Security Devices sequence (Solved)

Posted on 2014-02-25
Last Modified: 2014-03-17
We have a firewall, an IDS/IPS and a proxy, and I would like to optimize security. Is there a best practice for the sequence in which those devices should be placed?

1.      firewall
2.      IDS/IPS
3.      Proxy

Any suggestions?
Question by: DukewillNukem

Accepted Solution

by: btan (earned 500 total points)
ID: 39887569
You will normally have an extranet DMZ, an internal DMZ and an intranet. The design of a tier architecture is split into web, apps and database in the traditional fashion, and they are individually segregated via three physical firewalls. Another design is a single firewall segregating the tiers via VLANs, or even, in the virtual world, via the hypervisor as a FW appliance or virtual FW.

Coming back, we have to look at these devices as to defend or detect against threats; those are their primary roles. Starting from the external DMZ, threats come widely from two categories, namely network and application DDoS, and web and application probes and attacks. Some may put the IPS/IDS to front the whole enterprise perimeter since it is supposed to be more savvy on threats with signatures, but typically for situational awareness; this is rare but viable. The most common will be to have the firewall fronting and filtering the blacklist and network DDoS; for application-based DDoS there can be an on-premise anti-DDoS appliance, or it can be managed security services such as a CDN or the ISP gearing up at the forefront first. Even the NGFW or UTM is becoming more visible at the front perimeter.

IPS/IDS can be passive or inline, followed by the proxy (in forward mode), which performs more of the content filtering and restricts certain web browsing categories or site visits. The above is the simple scenario assuming the default capabilities of the traditional FW, IPS and proxy. There are different classes of each type and they vary. You can catch this article as well, depicting the perimeter FW design and categories:

http://technet.microsoft.com/en-us/library/cc700828.aspx

The point is also to always ask ourselves where we want to have visibility and where blind spots are possible, such as VPN/SSL traffic (where to start decrypting to allow inspection downstream), outbound filtering to be verified (inbound is checked, but do not forget possible leakage and exploitation using a reverse shell), and other possible points of ingress/egress out of reach of the perimeter like wireless, 3G LAN, WAN etc. The same defences should be placed to make sure traffic is inspected and filtered as needed.

Summing up, really stick by principles such as:
- Defense in depth (deter and make the attacker work harder)
- Security domains (ensure access is segregated, e.g. trusted and non-trusted enclaves)
- Resiliency (high availability such that the device is not a single point of failure and does not degrade performance)

Some references specific to the devices include:
NIST SP800 publication @ http://csrc.nist.gov/publications/PubsSPs.html
- SP 800-41 Rev. 1 Guidelines on Firewalls and Firewall Policy
- SP 800-94: Guide to Intrusion Detection and Prevention Systems (IDPS)
- SP 800-153: Guidelines for Securing Wireless Local Area Networks (WLANs)

AUS DSD publication @ http://www.asd.gov.au/publications/
- Network Segmentation and Segregation
- Denial of Service Attacks: Strategies for Mitigation
- Wireless Network Security – Technical Advice
- Additional Security Considerations and Controls for Virtual Private Networks (VPNs)
Author Comment

by: DukewillNukem
ID: 39919908
We have a DMZ,
but just a very simple one. What would be a sensible placement?
FW, IDS, proxy and the AV. Any suggestions?
Assisted Solution

by: btan (earned 500 total points)
ID: 39920015
Simple is good. Quick suggestion below:

>FW - perimeter and tier: it defines the boundary of the DMZ and filters IPs/ports and applications/services
>IDS - inside the DMZ (and sub-segments inside the DMZ); can be either inline (more for IPS) or on a passive tap
>proxy - behind the FW, guarding all egress from the DMZ exit boundary; filters content exiting the DMZ
>AV - behind the FW, behind the proxy, inside the DMZ; needs to be online for signature updates
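The two answers above describe a placement (firewall defining the DMZ boundary and filtering IPs/ports, proxy as the single egress point for web browsing, AV server allowed out only for signature updates, outbound filtering so a reverse shell from a compromised web host is dropped and logged) that a perimeter firewall expresses as an ordered, default-deny rule set. The following Python model is an added example written for this page; it is not code from the thread or from btan. The zone names, the 10.x address plan, the documentation-range addresses (203.0.113.0/24 standing in for the AV vendor's update servers, 198.51.100.7 as an arbitrary Internet host) and the proxy port 3128 are all assumptions chosen for illustration. An IDS on a passive tap adds no rule here; it only observes the flows the firewall forwards.

```python
"""Ordered, default-deny model of the FW / proxy / AV placement.

Added example; the zones, addresses, ports and rule set are assumptions
for illustration, not the poster's environment. Rules are evaluated
first-match, top to bottom, the way a perimeter firewall evaluates them.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed address plan (constructed for the example).
ZONES = {
    "dmz_web": [ip_network("10.10.1.0/24")],    # public web tier
    "dmz_proxy": [ip_network("10.10.2.0/24")],  # forward proxy
    "dmz_av": [ip_network("10.10.3.0/24")],     # AV management / update server
    "intranet": [ip_network("10.20.0.0/16")],   # users
}
# Constructed stand-in for the AV vendor's signature update range.
AV_UPDATE_SERVERS = (ip_network("203.0.113.0/24"),)


def zone_of(addr: str) -> str:
    """Map an address to a zone; anything outside the known zones is 'internet'."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in n for n in nets):
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src: str               # source zone
    dst: str               # destination zone
    dports: frozenset      # allowed destination ports; empty means any port
    action: str            # "allow" or "deny"
    note: str              # why the rule exists (what a reviewer reads)
    dst_nets: tuple = ()   # optional narrower destination networks inside dst


# The suggested placement as an ordered policy. Default is deny.
POLICY = [
    Rule("internet", "dmz_web", frozenset({80, 443}), "allow",
         "inbound only to the public web tier on web ports"),
    Rule("dmz_web", "dmz_proxy", frozenset({3128}), "allow",
         "web tier may only leave via the forward proxy"),
    Rule("intranet", "dmz_proxy", frozenset({3128}), "allow",
         "users browse through the proxy, not directly"),
    Rule("dmz_proxy", "internet", frozenset({80, 443}), "allow",
         "the proxy is the single egress point for web traffic"),
    Rule("dmz_av", "internet", frozenset({443}), "allow",
         "AV server fetches signature updates from vendor range only",
         dst_nets=AV_UPDATE_SERVERS),
    Rule("dmz_web", "internet", frozenset(), "deny",
         "explicit logged deny: a hit here is a reverse shell or data leak"),
]


def evaluate(src: str, dst: str, dport: int) -> tuple:
    """Return (action, note) for a flow, first match wins, default deny."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    dst_ip = ip_address(dst)
    for rule in POLICY:
        if rule.src != src_zone or rule.dst != dst_zone:
            continue
        if rule.dports and dport not in rule.dports:
            continue
        if rule.dst_nets and not any(dst_ip in n for n in rule.dst_nets):
            continue
        return rule.action, rule.note
    return "deny", "default deny"


def zones_with_internet_egress() -> list:
    """Design check: which zones are allowed to reach the Internet at all?"""
    return sorted({r.src for r in POLICY if r.dst == "internet" and r.action == "allow"})


if __name__ == "__main__":
    # Constructed sample flows, including the egress cases btan warns about.
    samples = [
        ("198.51.100.7", "10.10.1.10", 443),   # visitor to web tier
        ("10.10.1.10", "10.10.2.10", 3128),    # web tier via proxy
        ("10.10.1.10", "198.51.100.7", 4444),  # reverse shell attempt
        ("10.10.3.5", "203.0.113.9", 443),     # AV signature update
        ("10.10.3.5", "198.51.100.7", 443),    # AV host going elsewhere
        ("10.20.5.5", "198.51.100.7", 443),    # user bypassing the proxy
    ]
    for src, dst, port in samples:
        action, note = evaluate(src, dst, port)
        print(f"{src:>14} -> {dst:>14}:{port:<5} {action:5} ({note})")
    print("zones with Internet egress:", zones_with_internet_egress())
```

The explicit deny for dmz_web to the Internet sits after the allow rules so that a hit on it is unambiguous in the logs: nothing legitimate from the web tier should match it, which makes it a cheap detection point for the reverse-shell case. `zones_with_internet_egress()` is the kind of one-line audit worth re-running whenever the rule set changes; if a zone other than the proxy and the AV server appears in its output, the "proxy guards all egress" property has been broken.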
