Where Does The IPS Go?
Intrusion Prevention Systems are designed to detect possible attacks that are occurring over the network and act upon them in some way. They are not unlike firewalls, but they tend to approach the problem a bit differently. Whereas your typical network firewall is a “deny by default” system (i.e. deny all traffic except those which pass certain criteria), an IPS tends to be an “allow all by default” system (i.e. allow all traffic except those things that look dangerous). Also, firewalls tend to be routers to serve as a network choke point, whereas the IPS is a “bump in the wire” looking at all traffic passing through. It is usually deployed in-line with the firewall, either on an ingress or egress point.
Joel Esler, one of the professional services guys for Sourcefire, who sell IPS solutions (Nokia, my employer, is a Sourcefire partner), wrote an interesting blog post decrying the typical practice of deploying the IPS outside the Internet-facing firewall. His basic message: if your Internet-facing firewall is properly configured and your important machines are properly ensconced behind it, you don’t need an IPS on the outside of your firewall. The IPS should be placed inside the firewall.
While I agree that IPS is needed inside the external firewall, I think IPS has a useful place outside the firewall as well. It is not always feasible to put everything behind a firewall. For example, it may not be possible/feasible to subnet your external network so you can put stuff behind a firewall. You might be using a service that does not play nice with a firewall. Or any number of other technical or political reasons.
Even if you can manage to get everything behind a stateful inspection firewall, what’s looking after the firewall? Sure, a properly configured firewall will deflect anything the Internet is likely to throw at it, but even a properly configured firewall might be susceptible to a security vulnerability.
To throw another viewpoint into the mix, perhaps the place to integrate IPS functionality is right in the firewall itself. Check Point was clearly starting down this road with SmartDefense in the NG AI release of VPN-1. Now in the R70 release of Check Point’s Security Gateway product, we have the IPS software blade, which is a full-blown IPS.
The bottom line is that if you’re going to use an IPS, you need it everywhere bad stuff could happen–inside or just outside your security parameter. Or on the firewall itself