Chapter 4. IBM Security Network IPS solution design and management 117
4.3.3 Active/passive HA deployments
Because no traffic flows across the passive link during normal operation, there is no asymmetric traffic, so port mirroring is not required to handle that scenario. An attack can, however, span the failover process: it can start over the active link and continue over the secondary link after failover. This scenario is similar to the active/active scenario illustrated in Figure 4-6 on page 116.
If the active/passive configuration does not use port mirroring, the two IBM Security Network IPS devices do not need to be deployed in close physical proximity.
4.3.4 Geographical HA deployments
The geographical HA type is supported by the IBM Security Network IPS since firmware version 4.x. Before choosing it, an organization must be aware of the following limitations:
- When geographical HA is used, the operational security team must adjust the policy. Standard block responses do not work across IPS devices deployed in geographical HA mode, so the block responses on the signatures must be changed to quarantine blocks.
- Additional quarantine responses might be needed.
- Trusting the X-Force recommended settings does not provide blocking for future signature updates, because the block responses that those updates introduce must be converted to quarantine responses manually.
- Geographical HA blocking by address, port, or both has a limitation with NAT traffic. Consider an organization that exchanges NAT traffic with a business partner and has a malware-infected machine behind the NAT. Because many hosts share the NAT address, a geographical HA block might stop all traffic on a port from that partner's address, good and bad alike.
4.3.5 External bypass units
The IBM Security Network Active Bypass unit keeps the communications session flowing when the IPS in front of it stops responding. The active bypass unit can be configured to switch from inline (active) mode to bypass mode after a configurable number (1 – 10) of heartbeats between the bypass unit and the IBM Security Network IPS is lost. The fastest way to switch to bypass mode is to configure heartbeat=1. In addition, you can configure the maximum time allowed between accepted heartbeats, in the range 100 – 25500 ms.
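To make the two thresholds concrete, the following is an added Python model of a heartbeat-driven bypass decision under the parameters the text names. It is not IBM code and not the bypass unit's firmware: it assumes the unit counts consecutive heartbeats that fail to arrive within the configured maximum interval to decide on bypass, and consecutive accepted heartbeats to return inline. The class and function names and the sample heartbeat timelines are constructed for illustration.

```python
"""Heartbeat-driven bypass state machine: an added model, not IBM code.

Assumptions (constructed for illustration, not taken from the product):
  * the unit expects one heartbeat from the IPS every max_interval_ms;
    a heartbeat that has not arrived by that deadline counts as lost
  * lost_threshold consecutive lost heartbeats switch inline -> bypass
  * recover_threshold consecutive accepted heartbeats switch bypass -> inline
Parameter ranges follow the text: 1-10 heartbeats, 100-25500 ms.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class BypassUnit:
    lost_threshold: int       # heartbeats lost before switching to bypass (1-10)
    recover_threshold: int    # heartbeats received before going back inline (1-10)
    max_interval_ms: int      # maximum gap between accepted heartbeats (100-25500)
    mode: str = "inline"
    lost: int = 0             # consecutive lost heartbeats
    received: int = 0         # consecutive accepted heartbeats
    transitions: List[Tuple[int, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        for n in (self.lost_threshold, self.recover_threshold):
            if not 1 <= n <= 10:
                raise ValueError("heartbeat thresholds must be 1-10")
        if not 100 <= self.max_interval_ms <= 25500:
            raise ValueError("max heartbeat interval must be 100-25500 ms")

    def heartbeat_accepted(self, at_ms: int) -> None:
        self.lost = 0
        self.received += 1
        if self.mode == "bypass" and self.received >= self.recover_threshold:
            self.mode = "inline"
            self.transitions.append((at_ms, "inline"))

    def heartbeat_lost(self, deadline_ms: int) -> None:
        self.received = 0
        self.lost += 1
        if self.mode == "inline" and self.lost >= self.lost_threshold:
            self.mode = "bypass"
            self.transitions.append((deadline_ms, "bypass"))


def simulate(unit: BypassUnit, beats_ms: List[int], end_ms: int) -> List[Tuple[int, str]]:
    """Replay sorted heartbeat arrival times (ms from start) and return the
    (time, new_mode) transitions the unit made up to end_ms."""
    deadline = unit.max_interval_ms      # first heartbeat is due one interval after start
    i = 0
    while True:
        nxt: Optional[int] = beats_ms[i] if i < len(beats_ms) else None
        if nxt is not None and nxt <= deadline:
            unit.heartbeat_accepted(nxt)   # arrived in time: next deadline counts from it
            deadline = nxt + unit.max_interval_ms
            i += 1
        elif deadline <= end_ms:
            unit.heartbeat_lost(deadline)  # deadline passed with no heartbeat
            deadline += unit.max_interval_ms
        else:
            return unit.transitions


def worst_case_bypass_delay_ms(lost_threshold: int, max_interval_ms: int) -> int:
    """Longest time a failed IPS keeps inline traffic stalled before the unit
    switches to bypass: each of the threshold heartbeats can be missed by a
    full interval."""
    return lost_threshold * max_interval_ms


# Scenario 1 (constructed): the IPS stops heartbeating after 3 s and comes
# back at 9 s. With 3 lost heartbeats at a 1000 ms interval the unit bypasses
# at 6 s and, after 2 accepted heartbeats, is back inline at 10 s.
def scenario_outage() -> List[Tuple[int, str]]:
    unit = BypassUnit(lost_threshold=3, recover_threshold=2, max_interval_ms=1000)
    return simulate(unit, [1000, 2000, 3000, 9000, 10000, 11000], end_ms=12000)


# Scenario 2 (constructed): heartbeat=1 in both directions. One heartbeat that
# is 100 ms late fails the unit open and the next one closes it again: fast,
# but it flaps on a single glitch.
def scenario_flap() -> List[Tuple[int, str]]:
    unit = BypassUnit(lost_threshold=1, recover_threshold=1, max_interval_ms=1000)
    return simulate(unit, [1000, 2000, 3100, 4000], end_ms=4500)


if __name__ == "__main__":
    print("outage:", scenario_outage())
    print("flap:  ", scenario_flap())
    print("worst case at heartbeat=1, 100 ms:", worst_case_bypass_delay_ms(1, 100), "ms")
    print("worst case at heartbeat=10, 25500 ms:", worst_case_bypass_delay_ms(10, 25500), "ms")
```

Bypass mode passes traffic around the IPS uninspected, so the two settings are a trade-off: heartbeat=1 with a short interval gives the shortest stall during a real failure, but, as the second scenario shows, a single late heartbeat also fails the link open; a higher count or a longer interval filters such glitches at the cost of up to threshold times interval (255 s at the maximum values) of stalled traffic before bypass engages.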
For the bypass unit to switch back to inline (active) mode, you can configure the same kind of threshold, a number (1 – 10) of heartbeats. When you set heartbeat=1,