IDS mailing list archives

RE: location of an IPS


From: "Derick Anderson" <danderson () vikus com>
Date: Thu, 20 Oct 2005 09:33:13 -0400

 

-----Original Message-----
From: Doug Fox [mailto:dfox168 () hotmail com] 
Sent: Wednesday, October 19, 2005 4:58 PM
To: focus-ids () securityfocus com
Subject: location of an IPS

I'm sorry for this dumb question, which may have been 
answered many times.

Where should one place a TippingPoint Unity 50 IPS device?  
Behind or in front of a firewall?

I have a/the TippingPoint behind a Check Point firewall. Even 
though we externally and internally port-scanned the firewall 
and the IPS many times, the activity log did not contain any 
record of the "attacks".

What am I missing here?  Any pointers are appreciated.

Thanks,


Where you place it depends on what you want to audit. I prefer behind
the firewall, since I'm only concerned about what gets through, but some
people want to know it all. My opinion is that there's too much
information to effectively monitor what's going on. A successful attack
may only generate a couple alerts.

As for your scans, what kind of scan (connect, stealth, XMAS, etc.) did
you use? Your IDS may also be ignoring internal traffic. If you've got
access to a system outside your network (i.e., home PC), try attacking
it from there. Make sure your ISP doesn't "frown" on that kind of
activity first though...

Derick Anderson
