It is definitely possible to enforce signature-based blocking or inline patching farther upstream from the server....
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
Using layer-7 protection technologies like Web application firewalls or in-line intrusion prevention systems (IPS) will help mitigate or resolve virus or other malware threats before they reach the server.
However, I would not place such a product in front of the firewall connection, given the amount of noise generated by unfiltered Internet traffic. Ideally, these products would be placed as a layer-2 bridge on the link between the firewall and the switch infrastructure hosting the servers.
As this blocking is being handled further upstream -- outside of the virtual environment -- it is effective at protecting multiple virtual servers hosted on the same physical hardware.
Dig Deeper on Network Firewalls, Routers and Switches
Related Q&A from Anand Sastry
While encrypting production servers may seem like a good security move, according to Anand Sastry, doing so may not be worth the resources it uses.continue reading
Transferring files from a DMZ to an internal FTP server can be risky. In this expert response, Anand Sastry explains how to use SFTP automation to ...continue reading
When setting up a site-to-site VPN, where should the VPN endpoint be in the DMZ? Learn more in this expert response.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.