IDS mailing list archives

Re: location of an IPS


From: "Kurt Seifried" <bt () seifried org>
Date: Wed, 19 Oct 2005 22:13:46 -0600

> I'm sorry for this dumb question, which may have been answered many times.
>
> Where should one place a TippingPoint Unity 50 IPS device? Behind or in front of a firewall?

Depends what you want to measure. Broadly speaking, in front of the firewall means you're measuring attempts, behind the firewall they are penetrations (or do both and then compare them, that way you can actually tell management "look, we're stopping 90% of detected attacks, now would you please let me tighten the firewall rules so that's 100%?" or something). One thing to remember is to look for outgoing attacks as well, that's a good indication of a compromised host or a hostile user.

> I have a/the TippingPoint behind a Check Point firewall. Even though we externally and internally port-scanned the firewall and the IPS many times, the activity log did not contain any record of the "attacks".

On the one hand good, that would have been a false positive technically speaking, otoh that's bad, it probably should have alerted on that (even if it is a false positive). Sounds like you need to sit down and do the setup/configuration/alerting/whatnot (aka the hard parts of IDS/IPS). Broadly speaking you're saying "it's broken", to which I can only say "bummer. try fixing it."

> What am I missing here? Any pointers are appreciated.
>
> Thanks,

The dreaded C word comes to mind (consultant). If your company lacks the expertise to set this up, buy someone's time who does.

-Kurt
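
The comparison described in the reply above, as an added example (not part of the original post and not TippingPoint or Check Point tooling): it matches alerts from a sensor in front of the firewall against alerts from a sensor behind it to get the stopped fraction, and counts alerts sourced from internal hosts. The alert fields, the sample records, the 10.0.0.0/8 internal range and the no-NAT assumption are all constructed for illustration.

```python
import ipaddress
from collections import Counter

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: internal range

# Constructed sample alerts (not real data). "outside" = sensor in front of the
# firewall, "inside" = sensor behind it. Assumes no NAT, so addresses match.
ALERTS = [
    {"sensor": "outside", "src": f"203.0.113.{i}", "dst": "10.0.0.20",
     "dport": 445, "sig": "smb-probe"}
    for i in range(1, 11)
] + [
    # One probe that the firewall let through to the inside sensor.
    {"sensor": "inside", "src": "203.0.113.7", "dst": "10.0.0.20",
     "dport": 445, "sig": "smb-probe"},
    # Alerts sourced from an internal host towards the outside.
    {"sensor": "inside", "src": "10.0.0.31", "dst": "198.51.100.9",
     "dport": 22, "sig": "ssh-bruteforce"},
    {"sensor": "inside", "src": "10.0.0.31", "dst": "198.51.100.10",
     "dport": 22, "sig": "ssh-bruteforce"},
]

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET

def flow_key(alert):
    # Identity used to recognise the same event on both sensors.
    return (alert["src"], alert["dst"], alert["dport"], alert["sig"])

def summarize(alerts):
    inbound = [a for a in alerts if not is_internal(a["src"])]
    attempts = {flow_key(a) for a in inbound if a["sensor"] == "outside"}
    passed = {flow_key(a) for a in inbound if a["sensor"] == "inside"}
    stopped = attempts - passed
    outgoing = Counter(a["src"] for a in alerts
                       if is_internal(a["src"]) and not is_internal(a["dst"]))
    return {
        "attempts": len(attempts),
        "penetrations": len(passed),
        # None when the outside sensor logged nothing: no ratio to report.
        "stopped_ratio": len(stopped) / len(attempts) if attempts else None,
        # Seen inside but never outside: points at a gap in the outside sensor.
        "inside_only": sorted(passed - attempts),
        "outgoing_by_host": dict(outgoing),
    }

if __name__ == "__main__":
    print(summarize(ALERTS))
```

A `stopped_ratio` of `None` on a network that was just port-scanned is the situation the original poster describes: the sensor logged nothing, so there is nothing to compare until alerting is configured.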

