Positioning IPS engines and Layer 2 Firewalls in DMZ networks

DMZ networks (demilitarized zone networks, also known as perimeter networks) allow inbound access from a wide range of users, but the devices in them are uniform.

The services offered are limited in number as well, and their allowed usage is often strictly defined.

Table 1. DMZ considerations for IPS engines

Main purpose
  Description: DMZs provide a limited number of services for external users. The services are often business-critical and open for public access. DMZs are a tempting target for attacks because of their accessibility, importance, and visibility.
  Considerations for IPS engines: IPS engines provide crucial protection in DMZs, unless the DMZs are already protected by firewalls.

Hosts
  Description: Often a uniform environment consisting mainly of servers. No outbound communication is initiated from the DMZ to the public networks.
  Considerations for IPS engines: Most sources are not trusted and IP address spoofing is a possibility. Internal networks can be considered more trustworthy if there is a Firewall that prevents IP address spoofing.

Users
  Description: Most services are public, but some services might also be offered to specific users. Administrators have wider permissions.
  Considerations for IPS engines: For recognized users, allowed and forbidden activities can be specified in great detail for each type of access.

Traffic volume
  Description: Low to medium, generally the full bandwidth of all Internet links combined (shared with other local networks). Traffic to other local networks can be high in volume.
  Considerations for IPS engines: Hardware requirements vary greatly depending on the environment. Clustering allows flexible adjustments to the inspection performance.

Traffic type
  Description: Rather uniform traffic, with only well-known applications and servers communicating within and into the networks.
  Considerations for IPS engines: The limited, well-defined set of protocols and applications means inspection can be tuned in great detail. If servers provide HTTPS services, decrypting the traffic for inspection might require heavy processing.

Network security
  Description: A network between the trusted and untrusted security zones allowing access for authorized and public use.
  Considerations for IPS engines: External access to services makes the servers in a DMZ a tempting target for attacks. Connections between the DMZs and other networks facilitate further attacks.
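The Hosts row states two properties an IPS or Layer 2 Firewall in front of a DMZ can check on every new connection: the DMZ never initiates connections to public networks, and addresses from local ranges must not arrive on the external interface (spoofing). The following is an added example, not code from this documentation or its product, that applies those two checks to constructed flow records; the address plan (192.0.2.0/24 for the DMZ, 10.0.0.0/8 for internal networks) and the interface names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical address plan, constructed for this example.
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")      # DMZ servers
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # internal networks
LOCAL_NETS = (DMZ_NET, INTERNAL_NET)


@dataclass
class Flow:
    iface: str   # interface the first packet of the connection arrived on
    src: str
    dst: str
    dport: int


def is_local(ip: str) -> bool:
    """True if the address belongs to the DMZ or an internal network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def check_flow(flow: Flow) -> list[str]:
    """Return policy findings for one new connection (empty list = nothing unusual)."""
    findings = []
    # Anti-spoofing: a connection entering on the external interface
    # must not claim a DMZ or internal source address.
    if flow.iface == "external" and is_local(flow.src):
        findings.append("spoofed-source")
    # The DMZ does not initiate connections to public networks, so a
    # DMZ-sourced flow toward a non-local destination is worth alerting on.
    if ipaddress.ip_address(flow.src) in DMZ_NET and not is_local(flow.dst):
        findings.append("dmz-initiated-outbound")
    return findings


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("external", "203.0.113.7", "192.0.2.10", 443),  # public client to DMZ web server: expected
    Flow("external", "10.1.2.3", "192.0.2.10", 443),     # internal source arriving from outside: spoofed
    Flow("dmz", "192.0.2.10", "198.51.100.5", 80),       # DMZ server reaching out to the Internet
    Flow("dmz", "192.0.2.10", "10.1.2.3", 5432),         # DMZ to internal database: local, no finding here
]


def audit(flows: list[Flow]) -> dict[int, list[str]]:
    """Map flow index to its findings, keeping only flows that produced any."""
    return {i: f for i, flow in enumerate(flows) if (f := check_flow(flow))}


if __name__ == "__main__":
    for idx, findings in audit(SAMPLE_FLOWS).items():
        print(idx, SAMPLE_FLOWS[idx], findings)
```

The last sample flow (DMZ to an internal database) produces no finding because it stays within local networks; the page's Network security row is the reason such DMZ-to-internal connections still deserve their own detailed inspection rules.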