Intrusion Prevention provides a powerful tool to protect your network from attack. The network location where you deploy this technology, however, greatly impacts its effectiveness. For example, assume you are protecting the network shown in Figure 7-2.

Figure 7-2. Sample Network Configuration

To prevent attacks against your network, your IPS devices must bridge the traffic between the two systems involved in the attack: the attacker and the victim. If you examine the network shown in Figure 7-2, you find three attack vectors:

Protecting against #1 and #3 is easy to accomplish by placing your IPS device between the switch and the router (see Figure 7-3). Any traffic entering or leaving the internal network now passes through the IPS device and is inspected.

Figure 7-3. IPS Solution for Attacks Between Internal and External Systems

Protecting against #2 using Intrusion Prevention is more difficult. You need an IPS device between the switch and each internal system (see Figure 7-4) to guarantee that the attack traffic between any two internal systems passes through an IPS device.

Figure 7-4. IPS Solution for Internal to Internal Attack

In this situation, it is more effective to use a traditional IDS to passively monitor the traffic going between all the internal systems. A single IDS sensor can perform this monitoring as long as the traffic between the internal systems does not exceed the bandwidth limitations of the monitoring device. You can also utilize a Host-based Intrusion System in conjunction with your Network IPS to effectively monitor all the systems on a single subnet.
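The placement argument above can be checked mechanically: an inline IPS only inspects flows whose path crosses the link it bridges, while a passive IDS fed from the switch sees every flow that transits the switch. The following script is an added example, not from the book; the topology, host names and flow list are constructed stand-ins for Figure 7-2.

```python
from collections import deque

# Constructed topology modelled on Figure 7-2: external link, border router,
# one internal switch, two internal hosts (all names are placeholders).
LINKS = [("internet", "router"), ("router", "switch"),
         ("switch", "host_a"), ("switch", "host_b")]

# Stand-ins for the attack vectors discussed in the text: external-to-internal,
# internal-to-external, internal-to-internal, and external to a second host.
FLOWS = [("internet", "host_a"), ("host_a", "internet"),
         ("host_a", "host_b"), ("internet", "host_b")]

def build_graph(links):
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def path(graph, src, dst):
    """Breadth-first path from src to dst as a node list, or None."""
    prev = {src: None}
    queue = deque([src])
    while queue and dst not in prev:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return None
    nodes = []
    while dst is not None:
        nodes.append(dst)
        dst = prev[dst]
    return nodes[::-1]

def inline_covers(graph, ips_link, flow):
    """True if an inline IPS bridging ips_link lies on the flow's path.
    The sample topology is a tree, so the BFS path is the only path."""
    p = path(graph, *flow)
    if p is None:
        return False
    return frozenset(ips_link) in {frozenset(hop) for hop in zip(p, p[1:])}

def passive_covers(graph, span_switch, flow):
    """True if an IDS on the switch's mirror (SPAN) port would see the flow."""
    p = path(graph, *flow)
    return p is not None and span_switch in p

def uncovered(links, ips_link, flows=FLOWS):
    """Flows that an inline IPS on ips_link never inspects."""
    graph = build_graph(links)
    return [f for f in flows if not inline_covers(graph, ips_link, f)]
```

Running `uncovered(LINKS, ("switch", "router"))` shows the internal-to-internal flow slipping past the border placement, and `uncovered(LINKS, ("switch", "host_a"))` shows that a single per-host IPS still misses traffic to the other host, whereas `passive_covers` on the switch is true for every flow.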