I am a system architect working on projects - mostly CDN-related projects - and I am currently a bit confused about where the IPS/IDS should be placed. We have an NGINX-based web server for the edge which is being protected and monitored with NAXSI as its WAF. All servers are using SELinux, and they are using firewalld as their system firewall. Requests should be sent directly to the NGINX edge-server, and I am trying so hard to avoid network dumps.
The question is: where should the IPS/IDS be placed? Should it be on the edge-server itself, or should it be on another machine? Performance is the most essential consideration that we should have.
|          |
|          |                          --->> OTHER SERVERS
| FIREWALL |                         /
|          |                        /
|          | ---->>> NGINX EDGE ------>> OTHER SERVERS
|          |                        \
|          |                         \
|          |                          --->> OTHER SERVERS
|          |
|          |   should IPS be on NGINX EDGE? Or should I add another
|          |   machine in front of NGINX EDGE - Closer to Firewall ?