LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 03-19-2009, 07:15 AM   #1
priyadarshan
Member
 
Registered: Feb 2009
Location: Ahmedabad, Gujarat, India
Posts: 197

Rep: Reputation: Disabled
IPS vs Firewall

I posted a thread on this topic, but I could not get a satisfactory answer, and the discussion also got routed in the wrong direction.

So again I am asking some of the questions which make me worry. This time I am going to be more lucid and simple.

(1) Why is an IPS needed if a firewall is already there to prevent attacks?
Some may say that a firewall doesn't check the Transport layer, which an IPS does.

But today's firewalls are much more sophisticated and they check up to the 7th and last layer, the application layer. This is called Deep Packet Investigation.

So why is there a need to deploy a firewall?

This is my most annoying question.

Humbly saying, I will ask more questions only when I get satisfactory answers, because the discussion gets diverted when there are too many questions.
 
Old 03-19-2009, 08:18 AM   #2
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,667
Blog Entries: 4

Rep: Reputation: 3945
If you are already deploying an IPS, you probably do not need (and maybe do not want) to deploy a firewall also.

This Wikipedia article says ...
Quote:
The role of an IPS in a network is often confused with access control and application-layer firewalls. There are some notable differences in these technologies. While all share similarities, how they approach network or system security is fundamentally different.

An IPS is typically designed to operate completely invisibly on a network. IPS products do not typically claim an IP address on the protected network but may respond directly to any traffic in a variety of ways. (Common IPS responses include dropping packets, resetting connections, generating alerts, and even quarantining intruders.) While some IPS products have the ability to implement firewall rules, this is often a mere convenience and not a core function of the product. Moreover, IPS technology offers deeper insight into network operations providing information on overly active hosts, bad logons, inappropriate content and many other network and application layer functions.

Application firewalls are a very different type of technology. An application firewall uses proxies to perform firewall access control for network and application-layer traffic. Some application-layer firewalls have the ability to do some IPS-like functions, such as enforcing RFC specifications on network traffic. Also, some application layer firewalls have also integrated IPS-style signatures into their products to provide real-time analysis and blocking of traffic. Application firewalls do have IP addresses on their ports and are directly addressable. Moreover, they use full proxy features to decode and reassemble packets. Not all IPS perform full proxy-like processing. Also, application-layer firewalls tend to focus on firewall capabilities, with IPS capabilities as add-on. While there are numerous similarities between the two technologies, they are not identical and are not interchangeable.
 
Old 03-19-2009, 08:55 AM   #3
priyadarshan
Member
 
Registered: Feb 2009
Location: Ahmedabad, Gujarat, India
Posts: 197

Original Poster
Rep: Reputation: Disabled
Thanks sundialsvcs, I want to ask my next question now.

(2) If I am deploying both a firewall (by iptables) and an IPS (by Snort), then where should I deploy it? I mean, should I put the IPS before the firewall or after the firewall?
 
Old 03-19-2009, 09:23 AM   #4
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
Quote:
Originally Posted by priyadarshan
Thanks sundialsvcs, I want to ask my next question now.

(2) If I am deploying both a firewall (by iptables) and an IPS (by Snort), then where should I deploy it? I mean, should I put the IPS before the firewall or after the firewall?
I'd put the FW at the perimeter and the IPS after the firewall. That way the load is scaled and the IPS can focus more on the internal application threats, which is probably the bigger worry (IMO). If you put the IPS before the FW or in place of the FW, you'll have to worry about if the IPS will be overloaded (I've seen it happen).

What IPS are you considering (vendor-wise)? What FWs are you asking about? What are you looking to block/route? How big is the network you're looking to protect? What content are you looking to protect?

Regarding your initial comments, the reason the answers were detailed and possibly confused you is because there is no simple answer. The answers will usually involve details. I'd rather have too much info on security than not enough. You can always pick what answers are pertinent to your needs and work with what you think are the best answers.

Last edited by unixfool; 03-19-2009 at 09:29 AM.
 
Old 03-19-2009, 09:43 AM   #5
priyadarshan
Member
 
Registered: Feb 2009
Location: Ahmedabad, Gujarat, India
Posts: 197

Original Poster
Rep: Reputation: Disabled
Hmmm, thanks.

But I am using Windows and Debian as a virtual OS. I have configured a virtual IP 192.168.1.9 in it,

and I have blocked the packets coming to my virtual Debian by

sudo iptables -A INPUT -i eth0 -j DROP
sudo iptables -A OUTPUT -o eth0 -j DROP

and then I started Snort by
sudo snort -i eth0 -dv

But I got packet impressions on the console, which means that the IPS is capturing packets before they reach the firewall.

So by default is the IPS before the FW?
 
Old 03-19-2009, 10:01 AM   #6
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
Quote:
Originally Posted by priyadarshan
Hmmm, thanks.

But I am using Windows and Debian as a virtual OS. I have configured a virtual IP 192.168.1.9 in it,

and I have blocked the packets coming to my virtual Debian by

sudo iptables -A INPUT -i eth0 -j DROP
sudo iptables -A OUTPUT -o eth0 -j DROP

and then I started Snort by
sudo snort -i eth0 -dv

But I got packet impressions on the console, which means that the IPS is capturing packets before they reach the firewall.

So by default is the IPS before the FW?
I'd assumed that the FW and IDS were dedicated machines. I believe that it's going to be difficult (if not impossible) to split FW and IPS duties from one shared machine, unless you build a virtual machine onto the virtual machine.

I ran into the same issue with Linode. They are my vhost. I run apache and have iptables and snort running on that server. Linode uses UML to provide hosting services. Part of my issue is that the FW and snort have to run on the same interfaces. If you could get dedicated interfaces for routing traffic, you could also dedicate an interface for sniffing/blocking. Unfortunately, Linode only offers one dedicated interface. They do offer IPs, but they alias those IPs to the dedicated interface.

I'm thinking your hosting provider may be the same way. The only way around this (and I may be wrong) is to purchase another account or run another virtual instance.
 
Old 03-19-2009, 02:21 PM   #7
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
Quote:
Originally Posted by priyadarshan
I posted a thread on this topic.... But I could not get the satisfactory answer... and the discussion too routed to wrong side.....
One of the reasons for that is that you do not seem to know the terminology well enough so that others understand the question that you ask in the way that you apparently want them to.

Quote:
(2) Iff I am deploying both- Firewall (By IPTABLES) and IPS (By SNORT) than where should I deploy it???
Firstly, note that snort is better known as an IDS than an IPS; although there is one mode in which snort can act as an IPS, this is not, traditionally, the mode in which it has been most used.

So, assuming that we are talking about the right mode of snort, note
Quote:
It receives packets sent from the Netfilter firewall
from http://openmaniak.com/inline.php (and for netfilter, read iptables if you like).
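The arrangement salasi's quote describes (inline Snort receiving its packets from netfilter) is also the answer to priyadarshan's experiment above: `snort -i eth0 -dv` is a passive libpcap capture, and the kernel delivers a copy of every frame to packet sockets at the link layer, before the INPUT chain runs, so an iptables DROP never hides traffic from a sniffer. Inline mode is different: the firewall evaluates its rules first and only packets that hit a queue target are handed to the IPS for a verdict, which is exactly the "firewall at the perimeter, IPS behind it" ordering unixfool recommends. The ruleset below is an added example written for this thread; it is not configuration from any post or from the Snort project, and the interface name, queue number, chain policies and port list are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not the thread's own configuration: an iptables ruleset in
# which the firewall decides first and only the packets it would allow are
# handed to an inline Snort through the kernel queue target. The interface
# name, queue number and port list are assumptions chosen for illustration.
IFACE="${IFACE:-eth0}"
IPS_QUEUE="${IPS_QUEUE:-0}"

# Print the ruleset in iptables-restore format. Nothing is applied here, so
# this runs without root; apply_rules below does the actual loading.
emit_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Plain firewall verdicts: final, and the IPS never sees these packets.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $IFACE -p tcp --dport 23 -j DROP
# Traffic the firewall is willing to allow goes to the IPS, which returns its
# own ACCEPT or DROP verdict for each packet. Anything not matched below falls
# through to the chain policy (DROP) without the IPS being consulted at all.
-A INPUT -i $IFACE -p tcp --dport 22 -j NFQUEUE --queue-num $IPS_QUEUE
-A INPUT -i $IFACE -p tcp --dport 80 -j NFQUEUE --queue-num $IPS_QUEUE
COMMIT
EOF
}

# Sanity check on the ordering: succeed only if no plain ACCEPT/DROP rule
# appears after the first NFQUEUE rule, i.e. the firewall always decides
# before the IPS is asked.
check_order() {
  emit_rules | awk '
    /^-A/ && /-j NFQUEUE/ { seen_queue = 1 }
    /^-A/ && /-j (ACCEPT|DROP)$/ && seen_queue { bad = 1 }
    END { exit bad ? 1 : 0 }'
}

# Load the ruleset into the kernel (needs root). Start Snort in inline mode
# bound to the same queue afterwards: with no userspace listener the kernel
# drops queued packets unless the rule also carries --queue-bypass.
apply_rules() {
  check_order && emit_rules | iptables-restore
}
```

On the Snort side, the snort_inline build from the openmaniak page consumed packets from the older `-j QUEUE` (ip_queue) target; NFQUEUE with libnetfilter_queue replaced it, and later Snort releases read the queue through the NFQ DAQ (`snort -Q --daq nfq --daq-var queue=0 -c snort.conf`). Either way the point for this thread is the same: a passive `-dv` capture sees everything on the wire regardless of iptables, while an inline IPS sees only what the firewall chooses to queue, so the firewall is in front by construction and its ordinary ACCEPT/DROP rules are what keep load off the IPS.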
 
Old 03-19-2009, 05:48 PM   #8
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
He wants Snort's IPS functionality, which would make it an IPS (Sourcefire actually markets their IPS solution as an official IPS), but to argue this would risk confusing him and taking the thread on a tangent.
 
Old 03-20-2009, 12:44 AM   #9
priyadarshan
Member
 
Registered: Feb 2009
Location: Ahmedabad, Gujarat, India
Posts: 197

Original Poster
Rep: Reputation: Disabled
Ya, I know that snort --enable-inline makes it work as an IPS. I am asking in that sense only.
 
Old 03-20-2009, 01:03 AM   #10
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
I think that the OP is confusing the host firewall with the perimeter firewall, and even putting snort inside the host instead of between the firewall and the LAN switch.
 
Old 03-20-2009, 02:14 AM   #11
priyadarshan
Member
 
Registered: Feb 2009
Location: Ahmedabad, Gujarat, India
Posts: 197

Original Poster
Rep: Reputation: Disabled
I am talking about the perimeter firewall, especially concerning a UTM machine. I mean, suppose that I have my private network and I am using a UTM (Unified Threat Module) machine which contains a firewall with a Deep Packet Investigation feature and an IPS too, and lots of other tools like a proxy server, antivirus, anti-spyware, etc.

I am talking about that terminology.
 
  

