Network Intrusion Prevention Limitations


Intrusion Prevention provides a powerful tool to protect your network from attack. The network location where you deploy this technology, however, greatly impacts its effectiveness. For example, assume you are protecting the network shown in Figure 7-2.

Figure 7-2. Sample Network Configuration


To prevent attacks against your network, your IPS devices must bridge the traffic between the two systems involved in the attack: the attacker and the victim. If you examine the network shown in Figure 7-2, you find three attack vectors:

  1. Attacker located on the Internet launching an attack against a system on the internal network

  2. Attacker located on the internal network launching an attack against another system on the internal network

  3. Attacker located on the internal network launching an attack against a system on the Internet

Protecting against #1 and #3 is easy to accomplish by placing your IPS device between the switch and the router (see Figure 7-3). Any traffic entering or leaving the internal network now passes through the IPS device and is inspected.

Figure 7-3. IPS Solution for Attacks Between Internal and External Systems


Protecting against #2 using Intrusion Prevention is more difficult. You need an IPS device between the switch and each internal system (see Figure 7-4) to guarantee that the attack traffic between any two systems passes through an IPS device.

Figure 7-4. IPS Solution for Internal to Internal Attack


In this situation, it is more effective to use a traditional IDS to passively monitor the traffic going between all the internal systems. A single IDS sensor can perform this monitoring functionality as long as the traffic between the internal systems does not exceed the bandwidth limitations of the monitoring device. You can also utilize a Host-based Intrusion System in conjunction with your Network IPS to effectively monitor all the systems on a single subnet.
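To make the placement argument concrete, here is an added example (not from the book) that models the Figure 7-2 topology as a small constructed graph and checks, for each of the three attack vectors, whether the flow's path crosses a link bridged by an inline IPS and whether it passes the switch a passive IDS could monitor from a SPAN port. The node names, `LINKS`, `VECTORS` and the `coverage` helper are assumptions made for the illustration.

```python
from collections import deque

# Constructed topology modelled on Figure 7-2: internal hosts hang off one
# switch, the switch connects to the router and the router to the Internet.
LINKS = [("internet", "router"), ("router", "switch"),
         ("switch", "host_a"), ("switch", "host_b")]

# The three attack vectors from the text as (attacker, victim) pairs.
VECTORS = {1: ("internet", "host_a"),
           2: ("host_a", "host_b"),
           3: ("host_a", "internet")}

def build_graph(links):
    """Undirected adjacency map from the link list."""
    g = {}
    for a, b in links:
        g.setdefault(a, set()).add(b)
        g.setdefault(b, set()).add(a)
    return g

def path(g, src, dst):
    """BFS hop path; the topology is a tree, so this is the only path."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        n = queue.popleft()
        if n == dst:
            break
        for m in g[n]:
            if m not in prev:
                prev[m] = n
                queue.append(m)
    hops, n = [], dst
    while n is not None:
        hops.append(n)
        n = prev[n]
    return hops[::-1]

def inline_inspected(g, src, dst, ips_links):
    """True if the flow crosses a link bridged by an inline IPS."""
    hops = path(g, src, dst)
    edges = {frozenset(e) for e in zip(hops, hops[1:])}
    return any(frozenset(link) in edges for link in ips_links)

def coverage(ips_links, span_node="switch"):
    """Per vector: (crosses an inline IPS?, visible to a passive IDS on span_node?)."""
    g = build_graph(LINKS)
    return {k: (inline_inspected(g, s, d, ips_links), span_node in path(g, s, d))
            for k, (s, d) in VECTORS.items()}
```

`coverage([("switch", "router")])` reproduces Figure 7-3: vectors 1 and 3 cross the IPS while vector 2 does not, yet all three are visible to an IDS on the switch; adding a link per host as in Figure 7-4 makes all three cross an IPS.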




Intrusion Prevention Fundamentals
ISBN: 1587052393
Pages: 115
