Solved

Security Devices sequence

Posted on 2014-02-25
3
477 Views
Last Modified: 2014-03-17
We have a firewall, IDS/IPS and a proxy, and I would like to optimize security. Is there a best practice for the sequence in which those devices should be placed?

1. firewall
2. IDS/IPS
3. Proxy


Any suggestions?
0
Comment
Question by:DukewillNukem
3 Comments
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 39887569
You will normally have an extranet DMZ, an internal DMZ and an intranet. The tier architecture is traditionally split into web, apps and database, and they are individually segregated via three physical firewalls. Another option is a single firewall segregating the tiers via VLAN, or even, in the virtual world, via the hypervisor as a FW appliance or virtual FW.

Coming back to the question, we have to look at these devices in terms of defending against or detecting threats, as those are their primary roles. Starting from the external DMZ, threats come broadly from two categories, namely network and application DDoS, and web and application probes and attacks. Some may put the IPS/IDS in front of the whole enterprise perimeter, since it is supposed to be more savvy on threats with its signatures, but typically this is for situational awareness; it is rare but viable. The most common approach is to have the firewall fronting and filtering the blacklist and network DDoS; for application-based DDoS there can be an on-premise anti-DDoS appliance, or managed security services such as a CDN or ISP gearing up at the forefront first. Even the NGFW or UTM is becoming more visible at the front perimeter.

The IPS/IDS can be passive or inline, followed by the proxy (forward proxy), which performs more of the content filtering and restricts certain web browsing categories or site visits. The above is the simple scenario, assuming the default capability of a traditional FW, IPS and proxy. There are different classes of each type, and they vary. You can also catch this article depicting perimeter FW design and categories:

http://technet.microsoft.com/en-us/library/cc700828.aspx

The point is also to always ask ourselves where we want to have visibility, and what blind spots are possible, such as VPN/SSL traffic (where to start decrypting to allow inspection downstream), outbound filtering to be verified (inbound is checked, but do not forget possible leakage and exploitation using a reverse shell), and other possible points of ingress/egress out of reach of the perimeter like wireless, 3G LAN, WAN etc. The same defences should be placed to make sure traffic is inspected and filtered as needed.

Summing up, it is really about sticking to principles such as:
- Defense in depth (deter and make the attacker work harder)
- Security domains (ensure access is segregated, e.g. trusted and non-trusted enclaves)
- Resiliency (high availability, such that the device is not a single point of failure and does not degrade performance)

Some references specific to the devices include:
NIST SP800 publication @ http://csrc.nist.gov/publications/PubsSPs.html
- SP 800-41 Rev. 1 Guidelines on Firewalls and Firewall Policy
- SP 800-94: Guide to Intrusion Detection and Prevention Systems (IDPS)
- SP 800-153: Guidelines for Securing Wireless Local Area Networks (WLANs)

AUS DSD publication @ http://www.asd.gov.au/publications/
- Network Segmentation and Segregation
- Denial of Service Attacks: Strategies for Mitigation
- Wireless Network Security – Technical Advice
- Additional Security Considerations and Controls for Virtual Private Networks (VPNs)
0
 

Author Comment

by:DukewillNukem
ID: 39919908
We have a DMZ,
but just a very simple one. What would be a sensible placement?
FW, IDS, proxy and the AV. Any suggestions?
0
 
LVL 63

Assisted Solution

by:btan
btan earned 500 total points
ID: 39920015
Simple is good. Quick suggestion below:

- FW - perimeter and tier; it defines the boundary of the DMZ, filters IP/ports, and appl/services
- IDS - inside the DMZ (and sub-segments inside the DMZ); can be either inline (more for IPS) or a passive tap
- Proxy - behind the FW, guards all egress at the DMZ exit boundary; filters content exiting from the DMZ
- AV - behind the FW, behind the proxy, inside the DMZ; needs to be online for signature updates
0
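As an added example (not part of the thread, nor any product's code): the FW -> IDS/IPS -> proxy sequence from both of btan's answers, modelled as a small Python pipeline so the effect of the ordering and of forcing DMZ egress through the proxy can be checked on constructed flows. The zones, host names, signatures and URL categories are assumptions.

```python
# Added example, not code from the thread: a toy model of the FW -> IDS/IPS -> proxy
# sequence and the "egress must be filtered too" point from the answers above.
# Zone policy, host names, signatures and URL categories are all constructed.

FW_POLICY = {                      # (src_zone, dst_zone) -> allowed destination ports
    ("internet", "dmz"): {80, 443},
    ("dmz", "internet"): {80, 443},
}
EGRESS_PROXY = "proxy01"           # the only DMZ host the FW lets reach the internet
IPS_SIGNATURES = ("../../", "UNION SELECT", "<script>")   # constructed signatures
URL_CATEGORIES = {                 # constructed proxy category database
    "updates.av-vendor.example": "av-updates",
    "c2.example": "malware",
}
BLOCKED_CATEGORIES = {"malware", "anonymizer"}


def fw_check(flow):
    """Perimeter/tier firewall: zone boundary plus port policy."""
    allowed = FW_POLICY.get((flow["src_zone"], flow["dst_zone"]), set())
    if flow["dport"] not in allowed:
        return False
    # Traffic leaving the DMZ is forced through the proxy so it gets content-filtered;
    # a web server calling out directly (e.g. a reverse shell) is dropped here.
    if (flow["src_zone"], flow["dst_zone"]) == ("dmz", "internet"):
        return flow["src_host"] == EGRESS_PROXY
    return True


def ips_check(flow):
    """Inline IDS/IPS inside the DMZ: drop on signature match in the payload."""
    payload = flow.get("payload", "")
    return not any(sig in payload for sig in IPS_SIGNATURES)


def proxy_check(flow):
    """Forward proxy: category filtering on traffic exiting the DMZ only."""
    if flow["dst_zone"] != "internet":
        return True
    category = URL_CATEGORIES.get(flow.get("dst_host", ""), "uncategorised")
    return category not in BLOCKED_CATEGORIES


def inspect(flow):
    """Pass the flow through the devices in order; name the first one that drops it."""
    for name, check in (("fw", fw_check), ("ips", ips_check), ("proxy", proxy_check)):
        if not check(flow):
            return "drop:" + name
    return "allow"
```

Each verdict names the device that stopped the flow, which makes it easy to see which layer a given control actually lives in (the traversal probe passes the FW but is caught by the IPS; the direct call-out from web01 never reaches the proxy).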
