I am a bit confused about the placement of an IPS device. Considering a 500-user network with two servers (in a DMZ) for online business and a firewall at the gateway, I wanted to know where it would be best to place an IPS device: is it best to keep it in front of the firewall or behind the firewall? Please help me out and recommend which IPS to go with. Thanks.
I'm not sure you will get much help here. Most people don't have corporate IT experience. My impression from bits I've read here and there is that the IPS goes behind the gateway.
It depends on your "IPS" setup. Do you mean an IDS (active defenses) or an IPS (passive)? Does it have a built-in firewall or not, or is it just an IDS (is it built on Snort?)? Typically you would install it within your protected environment (inside the hardware-firewalled zone) but before the layer 1 switches, to monitor traffic and breaches. Basically it's a packet filter/protocol analyzer looking for specially crafted packets based on preset rules, so it needs to "filter" through everything to work effectively. However, it's not "IP"-specific. But they tend to have issues with encryption. Every network is different. If your network has multiple entry points (i.e. several routers), you may need multiple IDS devices and firewalls, or if you need it to work with some type of load-balancing device you need to put it behind that (as you would want to monitor all incoming network feeds). Keep an eye out for your WiFi zones, as these devices tend to perform poorly with these. And why on earth would you want a DMZ on a corporate LAN? I hope it is only for your web server, to bypass the firewall for performance issues. Even then you can open only the appropriate ports on a static IP instead of wholesale wide open right at the firewall. Can't you use another method of providing open access? VPN or some other means? Why spend $$$ on traffic monitoring and security devices if you are going to provide open and free access to your servers via a DMZ?
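The reply above describes the sensor as a rule-driven packet filter that has to see all traffic, cannot read encrypted payloads, and behaves differently depending on whether it sits in front of or behind the firewall. The following is an added example (not code from this thread or from Snort) that models those three points with a toy signature matcher: every address, rule, signature ID and packet in it is constructed for illustration, and the `encrypted` flag stands in for a TLS record the sensor cannot inspect.

```python
"""Toy signature-based IDS/IPS sensor (added illustration, not a real product)."""
from dataclasses import dataclass
from typing import List, Tuple

ANY = 0  # wildcard destination port in a rule


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes
    encrypted: bool = False  # constructed: True means the payload is opaque to the sensor


@dataclass
class Rule:
    sid: int        # constructed signature id, not a real Snort SID
    msg: str
    proto: str
    dport: int
    content: bytes  # byte pattern the rule looks for in the payload

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto
                and self.dport in (ANY, pkt.dport)
                and self.content in pkt.payload)


# Constructed rule set: one port-agnostic rule, one tied to port 80.
RULES = [
    Rule(1000001, "HTTP directory traversal pattern", "tcp", ANY, b"../.."),
    Rule(1000002, "SQL tautology in query string", "tcp", 80, b"' OR 1=1"),
]


class Sensor:
    """inline=True behaves like an IPS (can drop); inline=False like an IDS (alert only)."""

    def __init__(self, rules: List[Rule], inline: bool):
        self.rules = rules
        self.inline = inline
        self.alerts: List[Tuple[str, int, List[int]]] = []

    def inspect(self, pkt: Packet) -> Tuple[str, List[int]]:
        if pkt.encrypted:
            # Content signatures cannot match inside an encrypted payload,
            # which is the "issues with encryption" the reply mentions.
            return ("pass", [])
        hits = [r.sid for r in self.rules if r.matches(pkt)]
        if not hits:
            return ("pass", hits)
        self.alerts.append((pkt.src, pkt.dport, hits))
        return ("drop" if self.inline else "alert", hits)


# Constructed gateway firewall policy: only HTTP/HTTPS to the two DMZ servers.
DMZ_SERVERS = {"203.0.113.10", "203.0.113.11"}


def firewall_permits(pkt: Packet) -> bool:
    return pkt.dst in DMZ_SERVERS and pkt.proto == "tcp" and pkt.dport in (80, 443)


# Constructed sample traffic (documentation address ranges only).
SAMPLE_TRAFFIC = [
    Packet("198.51.100.7", "203.0.113.10", "tcp", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("198.51.100.8", "203.0.113.10", "tcp", 80, b"GET /../../secret.txt HTTP/1.1\r\n"),
    Packet("198.51.100.9", "203.0.113.11", "tcp", 8080, b"GET /../../admin HTTP/1.1\r\n"),
    Packet("198.51.100.8", "203.0.113.10", "tcp", 443,
           b"\x17\x03\x03\x00\x05\x8a\x1f\xc3\x90\x02", encrypted=True),
    Packet("198.51.100.10", "203.0.113.10", "tcp", 80,
           b"GET /login?user=a' OR 1=1-- HTTP/1.1\r\n"),
]


def run(placement: str, inline: bool) -> Tuple[List[str], int]:
    """placement 'front': sensor sees the raw Internet side.
    placement 'behind': sensor sees only what the firewall already permitted.
    Returns the per-packet action list and the number of alerts raised."""
    sensor = Sensor(RULES, inline)
    actions = []
    for pkt in SAMPLE_TRAFFIC:
        if placement == "behind" and not firewall_permits(pkt):
            actions.append("fw-blocked")
            continue
        action, _ = sensor.inspect(pkt)
        actions.append(action)
    return actions, len(sensor.alerts)


if __name__ == "__main__":
    for placement in ("front", "behind"):
        for inline in (True, False):
            print(placement, "inline" if inline else "passive", run(placement, inline))
```

Running it shows the trade-off the reply hints at: in front of the firewall the sensor alerts on the port-8080 packet the firewall would have dropped anyway (more noise, but full visibility), behind the firewall it only sees permitted traffic (fewer alerts, less load), and in both positions the encrypted packet passes untouched because the signature has nothing to match against.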
An IDS (Intrusion Detection System), if run, must be on the system being protected, but logged to some other media or network-accessible storage device. While it is great for post-mortem analysis of "what happened to whom", it is only a reactive tool, not a proactive prevention technique. If done carefully and kept up to date, your disaster recovery plan will outperform the IDS analysis, action plan and implementation sequence. By this I mean the mean time to recovery will be shorter and have more integrity in the result (i.e. what if the IDS analysis fails to notice something critical?).
Hi all, thanks for your replies. My primary point of thinking to use an IPS was to make my servers available for online access without downtime; hence I thought an IPS could act as an extra layer of security.