IDS mailing list archives
RE: location of an IPS
From: "Swift, David" <dswift () ipolicynetworks com>
Date: Thu, 20 Oct 2005 07:23:06 -0700
Where to put an IPS depends on your network and what you want to do with it. Most IPS's need L2 connectivity to a LAN segment if you want to monitor it. So...if your looking to monitor internal traffic, it will sit south (protected side) of your firewall. At L3/Routing, an alternate path not through the device (or dropping of broadcasts), may prevent the IPS from seeing the attack. Likewise you may have VPN termination on the firewall, and an IPS cannot detect events in encrypted traffic streams (unless it is the VPN termination point itself), so the device may be installed south of the VPN concentrator. Alternatively however, since most IPS boxes can also do DoS and DDoS mitigation, you may want it north (unprotected side) of your firewall to help screen/drop DoS/DDoS attacks. -----Original Message----- From: Doug Fox [mailto:dfox168 () hotmail com] Sent: Wednesday, October 19, 2005 3:58 PM To: focus-ids () securityfocus com Subject: location of an IPS I'm sorry for this dumb question, which may have been answered many times. Where should one place an TippingPoint Unity 50 IPS device? Behind or in front of a firewall? I have a/the TippingPoint behind a Check Point firewall. Even though we externally and internally port-scanned the firewall and the IPS many times, the activity log did not contain any record of the "attacks". What am I missing here? Any pointers are appreciated. Thanks, ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- location of an IPS Doug Fox (Oct 19)
- Re: location of an IPS Kurt Seifried (Oct 20)
- Re: location of an IPS FinAckSyn (Oct 20)
- Re: location of an IPS Kurt Seifried (Oct 21)
- Re: location of an IPS FinAckSyn (Oct 21)
- Re: location of an IPS Kurt Seifried (Oct 21)
- Re: location of an IPS Paul Schmehl (Oct 20)
- Re: location of an IPS ilaiy (Oct 21)
- Re: location of an IPS Seek Knowledge (Oct 21)
- <Possible follow-ups>
- RE: location of an IPS Gary Halleen (ghalleen) (Oct 20)
- RE: location of an IPS Derick Anderson (Oct 20)
- RE: location of an IPS Swift, David (Oct 20)
- RE: location of an IPS kgeorgiades (Oct 20)
- RE: location of an IPS Bourque Daniel (Oct 21)
- Re: Re: location of an IPS asalo (Oct 21)