I would generally say you want an IPS/IDS anywhere you:
- have a transition between two networks of differing security needs (often next to a firewall or filter)
- have a choked location with traffic that you'd have some security interest in

From my understanding you have 4 general networks: Internet, DMZ, LAN, and Servers. You already have an IPS between the Internet and DMZ, and a second between the LAN (I assume this is where general workstations are located) and Servers.

1. I wouldn't recommend doubling up different IPS boxes, one behind the other. You don't really gain anything except an understanding of what one of the boxes doesn't catch, especially if you're running more in IPS mode than IDS mode. And even if you gain that knowledge, you'd just want to use the best box and forget the other one, since it is added administrative cost and an extra fail point.

2. I'd suggest one that inspects traffic between your:
   a. DMZ and the Servers, and placed on the Servers network (or even placed in the DMZ network if you want).
   b. Or the LAN and your DMZ, and placed on the DMZ network (less noisy).
   c. Or the LAN and their Internet route, placed on the LAN.

That's in decreasing order of how *I* would prefer them.

a. Gives you the ability to catch something coming in from the Internet, owning a DMZ box, and continuing into the backend servers location. This is doubly nice because something missed by your first IPS covering the Internet/DMZ segment might be picked up as it moves further in.

b. The LAN is sometimes a cesspool of users, and prone to physical intrusion with a rogue laptop. I'd want to know if something from that network is attempting to scan or traverse into my server areas, or noisily scan my networks.

c. I'd want to know if something is making attacks outbound, or just doing something strange outbound. Since egress firewall sets often suck, I'd maybe rely on an IDS/IPS to give me some ammunition to tighten the firewall or give warning.

On Mon, Apr 18, 2011 at 4:16 PM, Crest Johanson <[email protected]> wrote:
> Hello All,
>
> I'm a bit confused on the placement of a *second* IPS device in the network.
> We already have an IPS typically placed behind the FW and before the DMZ. We
> purchased another IPS with high bandwidth from a different vendor and
> placed it between the LAN and the server farm. The IPS provides 3 more
> segments that we haven't yet utilized. Where do you think we should have the
> IPS inspecting? Maybe between the DMZ and the internal server farm? Or
> maybe behind the older IPS so that we have an extra layer of protection from
> two different IPS vendors?
>
> Hope someone has come across a similar case.
>
> Thanks,
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
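A small coverage model of the placement question in the thread, added here as an illustration (not from the list or either poster). It assumes the four segments named in the mail, a constructed set of flows matching the scenarios the reply walks through (the DMZ pivot, rogue-laptop scanning, outbound traffic), and treats an IPS as a sensor on a segment boundary; it then reports how many distinct inspection points each flow gets under options a, b and c, and shows why a second box stacked on the same Internet/DMZ boundary adds no new look at anything.

```python
"""Toy inspection-coverage model for the Internet / DMZ / LAN / Servers
layout discussed in the thread (constructed example, not from the list)."""

# A flow is the ordered chain of segments its traffic crosses.  An IPS on a
# segment boundary gets a look at every flow whose path crosses that boundary.
FLOWS = {
    "internet->dmz":          ("Internet", "DMZ"),
    "internet->dmz->servers": ("Internet", "DMZ", "Servers"),  # pivot via DMZ box
    "lan->servers":           ("LAN", "Servers"),
    "lan->dmz":               ("LAN", "DMZ"),                  # rogue laptop scanning
    "lan->internet":          ("LAN", "Internet"),             # outbound / egress
}

def boundary(x, y):
    return frozenset((x, y))

# The two sensors the original poster already has.
EXISTING = {boundary("Internet", "DMZ"), boundary("LAN", "Servers")}

# The three placements proposed in the reply, in the reply's preference order.
CANDIDATES = {
    "a": boundary("DMZ", "Servers"),
    "b": boundary("LAN", "DMZ"),
    "c": boundary("LAN", "Internet"),
}

def hops(path):
    return {boundary(a, b) for a, b in zip(path, path[1:])}

def looks(sensors):
    """Number of distinct boundaries at which each flow is inspected."""
    return {name: len(hops(path) & sensors) for name, path in FLOWS.items()}

def uncovered(sensors):
    """Flows that no sensor in `sensors` ever sees."""
    return sorted(n for n, k in looks(sensors).items() if k == 0)

def gain(candidate, sensors=EXISTING):
    """Flows that get one more inspection point if `candidate` is added.
    Sensors form a set, so a second box on an already-covered boundary
    (the 'stack two vendors' option) changes nothing here."""
    before, after = looks(sensors), looks(sensors | {candidate})
    return sorted(n for n in FLOWS if after[n] > before[n])

if __name__ == "__main__":
    print("uncovered today:", uncovered(EXISTING))
    for label, b in CANDIDATES.items():
        rest = uncovered(EXISTING | {b})
        print("option", label, "newly inspected:", gain(b), "still uncovered:", rest)
    print("stacked on Internet/DMZ:", gain(boundary("Internet", "DMZ")))
```

Option a only deepens inspection of the pivot path, while b and c each give a first look at LAN-originated traffic that nothing sees today; which matters more is the judgement call the reply is making.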
