IDS mailing list archives

RE: location of an IPS


From: "Gary Halleen (ghalleen)" <ghalleen () cisco com>
Date: Wed, 19 Oct 2005 22:16:06 -0700

I can't answer your question regarding why the TippingPoint didn't fire
when you portscanned.  However, it sounds like a rule wasn't enabled.

As to where to deploy an IPS, in my opinion this depends greatly on what
you're using to monitor it.  Using traditional monitoring tools, or even
most SIM products, it makes sense to place the IPS behind the firewall.
When placed before the firewall, you'll be overwhelmed with event logs.

On the other hand, if you're using a monitoring solution that is aware
of the network topology, like Cisco's MARS, then it often does make
sense to place an IPS or IDS before the firewall.  This is because your
monitoring solution will use the IDS/IPS to classify the traffic that is
arriving on the outside interface of the firewall, and correlate it with
the denied traffic being logged from the firewall, effectively reducing
the number of security events that need to be analyzed by a human.  It
is able to determine that this bad traffic was denied entry to your
network.  Bad traffic (as determined by the IDS/IPS) that the firewall
allows to pass will be treated differently, and you'll be able to report
on it.  You'll also be able to correlate that traffic with any security
events generated by the traffic from other monitored devices on the
network, including things like Host-based IPS, antivirus, web server
logs, router and switch logs, and OS logs.

Gary
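Gary's correlation idea above, written out as an added example (not code from the original post or from any Cisco or TippingPoint product): alerts from an IDS on the firewall's outside interface are joined to the firewall's own accept/deny log, so alerts on flows the firewall denied are demoted and only those it passed, or never logged, stay in the human review queue. The alert fields, log line layout and sample values are constructed for this example.

```python
import re

# Constructed sample data (not real product output): IDS alerts from the
# firewall's outside interface and the firewall's own connection log.
IDS_ALERTS = [
    {"ts": 1001, "src": "203.0.113.10", "dst": "198.51.100.5", "dport": 445, "sig": "SMB probe"},
    {"ts": 1002, "src": "203.0.113.10", "dst": "198.51.100.5", "dport": 80, "sig": "HTTP traversal"},
    {"ts": 1003, "src": "203.0.113.77", "dst": "198.51.100.9", "dport": 22, "sig": "SSH brute force"},
    {"ts": 1050, "src": "203.0.113.99", "dst": "198.51.100.9", "dport": 23, "sig": "Telnet probe"},
]
# Assumed layout: "<ts> <DENY|ACCEPT> <src> <dst> <dport>"; malformed lines are skipped.
FIREWALL_LOG = """\
1001 DENY 203.0.113.10 198.51.100.5 445
1002 ACCEPT 203.0.113.10 198.51.100.5 80
1003 DENY 203.0.113.77 198.51.100.9 22
1004 ACCEPT 203.0.113.50 198.51.100.5 443
"""
FW_LINE = re.compile(r"^(\d+)\s+(DENY|ACCEPT)\s+(\S+)\s+(\S+)\s+(\d+)$")

def parse_firewall_log(text):
    """Parse firewall decisions into dicts; lines that do not match are dropped."""
    decisions = []
    for line in text.splitlines():
        m = FW_LINE.match(line.strip())
        if m:
            ts, action, src, dst, dport = m.groups()
            decisions.append({"ts": int(ts), "action": action, "src": src,
                              "dst": dst, "dport": int(dport)})
    return decisions

def correlate(alerts, decisions, window=5):
    """Label each alert with the firewall's verdict on the same (src, dst, dport) flow."""
    results = []
    for a in alerts:
        verdict = "unknown"  # no firewall record within `window` seconds
        for d in decisions:
            same_flow = (d["src"], d["dst"], d["dport"]) == (a["src"], a["dst"], a["dport"])
            if same_flow and abs(d["ts"] - a["ts"]) <= window:
                verdict = "blocked" if d["action"] == "DENY" else "passed"
                break
        # Denied flows are demoted; passed and unmatched flows stay high priority.
        results.append({**a, "verdict": verdict,
                        "priority": "low" if verdict == "blocked" else "high"})
    return results

def summarize(results):
    """Count alerts per verdict; only passed/unknown still need analyst attention."""
    counts = {"blocked": 0, "passed": 0, "unknown": 0}
    for r in results:
        counts[r["verdict"]] += 1
    return counts
```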


-----Original Message-----
From: Doug Fox [mailto:dfox168 () hotmail com] 
Sent: Wednesday, October 19, 2005 1:58 PM
To: focus-ids () securityfocus com
Subject: location of an IPS

I'm sorry for this dumb question, which may have been answered many
times.

Where should one place a TippingPoint Unity 50 IPS device?  Behind or
in front of a firewall?

I have a/the TippingPoint behind a Check Point firewall. Even though we
externally and internally port-scanned the firewall and the IPS many
times, the activity log did not contain any record of the "attacks".

What am I missing here?  Any pointers are appreciated.

Thanks,

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
