
Security/virtualization concerns: Where to place a firewall connection

Is it worthwhile to place signature-based blocking technology before a firewall connection? Learn more in this expert response from Anand Sastry.

Is it possible to implement a virus-deterrent technology before the firewall connection? In particular, would this help add security to virtual servers?

It is definitely possible to enforce signature-based blocking or inline patching farther upstream from the server. Using layer-7 protection technologies like Web application firewalls or inline intrusion prevention systems (IPS) will help mitigate or resolve virus or other malware threats before they reach the server.

However, I would not place such a product in front of the firewall connection, given the amount of noise generated by unfiltered Internet traffic. Ideally, these products would be placed as a layer-2 bridge on the link between the firewall and the switch infrastructure hosting the servers.

As this blocking is being handled further upstream -- outside of the virtual environment -- it is effective at protecting multiple virtual servers hosted on the same physical hardware.

This was last published in February 2011
