What are some of the mechanisms that can protect a DMZ network's application servers and Web servers? What software products are available for such a purpose?
Your question is an important one. I'm a firm believer in the concept of "defense in depth." This principle espouses a layered approach to security that makes use of a number of independent security controls, all designed to protect against a failure in any one layer. What you're asking, essentially, is "What layers of security should I put in place to complement my network firewall?"
There are a number of different technologies worthy of consideration when building a secure DMZ. Some commonly deployed ones include:
- Antivirus software for servers. AV software is so commonplace that it's now a no-brainer, but it's still worthy of mention. Be sure you have active antivirus software on all servers and that signature files are properly updated on a daily basis. This software should be centrally managed so that you have a consolidated view into the antivirus environment in your data center.
- Intrusion detection/prevention system. A good quality IDS/IPS monitors your network for the telltale signs of malicious activity. It's an important component of any layered defense.
- File integrity monitoring software. Tripwire, the classic file integrity-monitoring package, for example, monitors a file system for changes and compares those changes to the organization's security policy. It alerts administrators to unauthorized file alterations that may be a signal of malicious activity.
- Vulnerability scanning system. It pays to have a "security patrol" for your network that's roaming the DMZ, looking for any doors left accidentally unlocked. Vulnerability scanners test the security configuration of your servers and alert you to any potential flaws.
Those are just a few examples of the security controls that can contribute to your defense-in-depth posture. There are many more possibilities, and the exact mix you choose will depend upon your security requirements and the resources (financial and human) available to you.
- Looking to offer private applications to users on an internal network? Mike Chapple explains where some security folks go wrong.
- WIth public mail servers located in a DMZ, what keeps a firewall from stopping an organization's internal mail?
Dig deeper on DMZ Setup and Configuration
Related Q&A from Mike Chapple, Enterprise Compliance
PCI DSS requirement 6.6 demands application security compliance through one of two options: an application firewall or a code review. Expert Mike ...continue reading
Are HIPAA-compliant hosting services a better option for compliance than a secure storage API? Expert Mike Chapple analyzes.continue reading
Social media compliance is not typically considered a big issue for companies, but expert Mike Chapple explains why it should be.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.