IPS Placement
I am a bit confused on the placement of an IPS device. Considering a
500-user network with two servers (in a DMZ) for online business, with a
firewall at the gateway, I wanted to know where it would be best to place an
IPS device: is it best to keep it in front of the firewall or behind the
firewall? Please help me out and recommend which IPS to go about.
thanks..
Sebastian G.
01-31-08, 06:30 AM
Arjun wrote:
> I am a bit confused on the placement of an IPS device. Considering a
> 500-user network with two servers (in a DMZ) for online business, with a
> firewall at the gateway, I wanted to know where it would be best to place an
> IPS device: is it best to keep it in front of the firewall or behind the
> firewall? Please help me out and recommend which IPS to go about.
Well, if you already bought an IPS device, then consider it as a sunk cost
and place it inside the trash can, so at least it doesn't mess up anything.
If you haven't bought any yet, then please reconsider the idea. Reconsider
it once more, and then dump the obviously stupid idea of IPS.
Todd H.
01-31-08, 12:20 PM
"Sebastian G." <seppi@seppig.de> writes:
> Arjun wrote:
>
> > I am a bit confused on the placement of an IPS device. Considering a
> > 500-user network with two servers (in a DMZ) for online business, with a
> > firewall at the gateway, I wanted to know where it would be best to place an
> > IPS device: is it best to keep it in front of the firewall or behind the
> > firewall? Please help me out and recommend which IPS to go about.
>
> Well, if you already bought an IPS device, then consider it as a sunk
> cost and place it inside the trash can, so at least it doesn't mess up
> anything.
>
> If you haven't bought any yet, then please reconsider the
> idea. Reconsider it once more, and then dump the obviously stupid idea
> of IPS.
Oh give us your reasons mighty Sebastian, for this week's edition of
"contrarian pedantry."
It's certainly true that IPS does little to prevent attackers that are
specifically targeting your organization. With enough time, the right
spoofable network connectivity, and a large enough botnet someone
targeting you isn't going to be chased away by IPS. However, IPS does
raise the level of the overall network such that you're no longer low
hanging fruit or nearly as vulnerable to the script kiddies in the
event of a misconfiguration.
Best Regards,
--
Todd H.
http://www.toddh.net/
Sebastian G.
01-31-08, 05:03 PM
Todd H. wrote:
> "Sebastian G." <seppi@seppig.de> writes:
>
>> Arjun wrote:
>>
>>> I am a bit confused on the placement of an IPS device. Considering a
>>> 500-user network with two servers (in a DMZ) for online business, with a
>>> firewall at the gateway, I wanted to know where it would be best to place an
>>> IPS device: is it best to keep it in front of the firewall or behind the
>>> firewall? Please help me out and recommend which IPS to go about.
>> Well, if you already bought an IPS device, then consider it as a sunk
>> cost and place it inside the trash can, so at least it doesn't mess up
>> anything.
>>
>> If you haven't bought any yet, then please reconsider the
>> idea. Reconsider it once more, and then dump the obviously stupid idea
>> of IPS.
>
> Oh give us your reasons mighty Sebastian, for this week's edition of
> "contrarian pedantry."
Very simple: Spoofing. Either you block legitimate hosts which have been
spoofed, or you let attacks from spoofed hosts through.
> However, IPS does
> raise the level of the overall network such that you're no longer low
> hanging fruit or nearly as vulnerable to the script kiddies in the
> event of a misconfiguration.
In terms of spoofing, it creates a wonderful DoS condition that even the
most stupid script kiddie can trigger. However, defense against
misconfiguration by other means (validation, anomaly analysis, policies).
Todd H.
01-31-08, 06:20 PM
"Sebastian G." <seppi@seppig.de> writes:
> Todd H. wrote:
>
> > "Sebastian G." <seppi@seppig.de> writes:
> >
> >> Arjun wrote:
> >>
> >>> I am a bit confused on the placement of an IPS device. Considering a
> >>> 500-user network with two servers (in a DMZ) for online business, with a
> >>> firewall at the gateway, I wanted to know where it would be best to place an
> >>> IPS device: is it best to keep it in front of the firewall or behind the
> >>> firewall? Please help me out and recommend which IPS to go about.
> >> Well, if you already bought an IPS device, then consider it as a sunk
> >> cost and place it inside the trash can, so at least it doesn't mess up
> >> anything.
> >>
> >> If you haven't bought any yet, then please reconsider the
> >> idea. Reconsider it once more, and then dump the obviously stupid idea
> >> of IPS.
> > Oh give us your reasons mighty Sebastian, for this week's edition of
> > "contrarian pedantry."
>
>
> Very simple: Spoofing. Either you block legitimate hosts which have
> been spoofed, or you let attacks from spoofed hosts through.
>
> > However, IPS does
> > raise the level of the overall network such that you're no longer low
> > hanging fruit or nearly as vulnerable to the script kiddies in the
> > event of a misconfiguration.
>
>
> In terms of spoofing, it creates a wonderful DoS condition that even
> the most stupid script kiddie can trigger. However, defense against
> misconfiguration by other means (validation, anomaly analysis,
> policies).
Which might be an acceptable risk for certain environments. Bad
for an ecommerce website, perhaps a value add for, say, a university
campus where an IP being locked out for 15 minutes isn't the end of
the world.
One size doesn't fit all, and without knowing the OP's environment, I
think yer an ass and technically inaccurate to toss the entire
technology out as "stupid."
Best Regards,
--
Todd H.
http://www.toddh.net/
Burkhard Ott
02-01-08, 02:38 AM
> One size doesn't fit all, and without knowing the OP's environment, I
> think yer an ass and technically inaccurate to toss the entire
> technology out as "stupid."
Sebastian is totally right. Would you say a technology is smart if you
don't need much brain to sabotage it?
cheers
Ansgar -59cobalt- Wiechers
02-01-08, 08:43 AM
Todd H. <comphelp@toddh.net> wrote:
> "Sebastian G." <seppi@seppig.de> writes:
>> In terms of spoofing, it creates a wonderful DoS condition that even
>> the most stupid script kiddie can trigger. However, defense against
>> misconfiguration by other means (validation, anomaly analysis,
>> policies).
>
> Which might be an acceptable risk for certain environments.
No.
> Bad for an ecommerce website, perhaps a value add for, say, a
> university campus where an IP being locked out for 15 minutes isn't
> the end of the world.
Try a "host 198.41.0.4" (or "nslookup 198.41.0.4"). Does that name ring
a bell?
Now let us assume someone were to trigger the IPS condition by sending a
maliciously crafted packet with this source address (as well as twelve
more packets with addresses of the other twelve servers). Let us further
assume that said someone were to repeat sending these thirteen (in words
"thirteen") packets every, say, 15 minutes.
What do you think would happen to your university campus' internet
access in a situation like that?
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
hi all...
thanks for your suggestions...
continuing with my mail on IPS placement... actually, people
recommended that I use an IPS from an availability perspective (for less
downtime for online access to my servers), like prevention of DDoS and
buffer overflow attacks.... is a firewall enough for this?
arjun
Ansgar -59cobalt- Wiechers wrote:
> Try a "host 198.41.0.4" (or "nslookup 198.41.0.4"). Does that name ring
> a bell?
Name: a.root-servers.net
Address: 198.41.0.4
> Now let us assume someone were to trigger the IPS condition by sending a
> maliciously crafted packet with this source address (as well as twelve
> more packets with addresses of the other twelve servers). Let us further
> assume that said someone were to repeat sending these thirteen (in words
> "thirteen") packets every, say, 15 minutes.
>
> What do you think would happen to your university campus' internet
> access in a situation like that?
?
I don't get it. Why would my DNS server have to ask a root server, let alone the clients?
They would ask my ISP's DNS server, wouldn't they?
M
Ansgar -59cobalt- Wiechers
02-04-08, 09:41 AM
mak <mak@nospam.com> wrote:
> Ansgar -59cobalt- Wiechers wrote:
>> Try a "host 198.41.0.4" (or "nslookup 198.41.0.4"). Does that name
>> ring a bell?
>
> Name: a.root-servers.net
> Address: 198.41.0.4
>
>> Now let us assume someone were to trigger the IPS condition by
>> sending a maliciously crafted packet with this source address (as
>> well as twelve more packets with addresses of the other twelve
>> servers). Let us further assume that said someone were to repeat
>> sending these thirteen (in words "thirteen") packets every, say, 15
>> minutes.
>>
>> What do you think would happen to your university campus' internet
>> access in a situation like that?
>
> I don't get it. Why would my DNS server have to ask a root server, let
> alone the clients?
Because that's how DNS works. If your nameserver can't resolve a name by
itself it will ask one of the root servers. The root server returns the
authoritative server for the TLD of the name in question. Next your
nameserver then asks the authoritative nameserver for the TLD, which
will return the authoritative nameserver for the SLD. And so forth until
you get to the nameserver that is authoritative for the name in
question. This process is called "DNS recursion".
> They would ask my ISP's DNS server, wouldn't they?
Of course a nameserver can forward all queries it can't resolve by
itself to upstream nameservers (like the ISP's nameservers). However,
that doesn't change anything about the problem at hand. All an attacker
needs to do is to spoof the IP addresses of the ISP's nameservers
instead of the IP addresses of the root servers. The result will be the
exact same.
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
Moe Trin
02-04-08, 02:39 PM
On Mon, 04 Feb 2008, in the Usenet newsgroup comp.security.firewalls, in article
<1202132991.855986@nntpcache01.si.eunet.at>, mak wrote:
>Ansgar -59cobalt- Wiechers wrote:
>> Now let us assume someone were to trigger the IPS condition by
>> sending a maliciously crafted packet with this source address (as
>> well as twelve more packets with addresses of the other twelve
>> servers). Let us further assume that said someone were to repeat
>> sending these thirteen (in words "thirteen") packets every, say, 15
>> minutes.
Easy to do as well, as this is likely to be UDP, and possibly easy
to spoof. Some firewall techniques may work better against this, as
there is little likelihood of receiving unsolicited packets from
such servers.
>> What do you think would happen to your university campus' internet
>> access in a situation like that?
Because many name servers cache the information they receive, there
would be a problem with "new" name resolution (and maybe reacquiring
data after the old information times out) but it wouldn't totally
shut things down. Obviously, this isn't the only attack method that
could trigger an IPS condition that would cause you to shoot yourself
in the wobbly bits.
>I don't get it. Why would my DNS server have to ask a root server,
>let alone the clients?
Certainly your clients would not be talking to the root servers, but
your name server probably would - especially if you aren't running the
server as a caching/forwarder. But again, this isn't the only attack
mechanism.
>They would ask my ISP's DNS server, wouldn't they?
Depends on how your name server is configured. I have no figures about
how many people are running "their" name server as a forwarder (that
forwards queries it can't resolve to some up-stream server) versus
those running a real stand-alone recursive name server. Your home or
small operator probably is defaulting to a forwarding mode, and that's
probably a huge number. In that case, let the attacker spoof the IP of
the name server you are forwarding to - somewhat harder because there
are a lot more of them, but almost certainly more effective, and likely
to nail the icon-clicker type of admin whose brain is struggling to
spell DNS, never mind understanding how name resolution works.
Old guy
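A worked illustration of the failure mode Ansgar and Moe Trin describe above, added here as an example and not code posted by anyone in the thread. It simulates an inline IPS that shuns a source address for 15 minutes on a signature hit, the spoofed-root-server DoS against it, and two mitigations: a protected-address list combined with shunning only on completed TCP handshakes, and the stateful-firewall check Moe Trin mentions (unsolicited inbound packets from a nameserver are dropped before the IPS ever sees them). Everything except 198.41.0.4 (a.root-servers.net, from the thread) is constructed: the resolver and attacker addresses, the ISP forwarder, the signature and the packets.

```python
from dataclasses import dataclass

BLOCK_SECONDS = 15 * 60        # the 15-minute lockout mentioned in the thread
SIGNATURE = b"\x90" * 8        # constructed signature (a NOP-sled look-alike)
RESOLVER = "192.0.2.10"        # constructed: campus recursive nameserver
ROOT_A = "198.41.0.4"          # a.root-servers.net, as given in the thread
ISP_FORWARDER = "192.0.2.53"   # constructed: the ISP resolver a forwarder would use
ATTACKER = "203.0.113.7"       # constructed attacker address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "udp" or "tcp"
    sport: int
    dport: int
    payload: bytes
    t: float                   # seconds since the start of the scenario
    handshake: bool = False    # tcp only: True once the 3-way handshake completed


class NaiveIPS:
    """Signature hit: drop the packet and shun its source for BLOCK_SECONDS."""

    def __init__(self):
        self.blocked = {}      # source ip -> expiry time

    def is_blocked(self, pkt):
        return pkt.src in self.blocked and self.blocked[pkt.src] > pkt.t

    def inspect(self, pkt):
        if self.is_blocked(pkt):
            return "drop"
        if SIGNATURE in pkt.payload:
            self.blocked[pkt.src] = pkt.t + BLOCK_SECONDS
            return "shun"
        return "pass"


class HardenedIPS(NaiveIPS):
    """Drops the offending packet, but shuns only unprotected sources that completed a TCP handshake."""

    def __init__(self, protected):
        super().__init__()
        self.protected = set(protected)

    def inspect(self, pkt):
        if self.is_blocked(pkt):
            return "drop"
        if SIGNATURE in pkt.payload:
            if pkt.proto == "tcp" and pkt.handshake and pkt.src not in self.protected:
                self.blocked[pkt.src] = pkt.t + BLOCK_SECONDS
                return "shun"
            return "drop"          # alert, but do not punish the claimed source
        return "pass"


class StatefulFirewall:
    """Admits an inbound packet only if it answers a request we sent out."""

    def __init__(self):
        self.pending = set()   # (our ip, our port, peer ip, peer port, proto)

    def outbound(self, pkt):
        self.pending.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))

    def inbound(self, pkt):
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.pending:
            self.pending.discard(key)
            return True
        return False


def deliver(pkt, ips, fw=None):
    # Inbound path: firewall state check first (if any), then the IPS.
    if fw is not None and not fw.inbound(pkt):
        return "fw_drop"
    return ips.inspect(pkt)


def root_server_scenario(ips, fw=None):
    """One spoofed packet claiming to be a.root-servers.net, then a genuine reply a minute later."""
    spoofed = Packet(ROOT_A, RESOLVER, "udp", 53, 40000, SIGNATURE + b"junk", t=0)
    query = Packet(RESOLVER, ROOT_A, "udp", 40001, 53, b"Q example.", t=60)
    reply = Packet(ROOT_A, RESOLVER, "udp", 53, 40001, b"R example.", t=61)
    v_spoof = deliver(spoofed, ips, fw)
    if fw is not None:
        fw.outbound(query)         # the resolver's real query creates firewall state
    v_reply = deliver(reply, ips, fw)
    return {"spoofed": v_spoof, "reply": v_reply}


def real_attacker_scenario(ips):
    """TCP exploit attempt from a host that completed the handshake, i.e. really owns the address."""
    exploit = Packet(ATTACKER, RESOLVER, "tcp", 51000, 80, SIGNATURE + b"x", t=0, handshake=True)
    retry = Packet(ATTACKER, RESOLVER, "tcp", 51001, 80, b"GET / HTTP/1.0", t=5, handshake=True)
    return {"exploit": ips.inspect(exploit), "retry": ips.inspect(retry)}


if __name__ == "__main__":
    protected = [ROOT_A, ISP_FORWARDER]
    print("naive IPS, no firewall     :", root_server_scenario(NaiveIPS()))
    print("hardened IPS, no firewall  :", root_server_scenario(HardenedIPS(protected)))
    print("naive IPS + stateful fw    :", root_server_scenario(NaiveIPS(), StatefulFirewall()))
    print("hardened IPS, real attacker:", real_attacker_scenario(HardenedIPS(protected)))
```

With the naive IPS the single spoofed packet gets a.root-servers.net shunned and the resolver's genuine reply is dropped for the next 15 minutes; with the stateful firewall in front, the spoofed packet never reaches the IPS because no query to that address is outstanding. The trade-off Sebastian states is visible in the hardened variant: because it refuses to shun on UDP or on unprotected addresses it cannot vouch for, a real attacker who only ever uses spoofable UDP is never shunned, and the protected list only covers the peers you thought to put on it, which is Moe Trin's point that the root servers are not the only addresses worth spoofing.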
Sebastian G.
02-04-08, 02:47 PM
mak wrote:
> I don't get it. Why would my DNS server have to ask a root server, let alone the clients?
You don't have a clue how DNS works?
> They would ask my ISP's DNS server, wouldn't they?
Maybe. What exactly stops me from spoofing this host either?