A security checklist: How to build a solid DMZ

BROWSE BY TAG Network Security,   DMZ Setup and Configuration,   NAC and Endpoint Security Management,   Enterprise Network Security,   VIEW ALL TAGS

RELATED CONTENT Network Security How to set up a split-tunnel VPN in Windows Vista What is the difference between static and dynamic network validation? Port scan attack prevention best practices Securing the intranet with remote access VPN security How to prevent network sniffing and eavesdropping How to implement virtual firewalls in a complex network infrastructure How to manage network bandwidth with distributed ISP bandwidth How to edit group policy objects to give a user local admin rights How to prevent operating system cloning with AES 256-bit encryption How to securely connect a LAN POS to a remote point-of-sale device DMZ Setup and Configuration Endpoint protection best practices manual: Combating issues, problems How to set up a DMZ How to configure firewall ports for webmail system implementation When should a database application be placed in a DMZ? How will many firewalls serving as the default gateway affect the DMZ? Should a domain controller be placed within the DMZ? If one server in a DMZ network gets attacked from outside, will the other servers be corrupted? Should an ISP keep corrupted machines off of a network? Server considerations for internal network application setup How is internal mail channeled through an enterprise firewall?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary DMZ  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

EXPERT RESPONSE FROM: Mike Chapple, featured expert Pose a Question Other Security Categories Meet all Security Experts Become an Expert for this site

ANSWERED December 2007:
Your question is an important one. I'm a firm believer in the concept of "defense in depth." This principle espouses a layered approach to security that makes use of a number of independent security controls, all designed to protect against a failure in any one layer. What you're asking, essentially, is "What layers of security should I put in place to complement my network firewall?"

There are a number of different technologies worthy of consideration when building a secure DMZ. Some commonly deployed ones include:

• Antivirus software for servers. AV software is so commonplace that it's now a no-brainer, but it's still worthy of mention. Be sure you have active antivirus software on all servers and that signature files are properly updated on a daily basis. This software should be centrally managed so that you have a consolidated view into the antivirus environment in your data center.
• Intrusion detection/prevention system. A good quality IDS/IPS monitors your network for the telltale signs of malicious activity. It's an important component of any layered defense.
• File integrity monitoring software. Tripwire, the classic file integrity-monitoring package, for example, monitors a file system for changes and compares those changes to the organization's security policy. It alerts administrators to unauthorized file alterations that may be a signal of malicious activity.
• Vulnerability scanning system. It pays to have a "security patrol" for your network that's roaming the DMZ, looking for any doors left accidentally unlocked. Vulnerability scanners test the security configuration of your servers and alert you to any potential flaws.

Those are just a few examples of the security controls that can contribute to your defense-in-depth posture. There are many more possibilities, and the exact mix you choose will depend upon your security requirements and the resources (financial and human) available to you.

For more information: