PaulDotCom mailing list archives

Re: IPS placement


From: Michael Dickey <lonervamp () gmail com>
Date: Tue, 19 Apr 2011 12:16:39 -0500

I would generally say you want an IPS/IDS anywhere you:
- have a transition between two networks of differing security needs (often next to a firewall or filter)
- have a choked location with traffic that you'd have some security interest in

From my understanding you have 4 general networks: Internet, DMZ, LAN, and
Servers.
You already have an IPS between the Internet and DMZ.
And a second between the LAN (I assume this is where general workstations
are located) and Servers.

1. I wouldn't recommend doubling up different IPS boxes, one behind the
other. You don't really gain anything except an understanding of what one of
the boxes doesn't catch, especially if you're running more in IPS mode than
IDS mode. And even if you gain that knowledge, you'd just want to use the
best box and forget the other one since it is added administrative cost and
an extra fail point.

2. I'd suggest one that inspects traffic between your:
a. DMZ and the Servers, and placed on the Servers network (or even placed in
DMZ network if you want).
b. Or the LAN and your DMZ, and placed on the DMZ network (less noisy).
c. Or the LAN and their Internet route, placed on the LAN.

That's in decreasing order of how *I* would prefer them.

a. Gives you the ability to catch something coming in from the Internet,
owning a DMZ box, and continuing into the backend servers location. This is
doubly nice because something missed by your first IPS covering the
Internet/DMZ segment might be picked up as it moved further in.
b. The LAN is sometimes a cesspool of users, and prone to physical intrusion
with a rogue laptop. I'd want to know if something from that network is
attempting to scan or traverse into my server areas. Or noisily scan my
networks.
c. I'd want to know if something is making attacks outbound, or just doing
something strange outbound. Since egress firewall sets often suck, I'd maybe
rely on an IDS/IPS to give me some ammunition to tighten the firewall or
give warning.

On Mon, Apr 18, 2011 at 4:16 PM, Crest Johanson <shesma () ymail com> wrote:

Hello All,

I'm a bit confused about the placement of a *second* IPS device in the network.
We already have an IPS typically placed behind the FW and before the DMZ. We
purchased another IPS with a high bandwidth from a different vendor and
placed it between the LAN and the server farm. The IPS provides 3 more
segments that we haven't yet utilized. Where do you think we should have the
IPS inspecting? Maybe between the DMZ and the internal server farm? Or
maybe behind the older IPS so that we have an extra layer of protection from
two different IPS vendors?

Hope someone has come across a similar case.

Thanks,

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
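The two placement rules from the reply (inspect every transition between zones of differing security need; don't stack two sensors on the same transition) can be checked mechanically against a zone map. The script below is an added example written for this archive page, not code from either poster: the zone trust levels, the zone-to-zone links (including a LAN-to-DMZ path, which the reply's option b implies) and the sensor names are constructed for illustration. It reports which transitions in the four-zone topology are still uninspected, shows that a box stacked behind the existing firewall/DMZ IPS adds no new coverage, and walks the Internet -> DMZ -> Servers path from option (a) to show which hop each sensor sees.

```python
"""Zone-boundary coverage check for IDS/IPS sensor placement.

Added example, not code from the original thread. It encodes the placement
rules from the reply above: inspect transitions between zones of differing
security needs, and do not stack two sensors on the same transition. Zone
trust levels and links are constructed for the four-zone topology the thread
describes (Internet, DMZ, LAN, Servers).
"""

# Constructed trust levels: higher means more sensitive / more trusted.
ZONES = {"Internet": 0, "DMZ": 1, "LAN": 2, "Servers": 3}

# Constructed zone-to-zone links (undirected), following the thread: the DMZ
# and the LAN both reach the Internet through the firewall, and both the LAN
# and the DMZ have a route into the server farm.
LINKS = [
    ("Internet", "DMZ"),
    ("Internet", "LAN"),
    ("DMZ", "Servers"),
    ("LAN", "Servers"),
    ("LAN", "DMZ"),
]

# Sensors the thread already has (names are constructed): the original IPS
# behind the firewall in front of the DMZ, and the new high-bandwidth IPS
# between the LAN and the server farm.
EXISTING_SENSORS = {
    "ips1-fw-dmz": ("Internet", "DMZ"),
    "ips2-lan-servers": ("LAN", "Servers"),
}


def boundary(a, b):
    """Direction-free key for the transition between two zones."""
    return frozenset((a, b))


def needed_boundaries(zones=ZONES, links=LINKS):
    """Transitions between zones of differing security need (first rule)."""
    return {boundary(a, b) for a, b in links if zones[a] != zones[b]}


def coverage(sensors, zones=ZONES, links=LINKS):
    """Split the needed transitions into uncovered ones and ones watched by
    more than one sensor (the stacked-boxes case the reply argues against)."""
    watched = {}
    for name, (a, b) in sensors.items():
        watched.setdefault(boundary(a, b), []).append(name)
    uncovered = needed_boundaries(zones, links) - set(watched)
    redundant = {b: sorted(n) for b, n in watched.items() if len(n) > 1}
    return uncovered, redundant


def gain_from(existing, candidate_name, candidate_link, zones=ZONES, links=LINKS):
    """Needed transitions that become covered only because of the candidate."""
    before, _ = coverage(existing, zones, links)
    after, _ = coverage({**existing, candidate_name: candidate_link}, zones, links)
    return before - after


def inspected_hops(path, sensors):
    """For a path through zones, list which sensors see each hop.
    An empty list on a hop means that lateral step is not inspected."""
    hops = []
    for a, b in zip(path, path[1:]):
        names = sorted(n for n, (x, y) in sensors.items()
                       if boundary(x, y) == boundary(a, b))
        hops.append((f"{a}->{b}", names))
    return hops


if __name__ == "__main__":
    uncovered, redundant = coverage(EXISTING_SENSORS)
    print("Uncovered transitions:", [sorted(b) for b in uncovered])

    # Option rejected in the reply: a second box behind the first one.
    stacked = gain_from(EXISTING_SENSORS, "ips3-stacked", ("Internet", "DMZ"))
    print("New coverage from stacking behind ips1:", stacked)

    # Option (a): DMZ <-> Servers.
    option_a = gain_from(EXISTING_SENSORS, "ips3-dmz-servers", ("DMZ", "Servers"))
    print("New coverage from option (a):", [sorted(b) for b in option_a])

    # Walk the Internet -> DMZ -> Servers path with option (a) in place.
    with_a = {**EXISTING_SENSORS, "ips3-dmz-servers": ("DMZ", "Servers")}
    for hop, names in inspected_hops(["Internet", "DMZ", "Servers"], with_a):
        print(hop, "inspected by", names or "nobody")
```

The trust numbers only matter in that adjacent zones differ; the model deliberately does not rank the uncovered transitions, since the reply's a/b/c ordering is a judgement about what sits behind each boundary and how noisy the segment is, not something a zone map can derive. Changing `LINKS` to match your own topology and `EXISTING_SENSORS` to your deployed boxes turns the same check into a quick inventory of blind spots.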
