Installation guide
CHAPTER 5
Determining optimal Sensor location
The previous section is mostly intended as a point of reference. The good news is that
the McAfee® Network Security Platform failover process is often identical, whether the
network failover configuration is active-active, with or without asymmetric routing,
active-passive, or even made up of a single path.
The details are as follows:
• Both McAfee® Network Security Sensors (Sensors) in a failover Pair are always in an
active state. In this way, they are sure to protect a network on which the redundant
path is active.
• However, such an approach does not preclude the Sensors from protecting a network
on which the Secondary path is passive; the Sensor on the passive path will simply
have little or no flow information to pass to its counterpart.
• Sensors in a failover Pair scan independently, but use the information they share with
each other during the scanning process. In this way, if a flow happens to be
asymmetrically routed across both Sensors, each Sensor will end up with the full flow.
Redundant Sensors on redundant paths
Determining the optimal physical location for the Sensors on a redundant network is
usually quite obvious. If you ignore the idea of McAfee Network Security Platform failover
for a moment, the rule of thumb for Sensor placement is to install the Sensor along the
same boundaries of trust that often guide firewall placement. In fact, most Sensor
installations are either directly inside or directly outside the company firewall. Of course,
like a firewall, a Sensor can be used deep inside an enterprise to isolate one segment of
the network from the next.