together they can block certain types of attacks
that use TCP as the transport-layer protocol in situations where it is not physically
possible to place a Network IPS appliance between two devices, for example a
TCP session between two hosts on the same Layer 2 switch.
Figure 2-10 shows a cabling diagram that illustrates this type of passive
deployment scenario.
Figure 2-10 Cabling overview of a network IPS in passive monitoring mode
You can use passive monitoring mode and connect one of the available monitoring
ports on the IBM Security Network IPS to a SPAN port on that switch and the
TCP_Reset port to another available port on the same switch. This way, TCP
sessions between the two hosts that are deemed to be malicious can be reset.
The IBM Security Network IPS is a preconfigured appliance. It operates
effectively by using an easily integrated configuration, whether it is deployed in
passive monitoring, inline simulation, or inline protection mode.
High availability
IBM Security Network IPS models GX5008 and later support several types of HA
network setups. They can operate in active/active or active/passive networks.
Since the release of firmware 4.1, they also work in geographically dispersed HA
setups. For more information about possible HA deployment models, see 3.4,
“High availability” on page 97.
The IBM Security Network IPS appliances rely on existing networking equipment
to determine when to fail over and how to orchestrate failover. They do not
participate in the Virtual Router Redundancy Protocol (VRRP) or Hot Standby
Router Protocol (HSRP).
Most networks sense failure by a lack of link state. To support this capability, the
IBM Security Network IPS has link state propagation enabled by default. If the link
goes down on one side of the appliance, the link on the other side is automatically
taken down. This behavior can be changed through configuration options.