interfaces allocations?

alsayed · ‎12-13-2009

Hello Guys

let say am using IPS 4240,and i have servers on DMZ,here is it possible to allocates sensors ,1 on inside,and 1 on outside and 1 DMZ and C&C let say on inside..pls advise

Thanks

Reza Sharifi · ‎12-13-2009

Hello alsayed,

IPS/IDS in mostly deployed on the outside perimeter devices and inside of perimeter devices.

Here is a document on understanding IDS/IPS for Defense in Depth:

http://www.sans.org/reading_room/whitepapers/detection/understanding_ips_and_ids_using_ips_and_ids_together_for_defense_in_depth_1381?show=1381.php&cat=detection

HTH

Reza

alsayed · ‎12-13-2009

Hello riza

what about the sensing in DMZ?i have i-banking server in the dmz,,do i need to iniate a sensing in DMZ?pls explain

Thanks

Reza Sharifi · ‎12-13-2009

I think if you protect the outside before even getting to DMZ is good enough. You could add another device in your DMZ, but do you have enough man power to monitor all the devices and go through their logs? Putting a device is not so much of issue, but management and monitoring is.

I have seen when there is too much logs to look at, they don't get look at at all.

Reza

alsayed · ‎12-13-2009

hello Riza

as a conclusion,i ll out 1 sensore on the outside and 1 sensor in inside and the c&c also in inside,and the IPS run in inline mode

Pls advise

Thanks

Reza Sharifi · ‎12-13-2009

Yes, in addition you can also use host based IDS on your end users workstations.

HTH

Reza

alsayed · ‎12-13-2009

Thanks for ur Time Freind