RE: location of an IPS
From: Gary Halleen (ghalleen) (ghalleen_at_cisco.com)
Date: 10/20/05
- Previous message: Gary Halleen (ghalleen): "RE: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor"
- Maybe in reply to: Doug Fox: "location of an IPS"
- Next in thread: FinAckSyn: "Re: location of an IPS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 19 Oct 2005 22:16:06 -0700 To: "Doug Fox" <dfox168@hotmail.com>, <focus-ids@securityfocus.com>
I can't answer your question regarding why the TippingPoint didn't fire
when you portscanned. However, it sounds like a rule wasn't enabled.
As to where to deploy an IPS, in my opinion this depends greatly on what
you're using to monitor it. Using traditional monitoring tools, or even
most SIM products, it makes sense to place the IPS behind the firewall.
When placed before the firewall, you'll be overwhelmed with event logs.
On the other hand, if you're using a monitoring solution that is aware
of the network topology, like Cisco's MARS, then it often does make
sense to place an IPS or IDS before the firewall. This is because your
monitoring solution will use the IDS/IPS to classify the traffic that is
arriving on the outside interface of the firewall, and correlate it with
the denied traffic being logged from the firewall, effectively reducing
the number of security events that need to be analyzed by a human. It
is able to determine that this bad traffic was denied entry to your
network. Bad traffic (as determined by the IDS/IPS) that the firewall
allows to pass will be treated differently, and you'll be able to report
on it. You'll also be able to correlate that traffic with any security
events generated by the traffic from other monitored devices on the
network, including things like Host-based IPS, antivirus, web server
logs, router and switch logs, and OS logs.
Gary
-----Original Message-----
From: Doug Fox [mailto:dfox168@hotmail.com]
Sent: Wednesday, October 19, 2005 1:58 PM
To: focus-ids@securityfocus.com
Subject: location of an IPS
I'm sorry for this dumb question, which may have been answered many
times.
Where should one place an TippingPoint Unity 50 IPS device? Behind or
in front of a firewall?
I have a/the TippingPoint behind a Check Point firewall. Even though we
externally and internally port-scanned the firewall and the IPS many
times, the activity log did not contain any record of the "attacks".
What am I missing here? Any pointers are appreciated.
Thanks,
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
- Previous message: Gary Halleen (ghalleen): "RE: Cisco IDS 4250 vs Sourcefire IS3000 + RNA Sensor"
- Maybe in reply to: Doug Fox: "location of an IPS"
- Next in thread: FinAckSyn: "Re: location of an IPS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
