Trying to understand when and when not to enable IPS on zones
I'm starting to work on evaluating how we have IDS/IPS set up along with DPI-SSL. Right now I am questioning how we have our IPS enabled on different zones. Mainly, I'm trying to understand when you would enable IPS and when you wouldn't enable IPS on a zone. Yes, the simple answer is "enable IPS on a zone you want intrusion prevention" - but thinking about it in a more nuanced way, I think there's more to it than that. For example, you wouldn't just turn on IPS for EVERY zone in the name of being most secure, would you?
So naturally you'd want to have IPS enabled on WAN zones since the internet is the main source of attacks. However, say I have a zone added that contains all my users' computers and printers, would I also want IPS on that? Maybe... what about a custom zone with VoIP devices, or another one with, say, door lock systems?
Currently, here is my config:
- WAN (2 interfaces for Internet)
- LAN (servers)
- PC LAN (workstations and printers)
- WLAN (wireless internet main interface)
IPS Not Enabled:
- VOIP (voice servers and devices)
- WLAN Employee (WLAN sub-interface) (for company employees)
- WLAN Guest (WLAN sub-interface) (for customers)
Or would it be simple enough to just enable IPS only on WAN zones and call it good?