INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

Member Login

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips now!

Talk With Other Members
Be Notified Of Responses
To Your Posts
Keyword Search
One-Click Access To Your
Favorite Forums
Automated Signatures
On Your Posts
Best Of All, It's Free!

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

LINK TO THIS FORUM!

Tek-Tips LinkedIn^® Group

Join our
LinkedIn^® Group!

Hook up with past and present colleagues and classmates quickly.

Partner With Us!

"Best Of Breed" Forums Add Stickiness To Your Site

(Download This Button Today!)

Feedback

"...I signed up to your site to get help with a problem and I am so glad I did. I found the help I needed immediately. Thanks to all who contribute to your site..."

More...

Geography

Where in the world do Tek-Tips members come from?

Click Here To Find Out!

Tek-Tips Shirts!

Get your
Tek-Tips Forums
SWAG here!

Home > Forums > MIS/IT > Security Solutions > NetScreen solutions Forum

SSG-140 configuration question with a IPS device

Read More Threads Like This One

mlchris2 (TechnicalUser)

8 Feb 11 15:46

I have a SSG-140 that I have been running for months. As part of a network upgrade, I am required to install a IPS device (Nitro 1225) and Im having some trouble with the IPS device returning false positives. After some discussion with the IPS support guys, it's because of how it's connected to my network. I need some help figuring how to get a SSG-140 configured.

Below is direct from the install documentation of the IPS;

"You must locate the IPS device between the trusted and untrusted sides of your network. The trusted side of your network is the side of your network you wish to protect, whereas the untrusted side is the side you intend to leave unprotected. For example, you could locate your IPS between your firewall (untrusted side) and your switch (trusted side). Because network
configurations vary greatly, your selection of location depends on your individual security requirements and network environment."

Here is how I have it connected to my network (I didn't set this up, i came into the network with it being configured...);

ISP connection is coming from a DMARC extension to my switch -> from switch to port 0/2 on SSG-140 -> from port 0/0 on SSG-140 to the "untrusted" port on my IPS -> from the "trusted" port on my IPS to port on switch.

Here is the interfaces on my SSG-140;

NAME        - IP               - ZONE  - TYPE
ethernet0/0 - 192.168.100.1/24 - Trust     Layer3 (local subnent)
ethernet0/1 - 192.168.200.1/24 - Trust     Layer3 (subnet for phones)
ethernet0/2 - 66.232.69.66/28  - Untrust Layer3 (Public/ISP)
ethernet0/3 - 192.168.101.1/24 - Trust     Layer3 (branch office subnet)
ethernet0/4 - 0.0.0.0/0        - Null     Unused
ethernet0/5 - 0.0.0.0/0        - Null     Unused
ethernet0/6 - 0.0.0.0/0        - Null     Unused
ethernet0/7 - 10.1.254.1/24    - Trust     Layer3 (branch office subnet)
ethernet0/8 - 0.0.0.0/0        - Null     Unused
ethernet0/9 - 0.0.0.0/0        - Null   Unused
tunnel.1    - unnumbered       - Untrust     Tunnel
tunnel.2    - unnumbered       - Untrust     Tunnel
tunnel.3    - unnumbered       - Untrust     Tunnel
tunnel.4    - unnumbered       - Untrust     Tunnel
tunnel.5    - unnumbered       - Untrust     Tunnel
tunnel.6    - unnumbered       - Untrust     Tunnel
tunnel.7    - unnumbered       - Untrust     Tunnel
vlan1         - 0.0.0.0/0        - VLAN     Layer3

Okay, now my question... Is this the best or configuration of the SSG? If not how would you suggest I configure it?

I was thinking instead of plugging the connection from my ISP into my switch, plug it right into port 0/2 on the SSG-140? To me it is silly it's plugged into the switch then to the SSG...

Mark C.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members!

Back To Forum

Back To NetScreen solutions