The placement of security solutions on a network
I would like to know if you are aware of any
diagram(s) which may show various types of security solutions
(firewalls, VPNs, IDSs, etc.) and their place of deployment on
a typical network. I would appreciate any help/leads that you could offer.
I'm sure there are such pictures somewhere on the
Internet, but I could not find them quickly. So, below is a picture
that I put together. I am not an artist, so please excuse the lack
of fancy objects.
[Figure: Security solutions and their place of deployment on a typical network.]
The most common place to insert a firewall or VPN device
is right behind the gateway router that connects to the Internet.
Typically, if both are used, they are used in parallel. I have also
seen situations where a second firewall was added where the
'B' arrow is pointing. There are also devices which contain
both a firewall and a VPN in the same box.
Intrusion-detection systems (IDSs) can actually be placed at many
points. One of the most important spots is where the 'A' arrow is
pointing. This can then detect intrusions that successfully get through
either your VPN or firewall. Another location would be to place
it between the gateway router and the Internet, to detect potential
intrusions before they come into your network. If you place one there,
do not neglect the inside IDS, as the outer one will not be able to
detect any intrusions that may originate in other parts of your VPN, as
that traffic will still be in the encrypted tunnel at that point. You can
also have host-based IDSs, which, of course, are installed on each of the hosts
shown in the diagram.
It is also important to note that many modern routers have some
firewall functionality, and some firewalls can also act as routers.
In addition, both of those, plus VPN devices, provide logging that
can be fed to an IDS. So, the picture presented is a very simplistic
view of a network. However, it does provide a workable solution.
To determine what is best for your network, you should have a network security
consultant work with your network engineer to come up with the best
combination of products and services. You always need to balance
security, throughput and cost in any risk management decision.
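To make the IDS-placement argument above concrete, here is an added model (my own illustration, not part of the original answer) of the two sensor positions from the diagram: "outside", between the gateway router and the Internet, and "A", behind the firewall/VPN pair. The flow names, the assumption that the VPN device has decrypted tunnel traffic by the time it reaches "A", and the assumption that the firewall drops what its policy forbids are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One traffic flow entering the network (constructed sample data)."""
    name: str
    via_vpn: bool            # arrives inside the encrypted VPN tunnel
    allowed_by_firewall: bool  # firewall policy lets it through (ignored for VPN flows)

# Sensor positions from the diagram (assumed names).
SENSORS = ("outside", "A")

def inspectable_at(sensor: str, flow: Flow):
    """What a network IDS at `sensor` can see of `flow`'s payload:
    'plaintext', 'ciphertext' (tunnel not yet decrypted) or None (never reaches it)."""
    if sensor == "outside":
        # Everything from the Internet passes here, but tunnel traffic is still encrypted.
        return "ciphertext" if flow.via_vpn else "plaintext"
    if sensor == "A":
        if flow.via_vpn:
            # Assumption: the VPN device has terminated the tunnel before point A.
            return "plaintext"
        # Non-VPN traffic only reaches A if the firewall let it through.
        return "plaintext" if flow.allowed_by_firewall else None
    raise ValueError(f"unknown sensor {sensor!r}")

def detection_coverage(flows):
    """Map each flow to the sensors where a payload signature could actually fire."""
    return {f.name: [s for s in SENSORS if inspectable_at(s, f) == "plaintext"]
            for f in flows}

# Constructed sample flows covering the three cases the answer describes.
FLOWS = [
    Flow("probe from Internet, dropped by firewall", via_vpn=False, allowed_by_firewall=False),
    Flow("web request permitted by firewall", via_vpn=False, allowed_by_firewall=True),
    Flow("attack from a remote VPN site", via_vpn=True, allowed_by_firewall=True),
]

if __name__ == "__main__":
    for name, sensors in detection_coverage(FLOWS).items():
        print(f"{name}: detectable at {sensors or 'no network sensor'}")
```

The VPN-borne flow is visible only at "A", which is the point the answer makes about not neglecting the inside IDS.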
This was first published in August 2001