Where Is the Proper Place to Deploy an IPS?

This question is best answered in front of a whiteboard, and the answer is not clear-cut. The key is to focus on which assets the organization wishes to protect and from where. In general, you want to use your IDP to reinforce the overall security policy. Interviewers may provide a diagram similar to Figure 7-3. Your IDP should not only monitor and block malicious traffic but also be used to document attacks for later prosecution. Your IDP should also be a means to check your border router and firewall rules to ensure that you are blocking traffic correctly. A good model today is one in which you have multiple modes of operation and an immediate response to an attack.



As shown in Figure 7-4, the correct locations would be inline above the firewall, with spanned ports on each DMZ and one on the inside of the firewall. Be sure to add a caveat. A good final response to the interviewer would be that, in your experience, the best place for an IDP is the place where you could look at the logs most frequently. With an IDP in front of the firewall, you will know what attacks are hitting you, but you will have a lot of data to analyze. In addition, the use of NAT on your firewall will make tracking inside addresses difficult. With the IDP behind the firewall, the attacks detected are the ones that made it through your firewall, and you will have a significantly lower number of attacks to analyze. However, in this configuration, you will not have all the information available for trends, which could lead to a false sense of security.
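
The two placements complement each other when their alerts are correlated. The following Python code is an added example, not part of the original text: it maps alerts from a sensor in front of the firewall to inside addresses through a NAT table and reports which of them also fired on the sensor behind the firewall, which is the check on firewall rules described above. The alert fields, addresses, NAT table and five-second window are constructed assumptions; it also assumes destination NAT only (source addresses unchanged) and synchronized sensor clocks.

```python
from collections import namedtuple

Alert = namedtuple("Alert", "ts src dst dport sig")

# Constructed static NAT table: public address -> inside address (assumed values).
NAT = {"203.0.113.10": "10.1.1.10", "203.0.113.20": "10.1.2.20"}

# Constructed alerts from the sensor in front of the firewall (public addresses).
OUTSIDE = [
    Alert(100, "198.51.100.7", "203.0.113.10", 80, "sql-injection"),
    Alert(105, "198.51.100.7", "203.0.113.10", 23, "telnet-bruteforce"),
    Alert(110, "198.51.100.9", "203.0.113.20", 25, "smtp-overflow"),
    Alert(120, "198.51.100.9", "203.0.113.99", 445, "smb-scan"),
]
# Constructed alerts from the sensor behind the firewall (inside addresses).
INSIDE = [
    Alert(101, "198.51.100.7", "10.1.1.10", 80, "sql-injection"),
    Alert(111, "198.51.100.9", "10.1.2.20", 25, "smtp-overflow"),
]

def correlate(outside, inside, nat, window=5):
    """Split outside alerts into those that also fired inside (passed the
    firewall) and those seen only outside (blocked, or no NAT mapping)."""
    passed, outside_only = [], []
    for o in outside:
        real_dst = nat.get(o.dst)  # None when no translation exists
        match = next((i for i in inside
                      if i.dst == real_dst and i.src == o.src
                      and i.dport == o.dport and i.sig == o.sig
                      and 0 <= i.ts - o.ts <= window), None)
        if match:
            passed.append((o.sig, o.src, o.dst, real_dst, o.dport))
        else:
            outside_only.append((o.sig, o.src, o.dst, o.dport))
    return passed, outside_only

if __name__ == "__main__":
    passed, outside_only = correlate(OUTSIDE, INSIDE, NAT)
    for sig, src, pub, real, port in passed:
        print(f"PASSED firewall: {sig} {src} -> {pub} (inside {real}):{port}")
    for sig, src, pub, port in outside_only:
        print(f"outside only:    {sig} {src} -> {pub}:{port}")
```

The "passed" list is the short, high-priority queue the inside sensor gives you, now tied back to the public address that was targeted; the "outside only" list is the trend data you would lose with an inside-only deployment.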