If I've spotted a number of "suspicious" source IPs (i.e. those with no legitimate reason to access our servers,
possibly from places like North Korea or Russia) in our firewall & IPS logs, what is usually the best practice?
Block at the proxy server facing the internet, block at the outermost (i.e. perimeter) firewall, block at
our network IPS, or block at the innermost endpoint IPS (i.e. IPS software running inside our servers)?

Taking an analogy from traditional warfare, I would attempt to block invaders at the outermost forts rather
than attempting to defend when the invaders have come closer to us, i.e. I'm inclined to block at the outermost
defenses, i.e. the proxy & perimeter firewalls. By blocking at the outer defenses, we won't see so many logs
in the inner defenses (i.e. the IPSes). Am I heading in the right direction?

Are proxy servers (e.g. Bluecoat) usually placed at the outermost layer or at the perimeter firewall?

I felt inner defenses are more for granular defenses like certain signatures.

Can CDN providers (i.e. those that provide clean pipes) block blacklisted source IPs?