> -----Original Message-----
> From: Doug Fox [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 19, 2005 4:58 PM
> To: [email protected]
> Subject: location of an IPS
>
> I'm sorry for this dumb question, which may have been
> answered many times.
>
> Where should one place a TippingPoint Unity 50 IPS device?
> Behind or in front of a firewall?
>
> I have a/the TippingPoint behind a Check Point firewall. Even
> though we externally and internally port-scanned the firewall
> and the IPS many times, the activity log did not contain any
> record of the "attacks".
>
> What am I missing here? Any pointers are appreciated.
>
> Thanks,
>

Where you place it depends on what you want to audit. I prefer behind the firewall, since I'm only concerned about what gets through, but some people want to know it all. My opinion is that there's too much information to effectively monitor what's going on. A successful attack may only generate a couple alerts.

As for your scans, what kind of scan (connect, stealth, XMAS, etc.) did you use? Your IDS may also be ignoring internal traffic. If you've got access to a system outside your network (i.e., home PC), try attacking it from there. Make sure your ISP doesn't "frown" on that kind of activity first though...

Derick Anderson
