IPS Placement

on 31.01.2008 08:52:41 by arjunhegde

I am a bit confused about the placement of an IPS device. Considering a
500-user network with two servers (in a DMZ) for online business, with a
firewall at the gateway, I wanted to know where it would be best to place an
IPS device. Is it best to keep it in front of the firewall or behind the
firewall? Please help me out and recommend which IPS to go with.

thanks..

Re: IPS Placement

on 31.01.2008 12:30:57 by Sebastian Gottschalk

Arjun wrote:

> I am a bit confused about the placement of an IPS device. Considering a
> 500-user network with two servers (in a DMZ) for online business, with a
> firewall at the gateway, I wanted to know where it would be best to place an
> IPS device. Is it best to keep it in front of the firewall or behind the
> firewall? Please help me out and recommend which IPS to go with.

Well, if you already bought an IPS device, then consider it as a sunk cost
and place it inside the trash can, so at least it doesn't mess up anything.

If you haven't bought any yet, then please reconsider the idea. Reconsider
it once more, and then dump the obviously stupid idea of IPS.

Re: IPS Placement

on 31.01.2008 18:20:18 by comphelp

"Sebastian G." writes:

> Arjun wrote:
>
> > I am a bit confused about the placement of an IPS device. Considering a
> > 500-user network with two servers (in a DMZ) for online business, with a
> > firewall at the gateway, I wanted to know where it would be best to place an
> > IPS device. Is it best to keep it in front of the firewall or behind the
> > firewall? Please help me out and recommend which IPS to go with.
>
> Well, if you already bought an IPS device, then consider it as a sunk
> cost and place it inside the trash can, so at least it doesn't mess up
> anything.
>
> If you haven't bought any yet, then please reconsider the
> idea. Reconsider it once more, and then dump the obviously stupid idea
> of IPS.

Oh give us your reasons mighty Sebastian, for this week's edition of
"contrarian pedantry."

It's certainly true that IPS does little to prevent attackers that are
specifically targeting your organization. With enough time, the right
spoofable network connectivity, and a large enough botnet someone
targeting you isn't going to be chased away by IPS. However, IPS does
raise the level of the overall network such that you're no longer low
hanging fruit or nearly as vulnerable to the script kiddies in the
event of a misconfiguration.

Best Regards,
--
Todd H.
http://www.toddh.net/

Re: IPS Placement

on 31.01.2008 23:03:40 by Sebastian Gottschalk

Todd H. wrote:

> "Sebastian G." writes:
>
>> Arjun wrote:
>>
>>> I am a bit confused about the placement of an IPS device. Considering a
>>> 500-user network with two servers (in a DMZ) for online business, with a
>>> firewall at the gateway, I wanted to know where it would be best to place an
>>> IPS device. Is it best to keep it in front of the firewall or behind the
>>> firewall? Please help me out and recommend which IPS to go with.
>> Well, if you already bought an IPS device, then consider it as a sunk
>> cost and place it inside the trash can, so at least it doesn't mess up
>> anything.
>>
>> If you haven't bought any yet, then please reconsider the
>> idea. Reconsider it once more, and then dump the obviously stupid idea
>> of IPS.
>
> Oh give us your reasons mighty Sebastian, for this week's edition of
> "contrarian pedantry."


Very simple: Spoofing. Either you block legitimate hosts which have been
spoofed, or you let attacks from spoofed hosts through.

> However, IPS does
> raise the level of the overall network such that you're no longer low
> hanging fruit or nearly as vulnerable to the script kiddies in the
> event of a misconfiguration.


In terms of spoofing, it creates a wonderful DoS condition that even the
most stupid script kiddie can trigger. However, defense against
misconfiguration by other means (validation, anomaly analysis, policies).

Re: IPS Placement

on 01.02.2008 00:20:34 by comphelp

"Sebastian G." writes:

> Todd H. wrote:
>
> > "Sebastian G." writes:
> >
> >> Arjun wrote:
> >>
> >>> I am a bit confused about the placement of an IPS device. Considering a
> >>> 500-user network with two servers (in a DMZ) for online business, with a
> >>> firewall at the gateway, I wanted to know where it would be best to place an
> >>> IPS device. Is it best to keep it in front of the firewall or behind the
> >>> firewall? Please help me out and recommend which IPS to go with.
> >> Well, if you already bought an IPS device, then consider it as a sunk
> >> cost and place it inside the trash can, so at least it doesn't mess up
> >> anything.
> >>
> >> If you haven't bought any yet, then please reconsider the
> >> idea. Reconsider it once more, and then dump the obviously stupid idea
> >> of IPS.
> > Oh give us your reasons mighty Sebastian, for this week's edition of
> > "contrarian pedantry."
>
>
> Very simple: Spoofing. Either you block legitimate hosts which have
> been spoofed, or you let attacks from spoofed hosts through.
>
> > However, IPS does
> > raise the level of the overall network such that you're no longer low
> > hanging fruit or nearly as vulnerable to the script kiddies in the
> > event of a misconfiguration.
>
>
> In terms of spoofing, it creates a wonderful DoS condition that even
> the most stupid script kiddie can trigger. However, defense against
> misconfiguration by other means (validation, anomaly analysis,
> policies).

Which might be an acceptable risk for certain environments. Bad
for an ecommerce website, perhaps a value add for, say, a university
campus where an IP being locked out for 15 minutes isn't the end of
the world.

One size doesn't fit all, and without knowing the OP's environment, I
think yer an ass and technically inaccurate to toss the entire
technology out as "stupid."

Best Regards,
--
Todd H.
http://www.toddh.net/

Re: IPS Placement

on 01.02.2008 08:38:59 by Burkhard Ott

> One size doesn't fit all, and without knowing the OP's environment, I
> think yer an ass and technically inaccurate to toss the entire
> technology out as "stupid."


Sebastian is totally right. Would you say a technology is smart if you
don't need much brain to sabotage it?

cheers

Re: IPS Placement

on 01.02.2008 14:43:12 by Ansgar -59cobalt- Wiechers

Todd H. wrote:
> "Sebastian G." writes:
>> In terms of spoofing, it creates a wonderful DoS condition that even
>> the most stupid script kiddie can trigger. However, defense against
>> misconfiguration by other means (validation, anomaly analysis,
>> policies).
>
> Which might be an acceptable risk for certain environments.

No.

> Bad for an ecommerce website, perhaps a value add for, say, a
> university campus where an IP being locked out for 15 minutes isn't
> the end of the world.

Try a "host 198.41.0.4" (or "nslookup 198.41.0.4"). Does that name ring
a bell?

Now let us assume someone were to trigger the IPS condition by sending a
maliciously crafted packet with this source address (as well as twelve
more packets with addresses of the other twelve servers). Let us further
assume that said someone were to repeat sending these thirteen (in words
"thirteen") packets every, say, 15 minutes.

What do you think would happen to your university campus' internet
access in a situation like that?

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
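
The self-inflicted lockout discussed in this thread, as an added example that is not part of any post: a small model of an IPS auto-block decision, first blocking on any signature hit, then blocking only sources confirmed by a completed TCP handshake and never those on a never-block list. The class names, the policy flags, the never-block list and the sample events are all constructed for illustration; only the address 198.41.0.4 and the 15-minute lockout come from the thread.

```python
import ipaddress
from dataclasses import dataclass, field

# Address quoted in the thread; treating it as "never block" is this example's assumption.
NEVER_BLOCK = [ipaddress.ip_network("198.41.0.4/32")]
BLOCK_SECONDS = 15 * 60  # lockout duration mentioned in the thread

@dataclass
class Event:
    ts: int               # seconds since start of capture
    src: str              # source address as seen on the wire
    proto: str            # "udp" or "tcp"
    handshake_done: bool  # True only if a TCP three-way handshake completed
    signature_hit: bool   # True if an IPS signature matched

@dataclass
class BlockList:
    verified_only: bool = False    # block a source only if it cannot be a blind spoof
    use_never_block: bool = False  # honour NEVER_BLOCK
    blocked: dict = field(default_factory=dict)  # src -> expiry timestamp

    def handle(self, ev: Event) -> str:
        if not ev.signature_hit:
            return "pass"
        addr = ipaddress.ip_address(ev.src)
        # The offending packet is dropped either way; the question is
        # whether the *source address* earns a timed lockout.
        if self.use_never_block and any(addr in net for net in NEVER_BLOCK):
            return "drop-packet-only"
        if self.verified_only and not (ev.proto == "tcp" and ev.handshake_done):
            return "drop-packet-only"
        self.blocked[ev.src] = ev.ts + BLOCK_SECONDS
        return "block-source"

    def is_blocked(self, src: str, now: int) -> bool:
        return self.blocked.get(src, 0) > now

# Constructed sample events (documentation addresses except the one from the thread).
EVENTS = [
    Event(0, "198.41.0.4", "udp", False, True),   # single packet, source unverifiable
    Event(5, "203.0.113.77", "tcp", True, True),  # established session, source verified
    Event(9, "192.0.2.10", "udp", False, False),  # no signature match
]

def run(policy: BlockList) -> list:
    return [policy.handle(e) for e in EVENTS]

if __name__ == "__main__":
    print("naive:   ", run(BlockList()))
    print("hardened:", run(BlockList(verified_only=True, use_never_block=True)))
```
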