Hello. I am very strict when it comes to applying UTM profiles, and in some cases I wonder whether it is necessary or whether I am doing it wrong, especially when it comes to IPS sensors. In some cases I analyze twice the traffic that enters (and leaves) the network I manage, and I am going to give you some examples where I have doubts about whether I am doing it correctly.
1) Internet to DMZ web server A --> In this case I have no doubt. I apply IPS sensors, HTTP antivirus, deep inspection, etc.
2) Intranet to DMZ web server A --> In this case I also apply an IPS sensor and HTTP antivirus. I apply an IPS sensor in case the server, although it is protected as indicated in example 1 for the internet connections, has been infected by a worm in the DMZ itself. Does it seem correct to you, or do you think that in this case IPS would no longer be necessary?
3) User networks to DMZ web server A --> I apply IPS and antivirus. I apply an IPS sensor in case the server, although it is protected as indicated in example 1, has been infected by a worm in the DMZ itself. Does it seem correct to you, or do you think I could do this better in this case?
4) DMZ SQL server to intranet SQL server --> I apply an IPS sensor with SQL signatures. Is this correct, or can an exploit not bypass the IPS without user interaction?
5) Finally, I protect all direct connections from intranet users/servers to the internet, for example the SMTP connection to the Office 365 server, even if the connection originates from my network. I use an IPS sensor and antivirus in case the destination to which we make the TCP connection had a problem and could enter my network through that TCP connection.
Could you give me your opinion about the use I make, especially of the IPS sensors in the examples that I indicate?
Thank you for your help!
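As an added illustration (not part of the original post, and not FortiGate code), the following Python script models a policy table like the five cases above and audits each policy for the profiles the post is concerned with: a missing IPS sensor on a service that has signatures, a missing antivirus profile on a file-bearing service, and an encrypted service without deep inspection. The policy names, interface names, profile names and the "expected profile" heuristics are constructed for this example; a sixth policy with UTM disabled is added to show the empty-profile case.

```python
# Added example: audit a constructed FortiGate-style policy table for missing
# UTM profiles. Names, interfaces, profiles and the heuristics are assumptions
# made for this illustration, not settings from the original post.

from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Services whose payload can carry files, so an antivirus profile is expected.
FILE_BEARING = {"HTTP", "HTTPS", "SMTP", "SMTPS", "FTP", "SMB"}
# Services for which an IPS sensor (with matching signatures) is expected.
IPS_EXPECTED = {"HTTP", "HTTPS", "SMTP", "SMTPS", "MSSQL", "MYSQL", "DNS", "SSH"}
# Encrypted services where IPS/AV only see payload if deep inspection is used.
ENCRYPTED = {"HTTPS", "SMTPS"}


@dataclass
class Policy:
    name: str
    srcintf: str
    dstintf: str
    services: Set[str]
    utm_status: bool = False              # "set utm-status enable" in FortiOS
    ips_sensor: Optional[str] = None      # IPS sensor name, if any
    av_profile: Optional[str] = None      # antivirus profile name, if any
    ssl_inspection: Optional[str] = None  # "deep-inspection" or "certificate-inspection"


def audit_policy(p: Policy) -> List[str]:
    """Return the findings for one policy (an empty list means no issue found)."""
    findings: List[str] = []
    if not p.utm_status:
        # With UTM off, no sensor or AV profile is applied regardless of fields.
        findings.append("utm-status disabled: no security profile is applied at all")
        return findings
    ips_services = p.services & IPS_EXPECTED
    if ips_services and not p.ips_sensor:
        findings.append("no IPS sensor on a policy carrying " + ", ".join(sorted(ips_services)))
    if p.services & FILE_BEARING and not p.av_profile:
        findings.append("no antivirus profile on a file-bearing service")
    if p.services & ENCRYPTED and p.ssl_inspection != "deep-inspection":
        findings.append("encrypted service without deep inspection: IPS/AV see only the TLS handshake")
    return findings


def audit(policies: List[Policy]) -> Dict[str, List[str]]:
    """Audit a whole policy table, keyed by policy name."""
    return {p.name: audit_policy(p) for p in policies}


# Constructed policy table mirroring the five cases in the post, plus one
# forgotten management policy with UTM disabled.
SAMPLE_POLICIES = [
    Policy("1-internet-to-dmz-web", "wan1", "dmz", {"HTTP", "HTTPS"},
           True, "protect_http_server", "default", "deep-inspection"),
    Policy("2-intranet-to-dmz-web", "intranet", "dmz", {"HTTP", "HTTPS"},
           True, "protect_http_server", "default", "deep-inspection"),
    Policy("3-users-to-dmz-web", "users", "dmz", {"HTTP"},
           True, "protect_http_server", "default"),
    Policy("4-dmz-sql-to-intranet-sql", "dmz", "intranet", {"MSSQL"},
           True, "sql_signatures"),
    Policy("5-intranet-to-o365-smtp", "intranet", "wan1", {"SMTPS"},
           True, "default", "default", "certificate-inspection"),
    Policy("6-mgmt-ssh-forgotten", "users", "dmz", {"SSH"}, False),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_POLICIES).items():
        print(name, "->", findings or ["ok"])
```

Running it reports the first four policies as clean under these heuristics, flags policy 5 because certificate inspection alone leaves the SMTPS payload opaque to the IPS sensor and antivirus, and flags policy 6 because UTM is disabled. The point of such a script is to make the decision rule explicit and check the whole table consistently, rather than reasoning about each policy one at a time.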