Direction

Started by csmall, May 21, 2019, 07:20:51 PM

With IPS, generally speaking, does it make more sense to do it on outbound traffic or inbound?

Doing it on both sounds like a performance impact will be greater.

But, if your firewall is already restricting inbound traffic to specific ports for services.. then would outbound make more sense so you can see and prevent nasty stuff that is actually on your network?


IPS (Suricata) filters before firewall rules. In general, you filter inbound traffic.

This is more CPU friendly. Why waste CPU cycles on routing decisions, shaping, processing etc. and then drop the packet?
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR

This goes both ways: why inspect inbound WAN traffic if you're going to drop 99% of all unsolicited traffic at the firewall?

Quote from: ruffy91 on May 22, 2019, 06:40:50 AM
This goes both ways: why inspect inbound WAN traffic if you're going to drop 99% of all unsolicited traffic at the firewall?

The outbound traffic of your WAN interface is the inbound traffic of your LAN interfaces. Why let the traffic pass through your firewall stack when you drop it in the last step?