You are currently configuring and tuning a new IPS on your development network. You have confirmed that traffic to and from the internet is being inspected by the IPS, but traffic between the local LAN segments are not being inspected by the IPS. What could be the problem?
- You neglected to enable some of the Snort rules.
- You neglected to enable anomaly-based processing.
- You placed the IPS on a network segment that has no access to the traffic between the local LAN segments.
- You placed the IPS in detection mode instead of prevention mode.
| Explanation & Hint:
The issue you’re experiencing is likely due to the placement of the IPS: You placed the IPS on a network segment that has no access to the traffic between the local LAN segments. An Intrusion Prevention System (IPS) needs to be positioned such that it can analyze the traffic it is meant to inspect. If the IPS is only placed in the path of traffic to and from the internet, it will not be able to see or inspect the traffic that is strictly local to the LAN, which often doesn’t need to pass through the gateway where the IPS might be located. To rectify this, you need to ensure that the IPS is also inline with the internal traffic you wish to monitor or that it has access to mirrored traffic from those segments. |