When you place an IPS sensor in front of a firewall (on the Internet, or external, side of the firewall), you allow the IPS sensor to monitor all incoming and outgoing network traffic. However, when deployed in this manner, the IPS sensor does not see internal network traffic (such as traffic between two internal hosts), so an internal attacker taking advantage of vulnerabilities in internal network services would remain undetected by the external IPS sensor. Placing an IPS sensor (a monitoring or sniffing interface) behind a firewall shields the IPS sensor from any policy violations that the firewall rejects, because that traffic is dropped before it reaches the sensor.