What are some of the mechanisms that can protect a DMZ network's application servers and Web servers? What software...
products are available for such a purpose?
Your question is an important one. I'm a firm believer in the concept of "defense in depth." This principle espouses a layered approach to security that makes use of a number of independent security controls, all designed to protect against a failure in any one layer. What you're asking, essentially, is "What layers of security should I put in place to complement my network firewall?"
There are a number of different technologies worthy of consideration when building a secure DMZ. Some commonly deployed ones include:
- Antivirus software for servers. AV software is so commonplace that it's now a no-brainer, but it's still worthy of mention. Be sure you have active antivirus software on all servers and that signature files are properly updated on a daily basis. This software should be centrally managed so that you have a consolidated view into the antivirus environment in your data center.
- Intrusion detection/prevention system. A good quality IDS/IPS monitors your network for the telltale signs of malicious activity. It's an important component of any layered defense.
- File integrity monitoring software. Tripwire, the classic file integrity-monitoring package, for example, monitors a file system for changes and compares those changes to the organization's security policy. It alerts administrators to unauthorized file alterations that may be a signal of malicious activity.
- Vulnerability scanning system. It pays to have a "security patrol" for your network that's roaming the DMZ, looking for any doors left accidentally unlocked. Vulnerability scanners test the security configuration of your servers and alert you to any potential flaws.
Those are just a few examples of the security controls that can contribute to your defense-in-depth posture. There are many more possibilities, and the exact mix you choose will depend upon your security requirements and the resources (financial and human) available to you.
- Looking to offer private applications to users on an internal network? Mike Chapple explains where some security folks go wrong.
- WIth public mail servers located in a DMZ, what keeps a firewall from stopping an organization's internal mail?
Dig Deeper on Enterprise network security
Related Q&A from Mike Chapple
Choosing to encrypt confidential data with AES or DES encryption is an important cybersecurity matter. Learn about the important differences between ... Continue Reading
It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact. Mike Chapple shares ... Continue Reading
The HHS OCR ruled that healthcare ransomware attacks are HIPAA violations, so these covered entities need to react according to the HHS's guidance. ... Continue Reading