Enemy at the gates
I’ve deployed a new IPS sensor to one of our offices and have been tuning it for the last week. That office has one of our external-facing DNS servers in the DMZ. Behind the firewall sits one leg of the IPS and behind that sits the DNS server.
When I first started tuning the IPS I thought it was wired or configured wrong because the IPS wasn’t triggering any alerts for the DMZ leg. However, I realized that’s because the IPS is behind the firewall. It’s only going to see attacks that make it past the firewall. Since I only allow UDP/53 through the firewall, any attacks on the DNS must be over UDP port 53.
It’s like sitting in a sniper tower surveilling the enemy probing perimeter defenses but not being able to take a shot until they’ve breached the front gate.
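As an added illustration, not code from the original post, here is a small Python model of the placement described above: a firewall that only forwards UDP/53 to the DMZ DNS server, with a sensor behind it that therefore only ever inspects DNS traffic. The firewall policy, the DNS server address 203.0.113.53 (a TEST-NET-3 address), the probing source address and every sample packet are constructed for the example; the DNS header and question checks stand in for whatever the real sensor's rule set does.

```python
"""Model of an IPS sensor placed behind a firewall that only passes UDP/53.

Everything here is constructed for illustration: the addresses, the sample
packets and the simple DNS checks.  The point it demonstrates is that the
sensor never sees the TCP/22 or UDP/161 probes at all; only what the
firewall forwards (UDP/53 to the DNS server) reaches it for inspection.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

DNS_SERVER = "203.0.113.53"   # constructed address for the DMZ DNS server


@dataclass
class Packet:
    src: str
    dst: str
    proto: str        # "udp" or "tcp"
    dport: int
    payload: bytes = b""


def firewall_allows(pkt: Packet) -> bool:
    """Perimeter policy from the post: only UDP/53 to the DNS server passes."""
    return pkt.proto == "udp" and pkt.dport == 53 and pkt.dst == DNS_SERVER


def build_query(name: str, qtype: int, qid: int = 0x1234) -> bytes:
    """Build a minimal standard DNS query (RFC 1035 wire format)."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # QCLASS=IN


def parse_qname(payload: bytes, off: int) -> tuple[str, int]:
    """Parse an uncompressed QNAME; raise ValueError on anything malformed."""
    labels, total = [], 0
    while True:
        if off >= len(payload):
            raise ValueError("name runs past end of message")
        ln = payload[off]
        off += 1
        if ln == 0:
            return ".".join(labels), off
        if ln & 0xC0:   # pointer (0xC0) or reserved label type (0x40/0x80)
            raise ValueError(f"label type byte 0x{ln:02x} is a pointer or reserved type")
        total += ln + 1
        if total > 255:
            raise ValueError("name exceeds 255 octets")
        if off + ln > len(payload):
            raise ValueError("label runs past end of message")
        labels.append(payload[off:off + ln].decode("ascii", "replace"))
        off += ln


def inspect_dns(payload: bytes) -> list[str]:
    """Sanity-check a UDP/53 payload heading to the server; return alert strings."""
    if len(payload) < 12:
        return [f"dns: truncated header ({len(payload)} bytes)"]
    _qid, flags, qd, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    alerts = []
    if flags & 0x8000:                       # QR=1: a response aimed at the server
        alerts.append("dns: response (QR=1) sent to server")
    if qd != 1:
        alerts.append(f"dns: unusual QDCOUNT={qd}")
        return alerts
    try:
        name, off = parse_qname(payload, 12)
        if off + 4 > len(payload):
            raise ValueError("question truncated before QTYPE/QCLASS")
        qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
    except ValueError as exc:
        alerts.append(f"dns: malformed question ({exc})")
        return alerts
    if qtype == 255:                         # ANY queries are amplification-prone
        alerts.append(f"dns: ANY query for {name} (amplification-prone)")
    return alerts


def run_sensor(packets: list[Packet]) -> tuple[list[int], list[tuple[int, list[str]]]]:
    """Return (indexes dropped at the firewall, [(index, alerts)] seen by the IPS)."""
    dropped, seen = [], []
    for i, pkt in enumerate(packets):
        if not firewall_allows(pkt):
            dropped.append(i)          # the IPS behind the firewall never sees these
            continue
        seen.append((i, inspect_dns(pkt.payload)))
    return dropped, seen


PROBE_SRC = "198.51.100.7"   # constructed source address
SAMPLE_PACKETS = [           # constructed traffic toward the DMZ DNS server
    Packet(PROBE_SRC, DNS_SERVER, "tcp", 22),                                  # SSH probe
    Packet(PROBE_SRC, DNS_SERVER, "udp", 161, b"\x30\x00"),                    # SNMP probe
    Packet(PROBE_SRC, DNS_SERVER, "udp", 53, build_query("example.com", 1)),   # normal A query
    Packet(PROBE_SRC, DNS_SERVER, "udp", 53, build_query("example.com", 255)), # ANY query
    Packet(PROBE_SRC, DNS_SERVER, "udp", 53, b"\x12\x34\x01\x00\x00"),         # truncated header
    Packet(PROBE_SRC, DNS_SERVER, "udp", 53,                                   # pointer in QNAME
           struct.pack("!6H", 1, 0x0100, 1, 0, 0, 0) + b"\xc0\x0c\x00\x01\x00\x01"),
]

if __name__ == "__main__":
    dropped, seen = run_sensor(SAMPLE_PACKETS)
    print("dropped at firewall (invisible to IPS):", dropped)
    for idx, alerts in seen:
        print(f"packet {idx}: {alerts or 'clean'}")
```

Running it shows packets 0 and 1 dropped before the sensor ever sees them, packet 2 clean, and alerts only for the three UDP/53 payloads that are odd: exactly the visibility the post describes. Swapping `firewall_allows` for a policy that also passes TCP/53 would immediately widen what the sensor has to inspect.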
