
I am a system architect working on projects - mostly CDN-related projects - and I am currently a bit confused about where the IPS/IDS should be placed. We have an NGINX-based webserver for the edge which is being protected and monitored with NAXSI as its WAF. All servers are using SELinux, and they are using firewalld as their system firewall. Requests should be sent directly to the NGINX edge server, and I am trying so hard to avoid network dumps.

The question is: where should the IPS/IDS be placed? Should it be on the edge server itself, or should it be on another machine? Performance is the most essential consideration that we have.

|          |
|          |                            --->> OTHER SERVERS
| FIREWALL |                           /
|          |                          /
|          |  ---->>>    NGINX EDGE  ------>> OTHER SERVERS
|          |                          \
|          |                           \
|          |                            --->> OTHER SERVERS
|          |    
|          |   should IPS be on NGINX EDGE? Or should I add another
|          |   machine in front of NGINX EDGE - Closer to Firewall ?
Parsa Samet

2 Answers


Not far from a matter of taste... More exactly, it really depends on too many factors to allow a definitive answer. Just some hints:

  • the earlier, the better if you want to be warned of attacks against the edge server or the firewall itself
  • after the edge can be better if you have very high traffic, to avoid a bottleneck at the IDS/IPS
  • after the edge can make sense if you have HTTPS traffic decrypted at the edge level and want to analyse it

But you could also imagine a network IDS close to the firewall for the non-TLS-encrypted traffic and a host IDS on the application servers for the TLS-encrypted part.

Serge Ballesta
  • Thank you so much for the hints, they are seriously helpful. But one question: consider having TLS, so I'm going to use the IDS after the edge. Should I have my IDS on another independent server? – Parsa Samet May 10 '17 at 08:32
  • @ParsaSamet: It depends on server resources, cost of an additional server, traffic, etc. The IDS/IPS must be functionally independent of the edge server and the application servers, but its physical implantation can be where you have enough resources to host it. – Serge Ballesta May 10 '17 at 09:33
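Concretely, the last hint above (network sensor in front of the edge for the encrypted part, host-side analysis behind the point of decryption) can be realised on the edge box itself without putting a second machine inline, which is what matters when performance is the first concern. The configuration below is an added example, not taken from the question or the answers; the hostname, certificate paths, backend addresses and the local sensor port are assumptions. TLS stops at this server, the proxied hop to the application servers is plain HTTP on an internal segment, and a copy of each request is mirrored to a local listener that never sits in the request path:

```nginx
# Edge server: TLS is terminated here, so everything behind this box is
# plaintext HTTP and can be inspected by a passive sensor.
upstream app_servers {
    server 10.0.1.10:80;   # assumed backend addresses on an internal segment
    server 10.0.1.11:80;
}

# Assumed local analysis listener (host IDS / log collector). It only ever
# receives a copy of each request; its response is discarded by nginx.
upstream local_sensor {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name cdn.example.com;                    # assumed

    ssl_certificate     /etc/nginx/tls/edge.crt;    # assumed paths
    ssl_certificate_key /etc/nginx/tls/edge.key;

    location / {
        # Send a copy of the request (headers and body) to the sensor.
        mirror /_sensor;
        mirror_request_body on;

        # The real request continues, in the clear, to the application tier.
        proxy_pass http://app_servers;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    location = /_sensor {
        internal;                                   # not reachable from clients
        proxy_pass http://local_sensor$request_uri;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

Two placement notes follow from this. The plaintext hop between the edge and the application servers is the natural spot for a network IDS running passively (tapping the internal interface or a SPAN port), where it adds no latency to nginx; the interface carrying that hop must of course be restricted with firewalld so the unencrypted traffic is not reachable from outside. The mirror subrequest is not free: it costs one extra outgoing request per client request, and while the main response is not delayed by the sensor's answer, a slow sensor can hold up the next request on the same keep-alive connection, so the listener should be fast or be given a short timeout.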

IDPS can have multiple sensors located in multiple network locations, depending on the information you would like to use to detect anomalies or stop the attacks. You should take a look at NIST SP 800-94, a guide on this exact topic. Architectures for network IDPS are covered in sections 4.2 and 6.1. Passive sensors should have minimal impact on the performance.

Michał Staruch