Firewall and IPS Deployment

Firewall and IPS Deployment

Ressa
Hi,

I was wondering if there are any considerations for deploying a firewall and IPS: should the IPS be in front of the firewall or behind the firewall? Please also add the pros and cons.

Regards,


Ressa
Registered Linux User Number 336566
Linux Newbie

The information is provided as is without warranty of any kind. In no event shall the writer be liable for any incidental, indirect or consequential damages of any kind, including, but not limited to : loss of business profits, police knocking on your door, computer crashes, sharks attack, temporary short-term memory loss (some cases reported recently), death of your pet or alien invasion...


     

Re: Firewall and IPS Deployment

Sam Stelfox-3
I strongly recommend you put it behind your firewall. By putting it
behind your firewall you will only get alerts for traffic that has
gotten through your firewall and as such the only things you should
really be concerned about. Either way an intrusion prevention system
will block all of the traffic that matches one of its rules. Since
intrusion prevention/detection systems tend to be rated for only a
certain amount of bandwidth throughput, it is a good idea strictly from
a hardware point of view to put it behind your firewall so less traffic
reaches it.

The only thing you gain by having the ips/ids outside of your firewall
is you will see /all/ of the bad traffic that floats around the
internet. We know it's there. We know it's not going to go away. Having
an ips/ids outside of your firewall is essentially like having a police
officer waiting in the middle of the street stopping every car and
running background checks on the drivers rather than just the ones who
pull up in your driveway. Weird analogy, I know, but it's the best I could
come up with.

Ressa wrote:

> Hi,
>
> i was wondering is there any consideration for deploying firewall and IPS. If the IPS should in front of firewall or behind the firewall, and please also add the pros and cons.
>
> Regards,
>
>
> Ressa
> Registered Linux User Number 336566
> Linux Newbie
>
> The information is provided as is without warranty of any kind. In no event shall the writer be liable for any incidental, indirect or consequential damages of any kind, including, but not limited to : loss of business profits, police knocking on your door, computer crashes, sharks attack, temporary short-term memory loss (some cases reported recently), death of your pet or alien invasion...
>
>
>      
>  


Re: Re: Firewall and IPS Deployment

praveen_recker
In reply to this post by Ressa
The flow for IDS should look like

Internetwork---->Firewall---->IDS

Firewall is used to block IP Addresses, Ports etc.

IDS/IPS on the other hand brings granularity. Suppose you are maintaining a web server; then you'll allow data on port 80. Some malicious user sends an attack towards your web server. The firewall will allow that data, but the IDS will raise an alarm if the respective signature exists, and in the case of an IPS it might even RESET the session based upon the signature.

If you put the IDS in front of the firewall then it has to analyse all the data (from port 0 to 65535), which is real wastage, and the IDS/IPS might not have good performance. IT IS ALWAYS PREFERABLE TO USE IDS/IPS AFTER FIREWALL.

Praveen Darshanam,
Security Researcher,
INDIA

Re: Re: Firewall and IPS Deployment

stcroix111
In reply to this post by Ressa
I agree that an IPS should be kept inside the firewall. I like to deploy an IDS outside of the firewall tuned specifically for critical traffic to/from critical devices. For example, I want to see who or what is trying to peer with our BGP sessions.
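
The placement trade-off argued in the replies above, as an added illustration that is not part of the original thread: the same flows are run through a sensor in front of the firewall, a sensor behind it, and a narrowly tuned outside IDS that only watches BGP (tcp/179). The flows, addresses, firewall policy and signature tags are all constructed for the example.

```python
# Constructed sample flows: (src, dst, proto, dport, payload_tag). Not real traffic.
FLOWS = [
    ("198.51.100.7",  "203.0.113.10", "tcp", 80,   "sqli"),
    ("198.51.100.8",  "203.0.113.10", "tcp", 80,   "benign"),
    ("198.51.100.9",  "203.0.113.10", "tcp", 445,  "worm"),
    ("198.51.100.9",  "203.0.113.11", "tcp", 445,  "worm"),
    ("198.51.100.12", "203.0.113.10", "tcp", 22,   "bruteforce"),
    ("198.51.100.20", "203.0.113.1",  "tcp", 179,  "bgp-open"),
    ("198.51.100.30", "203.0.113.10", "udp", 1434, "worm"),
    ("198.51.100.31", "203.0.113.10", "tcp", 80,   "benign"),
]

# Hypothetical firewall policy: only the web server on tcp/80 is reachable.
FIREWALL_ALLOW = {("203.0.113.10", "tcp", 80)}
# Hypothetical signature set: payload tags the sensor has a rule for.
SIGNATURES = {"sqli", "worm", "bruteforce"}
BGP = ("tcp", 179)

def firewall_pass(flow):
    """True if the (hypothetical) firewall policy lets this flow through."""
    _, dst, proto, dport, _ = flow
    return (dst, proto, dport) in FIREWALL_ALLOW

def sensor(flows, only=None):
    """Return (inspected, alerts); `only` limits the sensor to a set of (proto, dport)."""
    inspected = [f for f in flows if only is None or (f[2], f[3]) in only]
    return inspected, [f for f in inspected if f[4] in SIGNATURES]

def compare(flows):
    # Sensor in front of the firewall inspects everything that arrives.
    out_seen, out_alerts = sensor(flows)
    # Sensor behind the firewall inspects only what the policy permits.
    in_seen, in_alerts = sensor([f for f in flows if firewall_pass(f)])
    # Outside alerts for traffic the firewall would have dropped anyway.
    noise = [a for a in out_alerts if not firewall_pass(a)]
    # Outside IDS tuned to one critical service: who is trying to peer over BGP.
    bgp_seen, _ = sensor(flows, only={BGP})
    return {
        "outside_inspected": len(out_seen), "outside_alerts": len(out_alerts),
        "inside_inspected": len(in_seen), "inside_alerts": len(in_alerts),
        "noise_alerts": len(noise), "bgp_inspected": len(bgp_seen),
        "bgp_sources": [f[0] for f in bgp_seen],
    }

if __name__ == "__main__":
    for key, value in compare(FLOWS).items():
        print(f"{key}: {value}")
```
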

Re: Firewall and IPS Deployment

dan.crowley
In reply to this post by Ressa
Apparently this question was posted to this list some time ago. A good reply post can be found at:

http://seclists.org/basics/2004/May/0158.html

Re: Firewall and IPS Deployment

David Gadoury
In reply to this post by Ressa
I'll piggyback on this question. What are the list's thoughts on IPS
built into firewalls?

Thanks

On Fri, Feb 13, 2009 at 2:36 AM, Ressa <[hidden email]> wrote:

> Hi,
>
> i was wondering is there any consideration for deploying firewall and IPS. If the IPS should in front of firewall or behind the firewall, and please also add the pros and cons.
>
> Regards,
>
>
> Ressa
> Registered Linux User Number 336566
> Linux Newbie
>
> The information is provided as is without warranty of any kind. In no event shall the writer be liable for any incidental, indirect or consequential damages of any kind, including, but not limited to : loss of business profits, police knocking on your door, computer crashes, sharks attack, temporary short-term memory loss (some cases reported recently), death of your pet or alien invasion...
>
>
>
>

Re: Firewall and IPS Deployment

aditya mukadam
In reply to this post by Ressa
Ressa,

I'm sure you would have got some idea based on the responses received
to your question.

My view:

The deployment depends on:
1) security requirement
2) amount of traffic on the outside and inside segment
3) type of equipment you want to use

* It is highly recommended to deploy IPS between your local LAN and
the Corporate/Internet Firewall.
* IPS can be deployed in front of the Internet Firewall; however, you
need to determine the amount of traffic this IPS would get. For
example, if you expect a lot of internet worm/virus etc. traffic then you
need a higher-end IPS facing the internet.
* Separate signature/filtering profiles can be used for different segments.

Hope this helps.

Thanks,
Aditya Govind Mukadam

On Fri, Feb 13, 2009 at 1:06 PM, Ressa <[hidden email]> wrote:

> Hi,
>
> i was wondering is there any consideration for deploying firewall and IPS. If the IPS should in front of firewall or behind the firewall, and please also add the pros and cons.
>
> Regards,
>
>
> Ressa
> Registered Linux User Number 336566
> Linux Newbie
>
> The information is provided as is without warranty of any kind. In no event shall the writer be liable for any incidental, indirect or consequential damages of any kind, including, but not limited to : loss of business profits, police knocking on your door, computer crashes, sharks attack, temporary short-term memory loss (some cases reported recently), death of your pet or alien invasion...
>
>
>
>

Re: Firewall and IPS Deployment

Javier Reyna Padilla
In reply to this post by David Gadoury
IMHO
I think it is fine to have some IPS functionality in a firewall; after all, firewalls will evolve somehow.
But this built-in IPS functionality is never as accurate as a dedicated system. Talking about Checkpoint, I like some
features from SmartDefense, but if SD is extensively used, FW-1 will crash some things. Let an IPS do the IPS
job, and the firewall do the FW job. Nowadays, vendors are offering a lot of UTM appliances: firewall, IPS,
antispam, antivirus, antieverything, cappuccino, macchiato and espresso. At the end of the day you disable
half of the properties, because the throughput became mayhem.

On Tue, Feb 17, 2009 at 06:34:20PM -0500, David Gadoury wrote:

> I'll piggy back on this question. What are the lists thoughts IPS
> built into firewalls?
>
> Thanks
>
> On Fri, Feb 13, 2009 at 2:36 AM, Ressa <[hidden email]> wrote:
> > Hi,
> >
> > i was wondering is there any consideration for deploying firewall and IPS. If the IPS should in front of firewall or behind the firewall, and please also add the pros and cons.
> >
> > Regards,
> >
> >
> > Ressa
> > Registered Linux User Number 336566
> > Linux Newbie
> >
> > The information is provided as is without warranty of any kind. In no event shall the writer be liable for any incidental, indirect or consequential damages of any kind, including, but not limited to : loss of business profits, police knocking on your door, computer crashes, sharks attack, temporary short-term memory loss (some cases reported recently), death of your pet or alien invasion...
> >
> >
> >
> >

--
Saludos!
________________

Javier Reyna
 ,,__
 o" )~
 ''''

Re: Firewall and IPS Deployment

fadils
In reply to this post by aditya mukadam
Guys,

What about the all-in-one firewalls. Don't you guys think that it is
better to implement one? You will have a better TCO and less
maintenance anyways, right? Or wrong?

Thanks,
Fadil

On 2/19/09, aditya mukadam <[hidden email]> wrote:

> Ressa,
>
> Im sure you would have got some idea based on the responses received
> to your question.
>
> My view:
>
> The deployment depends on:
> 1) security requirement
> 2) amount of traffic on the outside and inside segment
> 3) type of equipment you want to use
>
> * It is highly recommended to deploy IPS between your local LAN and
> the Corporate/Internet Firewall.
> * IPS can be deployed in front of the Internet Firewall however,you
> need to determine the amount of traffic this IPS would get. For
> example if you expect lot of internet worms/virus etc traffic then you
> need a higher end IPS facing internet.
> * Separate signature/filtering profiles can be for different segments.
>
> Hope this helps.
>
> Thanks,
> Aditya Govind Mukadam
>
> On Fri, Feb 13, 2009 at 1:06 PM, Ressa <[hidden email]> wrote:
>> Hi,
>>
>> i was wondering is there any consideration for deploying firewall and IPS.
>> If the IPS should in front of firewall or behind the firewall, and please
>> also add the pros and cons.
>>
>> Regards,
>>
>>
>> Ressa
>> Registered Linux User Number 336566
>> Linux Newbie
>>
>> The information is provided as is without warranty of any kind. In no
>> event shall the writer be liable for any incidental, indirect or
>> consequential damages of any kind, including, but not limited to : loss of
>> business profits, police knocking on your door, computer crashes, sharks
>> attack, temporary short-term memory loss (some cases reported recently),
>> death of your pet or alien invasion...
>>
>>
>>
>>
>

Re: Firewall and IPS Deployment

Javier Reyna Padilla
On Thu, Feb 19, 2009 at 02:12:09AM +0700, Fadil S wrote:
> Guys,
>
> What about the all-in-one firewalls. Don't you guys think that it is
> better to implement one? You will have a better TCO and less
> maintenance anyways, right? Or wrong?

In my experience, wrong. Usually the admin will not use all the features; those UTMs might work in a
small environment, but for large networks, UTMs are a mess.

>
> Thanks,
> Fadil
>
> On 2/19/09, aditya mukadam <[hidden email]> wrote:
> > Ressa,
> >
> > Im sure you would have got some idea based on the responses received
> > to your question.
> >
> > My view:
> >
> > The deployment depends on:
> > 1) security requirement
> > 2) amount of traffic on the outside and inside segment
> > 3) type of equipment you want to use
> >
> > * It is highly recommended to deploy IPS between your local LAN and
> > the Corporate/Internet Firewall.
> > * IPS can be deployed in front of the Internet Firewall however,you
> > need to determine the amount of traffic this IPS would get. For
> > example if you expect lot of internet worms/virus etc traffic then you
> > need a higher end IPS facing internet.
> > * Separate signature/filtering profiles can be for different segments.
> >
> > Hope this helps.
> >
> > Thanks,
> > Aditya Govind Mukadam
> >
> > On Fri, Feb 13, 2009 at 1:06 PM, Ressa <[hidden email]> wrote:
> >> Hi,
> >>
> >> i was wondering is there any consideration for deploying firewall and IPS.
> >> If the IPS should in front of firewall or behind the firewall, and please
> >> also add the pros and cons.
> >>
> >> Regards,
> >>
> >>
> >> Ressa
> >> Registered Linux User Number 336566
> >> Linux Newbie
> >>
> >> The information is provided as is without warranty of any kind. In no
> >> event shall the writer be liable for any incidental, indirect or
> >> consequential damages of any kind, including, but not limited to : loss of
> >> business profits, police knocking on your door, computer crashes, sharks
> >> attack, temporary short-term memory loss (some cases reported recently),
> >> death of your pet or alien invasion...
> >>
> >>
> >>
> >>
> >

--
Saludos!
________________

Javier Reyna
CCSE WCSE ISS-CS NSP JNCIA-FWV
Consultor en Seguridad
[hidden email]
www.onlinet.com.mx
 ,,__
 o" )~
 ''''

Re: Firewall and IPS Deployment

fadils
In reply to this post by fadils
Thanks a lot guys. That's a nice input you have there.

I should research more about this though. Yes, with UTM you will have
a single point of failure. But with performance? It was slow. But now,
it's getting better.

Anyway, do you know a nice article about this topic?

Thx,
Fadil