There is a lot to be said for putting the theory of IPS into action in a production network, so in this case study we look at a few example policies that can be used to secure an enterprise network against internal and external threats. We will examine how to provide protection under three different scenarios:
In the DMZ, several servers (HTTP, HTTPS, FTP, SMTP, and DNS) must be protected against attacks from clients. We also want to make sure that if one of these machines is compromised it cannot go on to infect other machines on the network, or the Internet at large, with spyware, worms, Trojan horses, and viruses. The DMZ servers may only talk outbound on HTTP and HTTPS, for updates. Every attack match should be logged in this example. Assume that the DMZ zone uses the interface Reth4.
We want to protect internal clients against attacks from malicious servers in the wild. These hosts will only be allowed to communicate over HTTP, HTTPS, FTP, and IM out to the Internet; all other services are restricted by the firewall policy itself. We also want to identify any hosts that are infected by spyware, worms, Trojan horses, or viruses, block them for two hours, and set the alert flag in the logs for those events.

Assume that the Internal-Clients zone is composed of Dept-A and Dept-B, with interfaces Reth2 and Reth3, respectively.
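The Junos `set` configuration below is an added example that implements the DMZ and Internal-Clients scenarios described above; it is not the book's own configuration. It assumes an Internet-facing zone named Untrust on reth1.0, a single IDP policy named Case-Study, and dynamic attack groups built from attack-database filters so that new signatures in the chosen categories are picked up on each database update. The category and severity filter values, and the predefined IM application names (junos-aim, junos-msn, junos-ymsg), are assumptions to verify against the attack database and application list installed on the device. Lines beginning with `#` are annotations, not CLI commands.

```junos
# Zone and interface bindings from the scenario (Untrust/reth1.0 is an assumption).
set security zones security-zone DMZ interfaces reth4.0
set security zones security-zone Internal-Clients interfaces reth2.0
set security zones security-zone Internal-Clients interfaces reth3.0
set security zones security-zone Untrust interfaces reth1.0

# Dynamic attack groups (filter values are assumptions; confirm against the installed database).
# Attacks launched by clients against the DMZ server protocols.
set security idp dynamic-attack-group DMZ-Server-Attacks filters direction values client-to-server
set security idp dynamic-attack-group DMZ-Server-Attacks filters category values [ HTTP FTP SMTP DNS ]
set security idp dynamic-attack-group DMZ-Server-Attacks filters severity values [ critical major ]
# Attacks launched by malicious servers against the protocols internal clients are allowed to use.
set security idp dynamic-attack-group Client-Side-Attacks filters direction values server-to-client
set security idp dynamic-attack-group Client-Side-Attacks filters category values [ HTTP FTP ]
set security idp dynamic-attack-group Client-Side-Attacks filters severity values [ critical major ]
# Malware activity in either direction, used to spot an already-infected host.
set security idp dynamic-attack-group Malware-Any filters category values [ SPYWARE WORM TROJAN VIRUS ]

# Rule 1: clients attacking the DMZ servers. Drop the connection and log every hit.
set security idp idp-policy Case-Study rulebase-ips rule DMZ-Inbound match from-zone Untrust to-zone DMZ
set security idp idp-policy Case-Study rulebase-ips rule DMZ-Inbound match source-address any
set security idp idp-policy Case-Study rulebase-ips rule DMZ-Inbound match destination-address any
set security idp idp-policy Case-Study rulebase-ips rule DMZ-Inbound match application default
set security idp idp-policy Case-Study rulebase-ips rule DMZ-Inbound match attacks dynamic-attack-groups DMZ-Server-Attacks
set security idp idp-policy Case-Study rulebase-ips rule DMZ-Inbound then action drop-connection
set security idp idp-policy Case-Study rulebase-ips rule DMZ-Inbound then notification log-attacks

# Rule 2: a compromised DMZ server trying to infect others over its permitted HTTP/HTTPS egress.
set security idp idp-policy Case-Study rulebase-ips rule DMZ-Outbound match from-zone DMZ to-zone Untrust
set security idp idp-policy Case-Study rulebase-ips rule DMZ-Outbound match source-address any
set security idp idp-policy Case-Study rulebase-ips rule DMZ-Outbound match destination-address any
set security idp idp-policy Case-Study rulebase-ips rule DMZ-Outbound match application default
set security idp idp-policy Case-Study rulebase-ips rule DMZ-Outbound match attacks dynamic-attack-groups Malware-Any
set security idp idp-policy Case-Study rulebase-ips rule DMZ-Outbound then action drop-connection
set security idp idp-policy Case-Study rulebase-ips rule DMZ-Outbound then notification log-attacks

# Rule 3: malicious Internet servers attacking internal clients (server-to-client direction).
set security idp idp-policy Case-Study rulebase-ips rule Clients-Inbound match from-zone Untrust to-zone Internal-Clients
set security idp idp-policy Case-Study rulebase-ips rule Clients-Inbound match source-address any
set security idp idp-policy Case-Study rulebase-ips rule Clients-Inbound match destination-address any
set security idp idp-policy Case-Study rulebase-ips rule Clients-Inbound match application default
set security idp idp-policy Case-Study rulebase-ips rule Clients-Inbound match attacks dynamic-attack-groups Client-Side-Attacks
set security idp idp-policy Case-Study rulebase-ips rule Clients-Inbound then action drop-connection
set security idp idp-policy Case-Study rulebase-ips rule Clients-Inbound then notification log-attacks

# Rule 4: an infected internal host. Drop the connection, block the source IP for two hours
# (7200 seconds) and raise the alert flag on the log entry.
set security idp idp-policy Case-Study rulebase-ips rule Infected-Clients match from-zone Internal-Clients to-zone Untrust
set security idp idp-policy Case-Study rulebase-ips rule Infected-Clients match source-address any
set security idp idp-policy Case-Study rulebase-ips rule Infected-Clients match destination-address any
set security idp idp-policy Case-Study rulebase-ips rule Infected-Clients match application default
set security idp idp-policy Case-Study rulebase-ips rule Infected-Clients match attacks dynamic-attack-groups Malware-Any
set security idp idp-policy Case-Study rulebase-ips rule Infected-Clients then action drop-connection
set security idp idp-policy Case-Study rulebase-ips rule Infected-Clients then ip-action ip-block
set security idp idp-policy Case-Study rulebase-ips rule Infected-Clients then ip-action target source-address
set security idp idp-policy Case-Study rulebase-ips rule Infected-Clients then ip-action timeout 7200
set security idp idp-policy Case-Study rulebase-ips rule Infected-Clients then ip-action log
set security idp idp-policy Case-Study rulebase-ips rule Infected-Clients then notification log-attacks alert

set security idp active-policy Case-Study

# IDP only inspects traffic that a security policy permits with application-services idp,
# so the firewall policies carry the service restrictions and hand the flows to the IPS.
set security policies from-zone Untrust to-zone DMZ policy Untrust-to-DMZ match source-address any
set security policies from-zone Untrust to-zone DMZ policy Untrust-to-DMZ match destination-address any
set security policies from-zone Untrust to-zone DMZ policy Untrust-to-DMZ match application [ junos-http junos-https junos-ftp junos-smtp junos-dns-udp junos-dns-tcp ]
set security policies from-zone Untrust to-zone DMZ policy Untrust-to-DMZ then permit application-services idp
set security policies from-zone Untrust to-zone DMZ policy Untrust-to-DMZ then log session-init session-close
set security policies from-zone DMZ to-zone Untrust policy DMZ-Updates match source-address any
set security policies from-zone DMZ to-zone Untrust policy DMZ-Updates match destination-address any
set security policies from-zone DMZ to-zone Untrust policy DMZ-Updates match application [ junos-http junos-https ]
set security policies from-zone DMZ to-zone Untrust policy DMZ-Updates then permit application-services idp
set security policies from-zone DMZ to-zone Untrust policy DMZ-Updates then log session-init session-close
set security policies from-zone Internal-Clients to-zone Untrust policy Clients-Out match source-address any
set security policies from-zone Internal-Clients to-zone Untrust policy Clients-Out match destination-address any
set security policies from-zone Internal-Clients to-zone Untrust policy Clients-Out match application [ junos-http junos-https junos-ftp junos-aim junos-msn junos-ymsg ]
set security policies from-zone Internal-Clients to-zone Untrust policy Clients-Out then permit application-services idp
```

Two design points are worth checking before committing this on a real device. First, the DMZ and Internal-Clients zones have no policy in either direction here, so the default deny keeps a compromised DMZ host from reaching the clients; if such a policy exists it needs `application-services idp` as well. Second, the ip-action block is keyed on the source address, so a NAT device or proxy sitting in front of the clients would cause one infected host to block everyone behind it; in that layout the block target or the timeout should be reconsidered.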
Clients are permitted to access a wide variety of services on the internal servers. Currently, ...