Transparent Mode Overview

The following sections give an overview of transparent mode deployments:

Topology

Figure 3 shows a basic topology for a transparent mode deployment.

Figure 3: Network Diagram: Transparent Mode


In transparent mode, you deploy the IDP Series device in the path of network traffic. You connect the IDP Series device traffic interfaces directly to network devices, such as firewalls or switches. You do not have to configure the firewall or switch devices to be aware of the IDP Series device.

Purpose

You deploy an IDP Series device in transparent mode when you are ready to take action against network attacks. In transparent mode, the IDP Series device drops or forwards traffic according to your configuration and IDP security policy. In particular:

Link Aggregation

In a transparent mode deployment, link aggregation and asymmetric routes are also transparent to the IDP Series device. In other words, you do not need to perform any special configuration on either the IDP Series device or surrounding network device to handle these cases.

In Figure 4, Switch 1 passes traffic with Switch 2 and Switch 3. Assume VLAN 10 is the path Switch 1: Port 1 and Switch 2: Port 4; VLAN 20 is the path Switch 1: Port 2 and Switch 3: Port 5; and VLAN 30 is the path Switch 1: Port 3 and Switch 3: Port 6.

The IDP Series device does not affect how your network handles link aggregation. In the example above with 3 network paths, you can aggregate switch interfaces and throughput so that one or all three paths are used, as long as the throughput is not greater than the maximum supported by the IDP Series device.

The IDP Series device handles asymmetric routes transparently. Let’s consider an HTTP transaction where the client request traverses Switch 1: Port 1 > eth3 > eth2 > Switch 2: Port 4 and ultimately to a Web server farm. Assume the Web servers are load balanced in such a way that the server response traverses Switch 3: Port 5 > eth4 > eth5 > Switch 1: Port 2 to the client. Because the IDP Series virtual routers belong to one subscriber, the flow and security policy modules are aware that these client-to-server and server-to-client segments belong to the same session. If an attack is detected in a client-to-server flow, and the rule action is to close the client and server connection, then the client-side RST packet is sent through eth2 and the server-side RST packet is sent through eth3. Likewise, if the attack detected belongs to a server-to-client flow, then the client-side RST packet is sent through eth4, and the server-side RST packet is sent through eth5.
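The following is an added illustration, not Juniper code, of the session-correlation behaviour the paragraph above describes: both directions of a flow are keyed to one session regardless of which interface pair carried them, and when a rule closes the connection, the RST carrying the client's addressing leaves through the interface facing the server and the RST carrying the server's addressing leaves through the interface facing the client, on the pair that carried the offending flow. The interface pairs (eth2/eth3, eth4/eth5), the `FlowTable` and `reset_plan` names, and the sample addresses are assumptions constructed for the example.

```python
"""Model of how an inline device correlates an asymmetric session.

Added illustration modeled on the text's description; not the IDP Series
implementation. Interface pairing, session-table layout and the RST
placement rule are assumptions derived from the example in the document.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed interface pairs ("virtual routers"): a frame entering one member
# of a pair is forwarded out of the other member.
VIRTUAL_ROUTERS: Dict[str, str] = {
    "eth2": "eth3", "eth3": "eth2",
    "eth4": "eth5", "eth5": "eth4",
}

Endpoint = Tuple[str, int]
SessionKey = Tuple[str, Endpoint, Endpoint]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    ingress: str  # interface on which the packet entered the device


def session_key(pkt: Packet) -> SessionKey:
    """Direction-independent key so both halves of a flow map to one session."""
    a: Endpoint = (pkt.src_ip, pkt.src_port)
    b: Endpoint = (pkt.dst_ip, pkt.dst_port)
    lo, hi = sorted([a, b])
    return (pkt.proto, lo, hi)


class FlowTable:
    def __init__(self) -> None:
        # key -> {"client": endpoint, "server": endpoint,
        #         "c2s": (ingress, egress) | None, "s2c": (ingress, egress) | None}
        self.sessions: Dict[SessionKey, dict] = {}

    def observe(self, pkt: Packet) -> str:
        """Record the packet's direction and the interface pair it used; return the direction."""
        if pkt.ingress not in VIRTUAL_ROUTERS:
            raise ValueError(f"{pkt.ingress} is not a member of any interface pair")
        key = session_key(pkt)
        sess = self.sessions.get(key)
        if sess is None:
            # The first packet seen defines the client (its source) and the server.
            sess = {"client": (pkt.src_ip, pkt.src_port),
                    "server": (pkt.dst_ip, pkt.dst_port),
                    "c2s": None, "s2c": None}
            self.sessions[key] = sess
        direction = "c2s" if (pkt.src_ip, pkt.src_port) == sess["client"] else "s2c"
        # A different pair for the reverse direction is the asymmetric-route case;
        # it is simply recorded, with no special handling.
        sess[direction] = (pkt.ingress, VIRTUAL_ROUTERS[pkt.ingress])
        return direction

    def reset_plan(self, key: SessionKey, detected_direction: str) -> Dict[str, str]:
        """Interface through which each RST leaves when an attack is detected in one direction.

        The client-side RST (client's addressing) goes toward the server, the server-side
        RST (server's addressing) toward the client, both on the pair that carried the flow.
        """
        path: Optional[Tuple[str, str]] = self.sessions[key][detected_direction]
        if path is None:
            raise KeyError(f"no {detected_direction} traffic seen yet for this session")
        ingress, egress = path
        if detected_direction == "c2s":
            client_facing, server_facing = ingress, egress
        else:
            client_facing, server_facing = egress, ingress
        return {"client_side_rst": server_facing, "server_side_rst": client_facing}


def demo() -> Dict[str, Dict[str, str]]:
    """Replay the text's HTTP example: request via eth3 > eth2, response via eth4 > eth5."""
    table = FlowTable()
    request = Packet("10.0.0.5", 40000, "192.0.2.10", 80, "tcp", "eth3")    # constructed sample
    response = Packet("192.0.2.10", 80, "10.0.0.5", 40000, "tcp", "eth4")   # constructed sample
    table.observe(request)
    table.observe(response)
    key = session_key(request)
    return {"attack_in_c2s": table.reset_plan(key, "c2s"),
            "attack_in_s2c": table.reset_plan(key, "s2c")}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reproduces the two cases in the text: an attack in the client-to-server flow yields a client-side RST on eth2 and a server-side RST on eth3, while an attack in the server-to-client flow yields eth4 and eth5 respectively. The point of the model is that the reverse direction arriving on a different interface pair requires nothing beyond recording which pair it used.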

Limitations

Table 6 lists the features and limitations of transparent mode.

Table 6: Transparent Mode: Features and Limitations

Features:
  • Simple, transparent deployment
  • No changes to routing tables or network equipment
  • Supports all IDP security policy rulebases and all rule actions
  • Optionally passes through Layer 2 traffic
  • Passes through non-IP and non-ARP traffic
  • Passes through heartbeats used in deployments with an external bypass unit
  • Passes through bridge protocol data unit (BPDU) packets used in deployments with Spanning Tree Protocol (STP)
  • Internal bypass, flow bypass under congestion, and autorecovery features minimize the risk that the IDP Series appliance will be a point of failure

Limitations:
  • Cannot connect IP networks with different address spaces

Configuration Overview

You enable transparent mode with the Appliance Configuration Manager (ACM). With ACM, you configure a deployment mode for each pair of interfaces. (In ACM, a pair of interfaces is referred to as a virtual router.)

Figure 5 shows the ACM Configure Virtual Routers page.

Figure 5: ACM Configure Virtual Routers Page


Related Documentation