Trying to understand when and when not to enable IPS on zones
I'm starting to work on evaluating how we have IDS/IPS set up along with DPI-SSL. Right now I am questioning how we have our IPS enabled on different zones. Mainly, I'm trying to understand when you would enable IPS and when you wouldn't enable IPS on a zone. Yes, the simple answer is "enable IPS on a zone you want intrusion prevention" - but thinking about it in a more nuanced way, I think there's more to it than that. For example, you wouldn't just turn on IPS for EVERY zone in the name of being most secure, would you?
So naturally you'd want to have IPS enabled on WAN zones since the internet is the main source of attacks. However, say I have a zone added that contains all my users' computers and printers, would I also want IPS on that? Maybe... what about a custom zone with VoIP devices or another one with, say, door lock systems?
Currently, here is my config:
IPS Enabled:
- WAN (2 interfaces for Internet)
- LAN (servers)
- PC LAN (workstations and printers)
- DMZ
- WLAN (wireless internet main interface)
IPS Not Enabled:
- VOIP (voice servers and devices)
- WLAN Employee (WLAN sub-interface) (for company employees)
- WLAN Guest (WLAN sub-interface) (for customers)
Or would it be simple enough to just enable IPS only on WAN zones and call it good?
Answers
@lostbackups I'm going to take a stab at this.
Yes, you want it on for "almost everything", and the way you have it set in your examples is good.
The key to IPS is how you've set the IPS Global settings themselves. My TZ appliance looks like this:
I have not configured any settings behind the Configure button.
As an MSP I believe this configuration (IPS on WAN, LAN, WLAN, and my two LAB zones) will provide a moderate amount of protection.
At no point would I ever countenance, "IPS only on the WAN" as a valid security solution.
Hey Larry, thanks for your reply. Let me ask you, do you also have DPI-SSL enabled on those interfaces? If not, then the IDS/IPS system and its reporting are very limited since the majority of traffic will be encrypted. Then, if you do have DPI-SSL enabled, do you ever run into issues with sites breaking? I'm just asking all these questions since I want to work on setting up IPS and DPI-SSL in the best/most-correct way possible while eliminating the chance that things will break for end users.
For the sites where DPI-SSL is enabled, and the documentation followed to the letter, I sometimes get calls from my clients about things not working.
And that's what exceptions are all about. I'll create the necessary override and let things work for the client after explaining - once again - why I am protecting them.
It is the initial setting of expectations: Yes, this will slow things down somewhat. Yes, this may interfere with access, but I'm a phone call or email away. Yes, we are protecting you because that's what you pay me for...
Hey again Larry, could you link me to the documentation you used? I have been reading through the SonicWall KB and, so far, I can only find the links listed below. They seem to cover most of the DPI-SSL configuration, but I'm trying to do a testing phase right now and I'm a little confused about how to specify just one PC or a group of PCs. The Exclusion/Inclusion group table with "Address Object/Group", "Service Object/Group" and "User Object/Group" sort of makes sense, but I don't understand how the different options stack or get applied. Basically, I don't want to accidentally apply DPI-SSL to anyone beyond one computer/user right now.