The Place of the IPS

mralhashim83 Posts: 11, Member
Greetings gentlemen,

Can anyone help on where the usual place to install the IPS appliance is? Is it in the middle between two networks, or could it be anywhere as long as it is connected to the network, like the Wireless Controller for example?

Thanks for your support.

Comments

  • gorebrush Posts: 2,741, Member
    IPS is usually placed inline - so one cable in, one out. Inline means that packets can be stopped and dropped transparently if they are deemed to be naughty.

    IDS on the other hand is placed somewhere away from the production network, and in general if a Cisco network is involved, I know that a SPAN port is configured to blindly send all traffic to the IDS.

    The difference here is that the IDS can only generate alerts based on traffic it has inspected, and does not have the ability to stop it.
  • mralhashim83 Posts: 11, Member
    gorebrush wrote:
    IPS is usually placed inline - so one cable in, one out. Inline means that packets can be stopped and dropped transparently if they are deemed to be naughty.

    IDS on the other hand is placed somewhere away from the production network, and in general if a Cisco network is involved, I know that a SPAN port is configured to blindly send all traffic to the IDS.

    The difference here is that the IDS can only generate alerts based on traffic it has inspected, and does not have the ability to stop it.

    Thanks gorebrush for your help.

    In this case, is there any way to just connect it to the network like a WLC or some proxy servers?
  • docrice Posts: 1,706, Member
    An IPS or IDS sensor can be placed anywhere on the network where you have concerns regarding security of important assets. Often it's at common network chokepoints like firewalls and routers (one or both sides), but that really depends on priorities of what you're trying to cover.

    Here's an old thread I commented on:

    http://www.techexams.net/forums/security/86553-ids-vs-ips.html

    While SPANs work fine, taps are more ideal. You don't see frame errors out of SPANs, for example, and technically if the switch providing the SPAN is oversubscribed on the backplane, you could be missing packets and your sensor visibility will be reduced. Being selective about which source ports are mirrored to the destination SPAN port helps in this regard when practical.

    In many cases, there are IPS modules available for firewall appliances (which technically makes them inline in a sense, but can be set for detection only), but in my experience these tend to be much more limited compared to purpose-built IPS/IDS appliances.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • mralhashim83 Posts: 11, Member
    Thanks gentlemen for your help.

    OK. Here is the scenario: our scope of work is to add 11 buildings with access switches to an existing network. These access switches will be connected with redundant links to two PE routers of the MPLS owned by our client, who has also requested to add an IPS appliance to the scope. The following options are in my mind and I would appreciate it if you could recommend which one is better.

    A) Install the IPS in one of the access buildings in Promiscuous Mode (sensing only).

    B) Install an IPS in each access building in Promiscuous Mode (sensing only).

    C) Install the IPS in each access building in Inline Mode between the access switch and the PE router.

    D) Install the IPS after the PE router (not sure if it will work and filter only the traffic of the 11 access switches).

    Thank you in advance
  • docrice Posts: 1,706, Member
    It boils down to two major considerations:

    1) Inline or not. Is the IPS system going to be treated essentially as a set-and-forget approach with blind trust to the configured ruleset and factory tuning? Is the purpose to actually detect threats at a low-level, baseline the network, analyze events, and apply appropriate incident response processes? Most IPS users fall into one or the other. IPS systems have a higher potential of false positives depending on customer tuning and expected traffic conditions and payloads. If the vendor gets it wrong with their rules, a false positive means an inline operation will block legitimate traffic. On the other hand, an overly-relaxed ruleset will miss attacks. Intrusion prevention and detection is not the same as firewall management, although many network engineers tend to treat it as such.

    2) What are you trying to protect? Server/application assets? Clients? What are the risk values over these and their priorities? What is the size of the staff to watch over this system and how familiar are they with this technology? What is the required inspection throughput? The latter will also be dependent on how much inspection you plan to do when sizing your sensors and figuring the cost.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
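A small model of the inline-versus-promiscuous distinction gorebrush describes and the false-positive cost docrice raises, added here as an illustration (not code from the thread): the same ruleset is run once as an inline IPS and once as a SPAN-fed IDS, with constructed packets and a deliberately over-broad rule.

```python
"""Added illustration (not from the thread): how one ruleset behaves when a sensor
runs inline (IPS, can drop) versus promiscuous/SPAN-fed (IDS, alert only).
All packets and rules below are constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    name: str
    dport: int
    pattern: bytes  # simple substring match on the payload


@dataclass
class Sensor:
    inline: bool  # True = in the path (IPS), False = promiscuous (IDS)
    rules: list
    alerts: list = field(default_factory=list)

    def process(self, pkt):
        """Return True if the packet continues on to its destination."""
        for rule in self.rules:
            if pkt.dport == rule.dport and rule.pattern in pkt.payload:
                self.alerts.append((rule.name, pkt.src, pkt.dst))
                if self.inline:
                    return False  # dropped transparently in the path
                # promiscuous: only a mirrored copy was inspected, the original already passed
        return True


# Constructed ruleset: one reasonable rule and one over-broad rule that false-positives
RULES = [
    Rule("sqli-union-select", 80, b"UNION SELECT"),
    Rule("broad-admin-path", 80, b"/admin"),  # too broad: matches legitimate admin use
]

# Constructed traffic: normal browsing, legitimate staff admin access, one attack attempt
TRAFFIC = [
    Packet("10.1.1.10", "10.2.2.20", 80, b"GET /index.html HTTP/1.1"),
    Packet("10.1.1.11", "10.2.2.20", 80, b"GET /admin/dashboard HTTP/1.1"),
    Packet("10.1.1.12", "10.2.2.20", 80, b"GET /search?q=1 UNION SELECT 1 HTTP/1.1"),
]


def run(inline):
    """Return (sources delivered, rule names alerted) for one sensor mode."""
    sensor = Sensor(inline=inline, rules=RULES)
    delivered = [p.src for p in TRAFFIC if sensor.process(p)]
    return delivered, [a[0] for a in sensor.alerts]
```

Inline, the over-broad rule silently blocks the staff member at 10.1.1.11 along with the attack; promiscuous, both packets reach the server and the analyst only sees two alerts to triage.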
  • mralhashim83 Posts: 11, Member
    docrice wrote:
    It boils down to two major considerations:

    1) Inline or not. Is the IPS system going to be treated essentially as a set-and-forget approach with blind trust to the configured ruleset and factory tuning? Is the purpose to actually detect threats at a low-level, baseline the network, analyze events, and apply appropriate incident response processes? Most IPS users fall into one or the other. IPS systems have a higher potential of false positives depending on customer tuning and expected traffic conditions and payloads. If the vendor gets it wrong with their rules, a false positive means an inline operation will block legitimate traffic. On the other hand, an overly-relaxed ruleset will miss attacks. Intrusion prevention and detection is not the same as firewall management, although many network engineers tend to treat it as such.

    2) What are you trying to protect? Server/application assets? Clients? What are the risk values over these and their priorities? What is the size of the staff to watch over this system and how familiar are they with this technology? What is the required inspection throughput? The latter will also be dependent on how much inspection you plan to do when sizing your sensors and figuring the cost.

    Thanks for the reply.

    Actually, it's the first time for our client to use this technology; that's why he just mentioned it in very general terms without even mentioning his specifications or requirements, so we will assume the usual steps since we are at the beginning of the design phase. Selecting one of the options above will be the starting point, which can be modified later on.
  • docrice Posts: 1,706, Member
    Your client is probably looking at IPS systems as a checkbox without understanding how it really works. This is not uncommon, but something that I think impacts proper planning for sizing and deployment. It's all centered around what it is that these devices are intended to accomplish. Managing an IPS/IDS system is not a push-button experience (although many vendors will market their offerings as such) and doing it right requires a lot of in-depth understanding of protocols, payloads, attacks, evasions, and threat-centric mindset. There's risk if it's going to be treated as a magic black box that sits inline and processes traffic without having it understand the context of the network.

    Good luck.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/