On Mon, Apr 18, 2011 at 5:16 PM, Crest Johanson <[email protected]> wrote: > Hello All, > I'm a bit confused on a placement of a second IPS device in the network. We > already have an IPS typically placed behind the FW and before the DMZ. We > purchased another IPS with a high bandwidth from a different vendor and > placed it between the LAN and the servers farm. The IPS provides 3 more > segments that we haven't yet utilized. Where do you think we should have the > IPS inspecting? Maybe between the DMZ and the internal servers farm? Or > maybe behind the older IPS so that we have an extra layer of protection from > a two different IPS vendors?
If you aren't monitoring your LAN->Interwebs connection that would be the first place I recommend, assuming the IPS blocks client side attacks. While there is a ton of junk that's going to be flowing to your DMZ servers and those can be used to pivot into your LAN environment, a majority of (successful) attacks are likely going to be against the client side. From there I would recommend protecting your LAN<->Server chokepoint, then DMZ<->LAN chokepoint. -- Ben Jackson - Mayhemic Labs [email protected] - http://www.mayhemiclabs.com - +1-508-296-0267 "Assume that what is in the power of one man to do, is in the power of another" _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
