PaulDotCom mailing list archives
Re: IPS placement
From: Michael Dickey <lonervamp () gmail com>
Date: Tue, 19 Apr 2011 12:16:39 -0500
I would generally say you want an IPS/IDS anywhere you:
- have a transition between two networks of differing security needs (often next to a firewall or filter)
- have a choked location with traffic that you'd have some security interest in

From my understanding you have 4 general networks: Internet, DMZ, LAN, and Servers. You already have an IPS between the Internet and DMZ. And a second between the LAN (I assume this is where general workstations are located) and Servers.

1. I wouldn't recommend doubling up different IPS boxes, one behind the other. You don't really gain anything except an understanding of what one of the boxes doesn't catch, especially if you're running more in IPS mode than IDS mode. And even if you gain that knowledge, you'd just want to use the best box and forget the other one since it is added administrative cost and an extra fail point.

2. I'd suggest one that inspects traffic between your:
   a. DMZ and the Servers, and placed on the Servers network (or even placed in DMZ network if you want).
   b. Or the LAN and your DMZ, and placed on the DMZ network (less noisy).
   c. Or the LAN and their Internet route, placed on the LAN.

That's in decreasing order of how *I* would prefer them.

a. Gives you the ability to catch something coming in from the Internet, owning a DMZ box, and continuing into the backend servers location. This is doubly nice because something missed by your first IPS covering the Internet/DMZ segment might be picked up as it moved further in.

b. The LAN is sometimes a cesspool of users, and prone to physical intrusion with a rogue laptop. I'd want to know if something from that network is attempting to scan or traverse into my server areas. Or noisily scan my networks.

c. I'd want to know if something is making attacks outbound, or just doing something strange outbound. Since egress firewall sets often suck, I'd maybe rely on an IDS/IPS to give me some ammunition to tighten the firewall or give warning.

On Mon, Apr 18, 2011 at 4:16 PM, Crest Johanson <shesma () ymail com> wrote:
Hello All,

I'm a bit confused on a placement of a *second* IPS device in the network. We already have an IPS typically placed behind the FW and before the DMZ. We purchased another IPS with a high bandwidth from a different vendor and placed it between the LAN and the servers farm. The IPS provides 3 more segments that we haven't yet utilized. Where do you think we should have the IPS inspecting? Maybe between the DMZ and the internal servers farm? Or maybe behind the older IPS so that we have an extra layer of protection from two different IPS vendors? Hope someone came across a similar case.

Thanks,

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
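The two points of the reply (don't stack a second sensor on a boundary that already has one; spend spare segments on uncovered transitions between zones of differing trust) can be checked mechanically. The following is an added Python illustration, not code from the list or from either poster: it models the four networks named in the thread, flags boundaries that would end up with two sensors, and ranks the uncovered boundaries by the size of the trust transition they carry. The numeric trust levels, the list of which zones exchange traffic directly, and the sensor names are constructed assumptions, not anything the messages state; the ranking is by trust gap alone and does not encode the reply's own preference for noise and depth.

```python
"""Audit IPS/IDS sensor coverage over a zoned network (added illustration)."""

# Assumed trust ordering, lower = less trusted. Constructed values.
ZONES = {"Internet": 0, "DMZ": 1, "LAN": 2, "Servers": 3}


def boundary(a, b):
    """An unordered zone pair; frozenset so {A,B} == {B,A}."""
    if a not in ZONES or b not in ZONES or a == b:
        raise ValueError(f"bad boundary {a!r}-{b!r}")
    return frozenset({a, b})


# Zone pairs that actually exchange traffic. Assumed topology: servers do not
# route straight to the Internet, so there is no Internet-Servers boundary.
ADJACENT = [
    boundary("Internet", "DMZ"),
    boundary("DMZ", "Servers"),
    boundary("DMZ", "LAN"),
    boundary("Internet", "LAN"),
    boundary("LAN", "Servers"),
]


def trust_gap(pair):
    """How far apart the two sides of a boundary sit in the trust ordering."""
    a, b = tuple(pair)
    return abs(ZONES[a] - ZONES[b])


def audit(sensors, adjacent=ADJACENT):
    """Given {sensor_name: set of boundaries it inspects}, return
    (redundant, uncovered).

    redundant: {boundary: [sensor names]} for boundaries with more than one
               sensor in line (the "doubling up" case).
    uncovered: [(trust_gap, (zoneA, zoneB)), ...] for boundaries with no
               sensor, largest trust transition first.
    """
    coverage = {b: [] for b in adjacent}
    for name, boundaries in sensors.items():
        for b in boundaries:
            if b not in coverage:
                raise ValueError(f"{name}: {sorted(b)} is not a known boundary")
            coverage[b].append(name)

    redundant = {b: names for b, names in coverage.items() if len(names) > 1}
    uncovered = sorted(
        ((trust_gap(b), tuple(sorted(b))) for b, names in coverage.items() if not names),
        key=lambda item: (-item[0], item[1]),
    )
    return redundant, uncovered


if __name__ == "__main__":
    # Constructed scenario 1: the layout described in the thread.
    current = {
        "old-ips": {boundary("Internet", "DMZ")},
        "new-ips": {boundary("LAN", "Servers")},
    }
    red, unc = audit(current)
    print("redundant:", {tuple(sorted(b)): n for b, n in red.items()})
    print("uncovered, best candidates first:", unc)

    # Constructed scenario 2: the "behind the older IPS" option from the question.
    stacked = {
        "old-ips": {boundary("Internet", "DMZ")},
        "new-ips": {boundary("LAN", "Servers"), boundary("Internet", "DMZ")},
    }
    red, _ = audit(stacked)
    print("stacked sensors:", {tuple(sorted(b)): n for b, n in red.items()})
```

With the thread's current layout the audit lists DMZ-Servers as the top uncovered boundary, matching option (a) in the reply; assigning the new box to the Internet-DMZ segment as well is reported as redundant coverage rather than as a gain.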
Current thread:
- IPS placement Crest Johanson (Apr 18)
- Re: IPS placement Michael Dickey (Apr 19)
- Re: IPS placement Mike Patterson (Apr 19)
- Re: IPS placement Ben Jackson (Apr 19)