The placement of security solutions on a network


I would like to know if you are aware of any diagram(s) which may show various types of security solutions (firewalls, VPNs, IDSs, etc.) and their place of deployment on a typical network. I would appreciate any help/leads that you could offer.

I'm sure there are such pictures somewhere on the Internet, but I could not find them quickly. So, below is a picture that I put together. I am not an artist, so please excuse the lack of fancy objects.

[Diagram: Security solutions and their place of deployment on a typical network.]

The most common place to insert a firewall or VPN device is right behind the gateway router that connects to the Internet. Typically, if both are used, they are used in parallel. I have also seen situations where a second firewall was added where the 'B' arrow is pointing. There are also devices which contain both a firewall and a VPN in the same box.

Intrusion-detection systems (IDSs) can actually be placed at many points. One of the most important spots is where the 'A' arrow is pointing. This can then detect intrusions that successfully get through either your VPN or firewall. Another location would be to place it between the gateway router and the Internet, to detect potential intrusions before they come into your network. If you place one there, do not neglect the inside IDS, as the outer one will not be able to detect any intrusions that may originate in other parts of your VPN, as that traffic will still be in the encrypted tunnel at that point. You can also have host-based IDS that, of course, will be installed on each of the hosts shown on the diagram.

It is also important to note that many modern routers have some firewall functionality, and some firewalls can also act as routers. In addition, both of those, plus VPN devices, provide logging that can be fed to an IDS. So, the picture presented is a very simplistic view of a network. However, it does provide a workable solution.

To determine what is best for your network, you should have a network security consultant work with your network engineer to come up with the best combination of products and services. You always need to balance security, throughput and cost in any risk management decision.
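As an added illustration (not part of the original answer), the following Python model runs a few sample flows through the device order described above, an IDS outside the gateway router, then the firewall or VPN, then the IDS at arrow 'A', and reports which placement can inspect each flow in cleartext. The device names, the firewall policy and the sample flows are assumptions made for the example.

```python
# Added example (not the original answer's code); names, policy and flows are constructed.
from dataclasses import dataclass, field

@dataclass
class Packet:
    dst: str
    encrypted: bool = False                  # True while inside the VPN tunnel
    seen_clear_by: list = field(default_factory=list)

class IDS:                                   # network IDS: can inspect cleartext only
    def __init__(self, name):
        self.name = name
    def handle(self, pkt):
        if not pkt.encrypted:
            pkt.seen_clear_by.append(self.name)
        return pkt

class Firewall:                              # passes only the listed inbound destinations
    def __init__(self, allowed_dsts):
        self.allowed = set(allowed_dsts)
    def handle(self, pkt):
        return pkt if pkt.dst in self.allowed else None   # None means dropped

class VPNGateway:                            # terminates the tunnel: cleartext beyond it
    def handle(self, pkt):
        pkt.encrypted = False
        return pkt

def build_path(via_vpn, allowed_dsts):
    """Devices from the Internet inward, as in the diagram: IDS outside the gateway
    router, then firewall or VPN (they sit in parallel), then the IDS at arrow 'A'."""
    edge = VPNGateway() if via_vpn else Firewall(allowed_dsts)
    return [IDS("outer_ids"), edge, IDS("inner_ids")]

def trace(pkt, via_vpn, allowed_dsts=("web",)):
    """Run one packet along the path; return (delivered, IDSs that saw cleartext)."""
    for device in build_path(via_vpn, allowed_dsts):
        if device.handle(pkt) is None:
            return False, list(pkt.seen_clear_by)
    return True, list(pkt.seen_clear_by)

# Constructed sample flows: (destination host, arrives inside the VPN tunnel?)
SAMPLES = {
    "internet->web": ("web", False),                 # public server, firewall allows
    "internet->fileserver": ("fileserver", False),   # internal host, firewall drops
    "remote_office->fileserver": ("fileserver", True),
}

def report():
    return {n: trace(Packet(dst, encrypted=vpn), vpn) for n, (dst, vpn) in SAMPLES.items()}
```

The VPN flow never shows up in cleartext at the outer sensor, which is exactly why the answer says not to neglect the inside IDS.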


This was first published in August 2001