I'm sorry for this dumb question, which may have been answered many times.
Where should one place a TippingPoint Unity 50 IPS device? Behind or in
front of a firewall?
Depends what you want to measure. Broadly speaking in front of the firewall
means you're measuring attempts, behind the firewall they are penetrations
(or do both and then compare them, that way you can actually tell management
"look we're stopping 90% of detected attacks, now would you please let me
tighten the firewall rules so that's 100%?" or something). One thing to
remember is to look for outgoing attacks as well, that's a good indication
of a compromised host or a hostile user.
I have a/the TippingPoint behind a Check Point firewall. Even though we
externally and internally port-scanned the firewall and the IPS many
times, the activity log did not contain any record of the "attacks".
On the one hand good, that would have been a false positive technically
speaking, otoh that's bad, it probably should have alerted on that (even if
it is a false positive). Sounds like you need to sit down and do the
setup/configuration/alerting/whatnot (aka the hard parts of IDS/IPS).
Broadly speaking you're saying "it's broken" to which I can only say
"bummer. try fixing it."
What am I missing here? Any pointers are appreciated.
Thanks,
The dreaded C word comes to mind (consultant), if your company lacks the
expertise to set this up, buy someone's time who does.
-Kurt