Positioning IPS engines and Layer 2 Firewalls in DMZ networks
DMZ networks (demilitarized zone networks, also known as perimeter networks) allow inbound access to a wide range of users, but are unified environments in terms of devices.
The services offered are limited in number as well and their allowed usage is often strictly defined.
| Description | Considerations for IPS engines | |
|---|---|---|
| Main purpose | DMZs provide a limited number of services for external users. The services are often business-critical and open for public access. | DMZs are a tempting target for attacks because of their accessibility, importance, and visibility. IPS engines provide crucial protection in DMZs, unless the DMZs are already protected by firewalls. |
| Hosts | Often a uniform environment consisting mainly of servers. No outbound communication is initiated from the DMZ to the public networks. | Most sources are not trusted and IP address spoofing is a possibility. Internal networks can be considered more trustworthy if there is a Firewall that prevents IP address spoofing. |
| Users | Most services are public, but some services might also be offered to specific users. Administrators have wider permissions. | For recognized users, allowed and forbidden activities can be specified in great detail for each type of access. |
| Traffic volume | Low to medium, generally the full bandwidth of all Internet links combined (shared with other local networks). Traffic to other local networks can be high in volume. | Hardware requirements vary greatly depending on the environment. Clustering allows flexible adjustments to the inspection performance. |
| Traffic type | Rather uniform traffic, with only well-known applications and servers communicating within and into the networks. | The limited, well-defined set of protocols and applications means inspection can be tuned in great detail. If servers provide HTTPS services, decrypting the traffic for inspection might require heavy processing. |
| Network security | A network between the trusted and untrusted security zones allowing access for authorized and public use. | External access to services makes the servers in a DMZ a tempting target for attacks. Connections between the DMZs and other networks facilitate further attacks. |