Thanks for the info Rick.. My logic didnt work out ;)

Raj

Thnaks Raj for your logic although it is not right:) and thanks Rick for your answer.

Actually, this makes sense that the firewall works first for it to take care of decrypting inbound VPN traffic before being inspected by the IPS, as the IPS cannot inspect encrypted traffic. In addition to that, having the firewall first will filter out undesired traffic and as consequence will minimize unneeded logs in the IPS.

Regards,

Haitham

Hello,

I wanted to debate on this a little...

IPS normally gives one additional layer of protection to firewalls... if you take the previous scenarios , with external IPS, it made more sense, because it normally sits between the firewall and the internet router.. Any traffic , even before entering your network (firewall), is blocked, if not the right one... This can actually save a lot of CPU for the firewall, which does work well, and is the most critical component in your network... For eg, say an intruder puts a ICMP bomb or DDOS on the external interface of the firewall & if the IPS is behind firewall, all the intrusions hit the firewall, can increase the CPU and disrupt it before the IPS comes into picture... but if the IPS works first, then there will be absolute protection to the firewall hardware !!!!

and.. haitham.. i really dont think the VPN traffic should be done intrusion prevention.. VPN is already encrypted and is from a valid source (your own network).. so you should trust your source and allow it without IPS.. thats what i feel !!!!

If the firewall works first and denies any source of attack, which it cant fully do , how will you know that there is a faulty PC on your network, which IPS cannot identify ... IPS should basically protect the firewall and the network, and it should not be viceversa, since in an ASA box, firewall is the main functionality and IPS is just an addon !!!

Any thoughts ??

Raj

Hi .. I just would like to say a word .. about implementing IPS between the firewall and the ISP router .. even thought it might protect the firewall from some type of attacks as mentioned by Raj at the same time it might be a waste of IPS processing and event logs while signatures are fired for traffic that could be denied by the firewall anyway .. this will be a pain regarding the ammount of false positives that might be logged ..

In regards to the "trusting encrypted traffic without IPS " I respectfully disagree as it is generally accepted that most attacks come from within your network .. just my 20 cents !!!