From: Arjun on 1 Feb 2008 02:52

I am a bit confused on the placement of an IPS device... considering a 500 user network with two servers (in DMZ) for online business with a firewall at the gateway, I wanted to know where it would be best to place an IPS device... is it best to keep it in front of the firewall or behind the firewall... please help me out and recommend which IPS to go about. Thanks.

From: Sebastian G. on 1 Feb 2008 06:30

Arjun wrote:
> I am bit confused on a placement of an IPS device......considering a
> 500 user network with two servers(in DMZ) for online business with a
> firewall at the gateway I wanted to where would it be best to place a
> IPS device...it it best to keep it in front of firewall or behind the
> firewall....please help me out n recommend which IPS to go about.

Well, if you already bought an IPS device, then consider it as a sunk cost and place it inside the trash can, so at least it doesn't mess up anything.

If you haven't bought any yet, then please reconsider the idea. Reconsider it once more, and then dump the obviously stupid idea of IPS.

From: Todd H. on 1 Feb 2008 12:20

"Sebastian G." <seppi(a)seppig.de> writes:
> Arjun wrote:
>
> > I am bit confused on a placement of an IPS device......considering a
> > 500 user network with two servers(in DMZ) for online business with a
> > firewall at the gateway I wanted to where would it be best to place a
> > IPS device...it it best to keep it in front of firewall or behind the
> > firewall....please help me out n recommend which IPS to go about.
>
> Well, if you already bought an IPS device, then consider it as a sunk
> cost and place it inside the trash can, so at least it doesn't mess up
> anything.
>
> If you haven't bought any yet, then please reconsider the
> idea. Reconsider it once more, and then dump the obviously stupid idea
> of IPS.

Oh give us your reasons mighty Sebastian, for this week's edition of "contrarian pedantry."

It's certainly true that IPS does little to prevent attackers that are specifically targeting your organization. With enough time, the right spoofable network connectivity, and a large enough botnet someone targeting you isn't going to be chased away by IPS. However, IPS does raise the level of the overall network such that you're no longer low hanging fruit or nearly as vulnerable to the script kiddies in the event of a misconfiguration.

Best Regards,
--
Todd H.
http://www.toddh.net/

From: Sebastian G. on 1 Feb 2008 17:03

Todd H. wrote:
> "Sebastian G." <seppi(a)seppig.de> writes:
>
>> Arjun wrote:
>>
>>> I am bit confused on a placement of an IPS device......considering a
>>> 500 user network with two servers(in DMZ) for online business with a
>>> firewall at the gateway I wanted to where would it be best to place a
>>> IPS device...it it best to keep it in front of firewall or behind the
>>> firewall....please help me out n recommend which IPS to go about.
>> Well, if you already bought an IPS device, then consider it as a sunk
>> cost and place it inside the trash can, so at least it doesn't mess up
>> anything.
>>
>> If you haven't bought any yet, then please reconsider the
>> idea. Reconsider it once more, and then dump the obviously stupid idea
>> of IPS.
>
> Oh give us your reasons mighty Sebastian, for this week's edition of
> "contrarian pedantry."

Very simple: Spoofing. Either you block legitimate hosts which have been spoofed, or you let attacks from spoofed hosts through.

> However, IPS does
> raise the level of the overall network such that you're no longer low
> hanging fruit or nearly as vulnerable to the script kiddies in the
> event of a misconfiguration.

In terms of spoofing, it creates a wonderful DoS condition that even the most stupid script kiddie can trigger. However, defense against misconfiguration by other means (validation, anomaly analysis, policies).

From: Ansgar -59cobalt- Wiechers on 1 Feb 2008 08:43

Todd H. <comphelp(a)toddh.net> wrote:
> "Sebastian G." <seppi(a)seppig.de> writes:
>> In terms of spoofing, it creates a wonderful DoS condition that even
>> the most stupid script kiddie can trigger. However, defense against
>> misconfiguration by other means (validation, anomaly analysis,
>> policies).
>
> Which might be an acceptable risk for certain environments.

No.

> Bad for an ecommerce website, perhaps a value add for, say, a
> university campus where an IP being locked out for 15 minutes isn't
> the end of the world.

Try a "host 198.41.0.4" (or "nslookup 198.41.0.4"). Does that name ring a bell? Now let us assume someone were to trigger the IPS condition by sending a maliciously crafted packet with this source address (as well as twelve more packets with addresses of the other twelve servers). Let us further assume that said someone were to repeat sending these thirteen (in words "thirteen") packets every, say, 15 minutes. What do you think would happen to your university campus' internet access in a situation like that?

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of their architecture they should go back and re-architect their solution."
--Mark Russinovich

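The self-inflicted DoS discussed in this thread comes from banning whatever source address a single offending packet claims. The following is an added example, not code from any of the posters: a minimal Python model of an IPS ban decision comparing that naive policy with one that never bans protected addresses and bans only sources confirmed by a completed TCP handshake. The alert fields, the policy names and every address except 198.41.0.4 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy: sources that must never be auto-banned. 198.41.0.4 is the
# address named in the thread; 192.0.2.0/24 is a documentation range standing in
# for a hypothetical upstream partner network.
NEVER_BAN = [ipaddress.ip_network(n) for n in ("198.41.0.4/32", "192.0.2.0/24")]

@dataclass(frozen=True)
class Alert:
    src: str           # source address claimed by the packet header
    proto: str         # "tcp" or "udp"
    established: bool  # True only if a completed TCP handshake with src was seen
    signature: str     # name of the rule that fired

def naive_policy(alert):
    """Ban whatever source address the offending packet claims."""
    return ("ban-source", "signature matched")

def hardened_policy(alert):
    """Ban a source only when its address is credible and not protected."""
    addr = ipaddress.ip_address(alert.src)
    if any(addr in net for net in NEVER_BAN):
        return ("drop-packet", "protected source, never banned")
    if alert.proto != "tcp" or not alert.established:
        return ("drop-packet", "source address unverified, possibly spoofed")
    return ("ban-source", "handshake completed, source address credible")

def banned_sources(policy, alerts):
    """Set of source addresses that would end up on the block list."""
    return {a.src for a in alerts if policy(a)[0] == "ban-source"}

# Constructed alerts: two single packets with forged sources, one real session.
SAMPLE_ALERTS = [
    Alert("198.41.0.4", "udp", False, "crafted-packet"),
    Alert("203.0.113.77", "udp", False, "crafted-packet"),
    Alert("203.0.113.9", "tcp", True, "sql-injection"),
]

if __name__ == "__main__":
    for name, policy in (("naive", naive_policy), ("hardened", hardened_policy)):
        print(name, sorted(banned_sources(policy, SAMPLE_ALERTS)))
```

Under the naive policy all three sources are banned, including the root server address; under the hardened policy the offending packets are still dropped but only the session with a verified source is banned.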