PaulDotCom mailing list archives

Re: IPS placement


From: Ben Jackson <bbj () mayhemiclabs com>
Date: Tue, 19 Apr 2011 19:02:44 -0400

On Mon, Apr 18, 2011 at 5:16 PM, Crest Johanson <shesma () ymail com> wrote:
Hello All,
I'm a bit confused on the placement of a second IPS device in the network. We
already have an IPS typically placed behind the FW and before the DMZ. We
purchased another IPS with a high bandwidth from a different vendor and
placed it between the LAN and the server farm. The IPS provides 3 more
segments that we haven't yet utilized. Where do you think we should have the
IPS inspecting? Maybe between the DMZ and the internal server farm? Or
maybe behind the older IPS so that we have an extra layer of protection from
two different IPS vendors?

If you aren't monitoring your LAN->Interwebs connection that would be
the first place I recommend, assuming the IPS blocks client-side
attacks. While there is a ton of junk that's going to be flowing to
your DMZ servers and those can be used to pivot into your LAN
environment, a majority of (successful) attacks are likely going to be
against the client side. From there I would recommend protecting your
LAN<->Server chokepoint, then DMZ<->LAN chokepoint.

-- 
Ben Jackson - Mayhemic Labs
bbj () mayhemiclabs com - http://www.mayhemiclabs.com - +1-508-296-0267
"Assume that what is in the power of one man to do, is in the power of another"