PaulDotCom mailing list archives
Re: IPS placement
From: Ben Jackson <bbj () mayhemiclabs com>
Date: Tue, 19 Apr 2011 19:02:44 -0400
On Mon, Apr 18, 2011 at 5:16 PM, Crest Johanson <shesma () ymail com> wrote:
Hello All, I'm a bit confused on a placement of a second IPS device in the network. We already have an IPS typically placed behind the FW and before the DMZ. We purchased another IPS with a high bandwidth from a different vendor and placed it between the LAN and the servers farm. The IPS provides 3 more segments that we haven't yet utilized. Where do you think we should have the IPS inspecting? Maybe between the DMZ and the internal servers farm? Or maybe behind the older IPS so that we have an extra layer of protection from a two different IPS vendors?
If you aren't monitoring your LAN->Interwebs connection that would be the first place I recommend, assuming the IPS blocks client side attacks. While there is a ton of junk that's going to be flowing to your DMZ servers and those can be used to pivot into your LAN environment, a majority of (successful) attacks are likely going to be against the client side. From there I would recommend protecting your LAN<->Server chokepoint, then DMZ<->LAN chokepoint. -- Ben Jackson - Mayhemic Labs bbj () mayhemiclabs com - http://www.mayhemiclabs.com - +1-508-296-0267 "Assume that what is in the power of one man to do, is in the power of another" _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
Current thread:
- IPS placement Crest Johanson (Apr 18)
- Re: IPS placement Michael Dickey (Apr 19)
- Re: IPS placement Mike Patterson (Apr 19)
- Re: IPS placement Ben Jackson (Apr 19)