PaulDotCom mailing list archives

Re: IPS placement


From: Mike Patterson <mike () snowcrash ca>
Date: Tue, 19 Apr 2011 13:52:53 -0400

On 2011/04/18 5:16 PM, Crest Johanson wrote:
Hello All,

I'm a bit confused about the placement of a second IPS device in the network. We
already have an IPS, typically placed behind the FW and before the DMZ. We
purchased another IPS with high bandwidth from a different vendor and placed
it between the LAN and the server farm. The IPS provides 3 more segments that
we haven't yet utilized. Where do you think we should have the IPS inspecting?
Maybe between the DMZ and the internal server farm? Or maybe behind the older
IPS so that we have an extra layer of protection from two different IPS
vendors?

Are you sure the IPSes run differing technology underneath? If they're
both using the Snort engine and some custom ruleset, it's unclear how
much you'd gain from that. For that matter, even if they _are_
different, which do you trust more? Now you have four times as much
work, and an extra thing to blame/inspect/request support for/etc. any
time anything goes wrong.

If you have three more segments to use, why not just pitch the original
IDS and use two of the segments as you say - one between DMZ/farm,
another between FW/DMZ, and keep the third for a test network or in reserve?

Anything else seems like makework, to be honest. Unless you don't yet
trust your new IPS as much as you do the old, in which case, when will you?

Mike
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com