Solved

Security Devices sequence

Posted on 2014-02-25
Last Modified: 2014-03-17
We have a firewall, IDS/IPS and a proxy, and I would like to optimize security. Is there a best practice for the sequence in which those devices should be placed?

1. Firewall
2. IDS/IPS
3. Proxy


Any suggestions?

Question by: DukewillNukem
3 Comments
 

Accepted Solution

by: btan
ID: 39887569
You will normally have an extranet DMZ, an internal DMZ and an intranet. In the traditional fashion the tier architecture is split into web, apps and database, and the tiers are individually segregated via three physical firewalls. Another option is a single firewall segregating the tiers via VLANs, or even, in a virtual environment, via the hypervisor acting as the FW appliance or a virtual FW.

Coming back, we have to look at these devices in terms of their primary roles, which are to defend against or detect threats. Starting from the external DMZ, threats come broadly in two categories: network and application DDoS, and web and application probes and attacks. Some may put the IPS/IDS in front of the whole enterprise perimeter since it is supposed to be more threat-savvy with its signatures, but that is typically for situational awareness; it is rare but viable. The most common arrangement is to have the firewall in front, filtering the blacklist and network DDoS; for application-based DDoS there can be an on-premise anti-DDoS appliance, or managed security services such as a CDN or the ISP gearing up in front first. Even the NGFW or UTM is becoming more visible at the front perimeter.

The IPS/IDS can be passive or inline, followed by the (forward) proxy, which performs more of the content filtering and restricts certain web browsing categories or site visits. The above is the simple scenario assuming the default capabilities of the traditional FW, IPS and proxy. There are different classes of each type, and they vary. You can also read this article depicting the perimeter FW design and categories:

http://technet.microsoft.com/en-us/library/cc700828.aspx

The point is also to always ask ourselves where we want visibility and where blind spots are possible, such as VPN/SSL traffic (where to start decrypting to allow inspection downstream), outbound filtering to be verified (inbound is checked, but do not forget possible leakage and exploitation using a reverse shell), and other possible points of ingress/egress out of reach of the perimeter, like wireless, 3G LAN, WAN etc. The same defences should be placed there to make sure traffic is inspected and filtered as needed.

Summing up, it really comes down to sticking to principles such as:
- Defense in depth (deter, and make the attacker work harder)
- Security domains (ensure access is segregated, e.g. trusted and non-trusted enclaves)
- Resiliency (high availability, such that a device is not a single point of failure and does not degrade performance)

Some references specific to the devices include:
NIST SP 800 publications @ http://csrc.nist.gov/publications/PubsSPs.html
- SP 800-41 Rev. 1 Guidelines on Firewalls and Firewall Policy
- SP 800-94: Guide to Intrusion Detection and Prevention Systems (IDPS)
- SP 800-153: Guidelines for Securing Wireless Local Area Networks (WLANs)

AUS DSD publications @ http://www.asd.gov.au/publications/
- Network Segmentation and Segregation
- Denial of Service Attacks: Strategies for Mitigation
- Wireless Network Security – Technical Advice
- Additional Security Considerations and Controls for Virtual Private Networks (VPNs)

Author Comment

by: DukewillNukem
ID: 39919908
We have a DMZ, but just a very simple one. What would be a sensible placement?
FW, IDS, proxy and the AV. Any suggestions?

Assisted Solution

by: btan
ID: 39920015
Simple is good. Quick suggestion below:

> FW - perimeter and tier - it defines the boundary of the DMZ and filters IP/ports and applications/services
> IDS - inside the DMZ (and sub-segments inside the DMZ), can be either inline (more for IPS) or a passive tap
> proxy - behind the FW, guards all egress from the DMZ exit boundary - filters content exiting the DMZ
> AV - behind the FW, behind the proxy, inside the DMZ - needs to be online for signature updates
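As an added example (not code from either of btan's replies or from the question), the following Python model traces a flow through the simple placement given in the reply above, FW then IDS then proxy and AV, and reports the two blind spots the earlier reply warns about: encrypted payload reaching the IDS with no decryption point upstream, and DMZ egress that never touches the proxy (the reverse-shell leakage case). The zone names, host names, the proxy port 3128 and both rulesets are assumptions chosen for illustration: WEAK_POLICY lets any DMZ host open outbound 443, HARDENED_POLICY allows Internet egress only from the proxy and forces every other host to use it.

```python
"""Trace flows through the placement FW -> IDS -> proxy/AV and list blind spots.

Added example, not code from the thread. Zone names, host names, ports and
both rulesets are assumptions chosen to illustrate the thread's advice.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

INTERNET, DMZ, INTRANET = "internet", "dmz", "intranet"
PROXY_PORT = 3128  # assumed forward-proxy listener inside the DMZ

# Firewall rule: (src_zone, src_host or "*", dst_zone, dst_port). Default deny.
Rule = Tuple[str, str, str, int]

# Weak boundary: any DMZ host may open outbound 443, so a compromised web
# server's reverse shell leaves without ever touching the proxy or the AV.
WEAK_POLICY: List[Rule] = [
    (INTERNET, "*", DMZ, 443),
    (DMZ, "*", INTERNET, 443),
    (INTRANET, "*", DMZ, PROXY_PORT),
]

# Hardened boundary: outbound to the Internet only from the proxy; every other
# host (web tier, AV server fetching signatures) must go through the proxy.
HARDENED_POLICY: List[Rule] = [
    (INTERNET, "*", DMZ, 443),
    (DMZ, "proxy", INTERNET, 443),
    (DMZ, "*", DMZ, PROXY_PORT),
    (INTRANET, "*", DMZ, PROXY_PORT),
]


@dataclass(frozen=True)
class Flow:
    src_zone: str
    src_host: str
    dst_zone: str
    dst_port: int
    encrypted: bool = False             # TLS or VPN payload
    decrypted_before_ids: bool = False  # a TLS terminator sits upstream of the IDS


@dataclass
class Trace:
    allowed: bool
    inspected_by: List[str] = field(default_factory=list)
    blind_spots: List[str] = field(default_factory=list)


def fw_allows(flow: Flow, policy: List[Rule]) -> bool:
    """Firewall stand-in: the flow passes only if some rule matches its 5-tuple."""
    return any(
        sz == flow.src_zone and sh in ("*", flow.src_host)
        and dz == flow.dst_zone and port == flow.dst_port
        for sz, sh, dz, port in policy
    )


def trace(flow: Flow, policy: List[Rule]) -> Trace:
    """Walk the flow past FW, IDS, proxy and AV in that order, recording gaps."""
    t = Trace(allowed=fw_allows(flow, policy), inspected_by=["firewall"])
    if not t.allowed:
        return t  # dropped at the boundary; nothing downstream sees it
    # IDS inside the DMZ: signatures only match a readable payload.
    if flow.encrypted and not flow.decrypted_before_ids:
        t.blind_spots.append("ids: encrypted payload with no decryption upstream")
    else:
        t.inspected_by.append("ids")
    # Proxy and AV only see traffic that is actually handed to the proxy.
    if flow.src_host == "proxy" or flow.dst_port == PROXY_PORT:
        t.inspected_by += ["proxy", "av"]
    elif flow.dst_zone == INTERNET:
        t.blind_spots.append("egress bypasses proxy: no content filtering, no AV")
    return t


def blind_spots(flow: Flow, policy: List[Rule]) -> List[str]:
    return trace(flow, policy).blind_spots


if __name__ == "__main__":
    # Constructed sample flows, not traffic from the thread.
    samples = [
        ("reverse shell from web01", Flow(DMZ, "web01", INTERNET, 443, encrypted=True)),
        ("inbound https to web tier", Flow(INTERNET, "client", DMZ, 443, encrypted=True)),
        ("av signature update via proxy", Flow(DMZ, "av", DMZ, PROXY_PORT)),
    ]
    for name, flow in samples:
        for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
            print(f"{name:32s} {label:9s} {trace(flow, policy)}")
```

Running the module prints each sample flow against both rulesets. The thing to notice is that the hardened ruleset drops the web server's outbound connection at the firewall, so the proxy gap disappears, whereas the inbound HTTPS blind spot at the IDS only closes when TLS is terminated upstream of it (set decrypted_before_ids=True to model that).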
