Firepower 7000 and 8000 Series Installation Guide
Chapter 3
Deploying Firepower Managed Devices
After you register a device to a Firepower Management Center, you deploy the sensing interfaces of the
device on a network segment to monitor traffic using an intrusion detection system or protect your
network from threats using an intrusion prevention system.
Note: See the ASA documentation for more information on deployment scenarios for ASA FirePOWER
devices.
For additional information about deployments, consult the Best Practices Guide, available from the
Cisco sales department.
Sensing Deployment Considerations
Your sensing deployment decisions will be based on a variety of factors. Answering these questions can
help you understand the vulnerable areas of your network and clarify your intrusion detection and
prevention needs:
• Will you be deploying your managed device with passive or inline interfaces? Does your device
support a mix of interfaces, some passive and others inline? See Understanding Sensing Interfaces,
for more information.
• How will you connect the managed devices to the network? Hubs? Taps? Spanning ports on
switches? Virtual switches? See Connecting Devices to Your Network, page 3-4 for more
information.
• Do you want to detect every attack on your network, or do you only want to know about attacks that
penetrate your firewall? Do you have specific assets on your network such as financial, accounting,
or personnel records, production code, or other sensitive, protected information that require special
security policies? See for more information.
• Will you use multiple sensing interfaces on your managed device to recombine the separate
connections from a network tap, or to capture and evaluate traffic from different networks? Do you
want to use the multiple sensing interfaces to perform as a virtual router or a virtual switch? See
Using Multiple Sensing Interfaces on a Managed Device, page 3-16 for more information.
• Do you provide VPN or modem access for remote workers? Do you have remote offices that also
require an intrusion protection deployment? Do you employ contractors or other temporary
employees? Are they restricted to specific network segments? Do you integrate your network with
the networks of other organizations such as customers, suppliers, or business partners? See
Network Deployments, page 3-18 for more information.