A midsized enterprise is designing a layered network perimeter that currently includes an edge router, a stateful firewall, and internal routing and switching for user and server segments. Management wants to add a network-based intrusion prevention system (IPS) to detect and automatically block sophisticated attacks. To maximize detection accuracy while minimizing unnecessary processing overhead and latency, where in this topology should the IPS be physically installed?
Inline with the edge router so that it inspects every packet entering or leaving the organization.
At the primary datacenter ingress to monitor high-bandwidth server-to-server communications.
Immediately behind the perimeter firewall, before traffic reaches any internal routers or switches.
On a core switch close to user workstations to track possible lateral movement and insider threats.
Placing the IPS directly behind (internal to) the external firewall allows the firewall to drop obviously disallowed traffic first, so the IPS only analyzes traffic that has already met basic policy rules. This reduces the IPS workload, decreases false positives, and still stops threats before they can reach internal routers, switches, and hosts. Positioning the IPS outside the firewall forces it to inspect all Internet noise, while placing it deep inside the LAN or only at a datacenter ingress leaves gaps during initial ingress and can overwhelm the sensor with east-west traffic.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the main difference between a firewall and an IPS?
Open an interactive chat with Bash
What is east-west traffic and why can it overwhelm an IPS?
Open an interactive chat with Bash
How does placing an IPS behind a firewall improve performance?