© SANS Institute 2008, Author retains full rights.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Network IDS & IPS Deployment Strategies
Figure 4: IPS on the border of a network or zone.
The management interface, shown as a black dashed line, is once again optional but still commonly used to manage the system remotely. Updating signatures and otherwise adapting the system to defend against the latest threats is an ongoing task, so having an efficient means of administering the device is important.
The cons of having a system connected inline have been covered earlier in this document. However, some companies build systems to address this failure potential.

For instance, TippingPoint Technologies Inc. sells products named Zero Power High Availability devices, designed to pass traffic even in the event their IPS loses electrical power. As you can imagine, during this type of failure the IPS is passing unfiltered traffic; much better than dropping all network connectivity. An optimally configured IPS will block unwanted traffic and, as a consequence, when the IPS fails the network will typically see an increase in activity. This is something for network engineers and intrusion analysts alike to consider when a significant unexplained spike in network activity is noticed on internal networks.

Nicholas Pappas 19
© 2021 SANS Institute, Author Retains Full Rights
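The paragraph above makes a detection point: an inline IPS that fails open (as the zero-power pass-through devices do) stops dropping traffic, so an internal segment suddenly carries everything it used to block. The script below is an added example, not part of the paper and not a TippingPoint or SANS tool. It flags per-minute byte counts that exceed twice the median of the preceding minutes and then checks each spike against an IPS health feed; the byte counters, the feed and its "ok"/"bypass" states are all constructed for the example, and a real deployment would pull them from interface counters and the vendor's management interface.

```python
from statistics import median

# Constructed sample: per-minute byte counts seen on an internal segment
# behind an inline IPS.  Minutes 0-11 are normal; at minute 12 the IPS
# loses power and its zero-power bypass starts passing everything unfiltered.
TRAFFIC_BYTES = [
    (0, 4_100_000), (1, 3_900_000), (2, 4_300_000), (3, 4_000_000),
    (4, 4_200_000), (5, 3_800_000), (6, 4_100_000), (7, 4_400_000),
    (8, 3_950_000), (9, 4_050_000), (10, 4_150_000), (11, 4_000_000),
    (12, 9_700_000), (13, 11_200_000), (14, 10_900_000),
]

# Constructed IPS health feed for the same minutes (hypothetical states):
# "ok" means the sensor is inspecting, "bypass" means pass-through engaged.
IPS_STATE = {m: "ok" for m in range(12)}
IPS_STATE.update({12: "bypass", 13: "bypass", 14: "bypass"})


def detect_spikes(samples, window=8, factor=2.0):
    """Return [(minute, bytes, ratio)] for every minute whose byte count is
    more than `factor` times the median of the previous `window` minutes.
    The median is used as the baseline so that one earlier spike does not
    immediately inflate it and hide the minutes that follow."""
    spikes = []
    for i in range(window, len(samples)):
        minute, value = samples[i]
        baseline = median(v for _, v in samples[i - window:i])
        if baseline > 0 and value > factor * baseline:
            spikes.append((minute, value, round(value / baseline, 2)))
    return spikes


def triage(spikes, ips_state):
    """Attach a verdict to each spike using the IPS health feed, so the
    analyst can tell a fail-open sensor from a spike that still needs
    explaining."""
    findings = []
    for minute, value, ratio in spikes:
        state = ips_state.get(minute, "unknown")
        if state == "bypass":
            # Unfiltered traffic is expected here; restore the sensor first.
            verdict = "ips-fail-open"
        elif state == "ok":
            # Sensor claims healthy: check the inline path and the policy
            # it is enforcing before assuming the spike is benign.
            verdict = "unexplained-spike"
        else:
            verdict = "no-ips-telemetry"
        findings.append({"minute": minute, "bytes": value, "ratio": ratio,
                         "ips_state": state, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in triage(detect_spikes(TRAFFIC_BYTES), IPS_STATE):
        print(f"minute {finding['minute']:>3}: {finding['bytes']:>11,} B "
              f"({finding['ratio']}x baseline) ips={finding['ips_state']} "
              f"-> {finding['verdict']}")
```

The two signals are deliberately kept separate: a volume spike alone is ambiguous, and a bypass event alone may be invisible to the traffic team, but a spike that lines up with the sensor reporting bypass is exactly the "unexplained increase in activity" the text warns about and should be treated as the IPS no longer blocking anything.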
Connecting an IPS is rather simple. After reading this section, you may wonder what can be done to monitor traffic when an IPS either fails entirely or allows malicious traffic through, perhaps from not being strict enough. A layered approach is introduced in the next section.