[Snort-inline-users] To bridge or to route ?

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Hi

I am new to IPS and I have been doing some research  to try to 
understand what is the most effective way deploy IPS.  I read this below

There can be problems introduced by IPS and the primary one is comprised 
of a denial of service attack. For example, if I know a specific IP 
address is running an active intrusion blocking system, I can spoof an 
attack from microsoft and google, which the active IPS will respond by 
putting the appropriate IP addresses into a block list, either timed or 
permanent, depending on the configuration. As if that's not bad enough, 
what if I could cause it to block out your upstream DNS? Or a zone 
server? Or your upstream router? Yes, I can find that out with a 
traceroute. Or your default gateway? I can guess that one in 255 
attempts. This has traditionally been why network admins have been 
reluctant to install active intrusion blocking. Perhaps SonicWall has 
mitigated all of these risks. I would want to know this before I 
implemented one.

If attacks can be made be utilising I have one simple question is it 
easier or more effective to deploy IPS on a bridge or a router?

chris