Positioning IPS engines and Layer 2 Firewalls in internal networks

In internal networks, access is permissive for purely internal communications, but there are strict controls at the perimeter firewall that separates the internal network from public networks.

Inbound traffic from public networks to internal networks is forbidden with few exceptions.

Table 1. Internal network considerations for IPS engines and Layer 2 Firewalls

Main purpose
  Description: Network services and connectivity for authorized users. Back-end servers that serve other networks and user groups.
  Considerations: IPS engines and Layer 2 Firewalls can be used within internal networks and to strengthen the perimeter defense with additional layers of inspection.

Hosts
  Description: Mixed environment consisting of servers, laptops, desktops, network printers, and copiers.
  Considerations: IPS engines and Layer 2 Firewalls can control access between internal hosts where no other device does so. Connections between internal network zones are of particular interest for inspection.

Users
  Description: Authorized personnel. Access in and out of the network is controlled by a Firewall.
  Considerations: End-user-controlled devices can be distinguished from other hosts to create more accurate and fine-grained rules.

Traffic volume
  Description: Varies from low to high. Highest at network choke points in large environments.
  Considerations: Installation at network choke points where traffic levels are high requires high-performance hardware. Clustering and load balancing can be applied to increase performance and provide high availability in critical locations.

Traffic type
  Description: Diverse, with many different applications communicating within and in/out of the network.
  Considerations: A wide range of permitted applications means that the policy has a wide scope. Access control and inspection can be fine-tuned based on the security levels of the different network segments or zones. TLS inspection can be activated to inspect SSL/TLS-encrypted traffic. The IPS engines and Layer 2 Firewalls can also detect and control application use.

Network security
  Description: A "trusted network" where the users and the traffic are considered to be authorized. The primary line of defense is at the perimeter.
  Considerations: It is possible that authorized users in the trusted network become willingly or accidentally involved in a security incident.
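The Hosts, Users and Traffic type rows above describe inter-zone inspection, distinguishing end-user devices from other hosts, and tuning access control to the security level of each segment. The following is an added illustration of those ideas as a small zone-based policy evaluator; it is not the product's own configuration or API. The zones, address ranges, security levels and the decision rules (deny a non-user zone reaching into a more sensitive zone, inspect every other inter-zone flow, leave intra-zone traffic alone, and treat anything outside the defined zones as a perimeter matter) are all assumptions made for the example.

```python
"""Zone-based inspection decisions for internal traffic (illustrative, not vendor code)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Zone:
    name: str
    network: IPv4Network
    security_level: int   # higher = more sensitive; assumed scale 1..3
    end_user: bool        # True for zones of end-user-controlled devices


# Constructed sample zones; addresses and levels are invented for this example.
ZONES = (
    Zone("workstations", ip_network("10.1.0.0/16"), 1, True),
    Zone("printers",     ip_network("10.2.0.0/24"), 1, False),
    Zone("servers",      ip_network("10.10.0.0/24"), 3, False),
)


def zone_of(ip: str) -> Optional[Zone]:
    """Return the zone containing the address, or None if it is not an internal zone."""
    addr = ip_address(ip)
    for zone in ZONES:
        if addr in zone.network:
            return zone
    return None


def decide(src_ip: str, dst_ip: str) -> str:
    """Assumed policy: 'allow', 'allow+inspect' or 'deny' for one internal flow."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        # Not an internal-to-internal flow: left to the perimeter Firewall.
        return "deny"
    if src == dst:
        # Intra-zone traffic never crosses the choke point where the engine sits.
        return "allow"
    if dst.security_level > src.security_level and not src.end_user:
        # e.g. a printer or copier segment reaching into the server zone.
        return "deny"
    # Every other inter-zone flow (user -> server, server -> user, ...) is inspected.
    return "allow+inspect"


def policy_matrix() -> Dict[Tuple[str, str], str]:
    """Tabulate the decision for every ordered pair of zones using each zone's first host."""
    rows = {}
    for s in ZONES:
        for d in ZONES:
            rows[(s.name, d.name)] = decide(str(s.network[1]), str(d.network[1]))
    return rows


if __name__ == "__main__":
    for (src, dst), verdict in policy_matrix().items():
        print(f"{src:>12} -> {dst:<12} {verdict}")
```

The matrix is the useful artifact: it makes visible which zone pairs an engine at the choke point must actually inspect, and which pairs it never sees because the traffic stays inside one segment.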