
Security/virtualization concerns: Where to place a firewall connection

Is it worthwhile to place signature-based blocking technology before a firewall connection? Learn more in this expert response from Anand Sastry.

Is it possible to implement a virus-deterrent technology before the firewall connection? In particular, would this help add security to virtual servers?

It is definitely possible to enforce signature-based blocking or inline patching farther upstream from the server....

Using layer-7 protection technologies like Web application firewalls or in-line intrusion prevention systems (IPS) will help mitigate or resolve virus or other malware threats before they reach the server.

However, I would not place such a product in front of the firewall connection, given the amount of noise generated by unfiltered Internet traffic. Ideally, these products would be placed as a layer-2 bridge on the link between the firewall and the switch infrastructure hosting the servers.

As this blocking is being handled further upstream -- outside of the virtual environment -- it is effective at protecting multiple virtual servers hosted on the same physical hardware.

This was last published in February 2011
