Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: location of an IPS

from [Swift, David] Network Security [Permanent Link]
Subject: RE: location of an IPS
Date: Thu, 20 Oct 2005 07:23:06 -0700 
Where to put an IPS depends on your network and what you want to do with
it.

Most IPS's need L2 connectivity to a LAN segment if you want to monitor
it. So...if your looking to monitor internal traffic, it will sit south
(protected side) of your firewall. At L3/Routing, an alternate path not
through the device (or dropping of broadcasts), may prevent the IPS from
seeing the attack.

Likewise you may have VPN termination on the firewall, and an IPS cannot
detect events in encrypted traffic streams (unless it is the VPN
termination point itself), so the device may be installed south of the
VPN concentrator.

Alternatively however, since most IPS boxes can also do DoS and DDoS
mitigation, you may want it north (unprotected side) of your firewall to
help screen/drop DoS/DDoS attacks.  

-----Original Message-----
From: Doug Fox [mailto:dfox168@hotmail.com] 
Sent: Wednesday, October 19, 2005 3:58 PM
To: focus-ids@securityfocus.com
Subject: location of an IPS

I'm sorry for this dumb question, which may have been answered many
times.

Where should one place an TippingPoint Unity 50 IPS device?  Behind or
in 
front of a firewall?

I have a/the TippingPoint behind a Check Point firewall. Even though we 
externally and internally port-scanned the firewall and the IPS many
times, 
the activity log did not contain any record of the "attacks".

What am I missing here?  Any pointers are appreciated.

Thanks,

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: location of an IPS, Derick Anderson
Next by Date:  Re: TippingPoint and its filters, Paul Schmehl
Previous by Thread:  RE: location of an IPS, Derick Anderson
Next by Thread:  RE: location of an IPS, kgeorgiades
Indexes:  [Date] [Thread] [Top] [All Lists]