I am a bit confused about the placement of an IPS device. Considering a
500-user network with two servers (in a DMZ) for online business and a firewall at the gateway, I wanted to know where it would be best to place an IPS device. Is it best to keep it in front of the firewall or behind the firewall? Please help me out and recommend which IPS to go with.
Oh give us your reasons mighty Sebastian, for this week's edition of "contrarian pedantry."
It's certainly true that IPS does little to prevent attackers that are specifically targeting your organization. With enough time, the right spoofable network connectivity, and a large enough botnet someone targeting you isn't going to be chased away by IPS. However, IPS does raise the level of the overall network such that you're no longer low hanging fruit or nearly as vulnerable to the script kiddies in the event of a misconfiguration.
Very simple: Spoofing. Either you block legitimate hosts which have been spoofed, or you let attacks from spoofed hosts through.
In terms of spoofing, it creates a wonderful DoS condition that even the most stupid script kiddie can trigger. However, defend against misconfiguration by other means (validation, anomaly analysis, policies).
Which might be an acceptable risk for certain environments. Bad for an e-commerce website, perhaps a value add for, say, a university campus where an IP being locked out for 15 minutes isn't the end of the world.
One size doesn't fit all, and without knowing the OP's environment, I think yer an ass and technically inaccurate to toss the entire technology out as "stupid."
Try a "host 18.104.22.168" (or "nslookup 22.214.171.124"). Does that name ring a bell?
Now let us assume someone were to trigger the IPS condition by sending a maliciously crafted packet with this source address (as well as twelve more packets with addresses of the other twelve servers). Let us further assume that said someone were to repeat sending these thirteen (in words "thirteen") packets every, say, 15 minutes.
What do you think would happen to your university campus' internet access in a situation like that?
Continuing with my mail about IPS placement: actually, people recommended that I use an IPS from an availability perspective (for less downtime for online access to my servers), e.g. prevention of DDoS and buffer overflow attacks. Is a firewall enough for this?
Because that's how DNS works. If your nameserver can't resolve a name by itself it will ask one of the root servers. The root server returns the authoritative server for the TLD of the name in question. Next your nameserver then asks the authoritative nameserver for the TLD, which will return the authoritative nameserver for the SLD. And so forth until you get to the nameserver that is authoritative for the name in question. This process is called "DNS recursion".
Of course a nameserver can forward all queries it can't resolve by itself to upstream nameservers (like the ISP's nameservers). However, that doesn't change anything about the problem at hand. All an attacker needs to do is to spoof the IP addresses of the ISP's nameservers instead of the IP addresses of the root servers. The result will be exactly the same.
Easy to do as well, as this is likely to be UDP, and possibly easy to spoof. Some firewall techniques may work better against this, as there is little likelihood of receiving unsolicited packets from such servers.
Because many name servers cache the information they receive, there would be a problem with "new" name resolution (and maybe reacquiring data after the old information times out) but it wouldn't totally shut things down. Obviously, this isn't the only attack method that could trigger an IPS condition that would cause you to shoot yourself in the wobbly bits.
Certainly your clients would not be talking to the root servers, but your name server probably would - especially if you aren't running the server as a caching/forwarder. But again, this isn't the only attack mechanism.
Depends on how your name server is configured. I have no figures about how many people are running "their" name server as a forwarder (that forwards queries it can't resolve to some up-stream server) versus those running a real stand-alone recursive name server. Your home or small operator probably is defaulting to a forwarding mode, and that's probably a huge number. In that case, let the attacker spoof the IP of the name server you are forwarding to - somewhat harder because there are a lot more of them, but almost certainly more effective, and likely to nail the icon-clicker type of admin whose brain is struggling to spell DNS, never mind understanding how name resolution works.
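The self-inflicted DoS that the thread keeps coming back to (an IPS that auto-blocks a source address for 15 minutes, fed a forged packet carrying the address of a root server or of the upstream forwarder) is easy to model, and so is the policy change that defuses it. The following is an added illustration written for this thread, not code from any of the posters or from any IPS product; the addresses are constructed documentation-range values and the two IPS classes are a toy model of a block-on-signature engine, not a real implementation. The hardened variant applies two rules a practitioner would want: a signature hit on a UDP or non-established packet only drops that packet and never creates a source block (the source could be forged), and a small allowlist of infrastructure addresses is never blocked regardless of evidence.

```python
from dataclasses import dataclass, field

# Constructed addresses (TEST-NET ranges): the two upstream name servers this
# site's resolver forwards to. Hypothetical values, not those in the thread.
UPSTREAM_RESOLVERS = {"192.0.2.53", "198.51.100.53"}
BLOCK_SECONDS = 15 * 60  # the 15-minute lockout discussed in the thread


@dataclass
class Packet:
    src: str            # source address as seen on the wire (may be forged)
    proto: str          # "udp" or "tcp"
    established: bool   # tcp only: part of a completed three-way handshake
    malicious: bool     # an IPS signature matched this packet


@dataclass
class NaiveIPS:
    """Toy model: any signature hit blocks the packet's source address."""
    blocked_until: dict = field(default_factory=dict)

    def is_blocked(self, src, now):
        return self.blocked_until.get(src, 0) > now

    def handle(self, pkt, now):
        """Return True if the packet is forwarded, False if dropped."""
        if pkt.malicious:
            self.blocked_until[pkt.src] = now + BLOCK_SECONDS
        return not self.is_blocked(pkt.src, now)


@dataclass
class HardenedIPS(NaiveIPS):
    """Same engine with two policy changes (hypothetical policy, not a vendor's):
    1. Only evidence from an established TCP flow may create a source block,
       because a bare UDP datagram or a lone SYN can carry any source address.
    2. Addresses in `protected` (root servers, upstream forwarders, the ISP's
       resolvers) are never blocked; a hit is dropped and left for a human.
    """
    protected: set = field(default_factory=set)

    def handle(self, pkt, now):
        if not pkt.malicious:
            return not self.is_blocked(pkt.src, now)
        if pkt.src in self.protected:
            return False  # drop this packet only; no block entry is created
        if pkt.proto == "tcp" and pkt.established:
            self.blocked_until[pkt.src] = now + BLOCK_SECONDS
        return False


def upstream_replies_pass(ips, now):
    """True if a legitimate UDP reply from every upstream resolver is forwarded."""
    return all(
        ips.handle(Packet(src=s, proto="udp", established=False, malicious=False), now)
        for s in UPSTREAM_RESOLVERS
    )


def run_scenario(ips):
    """Replay the thread's scenario against an IPS model.

    Returns (upstream reachable before, upstream reachable after the forged
    packets, genuine TCP attacker blocked)."""
    t = 0
    before = upstream_replies_pass(ips, t)
    # One forged signature-matching datagram per upstream address, exactly the
    # "spoof the address of the server you forward to" case from the thread.
    for s in UPSTREAM_RESOLVERS:
        ips.handle(Packet(src=s, proto="udp", established=False, malicious=True), t)
    after = upstream_replies_pass(ips, t + 1)
    # A real attacker over a completed TCP handshake cannot hide its address.
    attacker = "203.0.113.7"  # constructed
    ips.handle(Packet(src=attacker, proto="tcp", established=True, malicious=True), t + 2)
    return before, after, ips.is_blocked(attacker, t + 3)


if __name__ == "__main__":
    print("naive   :", run_scenario(NaiveIPS()))
    print("hardened:", run_scenario(HardenedIPS(protected=set(UPSTREAM_RESOLVERS))))
```

Run it and the naive model reports the resolver losing its upstream for the full block window after two forged datagrams, while the hardened model keeps name resolution working and still blocks the attacker who actually completed a TCP handshake. The same allowlist idea applies whether the site runs a full recursive resolver (protect the root server addresses) or a forwarder (protect the forwarding targets), which is why the forwarder variant discussed above changes nothing unless the block policy changes too.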