English Forums > Intrusion Detection and Prevention

Direction


csmall:
With IPS, generally speaking, does it make more sense to do it on outbound traffic or inbound?

Doing it on both sounds like the performance impact will be greater.

But, if your firewall is already restricting inbound traffic to specific ports for services, then would outbound make more sense so you can see and prevent nasty stuff that is actually on your network?

hbc:
IPS (Suricata) filters before firewall rules. In general, you filter inbound traffic.

This is more CPU friendly. Why waste CPU cycles on routing decisions, shaping, processing, etc. and then drop the packet?

ruffy91:
This goes both ways: why inspect inbound WAN traffic if you are going to drop 99% of all unsolicited traffic at the firewall?

hbc:

--- Quote from: ruffy91 on May 22, 2019, 06:40:50 am ---This goes both ways: why inspect inbound WAN traffic if you are going to drop 99% of all unsolicited traffic at the firewall?

--- End quote ---

The outbound traffic of your WAN interface is the inbound traffic of your LAN interfaces. Why let the traffic pass through your firewall stack when you drop it in the last step?
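The question of "inbound or outbound" is ultimately a question of which rules in your ruleset fire on which direction: a Suricata rule header carries its own direction (`$EXTERNAL_NET ... -> $HOME_NET` is inbound, `$HOME_NET ... -> $EXTERNAL_NET` is outbound, `<>` is bidirectional). The script below is an added example, not code from the thread or from the Suricata project; it parses rule headers and counts how many of the loaded rules would actually be relevant on the WAN side versus the LAN side. The rules in `SAMPLE_RULES` are constructed for illustration and are not from any real ruleset; the header grammar and the `$HOME_NET` / `$EXTERNAL_NET` variables are standard Suricata syntax.

```python
"""Classify Suricata-style rules by traffic direction relative to HOME_NET.

Added example for the forum thread above; the sample rules are constructed,
not taken from a real ruleset.
"""
import re
from collections import Counter

# Rule header: action proto src src_port (-> | <>) dst dst_port (options)
RULE_RE = re.compile(
    r"^\s*(?P<action>alert|drop|reject|pass)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# Constructed sample rules (sids in the local 1000000+ range, not real signatures).
SAMPLE_RULES = """\
# constructed sample rules, not a real ruleset
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force attempt"; sid:1000001; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB exploit attempt"; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"IRC C2 connection"; sid:1000003; rev:1;)
drop dns $HOME_NET any -> any 53 (msg:"DNS query to known sinkhole"; sid:1000004; rev:1;)
alert tcp $HOME_NET any -> $HOME_NET 3389 (msg:"Internal RDP lateral movement"; sid:1000005; rev:1;)
alert ip any any <> any any (msg:"Bidirectional catch-all"; sid:1000006; rev:1;)
"""


def address_side(addr):
    """Map an address expression to 'home', 'external' or 'any'.

    Only the two standard variables and their negation are interpreted;
    literal CIDRs and address groups are treated as 'any'.
    """
    negate = addr.startswith("!")
    if negate:
        addr = addr[1:]
    side = {"$HOME_NET": "home", "$EXTERNAL_NET": "external"}.get(addr, "any")
    if negate and side != "any":
        side = "external" if side == "home" else "home"
    return side


def classify(rule):
    """Return 'inbound', 'outbound', 'internal', 'both', or None for non-rules."""
    m = RULE_RE.match(rule)
    if not m:
        return None  # comment, blank line, or something this parser does not handle
    if m["dir"] == "<>":
        return "both"
    src, dst = address_side(m["src"]), address_side(m["dst"])
    if src == "home" and dst == "home":
        return "internal"  # only ever seen on LAN-side interfaces
    if src == "home":
        return "outbound"  # client inside, destination outside or unspecified
    if dst == "home":
        return "inbound"  # destination inside, source outside or unspecified
    return "both"  # any -> any: direction cannot be told from the header


def parse_rules(text):
    """Yield (sid, msg, direction) for every parseable rule in the text."""
    for line in text.splitlines():
        direction = classify(line)
        if direction is None:
            continue
        opts = RULE_RE.match(line)["opts"]
        sid = re.search(r"sid:\s*(\d+)", opts)
        msg = re.search(r'msg:\s*"([^"]*)"', opts)
        yield (int(sid.group(1)) if sid else None,
               msg.group(1) if msg else "",
               direction)


def summarize(text):
    """Count rules per direction, so you can see what each interface would use."""
    return dict(Counter(direction for _, _, direction in parse_rules(text)))


if __name__ == "__main__":
    for sid, msg, direction in parse_rules(SAMPLE_RULES):
        print(f"{sid}  {direction:<9} {msg}")
    print(summarize(SAMPLE_RULES))
```

Run it against your actual `.rules` files instead of `SAMPLE_RULES` to see the split. Inbound rules only make sense where unsolicited traffic is still present (before the firewall drops it), while outbound and internal rules need to see traffic that has already been admitted, which is the trade-off the thread is discussing.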
