Security Basics mailing list archives

RE: IPS vs Firewall


From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Wed, 12 May 2004 15:19:51 -0700


    IPS is a device that monitors traffic for specific attack patterns
and unusual behavior patterns and takes action. Unlike an IDS, an IPS box is
not a passive unit, but is intended to act when it discovers a problem.
Because of their nature, IPS units need to be less sensitive than IDS
units because they shape traffic instead of just observing it. IDS units
are obsessive little buggers and can be extremely sensitive, seeing as they
only monitor traffic. An IPS unit is there to monitor traffic and act
when it finds something suspicious, unlike a firewall that works by
blocking everything but what you've said is ok.

Q: Would you place an IPS box outside your firewall?
A: No. That's unnecessary and unneeded. A firewall is usually a network
edge box or a gateway box. Its job is to secure one zone from others
(LAN from a WAN and/or DMZ). The firewall will block all data that it
hasn't been told is ok. There is no need to update definitions or fine
tune the box (unless you change something on your net); it just works.
Sure, firewalls have bugs, some of which can be major, but so do IPS
boxes; nothing's perfect. If you want to monitor traffic on your WAN
interface, place an IDS box there with a receive-only cable on it, far
less intrusive and far more effective. Don't waste time and energy
protecting the protector.

Q: Would you place an IPS box in your DMZ?
A: Yes. An IPS box that's routing between the DMZ servers and the firewall
is in a good spot. Because the DMZ boxes communicate with your LAN via the
firewall, you need to both inspect and act on data at this point. The IPS
box would monitor communications from your DMZ servers and, if one of
them has been hijacked, it can act. The firewall just knows it's
supposed to let traffic from that host go to this host; it doesn't know
what the payload is. That's where an IPS box comes in.

Q: Would you place an IPS box behind your firewall in your LAN?
A: Yes. This is another good spot to monitor traffic leaving your LAN
and coming into your LAN. Another good spot would be in front of any WAN
routers (Frame, ATM, etc.) that connect remote sites or even other
companies into your LAN.

Q: Where could you use an IDS box?
A: Everywhere you place an IPS box, and more. IPSs haven't made IDSs
irrelevant; they have just made the picture more complete. I use IDS
boxes to monitor traffic all over my network. Sometimes I just can't let
a system automatically kill traffic; other times it's just not
safe/easy/warranted to place an IPS box somewhere.

Think of an IPS box as an internal security unit rather than a perimeter or
external security unit. You want your IPS box to shape traffic to some
degree, but you don't want it doing it all the time like a firewall does.
If your IPS is blocking all traffic but some, then it's more of a
firewall than an IPS box.

An IPS system is like if a firewall and an IDS box had a kid. It listens
like an IDS but can act like a firewall. Sorry for being late on this
one, been slammed at work. I hope it's useful to someone.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521

www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338 
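As an added example that is not part of Shawn's post (nor code from Horizon USA), the Python sketch below models the three behaviors the post contrasts: a default-deny firewall that only looks at source zone, destination host and port; a passive IDS that alerts on any signature match; and an inline IPS that drops only on high-confidence matches, so it is deliberately less sensitive than the IDS. The zones, hosts, signatures, confidence values and thresholds are all assumptions made up for the example, and the packets are constructed, including the "hijacked DMZ web server" case where the firewall allows the host-to-host flow but the IPS drops the payload.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Hypothetical zones and hosts, assumed for the example (not from the post).
LAN = ipaddress.ip_network("10.0.0.0/8")
DMZ = ipaddress.ip_network("172.16.0.0/24")
WEB_SERVER = "172.16.0.10"   # DMZ web server
DB_SERVER = "10.0.5.20"      # LAN database the web server is allowed to reach

# Firewall: allow-list of (source network, destination host, destination port).
# Anything not listed is denied; the payload is never examined.
ALLOW_RULES = [
    (LAN, WEB_SERVER, 80),
    (DMZ, DB_SERVER, 3306),
]

# Signatures: (name, pattern over the payload, confidence 0..1). Constructed for the example.
SIGNATURES = [
    ("sql-union-select", re.compile(rb"union\s+select", re.IGNORECASE), 0.9),
    ("path-traversal", re.compile(rb"\.\./"), 0.7),
    ("etc-passwd-string", re.compile(rb"/etc/passwd"), 0.4),
]

# The IDS alerts on nearly anything; the IPS acts only on high-confidence matches,
# because a false positive inline means dropping legitimate traffic.
IDS_THRESHOLD = 0.3
IPS_THRESHOLD = 0.8


def firewall(pkt: Packet) -> str:
    """Default-deny: 'allow' only if some rule matches src zone, dst host and port."""
    src = ipaddress.ip_address(pkt.src)
    for net, host, port in ALLOW_RULES:
        if src in net and pkt.dst == host and pkt.dport == port:
            return "allow"
    return "deny"


def signature_hits(pkt: Packet) -> list[tuple[str, float]]:
    """All signatures whose pattern appears in the payload, with their confidence."""
    return [(name, conf) for name, pat, conf in SIGNATURES if pat.search(pkt.payload)]


def ids(pkt: Packet) -> list[str]:
    """Passive sensor on a tap: returns alert names, never changes the packet's fate."""
    return [name for name, conf in signature_hits(pkt) if conf >= IDS_THRESHOLD]


def ips(pkt: Packet) -> str:
    """Inline sensor: 'drop' only when a signature clears the higher IPS threshold."""
    if any(conf >= IPS_THRESHOLD for _, conf in signature_hits(pkt)):
        return "drop"
    return "pass"


def inspect_packet(pkt: Packet) -> dict:
    """Run one packet past the IDS tap, through the inline IPS and then the firewall.
    It is delivered only if the IPS passes it and the firewall allows it."""
    fw = firewall(pkt)
    verdict = ips(pkt)
    return {
        "firewall": fw,
        "ids_alerts": ids(pkt),
        "ips": verdict,
        "delivered": fw == "allow" and verdict == "pass",
    }


# Constructed traffic, one packet per scenario discussed in the post.
TRAFFIC = [
    Packet("10.0.1.5", WEB_SERVER, 80, b"GET / HTTP/1.1"),                    # normal browsing
    Packet("203.0.113.7", DB_SERVER, 3306, b""),                              # WAN host poking the DB
    Packet(WEB_SERVER, DB_SERVER, 3306,
           b"SELECT name FROM users UNION SELECT user,password FROM mysql.user"),  # hijacked DMZ box
    Packet("10.0.1.5", WEB_SERVER, 80, b"GET /view?file=/etc/passwd HTTP/1.1"),  # suspicious, not certain
]

if __name__ == "__main__":
    for pkt in TRAFFIC:
        print(f"{pkt.src:>13} -> {pkt.dst}:{pkt.dport}  {inspect_packet(pkt)}")
```

The fourth packet is the one to look at when tuning: the IDS raises an alert on the weak `/etc/passwd` signature, while the IPS lets it through because 0.4 is below its 0.8 threshold. Lowering IPS_THRESHOLD to match the IDS would turn every weak alert into a dropped connection, which is exactly the "obsessive little bugger" behavior you can tolerate on a tap but not inline.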
