Explanation/Reference:
Section: Considerations for Expanding an Existing Network Explanation
Explanation:
The Intrusion Prevention System (IPS) in this scenario will be unable to monitor traffic flows from the demilitarized zone (DMZ) to the LAN and from the LAN to the DMZ. An IPS provides real-time monitoring of malicious traffic and can prevent malicious traffic from infiltrating the network. An IPS functions similarly to a Layer 2 bridge; a packet entering an interface on the IPS is directed to the appropriate outbound interface without regard to the packet's Layer 3 information. Instead, the IPS uses interface or virtual LAN (VLAN) pairs to determine where to send the packet. This enables an IPS to be inserted into an existing network topology without requiring any disruptive addressing changes. Because traffic flows through an IPS, an IPS can detect malicious traffic as it enters the IPS device and can prevent the malicious traffic from infiltrating the network.
In this scenario, the IPS is deployed inline between the firewall and the edge router. Because traffic flows between the LAN and DMZ do not pass through the firewall, the IPS will be unable to monitor them.
However, the IPS will be able to monitor traffic flows between the LAN and the Internet and between the DMZ and the Internet. In addition, because the IPS is deployed on the outside of the firewall, it will have visibility into traffic flows that will ultimately be dropped by the firewall. This insight can be useful during an active attack; however, it comes at the cost of additional resource utilization since the IPS will be processing more traffic than will ultimately be passing through the firewall.
Reference:
CCDA 200-310 Official Cert Guide, Chapter 13, IPS/IDS Fundamentals, pp. 534-535