Security Management Strategies for the CIOWhat are some of the mechanisms that can protect a DMZ network's application servers and Web servers? What software products are available for such a purpose?
Requires Free Membership to View
Your question is an important one. I'm a firm believer in the concept of "defense in depth." This principle espouses a layered approach to security that makes use of a number of independent security controls, all designed to protect against a failure in any one layer. What you're asking, essentially, is "What layers of security should I put in place to complement my network firewall?"
Looking to offer private applications to users on an internal network? Mike Chapple explains where some security folks go wrong.
WIth public mail servers located in a DMZ, what keeps a firewall from stopping an organization's internal mail?
There are a number of different technologies worthy of consideration when building a secure DMZ. Some commonly deployed ones include:
- Antivirus software for servers. AV software is so commonplace that it's now a no-brainer, but it's still worthy of mention. Be sure you have active antivirus software on all servers and that signature files are properly updated on a daily basis. This software should be centrally managed so that you have a consolidated view into the antivirus environment in your data center.
- Intrusion detection/prevention system. A good quality IDS/IPS monitors your network for the telltale signs of malicious activity. It's an important component of any layered defense.
- File integrity monitoring software. Tripwire, the classic file integrity-monitoring package, for example, monitors a file system for changes and compares those changes to the organization's security policy. It alerts administrators to unauthorized file alterations that may be a signal of malicious activity.
- Vulnerability scanning system. It pays to have a "security patrol" for your network that's roaming the DMZ, looking for any doors left accidentally unlocked. Vulnerability scanners test the security configuration of your servers and alert you to any potential flaws.
Those are just a few examples of the security controls that can contribute to your defense-in-depth posture. There are many more possibilities, and the exact mix you choose will depend upon your security requirements and the resources (financial and human) available to you.
For more information:
This was first published in January 2008
Join the conversationComment
Share
Comments
Results
Contribute to the conversation