Tuesday, November 27, 2012

Intrusion Prevention Best Practice - IPS Placement

By deploying IPS, organizations are able to identify, classify, and stop malicious traffic, including worms, spyware / adware, network viruses, and application abuse before they affect business continuity.

Internet Border & DMZ

The most common place to insert an IPS is at an organization's internet border(s) and DMZ(s). The following represents some of the options for placing an IPS to protect an internet border and DMZ.

IPS Outside of Firewall

This architecture places the IPS outside of the internet firewall. It was one of the first architectures proposed when IPS came to market, but it is not very common in today's environments.

Pros:
  • Early indication of reconnaissance/scanning activities.
  • Requires fewer interfaces to inspect traffic sourced from or destined to the DMZ and Internal Network.
Cons:
  • Destination/victim addresses will be NATed, requiring additional research to determine which device inside the organization is being attacked.
  • Source/attacker addresses from the inside of the organization will be NATed, requiring additional research to track down the source of any malicious traffic leaving the organization.
  • Inspecting traffic that the firewall will drop anyway creates excess false positives.
  • No visibility into internal traffic destined to the DMZ.
Figure 1 - IPS Placed Outside of the Firewall
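The NAT problem listed in the cons above is usually handled by correlating each IPS event against the firewall's translation log, matching the translated address and destination and picking the most recent translation because NAT ports are reused. The following Python script is an added example, not part of the original post; the log formats, field names and addresses are constructed for illustration and do not follow any vendor's syntax.

```python
import re
from datetime import datetime, timedelta

# Constructed sample firewall NAT-translation records (hypothetical format, not any vendor's).
# src is the real internal host, xsrc is the translated address the outside IPS sees.
FW_NAT_LOG = """\
2012-11-27T10:00:01 NAT-BUILD proto=tcp src=10.1.2.3:51000 xsrc=203.0.113.5:40001 dst=198.51.100.9:80
2012-11-27T10:00:05 NAT-BUILD proto=tcp src=10.1.2.7:51000 xsrc=203.0.113.5:40002 dst=198.51.100.9:80
2012-11-27T10:02:00 NAT-BUILD proto=tcp src=10.1.2.3:51001 xsrc=203.0.113.5:40001 dst=198.51.100.20:443
"""

# Constructed sample alerts from an IPS placed outside the firewall: it only sees the NATed source.
IPS_ALERT_LOG = """\
2012-11-27T10:00:02 ALERT sig=outbound-scan proto=tcp src=203.0.113.5:40001 dst=198.51.100.9:80
2012-11-27T10:02:01 ALERT sig=outbound-scan proto=tcp src=203.0.113.5:40001 dst=198.51.100.20:443
2012-11-27T10:09:00 ALERT sig=outbound-scan proto=tcp src=203.0.113.5:40009 dst=198.51.100.9:80
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Split '<timestamp> <type> key=value ...' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    rec = dict(FIELD.findall(rest))
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def resolve_alerts(nat_log, alert_log, window=timedelta(seconds=60)):
    """Map each alert's NATed source back to the internal host.

    A translation matches when its xsrc and dst equal the alert's src and dst and it
    was built within `window` before the alert. Returns (alert time, NATed src, real src
    or None when no translation explains the alert).
    """
    translations = [parse(l) for l in nat_log.splitlines() if " NAT-BUILD " in l]
    results = []
    for line in alert_log.splitlines():
        a = parse(line)
        candidates = [t for t in translations
                      if t["xsrc"] == a["src"] and t["dst"] == a["dst"]
                      and timedelta(0) <= a["ts"] - t["ts"] <= window]
        # The most recent translation wins because NAT ports get reused over time.
        best = max(candidates, key=lambda t: t["ts"], default=None)
        results.append((a["ts"].isoformat(), a["src"], best["src"] if best else None))
    return results
```

An alert with no matching translation (the third one above) is exactly the research burden the cons describe: the event cannot be attributed to an internal host without more data.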


IPS Inside of Firewall for DMZ and Internal Network

This architecture places the IPS inside of the internet firewall protecting both the Internal Network and DMZ segments.

Pros:
  • Only inspects traffic that the firewall allows into the network (minimizing false positives).
  • Events will include real IP addresses and not NATed IPs.
  • Differentiates traffic to/from the DMZ and Internal segments.
Cons:
  • Requires two IPSs, or one IPS with enough interfaces to protect both segments.
  • Traffic between the Internal Network and the DMZ will be inspected twice.
Figure 2 - IPS Placed Inside the Firewall

IPS Software or Module in the Firewall

With the growing popularity of Unified Threat Management (UTM), this architecture is becoming extremely common. It places the IPS functionality inside the internet firewall protecting both the Internal Network and DMZ segments without a separate appliance.

Pros:
  • No additional appliance required, saving rack space and energy.
  • Events will include real IP addresses and not NATed IPs.
  • Differentiates traffic to/from the DMZ and Internal segments.
Cons:
  • Some manufacturers limit the throughput of the integrated IPS (be sure that the integrated IPS will support the required bandwidth).
Figure 3 - IPS Software or Module in the Firewall

Monday, November 26, 2012

Firewalls in the Data Center: Main Strategies and Metrics

For those who are involved in sizing a "Next Generation Firewall", I would like to share this paper with you:

Firewalls in the Data Center: Main Strategies and Metrics
Joel Snyder, PhD
Senior Partner, Opus One

Abstract:
Measuring performance in networks has usually involved looking at one number: throughput. Since the first days of switches and routers, organizations have added up the performance they need, compared it to a total on a manufacturer’s data sheet, and used those values to decide whether or not they had the right hardware.

Unfortunately for security and network practitioners, the same basic metric of throughput cannot be used to evaluate firewall performance. Because a security appliance actively participates in connections from Layer 2 up to Layer 7, you cannot simply look at bits-per-second throughput to predict how a firewall will behave in the data center.

In this document, you will learn key metrics you should use to evaluate firewall performance in the data center and why raw throughput is almost never the most important performance metric to use in your planning. Selecting a firewall does not mean simply picking the fastest firewall, but the one that is designed to handle the rapidly evolving, network-intensive application environment of the data center.



http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/Opus_One_Layout-928.pdf