Intrusion Prevention Systems are designed to detect possible attacks that are occurring over the network and act upon them in some way. They are not unlike firewalls, but they tend to approach the problem a bit differently. Whereas your typical networkĀ firewallĀ is a "deny by default" system (i.e. deny all traffic except those which pass certain criteria), anĀ IPSĀ tends to be an "allow all by default" system (i.e. allow all traffic except those things that look dangerous). Also, firewalls tend to be routers to serve as a network choke point, whereas the IPS is a "bump in the wire" looking at all traffic passing through. It is usually deployed in-line with the firewall, either on an ingress or egress point.
Joel Esler, one of the professional services guys forĀ Sourcefire, who sell IPS solutions (Nokia, my employer, is a Sourcefire partner), wrote an interesting blog postĀ decrying the typical practice of deploying the IPS outside the Internet-facing firewall. His basic message: if your Internet-facing firewall is properly configured and your important machines are properly ensconced behind it, you don't need an IPS on the outside of your firewall. The IPS should be placedĀ insideĀ the firewall.
While I agree that IPS is needed inside the external firewall, I think IPS has a useful placeĀ outsideĀ the firewall as well. It is not always feasible to putĀ everythingĀ behind a firewall. For example, it may not be possible/feasible to subnet your external network so you can put stuff behind a firewall. You might be using a service that does not play nice with a firewall. Or any number of other technical or political reasons.
Even if you can manage to get everything behind aĀ stateful inspection firewall, what's looking after the firewall? Sure, a properly configured firewall will deflect anything the Internet is likely to throw at it, butĀ even a properly configured firewall might beĀ susceptibleĀ to a security vulnerability.
To throw another viewpoint into the mix, perhaps the place to integrate IPS functionality is right in the firewall itself.Ā Check PointĀ was clearly starting down this road with SmartDefense in the NG AI release ofĀ VPN-1. Now in the R70 release of Check Point's Security Gateway product, we have theĀ IPS software blade, which is a full-blown IPS.
The bottom line is that if you're going to use an IPS, you need it everywhere bad stuff could happen--inside or just outside your security parameter. Or on the firewall itself ;)
