PaulDotCom mailing list archives
Re: IPS placement
From: Mike Patterson <mike () snowcrash ca>
Date: Tue, 19 Apr 2011 13:52:53 -0400
On 2011/04/18 5:16 PM, Crest Johanson wrote:
Hello All, I'm a bit confused on the placement of a second IPS device in the network. We already have an IPS typically placed behind the FW and before the DMZ. We purchased another IPS with a high bandwidth from a different vendor and placed it between the LAN and the server farm. The IPS provides 3 more segments that we haven't yet utilized. Where do you think we should have the IPS inspecting? Maybe between the DMZ and the internal server farm? Or maybe behind the older IPS so that we have an extra layer of protection from two different IPS vendors?
Are you sure the IPSes run differing technology underneath? If they're both using the Snort engine and some custom ruleset, it's unclear how much you'd gain from that. For that matter, even if they _are_ different, which do you trust more? Now you have four times as much work, and an extra thing to blame/inspect/request support for/etc. any time anything goes wrong.

If you have three more segments to use, why not just pitch the original IDS and use two of the segments as you say - one between DMZ/farm, another between FW/DMZ - and keep the third for a test network or in reserve?

Anything else seems like makework, to be honest. Unless you don't yet trust your new IPS as much as you do the old, in which case, when will you?

Mike

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
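The placement argument in this exchange (stacking the second IPS behind the first adds inspection depth on one link but no new coverage, while spreading its spare segments across the DMZ/farm and FW/DMZ links closes a gap) can be checked mechanically. The following is an added example, not code from the thread or from either poster; the zone topology is constructed for illustration, and it assumes a direct DMZ-to-server-farm link alongside the usual firewall hub. A zone-to-zone flow counts as covered only if every loop-free path between the zones crosses at least one inline engine, which is the conservative view that traffic may take any routable path rather than just the shortest one.

```python
"""Flow-coverage check for inline IPS placement (constructed example).

Zones are nodes, links are undirected edges, and a placement maps a
link to the number of inline IPS engines sitting on it.  A flow is
'covered' only if every simple path between its endpoints crosses an
inspected link, i.e. the worst case over all routable paths.
"""
from itertools import combinations

# Constructed topology (assumption): the server farm is reachable both
# from the LAN and directly from the DMZ.
LINKS = {
    frozenset(("Internet", "FW")),
    frozenset(("FW", "DMZ")),
    frozenset(("FW", "LAN")),
    frozenset(("LAN", "ServerFarm")),
    frozenset(("DMZ", "ServerFarm")),
}
ENDPOINTS = ["Internet", "DMZ", "LAN", "ServerFarm"]  # FW is transit only


def link(a, b):
    return frozenset((a, b))


def neighbours(zone):
    return sorted(next(iter(l - {zone})) for l in LINKS if zone in l)


def simple_paths(src, dst, path=None):
    """Yield every loop-free path from src to dst as a list of zones."""
    path = [src] if path is None else path
    if src == dst:
        yield list(path)
        return
    for nxt in neighbours(src):
        if nxt not in path:
            yield from simple_paths(nxt, dst, path + [nxt])


def inspections_on(path, placement):
    """Number of inline engines a packet meets walking this path."""
    return sum(placement.get(link(a, b), 0) for a, b in zip(path, path[1:]))


def min_inspections(placement, src, dst):
    """Worst case over all simple paths; 0 means the flow can bypass inspection."""
    return min(inspections_on(p, placement) for p in simple_paths(src, dst))


def coverage(placement):
    return {(s, d): min_inspections(placement, s, d)
            for s, d in combinations(ENDPOINTS, 2)}


def uncovered(placement):
    """Endpoint pairs with at least one uninspected path, sorted for stable output."""
    return sorted(pair for pair, n in coverage(placement).items() if n == 0)


# The placements discussed in the thread, on the constructed topology.
CURRENT = {link("FW", "DMZ"): 1, link("LAN", "ServerFarm"): 1}
# Second IPS placed behind the first on the same link.
STACKED = {link("FW", "DMZ"): 2, link("LAN", "ServerFarm"): 1}
# Old IPS retired; the new unit's segments cover FW/DMZ, DMZ/farm and LAN/farm.
SPREAD = {link("FW", "DMZ"): 1, link("DMZ", "ServerFarm"): 1,
          link("LAN", "ServerFarm"): 1}

if __name__ == "__main__":
    for name, placement in [("current", CURRENT), ("stacked", STACKED), ("spread", SPREAD)]:
        print(f"{name:8s} uncovered flows: {uncovered(placement)}")
```

On this topology the stacked placement leaves exactly the same uncovered flows as the current one (DMZ to server farm, and Internet to LAN): the second engine only deepens inspection on FW/DMZ. Spreading the segments closes the DMZ/farm gap, and the model also surfaces that an IPS placed on the DMZ side of the firewall never sees Internet-to-LAN traffic at all, which is worth knowing before deciding which of the remaining segments to spend.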
Current thread:
- IPS placement Crest Johanson (Apr 18)
- Re: IPS placement Michael Dickey (Apr 19)
- Re: IPS placement Mike Patterson (Apr 19)
- Re: IPS placement Ben Jackson (Apr 19)