In today's organizations, attacks come from everywhere. As cliché as it sounds, networks are borderless, and because of this organizations face more sophisticated threats. As networks evolve, many organizations struggle to have intrusion prevention and other security architecture evolve at the same pace. Visibility is everything: you must be able to detect and respond to threats before they cause significant damage. The following entry is all about how to gain visibility into the different areas of the network.
IPS Overview
Wikipedia defines Intrusion Prevention Systems as a "network security appliance that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about said activity, attempt to block/stop activity, and report activity."
By deploying IPS, organizations are able to identify, classify, and stop malicious traffic, including worms, spyware/adware, network viruses, and application abuse, before it affects business continuity.
Internet Border & DMZ
The most common place to insert an IPS is at an organization's internet border(s) and DMZ(s). The following are some of the options for placing an IPS to protect an internet border and DMZ.
IPS Outside of Firewall
This architecture places the IPS outside of the internet firewall. It was one of the first architectures proposed when IPS came to market, but it is not very common in today's environments.
Pros:
- Early indication of reconnaissance/scanning activity
- Requires fewer interfaces to inspect traffic sourced from or destined to the DMZ and Internal Network
Cons:
- Destination/victim addresses will be NATed, requiring research to determine which device inside the organization is being attacked.
- Source/attacker addresses from inside the organization will be NATed, requiring additional research to track down the source of any malicious traffic leaving the organization.
- Inspection of traffic that the firewall will drop anyway creates excess false positives.
- No visibility of insider traffic destined to the DMZ
[Figure: IPS Placed Outside of the Firewall]
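The two NAT cons above are what an analyst has to work through every time a sensor outside the firewall fires: the event carries the public address, and the firewall's translation log holds the mapping back to the real host. The script below is an added example (not from the original post or from any vendor) of doing that correlation automatically. The NAT log format, the IPS event format and all addresses are constructed for the example; 203.0.113.0/24 is assumed to be the organization's public range, and a translation is only accepted if it was created before the event and within a five-minute window.

```python
"""Map NATed addresses in IPS events back to the real inside host using a
firewall NAT translation log.  Log formats and data are constructed."""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: the organization's public (post-NAT) address block.
ORG_PUBLIC = ip_network("203.0.113.0/24")

# Constructed firewall NAT translation log: inside host:port -> outside ip:port.
NAT_LOG = """\
2024-05-01T10:00:01 NAT inside=10.1.20.15:51234 outside=203.0.113.5:51234 proto=tcp
2024-05-01T10:00:02 NAT inside=10.1.20.77:40001 outside=203.0.113.5:40001 proto=tcp
2024-05-01T10:00:03 NAT inside=10.1.30.8:22 outside=203.0.113.10:22 proto=tcp
"""

# Constructed IPS events as a sensor outside the firewall sees them:
# only the public (NATed) addresses are visible.
IPS_EVENTS = """\
2024-05-01T10:00:05 sig=2000 src=198.51.100.9:4444 dst=203.0.113.10:22 action=drop
2024-05-01T10:00:06 sig=3001 src=203.0.113.5:40001 dst=198.51.100.50:80 action=alert
2024-05-01T10:00:07 sig=4100 src=198.51.100.9:5555 dst=203.0.113.99:443 action=alert
"""

NAT_RE = re.compile(
    r"^(?P<ts>\S+) NAT inside=(?P<in_ip>[\d.]+):(?P<in_port>\d+) "
    r"outside=(?P<out_ip>[\d.]+):(?P<out_port>\d+) proto=(?P<proto>\w+)$"
)
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) sig=(?P<sig>\d+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_nat_log(text):
    """Build {(outside_ip, outside_port): [(created_at, inside_ip, inside_port), ...]}."""
    table = {}
    for line in text.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue  # ignore lines that are not translation records
        key = (m["out_ip"], int(m["out_port"]))
        table.setdefault(key, []).append(
            (datetime.fromisoformat(m["ts"]), m["in_ip"], int(m["in_port"]))
        )
    return table


def lookup(table, ip, port, when, window):
    """Return 'inside_ip:port' that owned (ip, port) at time `when`, or None.
    The newest translation created before the event and still inside the window wins."""
    best = None
    for created, in_ip, in_port in table.get((ip, port), []):
        if created <= when <= created + window and (best is None or created > best[0]):
            best = (created, in_ip, in_port)
    return None if best is None else f"{best[1]}:{best[2]}"


def resolve_events(nat_log, ips_events, window=timedelta(minutes=5)):
    """Annotate each IPS event with the real inside addresses where the NAT log
    allows it, and flag events where an organization address could not be mapped
    (those are the ones that still need manual research)."""
    table = parse_nat_log(nat_log)
    results = []
    for line in ips_events.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        when = datetime.fromisoformat(m["ts"])
        real_src = lookup(table, m["src"], int(m["sport"]), when, window)
        real_dst = lookup(table, m["dst"], int(m["dport"]), when, window)
        unresolved_org = (
            (ip_address(m["src"]) in ORG_PUBLIC and real_src is None)
            or (ip_address(m["dst"]) in ORG_PUBLIC and real_dst is None)
        )
        results.append({
            "sig": int(m["sig"]),
            "observed": f'{m["src"]}:{m["sport"]} -> {m["dst"]}:{m["dport"]}',
            "real_src": real_src,
            "real_dst": real_dst,
            "needs_research": unresolved_org,
        })
    return results


if __name__ == "__main__":
    for ev in resolve_events(NAT_LOG, IPS_EVENTS):
        print(ev)
```

Events whose public address is not covered by any translation within the window (the third constructed event) are flagged rather than guessed, which is exactly the research cost the placement incurs; sensors placed inside the firewall, as in the next two architectures, log the inside addresses directly and need no such step.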
IPS Inside of Firewall for DMZ and Internal Network
This architecture places the IPS inside of the internet firewall, protecting both the Internal Network and DMZ segments.
Pros:
- Only inspects traffic that the firewall allows into the network (minimizing false positives)
- Events will include real IP addresses and not NATed IPs.
- Differentiates traffic to/from the DMZ and Internal segments.
Cons:
- Requires 2 IPSs or an IPS with enough interfaces to protect both segments.
- Traffic between the Internal Network and the DMZ will be inspected twice.
[Figure: IPS Placed Inside the Firewall]
IPS Software or Module in the Firewall
With the growing popularity of Unified Threat Management (UTM), this architecture is becoming extremely common. It places the IPS functionality inside the internet firewall, protecting both the Internal Network and DMZ segments without a separate appliance.
Pros:
- No additional appliance required, saving rack space and energy.
- Events will include real IP addresses and not NATed IPs.
- Differentiates traffic to/from the DMZ and Internal segments.
Cons:
- Some manufacturers limit the throughput of the integrated IPS (just be sure that the integrated IPS will support the required bandwidth).
[Figure: IPS Software or Module in the Firewall]
Data Center
One of the most important assets an organization has is its data. Most data is stored on servers located in a data center. This is why placing an IPS between users and the data center is becoming a must-have for organizations.
Most designs place the IPS at the most central point of the data center (typically the distribution or core layers). The challenge when deploying IPS in a data center is keeping the same levels of redundancy and throughput the data center already has. This can be accomplished by using EtherChannel load balancing across separate IPS appliances. For more information on Cisco IPS in the Data Center with EtherChannel load balancing, please read Jamey Heary's blog post on the topic.
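EtherChannel load balancing only works for an IPS if the hash that picks the channel member is symmetric: a stateful sensor has to see both directions of a TCP session, so A->B and B->A must land on the same appliance. The script below is an added example (not from the original post, from Cisco, or from the linked blog) that simulates two hashing policies over a handful of constructed flows and also counts how many flows are rehashed onto a different sensor when one member of a four-appliance channel fails. The XOR-of-addresses policy mirrors the idea behind a src-dst-ip hash (XOR is commutative); real switch hardware uses only a few low-order bits and may add other fields, so the numbers are illustrative, not a prediction for any specific platform.

```python
"""Simulate EtherChannel member selection for IPS appliances.  Flows and
policies are constructed for the example; they do not reproduce any vendor's
exact hash."""
from ipaddress import ip_address

SENSOR_COUNT = 4  # assumed number of IPS appliances in the channel

# Constructed flows: (client, server) pairs between a user block and a data-center block.
FLOWS = [
    ("10.1.1.10", "10.2.2.20"),
    ("10.1.1.11", "10.2.2.20"),
    ("10.1.1.16", "10.2.2.20"),
    ("10.1.1.13", "10.2.2.22"),
]


def src_ip_policy(src, dst, n):
    """Pick a member from the source address only.  The reverse direction of a
    session has the other host as source, so the two directions can diverge."""
    return int(ip_address(src)) % n


def src_dst_ip_policy(src, dst, n):
    """Pick a member from the XOR of both addresses.  XOR is commutative, so
    (src, dst) and (dst, src) always select the same member."""
    return (int(ip_address(src)) ^ int(ip_address(dst))) % n


def count_symmetric(flows, policy, n):
    """Number of flows whose forward and reverse directions hit the same sensor."""
    return sum(1 for c, s in flows if policy(c, s, n) == policy(s, c, n))


def count_moved_on_failure(flows, policy, n):
    """Number of flows that are rehashed to a different sensor when the channel
    shrinks from n members to n-1 (one appliance lost)."""
    return sum(1 for c, s in flows if policy(c, s, n) != policy(c, s, n - 1))


def report(flows, n=SENSOR_COUNT):
    """Per-policy summary of symmetry and failover churn."""
    out = {}
    for name, policy in (("src-ip", src_ip_policy), ("src-dst-ip", src_dst_ip_policy)):
        out[name] = {
            "symmetric_flows": count_symmetric(flows, policy, n),
            "moved_on_failure": count_moved_on_failure(flows, policy, n),
        }
    return out


if __name__ == "__main__":
    for name, stats in report(FLOWS).items():
        print(f"{name:>10}: {stats}")
```

The symmetry count is the property to verify on a real deployment (a capture on each sensor interface should show both directions of every session); the failover count shows why redundancy is not free, since losing a member moves existing sessions onto sensors that have no state for them, and those sessions are inspected as mid-stream traffic until they are re-established.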
Remote Sites
Often forgotten, remote sites are an important part of an IPS deployment strategy. Advancements in WAN technology, like MPLS, allow any-to-any access, which creates a gap in visibility. The challenges of deploying IPS to remote sites include power, rack space, operations support, and cost. The following are the options for deploying IPS to remote sites:
IPS Appliance for each remote site
Pros:
- Full-featured IPS
- Scalable bandwidth for all sizes of remote offices.
Cons:
- Cost of a dedicated appliance, rack space and power
- Management and deployment of the appliance
IOS IPS running on the router at each remote site
Pros:
- Low cost
- No additional hardware
- Managed with existing router management tools
Cons:
- Does not have full-featured IPS code
- Limited number of signatures
- Can affect performance of the router
- Must run supported software and router
IPS Module inside the router at each remote site
Pros:
- Full-featured IPS
- Low cost
- No additional rack mount units (the module fits in the router)
Cons:
- Bandwidth is limited
- Must have a supported router