
The placement of security solutions on a network

I would like to know if you are aware of any diagram(s) which may show various types of security solutions (firewalls, VPNs, IDSs, etc.) and their place of deployment on a typical network. I would appreciate any help/leads that you could offer.

I'm sure there are such pictures somewhere on the Internet, but I could not find them quickly. So, below is a picture that I put together. I am not an artist, so please excuse the lack of fancy objects.

Security solutions and their place of deployment on a typical network.

The most common place to insert a firewall or VPN device is right behind the gateway router that connects to the Internet. Typically, if both are used, they are used in parallel. I have also seen situations where a second firewall was added where the 'B' arrow is pointing. There are also devices which contain both a firewall and a VPN in the same box.

Intrusion-detection systems (IDSs) can actually be placed at many points. One of the most important spots is where the 'A' arrow is pointing. This can then detect intrusions that successfully get through either your VPN or firewall. Another location would be to place it between the gateway router and the Internet, to detect potential intrusions before they come into your network. If you place one there, do not neglect the inside IDS, as the outer one will not be able to detect any intrusions that may originate in other parts of your VPN, as that traffic will still be in the encrypted tunnel at that point. You can also have host-based IDS that, of course, will be installed on each of the hosts shown on the diagram.

It is also important to note that many modern routers have some firewall functionality, and some firewalls can also act as routers. In addition, both of those, plus VPN devices, provide logging that can be fed to an IDS.

So, the picture presented is a very simplistic view of a network. However, it does provide a workable solution. To determine what is best for your network, you should have a network security consultant work with your network engineer to come up with the best combination of products and services. You always need to balance security, throughput and cost in any risk management decision.
This was last published in August 2001
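The point about sensor placement in the answer above (an outer IDS cannot see into the VPN tunnel, an inner IDS at position 'A' sees traffic after the VPN box has decrypted it and after the firewall has made its decision) can be traced with a small model. The following is an added example, not code from the original answer or from any product it mentions: it models the topology as a chain of functions (outer sensor, gateway router handing tunneled traffic to the VPN device and everything else to the firewall, inner sensor at 'A'), and reports what each sensor could match. The signature strings, addresses and the `tunneled` flag standing in for an encrypted ESP payload are constructed for the illustration.

```python
"""Toy trace of IDS visibility in the topology described in the answer.

Added illustration, not part of the original page. Addresses, host names,
and the signature table are constructed; 'tunneled' stands in for a packet
whose payload is still inside an encrypted VPN tunnel (e.g. IPsec ESP).
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set

# Constructed stand-in for a signature-based IDS rule set.
SIGNATURES: Dict[str, str] = {
    "GET /../../etc/passwd": "path-traversal attempt",
    "cmd.exe /c": "command-shell probe",
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: str            # application data as an inline sensor would see it
    tunneled: bool = False  # True while the payload is still VPN-encrypted


def inspect(packet: Packet) -> Optional[str]:
    """Signature match by a network IDS. Tunneled payloads are opaque to it."""
    if packet.tunneled:
        return None
    for pattern, name in SIGNATURES.items():
        if pattern in packet.payload:
            return name
    return None


def firewall(packet: Packet, allowed_dst: Set[str]) -> Optional[Packet]:
    """Passes only traffic to explicitly allowed internal hosts."""
    return packet if packet.dst in allowed_dst else None


def vpn_gateway(packet: Packet, peers: Set[str]) -> Optional[Packet]:
    """Terminates the tunnel for known peers; the decrypted packet emerges."""
    if packet.tunneled and packet.src in peers:
        return replace(packet, tunneled=False)
    return None


def trace(packet: Packet, allowed_dst: Set[str], vpn_peers: Set[str]) -> Dict[str, object]:
    """Runs one packet through the topology and records what each sensor saw.

    outer_ids: sensor between the Internet and the gateway router.
    inner_ids: sensor at position 'A', behind the firewall/VPN pair.
    """
    seen: Dict[str, object] = {"outer_ids": inspect(packet)}
    # Firewall and VPN device sit in parallel behind the gateway router:
    # tunneled traffic goes to the VPN box, everything else to the firewall.
    if packet.tunneled:
        inside = vpn_gateway(packet, vpn_peers)
    else:
        inside = firewall(packet, allowed_dst)
    seen["inner_ids"] = inspect(inside) if inside is not None else None
    seen["delivered"] = inside is not None
    return seen


# Constructed sample traffic (documentation/TEST-NET addresses).
ALLOWED_INTERNAL = {"10.0.0.5"}
VPN_PEERS = {"198.51.100.7"}
INTERNET_PROBE = Packet("203.0.113.9", "10.0.0.5", "GET /../../etc/passwd HTTP/1.0")
BLOCKED_PROBE = Packet("203.0.113.9", "10.0.0.99", "GET /../../etc/passwd HTTP/1.0")
VPN_ATTACK = Packet("198.51.100.7", "10.0.0.5", "cmd.exe /c dir c:\\", tunneled=True)


if __name__ == "__main__":
    for label, pkt in (("internet probe", INTERNET_PROBE),
                       ("blocked probe", BLOCKED_PROBE),
                       ("attack from VPN peer", VPN_ATTACK)):
        print(label, trace(pkt, ALLOWED_INTERNAL, VPN_PEERS))
```

Running it shows the three cases the answer distinguishes: a plaintext probe from the Internet is visible to both sensors (or only to the outer one when the firewall drops it), while the probe arriving through the VPN tunnel is invisible to the outer sensor and is only caught at 'A' after decryption. The model leaves out the host-based IDS, which would see the same payload again on the destination host.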
