A security checklist: How to build a solid DMZ

As part of his monthly response to readers, Mike Chapple provides a list of security add-ons that no DMZ should be without.

What are some of the mechanisms that can protect a DMZ network's application servers and Web servers? What software products are available for such a purpose?

Your question is an important one. I'm a firm believer in the concept of "defense in depth." This principle espouses a layered approach to security that makes use of a number of independent security controls, all designed to protect against a failure in any one layer. What you're asking, essentially, is "What layers of security should I put in place to complement my network firewall?"

There are a number of different technologies worthy of consideration when building a secure DMZ. Some commonly deployed ones include:

  • Antivirus software for servers. AV software is so commonplace that it's now a no-brainer, but it's still worthy of mention. Be sure you have active antivirus software on all servers and that signature files are properly updated on a daily basis. This software should be centrally managed so that you have a consolidated view into the antivirus environment in your data center.
  • Intrusion detection/prevention system. A good-quality IDS/IPS monitors your network for the telltale signs of malicious activity. It's an important component of any layered defense.
  • File integrity monitoring software. For example, Tripwire, the classic file integrity monitoring package, monitors a file system for changes and compares those changes to the organization's security policy. It alerts administrators to unauthorized file alterations that may be a signal of malicious activity.
  • Vulnerability scanning system. It pays to have a "security patrol" for your network that's roaming the DMZ, looking for any doors left accidentally unlocked. Vulnerability scanners test the security configuration of your servers and alert you to any potential flaws.

Those are just a few examples of the security controls that can contribute to your defense-in-depth posture. There are many more possibilities, and the exact mix you choose will depend upon your security requirements and the resources (financial and human) available to you.
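
The file integrity monitoring control described above, as an added example (not from the original column and not Tripwire's code): a baseline of SHA-256 digests is compared with a later snapshot, and only changes outside an allow-list are reported. The function names, the `logs/*` allow-list and the sample files are assumptions constructed for illustration.

```python
import fnmatch
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each path under root (relative, '/'-separated) to a SHA-256 digest."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                state[rel] = "link:" + os.readlink(full)  # record target, do not follow
            else:
                with open(full, "rb") as f:
                    state[rel] = hashlib.sha256(f.read()).hexdigest()
    return state

def compare(baseline, current, allowed_to_change=()):
    """Return (kind, path) findings for changes the policy does not permit."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if any(fnmatch.fnmatch(path, pat) for pat in allowed_to_change):
            continue  # policy allows this path to change (for example, logs)
        if path not in current:
            findings.append(("removed", path))
        elif path not in baseline:
            findings.append(("added", path))
        elif baseline[path] != current[path]:
            findings.append(("modified", path))
    return findings

def demo():
    """Constructed sample tree standing in for a DMZ web server's document root."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "logs"))
        def write(rel, data):
            with open(os.path.join(root, rel), "w") as f:
                f.write(data)
        write("index.html", "<h1>hello</h1>")
        write("logs/access.log", "GET /\n")
        baseline = snapshot(root)                     # taken in a known-good state
        write("index.html", "<h1>changed</h1>")       # unauthorized edit
        write("extra.php", "<?php ?>")                # unexpected new file
        write("logs/access.log", "GET /\nGET /a\n")   # expected churn
        return compare(baseline, snapshot(root), allowed_to_change=["logs/*"])

if __name__ == "__main__":
    print(demo())
```

In practice the baseline should be stored off the monitored server, so that someone who alters files cannot also rewrite the record they are compared against.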


This was last published in January 2008
