Where Does The IPS Go?

Intrusion Prevention Systems are designed to detect possible attacks that are occurring over the network and act upon them in some way. They are not unlike firewalls, but they tend to approach the problem a bit differently. Whereas your typical network firewall is a "deny by default" system (i.e. deny all traffic except those which pass certain criteria), an IPS tends to be an "allow all by default" system (i.e. allow all traffic except those things that look dangerous). Also, firewalls tend to be routers to serve as a network choke point, whereas the IPS is a "bump in the wire" looking at all traffic passing through. It is usually deployed in-line with the firewall, either on an ingress or egress point.

Joel Esler, one of the professional services guys for Sourcefire, who sell IPS solutions (Nokia, my employer, is a Sourcefire partner), wrote an interesting blog post decrying the typical practice of deploying the IPS outside the Internet-facing firewall. His basic message: if your Internet-facing firewall is properly configured and your important machines are properly ensconced behind it, you don't need an IPS on the outside of your firewall. The IPS should be placed inside the firewall.

While I agree that IPS is needed inside the external firewall, I think IPS has a useful place outside the firewall as well. It is not always feasible to put everything behind a firewall. For example, it may not be possible/feasible to subnet your external network so you can put stuff behind a firewall. You might be using a service that does not play nice with a firewall. Or any number of other technical or political reasons.

Even if you can manage to get everything behind a stateful inspection firewall, what's looking after the firewall? Sure, a properly configured firewall will deflect anything the Internet is likely to throw at it, but even a properly configured firewall might be susceptible to a security vulnerability.

To throw another viewpoint into the mix, perhaps the place to integrate IPS functionality is right in the firewall itself. Check Point was clearly starting down this road with SmartDefense in the NG AI release of VPN-1. Now in the R70 release of Check Point's Security Gateway product, we have the IPS software blade, which is a full-blown IPS.

The bottom line is that if you're going to use an IPS, you need it everywhere bad stuff could happen--inside or just outside your security perimeter. Or on the firewall itself ;)
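To make the two policy models and the placement argument concrete, here is a small added example written for this page; it is not code from the original post, from Check Point, or from Sourcefire. It models a default-deny stateful firewall, a default-allow signature IPS, and the three positions discussed above (outside the firewall, inside it, or effectively on the gateway itself), then walks constructed packets through each arrangement. All addresses, rules and signature strings are constructed for illustration; the exploit marker is a placeholder, not a real pattern.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: str = ""
    established: bool = False  # reply within a flow the stateful firewall already tracks


# Constructed addresses for the illustration (not real deployments).
FIREWALL_IP = "203.0.113.1"   # the gateway's own external address
WEB_SERVER = "10.0.0.10"      # published service behind the firewall
FILE_SERVER = "10.0.0.20"     # internal host that is not published

# Default-deny firewall: a new connection passes only if a rule explicitly allows it.
FIREWALL_ALLOW_RULES: List[Tuple[str, int]] = [(WEB_SERVER, 80), (WEB_SERVER, 443)]

# Default-allow IPS: everything passes unless a signature matches the payload.
# "../../" is the classic traversal token; the other value is a constructed
# placeholder standing in for any exploit signature, not a real pattern.
IPS_SIGNATURES: Dict[str, str] = {
    "dir-traversal": "../../",
    "constructed-exploit": "<<CONSTRUCTED-EXPLOIT-MARKER>>",
}


def firewall_allows(pkt: Packet) -> bool:
    """Deny by default: only tracked replies or explicitly allowed services pass."""
    if pkt.established:
        return True
    return (pkt.dst, pkt.dport) in FIREWALL_ALLOW_RULES


def ips_verdict(pkt: Packet) -> Tuple[bool, str]:
    """Allow by default: return (allowed, matched_signature_name)."""
    for name, pattern in IPS_SIGNATURES.items():
        if pattern in pkt.payload:
            return False, name
    return True, ""


@dataclass
class Outcome:
    delivered: bool = False
    stopped_by: str = ""
    inspected_by: List[str] = field(default_factory=list)


def run_pipeline(pkt: Packet, outside_ips: bool, inside_ips: bool) -> Outcome:
    """Walk a packet through: [outside IPS] -> firewall -> [inside IPS] -> host."""
    out = Outcome()
    if outside_ips:
        out.inspected_by.append("outside-ips")
        ok, sig = ips_verdict(pkt)
        if not ok:
            out.stopped_by = f"outside-ips:{sig}"
            return out
    if pkt.dst == FIREWALL_IP:
        # Traffic addressed to the gateway terminates on the gateway: the inside
        # sensor never sees it, so only an outside sensor (or an IPS running on
        # the firewall itself) can inspect its payload.
        out.inspected_by.append("firewall-self")
        out.delivered = True
        return out
    out.inspected_by.append("firewall")
    if not firewall_allows(pkt):
        out.stopped_by = "firewall:default-deny"
        return out
    if inside_ips:
        out.inspected_by.append("inside-ips")
        ok, sig = ips_verdict(pkt)
        if not ok:
            out.stopped_by = f"inside-ips:{sig}"
            return out
    out.delivered = True
    return out


def sample_packets() -> Dict[str, Packet]:
    """Constructed traffic, one packet per placement argument in the post."""
    return {
        "unsolicited-ssh": Packet("198.51.100.7", FILE_SERVER, 22),
        "web-traversal": Packet("198.51.100.7", WEB_SERVER, 80, "GET /../../config.txt"),
        "to-firewall": Packet("198.51.100.7", FIREWALL_IP, 443, "<<CONSTRUCTED-EXPLOIT-MARKER>>"),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        for outside, inside in ((False, True), (True, True)):
            o = run_pipeline(pkt, outside, inside)
            print(f"{name:16} outside={outside!s:5} inside={inside!s:5} "
                  f"delivered={o.delivered!s:5} stopped_by={o.stopped_by or '-':30} "
                  f"seen_by={'+'.join(o.inspected_by)}")
```

Running it shows the three cases side by side: the unsolicited SSH connection never needs an IPS because default-deny stops it; the traversal request on port 80 sails through the firewall, so only an inside (or on-box) IPS catches it; and the packet aimed at the firewall's own address is never seen by the inside sensor at all, which is the visibility gap an outside sensor or an IPS blade on the gateway closes.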


Nokia Announces IP2450 Intrusion Prevention With Sourcefire

You want to know what I do at Nokia? Support platforms like these guys. Firewalls, intrusion detection, VPNs. Yup, that's what I do.

Today, our little corner of Nokia officially announces the availability of the Nokia IP2450 geared specifically at the IDS market. The Nokia IP2450 has been available as a firewall platform for the past several months. Not a new platform, therefore, but new for the IDS market.

This 2U badboy will push 4 gigabits of data in a passive or inline mode and is expandable to 24 copper or fiber gigabit Ethernet ports. This means the box can sit inline on 11 different segments or monitor 23 segments passively. And yes, you can mix and match inline and passive mode ports.

The IDS on these boxes is provided by Sourcefire, the folks behind the popular open-source Snort IDS tool. It runs on Nokia's Linux-based IPSO-LX OS. And, of course, it's backed by Nokia's worldwide technical support organization, of which I am a part.

Don't ask me what these bad boys cost. I work in support, not sales. ;) Seriously, if you're interested, contact Nokia or a Nokia partner for more details.