On 2011/04/18 5:16 PM, Crest Johanson wrote:
> Hello All,
>
> I'm a bit confused on a placement of a second IPS device in the network. We
> already have an IPS typically placed behind the FW and before the DMZ. We
> purchased another IPS with a high bandwidth from a different vendor and placed
> it between the LAN and the servers farm. The IPS provides 3 more segments that
> we haven't yet utilized. Where do you think we should have the IPS inspecting?
> Maybe between the DMZ and the internal servers farm? Or maybe behind the older
> IPS so that we have an extra layer of protection from a two different IPS
> vendors?
Are you sure the IPSes run differing technology underneath? If they're both using the Snort engine and some custom ruleset, it's unclear how much you'd gain from that. For that matter, even if they _are_ different, which do you trust more? Now you have four times as much work, and an extra thing to blame/inspect/request support for/etc any time anything goes wrong.

If you have three more segments to use, why not just pitch the original IDS and use two of the segments as you say - one between DMZ/farm, another between FW/DMZ, and keep the third for a test network or in reserve? Anything else seems like makework, to be honest. Unless you don't yet trust your new IPS as much as you do the old, in which case, when will you?

Mike

_______________________________________________
Pauldotcom mailing list
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
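One way to answer Mike's "how much you'd gain" question with data rather than vendor claims is to run both sensors on the same traffic for a while and measure how much their alerts overlap. The script below is an added example, not part of the thread; the alert records are constructed samples in a simplified, vendor-neutral tuple format, so real exports (unified2, syslog, CEF, etc.) would need to be mapped to those fields first.

```python
"""Measure how much two IPS sensors' alert streams overlap.

Added example, not from the original thread. Alerts are constructed samples
in a simplified format: (epoch seconds, src, dst, dport, normalized signature).
"""

# Constructed sample alerts from two sensors watching the same segment.
SENSOR_A = [
    (1000, "10.0.0.5", "192.0.2.10", 80, "HTTP SQL injection attempt"),
    (1003, "10.0.0.7", "192.0.2.10", 22, "SSH brute force"),
    (1010, "10.0.0.5", "192.0.2.11", 443, "TLS weak cipher"),
    (1200, "10.0.0.9", "192.0.2.12", 445, "SMB exploit attempt"),
]
SENSOR_B = [
    (1001, "10.0.0.5", "192.0.2.10", 80, "HTTP SQL injection attempt"),  # same event, 1 s later
    (1003, "10.0.0.7", "192.0.2.10", 22, "SSH brute force"),
    (1400, "10.0.0.8", "192.0.2.13", 53, "DNS tunneling"),
]


def event_keys(alerts, window=5):
    """Collapse alerts into comparable keys.

    Two sensors timestamp the same packet slightly differently, so time is
    bucketed into `window`-second slots before comparison; signature names
    are assumed to be normalized to a common vocabulary beforehand.
    """
    return {(ts // window, src, dst, dport, sig) for ts, src, dst, dport, sig in alerts}


def compare_sensors(a, b, window=5):
    """Return the Jaccard overlap plus what each sensor caught on its own.

    A high overlap means the second sensor is mostly confirming the first;
    the 'only_*' lists show where real diversity (or a tuning gap) exists.
    """
    ka, kb = event_keys(a, window), event_keys(b, window)
    both, union = ka & kb, ka | kb
    return {
        "overlap_jaccard": round(len(both) / len(union), 3) if union else 1.0,
        "both": sorted(k[4] for k in both),
        "only_a": sorted(k[4] for k in ka - kb),
        "only_b": sorted(k[4] for k in kb - ka),
    }


if __name__ == "__main__":
    for field, value in compare_sensors(SENSOR_A, SENSOR_B).items():
        print(f"{field}: {value}")
```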
