IPS Placement

Discussion in 'other firewalls' started by arjun, Jan 30, 2008.

Thread Status:
Not open for further replies.
  1. arjun (Registered Member, joined Jan 21, 2008, 6 posts)

    I am a bit confused about the placement of an IPS device. Considering a 500-user network with two servers (in a DMZ) for online business and a firewall at the gateway, I wanted to know where it would be best to place an IPS device: is it best to keep it in front of the firewall or behind the firewall? Please help me out and recommend which IPS to go for.

    thanks..
     
  2. jrmhng (Registered Member, joined Nov 4, 2007, 1,268 posts, Australia)

    I'm not sure you will get much help here. Most people don't have corporate IT experience. My impression from bits I've read here and there is that the IPS goes behind the gateway.
     
  3. Hermescomputers (Registered Member, joined Jan 9, 2006, 1,069 posts, Toronto, Ontario, Canada, eh?)

    It depends on your "IPS" setup. Do you mean an IDS (active defenses) or an IPS (passive)? Does it have a built-in firewall or not, or is it just an IDS (is it built on Snort)? Typically you would install it within your protected environment (inside the hardware-firewalled zone) but before the layer 1 switches, to monitor traffic and breaches. (Basically it's a packet filter/protocol analyzer looking for specially crafted packets based on preset rules, so it needs to "filter" through everything to work effectively. However, it's not "IP" specific.) But they tend to have issues with encryption.

    Every network is different. If your network has multiple entry points (i.e. several routers, you may need multiple IDS devices and firewalls), or if you need it to work with some type of load-balancing device, you need to put it behind that (as you would want to monitor all incoming network feeds). Keep an eye out for your WiFi zones, as these devices tend to perform poorly with these...

    And why on earth would you want a DMZ on a corporate LAN? I hope it is only for your web server, to bypass the firewall for performance issues. Even then you can open only the appropriate ports on a static IP instead of leaving it wholesale wide open right at the firewall... Can't you use another method of providing open access? VPN or some other means?

    Why spend $$$ on traffic monitoring and security devices if you are going to provide open and free access to your servers via a DMZ?
     
    Last edited: Jan 31, 2008
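The placement question discussed in the posts above, as an added example that is not part of this thread: a small Python model that pushes constructed sample packets through a gateway firewall and a signature-based inline IPS in both orders (IPS in front of the firewall versus behind it). The DMZ addresses, the firewall policy, the three Snort-style rules and the traffic are all assumptions made for illustration. It shows that an IPS behind the firewall sees only the traffic the firewall already let through, so it raises fewer alerts for the same protection of the DMZ servers, and that a TLS-encrypted payload is opaque to it in either position.

```python
import re
from dataclasses import dataclass

# Hypothetical addresses for the two DMZ servers from the question (constructed).
DMZ_WEB_1 = "10.0.1.10"
DMZ_WEB_2 = "10.0.1.11"


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes
    encrypted: bool = False   # True marks a TLS record: the IPS sees ciphertext only


# Assumed gateway firewall policy: only HTTP/HTTPS to the two DMZ hosts is allowed inbound.
FIREWALL_ALLOW = {(DMZ_WEB_1, 80), (DMZ_WEB_1, 443), (DMZ_WEB_2, 80), (DMZ_WEB_2, 443)}


def firewall_allows(pkt: Packet) -> bool:
    return (pkt.dst, pkt.dport) in FIREWALL_ALLOW


# Minimal Snort-style rules (assumed): (name, payload pattern or None, destination port or None).
SIGNATURES = [
    ("dir-traversal", re.compile(rb"\.\./"), None),
    ("sql-injection", re.compile(rb"(?i)union\s+select"), None),
    ("telnet-probe", None, 23),
]


def ips_inspect(pkt: Packet):
    """Return the names of the rules that match, or None when the payload is
    encrypted and cannot be inspected at all (the 'issues with encryption')."""
    if pkt.encrypted:
        return None
    hits = []
    for name, pattern, port in SIGNATURES:
        if port is not None and pkt.dport == port:
            hits.append(name)
        elif pattern is not None and pattern.search(pkt.payload):
            hits.append(name)
    return hits


def run_chain(packets, ips_in_front: bool) -> dict:
    """Push each packet through firewall and IPS in the chosen order and count the outcomes."""
    out = {"alerts": [], "blocked_by_ips": 0, "dropped_by_firewall": 0, "opaque": 0, "delivered": 0}

    def ips_stage(pkt):
        hits = ips_inspect(pkt)
        if hits is None:
            out["opaque"] += 1          # encrypted: forwarded without inspection
            return True
        if hits:
            out["alerts"].append((hits[0], pkt.dst, pkt.dport))
            out["blocked_by_ips"] += 1  # an inline IPS drops on a signature match
            return False
        return True

    def fw_stage(pkt):
        if firewall_allows(pkt):
            return True
        out["dropped_by_firewall"] += 1
        return False

    chain = [ips_stage, fw_stage] if ips_in_front else [fw_stage, ips_stage]
    for pkt in packets:
        # all() short-circuits, so a packet dropped by the first device never reaches the second
        if all(stage(pkt) for stage in chain):
            out["delivered"] += 1
    return out


# Constructed sample traffic from the Internet towards the DMZ and one internal host.
SAMPLE_TRAFFIC = [
    Packet("203.0.113.5", DMZ_WEB_1, 23, b""),                                    # telnet probe
    Packet("203.0.113.5", DMZ_WEB_1, 80, b"GET /../../etc/passwd HTTP/1.0\r\n"),  # traversal attempt
    Packet("198.51.100.9", DMZ_WEB_1, 80, b"GET /index.html HTTP/1.0\r\n"),       # legitimate request
    Packet("198.51.100.9", DMZ_WEB_1, 443,
           b"\x17\x03\x03\x00\x08\x5a\x11\xe0\x4b\x9c\x27\x03\xd8", encrypted=True),  # TLS record
    Packet("203.0.113.7", DMZ_WEB_2, 3306, b"UNION SELECT user,password FROM mysql.user"),  # SQLi at MySQL
    Packet("203.0.113.7", "10.0.2.50", 445, b"\x00\x00\x00\x2f\xffSMB"),        # SMB probe, internal host
]

if __name__ == "__main__":
    print("IPS in front of firewall:", run_chain(SAMPLE_TRAFFIC, ips_in_front=True))
    print("IPS behind firewall:     ", run_chain(SAMPLE_TRAFFIC, ips_in_front=False))
```

Both placements deliver the same two packets to the servers, but in front of the firewall the sensor also alerts on the telnet and MySQL probes that the firewall would have discarded anyway, which is exactly the alert noise an analyst then has to triage. The TLS record passes uninspected in both runs; a real deployment would terminate or decrypt TLS in front of the sensor, or place the sensor where the plaintext is available.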
  4. jobeard (Registered Member, joined Jan 31, 2008, 15 posts, So. Calif)

    An IDS (Intrusion Detection System), if run, must be on the system being protected, but logged to some other media or network-accessible storage device.

    While it is great for post-mortem analysis of "what happened to whom", it is only a reactive tool, not a proactive prevention technique.

    If done carefully and kept up to date, your disaster recovery plan will outperform the IDS analysis, action plan, implementation sequence. By this I mean the mean time to recovery will be shorter and have more integrity in the result (i.e.: what if the IDS analysis fails to notice something critical?)
     
  5. arjun (Registered Member, joined Jan 21, 2008, 6 posts)

    Hi all...

    Thanks for your replies. My primary point of thinking to use an IPS was to make my servers available for online access without downtime; hence I thought an IPS could act as an extra layer of security...
     