It is definitely possible to enforce signature-based blocking or inline patching farther upstream from the server. Layer-7 protection technologies such as web application firewalls (WAFs) or inline intrusion prevention systems (IPS) can mitigate or resolve virus and other malware threats before they reach the server.
However, I would not place such a product in front of the firewall connection, given the amount of noise generated by unfiltered Internet traffic. Ideally, these products would be placed as a layer-2 bridge on the link between the firewall and the switch infrastructure hosting the servers.
Because this blocking is handled further upstream, outside of the virtual environment, it protects multiple virtual servers hosted on the same physical hardware at once.
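To make the upstream placement concrete, the following is an added example (not code from the original answer or from any particular WAF or IPS product) of the layer-7 inspection such a device performs: an inline filter parses each HTTP request, checks it against a small signature list, and records an allow or block decision keyed by the virtual host the request was addressed to. The host names, the request samples and the "placeholder-bad-upload" filename rule are all constructed for the example; the EICAR pattern is the public antivirus test string. The per-host summary at the end shows why a single filter on the firewall-to-switch link covers every virtual server behind it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# The EICAR string is the standard, harmless antivirus test pattern.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed signature set (assumption for this example, not a vendor ruleset).
SIGNATURES = {
    "eicar-test-file": re.compile(re.escape(EICAR)),
    "placeholder-bad-upload": re.compile(r'filename="malware_sample_placeholder\.exe"'),
}


@dataclass
class Decision:
    host: str        # virtual host the request was destined for
    action: str      # "allow" or "block"
    signature: str   # name of the matched signature, or "" if allowed


def parse_request(raw: bytes) -> Dict[str, str]:
    """Minimal HTTP/1.1 request parser: request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {
        "method": method,
        "target": target,
        "host": headers.get("host", ""),
        "body": body.decode("latin-1"),
    }


def inspect(raw: bytes) -> Decision:
    """Inline layer-7 check: block on the first matching signature."""
    req = parse_request(raw)
    haystack = req["target"] + "\n" + req["body"]
    for name, pattern in SIGNATURES.items():
        if pattern.search(haystack):
            return Decision(req["host"], "block", name)
    return Decision(req["host"], "allow", "")


def filter_stream(requests: List[bytes]) -> List[Decision]:
    """Apply the inline check to every request crossing the bridge."""
    return [inspect(r) for r in requests]


def summarize(decisions: List[Decision]) -> Dict[str, Dict[str, int]]:
    """Count allowed and blocked requests per protected virtual host."""
    summary: Dict[str, Dict[str, int]] = {}
    for d in decisions:
        counts = summary.setdefault(d.host, {"allowed": 0, "blocked": 0})
        counts["allowed" if d.action == "allow" else "blocked"] += 1
    return summary


# Constructed traffic sample: two virtual hosts behind one inline filter.
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.1\r\nHost: www1.example.com\r\n\r\n",
    (b"POST /upload HTTP/1.1\r\nHost: www2.example.com\r\n"
     b"Content-Type: text/plain\r\n\r\n" + EICAR.encode("ascii")),
    (b"POST /upload HTTP/1.1\r\nHost: www1.example.com\r\n"
     b"Content-Type: multipart/form-data; boundary=b\r\n\r\n"
     b"--b\r\nContent-Disposition: form-data; name=\"f\"; "
     b"filename=\"malware_sample_placeholder.exe\"\r\n\r\nMZ...\r\n--b--\r\n"),
]

if __name__ == "__main__":
    for d in filter_stream(SAMPLE_REQUESTS):
        print(d)
    print(summarize(filter_stream(SAMPLE_REQUESTS)))
```

Both hosts appear in the summary although neither server ever saw the malicious uploads, which is the property the answer describes: the decision is taken on the link in front of the switch, so every virtual server on that segment benefits from the same rules and the same patches to them.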