02-17-2015 05:38 AM - edited 03-10-2019 06:20 AM
Hi,
I would like to confirm the apt placement of an IDS/IPS, whether it should be before or after the firewall. I have two Cisco IPS appliances, which inspect packets up to layer 7 and sit in front of the firewalls; after the traffic has been inspected for malicious content, it is passed on to the two firewalls, which perform layer 4 inspection and deny traffic based on the configured access lists.
Hence, as per my knowledge, the IDS/IPS should be after the firewall, so that only legitimate traffic is inspected, which will also reduce the load on the IDS.
However, I was advised that, in order to protect the firewall from attacks, the IPS is installed in front of the firewall.
02-18-2015 04:01 PM
One can make an argument either way in certain use cases, but the generally accepted practice is to put the IDS/IPS after the firewall (from the point of view of incoming traffic, i.e. closer to the interior or private network).
Firewalls are generally designed to sit on the network perimeter and can drop a lot of the non-legitimate traffic (attacks, scans, etc.) very quickly at the ingress interface, often in hardware.
An IDS/IPS is, generally speaking, doing more deep packet inspection, and that is a much more computationally expensive undertaking. For that reason, we prefer to filter what gets to it with the firewall line of defense before engaging the IDS/IPS to analyze the traffic flow.
In an even more protected environment, we would also put a first line of defense in ACLs on an edge router between the firewall and the public network(s).
07-25-2019 11:14 PM
The IPS sits directly in the communication path between the source and the destination; it analyzes traffic and takes actions such as sending alerts, dropping malicious packets, blocking traffic, and resetting connections. Because of this, an IPS can degrade your network performance if it hasn't been configured correctly. Your IPS will generally be placed at an edge of the network, such as immediately after a firewall/router, or in front of a server farm. Position the IPS where it will see the bare minimum of traffic it needs to, in order to keep performance issues under tight control.
The IDS is a passive system that scans internal network traffic and reports back about potential threats. The most obvious location is at the network perimeter, just inside the firewall.
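The following is an added example, not part of either reply above, that models the placement argument made in the 02-18-2015 answer (edge ACL, then firewall, then IPS) and the inline-IPS versus passive-IDS distinction drawn in the 07-25-2019 reply. Everything in it is constructed: the addresses come from documentation ranges, the "signatures" are three toy byte strings, and the firewall is a stateless port allow-list rather than any Cisco product behaviour. It runs the same constructed traffic through both orderings and counts how many packets the expensive deep-inspection stage has to look at in each case.

```python
"""Constructed simulation: IDS/IPS before versus after the firewall (example, not Cisco code)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes = b""


# Constructed sample traffic (RFC 5737 documentation addresses):
#   20 SYN-style scan packets to ports 20-39, one probe to a closed port,
#   one exploit attempt on the allowed web port, two legitimate packets,
#   and one packet from a private (bogon) source that an edge ACL would drop.
SAMPLE = (
    [Packet("203.0.113.9", "192.0.2.10", p, "tcp") for p in range(20, 40)]
    + [Packet("203.0.113.9", "192.0.2.10", 3389, "tcp", b"rdp-probe")]
    + [Packet("198.51.100.7", "192.0.2.10", 80, "tcp", b"GET /?q=' OR 1=1-- HTTP/1.1")]
    + [Packet("198.51.100.8", "192.0.2.10", 80, "tcp", b"GET /index.html HTTP/1.1")]
    + [Packet("198.51.100.8", "192.0.2.10", 443, "tcp", b"\x16\x03\x01")]
    + [Packet("10.1.1.1", "192.0.2.10", 80, "tcp", b"GET / HTTP/1.1")]
)

# Edge router ACL: cheap layer 3 anti-spoofing, drop private source ranges.
BOGONS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def edge_acl(pkt: Packet) -> bool:
    """True if the packet is permitted past the edge router."""
    return not any(ipaddress.ip_address(pkt.src) in net for net in BOGONS)


# Firewall: stateless layer 4 allow-list, the equivalent of permitting only tcp/80 and tcp/443.
FW_ALLOW = {("tcp", 80), ("tcp", 443)}


def firewall(pkt: Packet) -> bool:
    return (pkt.proto, pkt.dport) in FW_ALLOW


# Toy signature set shared by the inline IPS and the passive IDS (constructed, not real rules).
SIGNATURES = [b"' OR 1=1", b"../../", b"rdp-probe"]


def has_signature(pkt: Packet) -> bool:
    return any(sig in pkt.payload for sig in SIGNATURES)


class Ips:
    """Inline deep packet inspection: every packet costs an inspection, matches are dropped."""

    def __init__(self) -> None:
        self.inspected = 0
        self.dropped = 0

    def inspect(self, pkt: Packet) -> bool:
        self.inspected += 1
        if has_signature(pkt):
            self.dropped += 1
            return False
        return True


class Ids:
    """Passive tap: sees a copy of the traffic, raises alerts, never affects delivery."""

    def __init__(self) -> None:
        self.seen = 0
        self.alerts = 0

    def observe(self, pkt: Packet) -> None:
        self.seen += 1
        if has_signature(pkt):
            self.alerts += 1


def run_pipeline(packets, ips_before_firewall: bool) -> dict:
    """Run packets through edge ACL -> (IPS?) -> firewall -> (IPS?) with a passive IDS just inside the firewall."""
    ips, ids = Ips(), Ids()
    stats = {"edge_dropped": 0, "firewall_seen": 0, "firewall_dropped": 0, "delivered": 0}
    for pkt in packets:
        if not edge_acl(pkt):
            stats["edge_dropped"] += 1
            continue
        if ips_before_firewall and not ips.inspect(pkt):
            continue
        stats["firewall_seen"] += 1
        if not firewall(pkt):
            stats["firewall_dropped"] += 1
            continue
        ids.observe(pkt)  # passive tap just inside the firewall
        if not ips_before_firewall and not ips.inspect(pkt):
            continue
        stats["delivered"] += 1
    stats.update(ips_inspected=ips.inspected, ips_dropped=ips.dropped,
                 ids_seen=ids.seen, ids_alerts=ids.alerts)
    return stats


if __name__ == "__main__":
    for placement in (True, False):
        print("IPS before firewall" if placement else "IPS after firewall",
              run_pipeline(SAMPLE, ips_before_firewall=placement))
```

Both orderings deliver the same two legitimate packets, but with the IPS in front of the firewall it inspects every packet the edge ACL lets through (including the whole scan), whereas behind the firewall it only inspects the handful of flows the layer 4 policy already permits. The passive IDS sees what the firewall passes regardless of IPS placement, which is why it still alerts on the web-port exploit attempt in the firewall-first ordering while the inline IPS is what actually drops it.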