From the DMZ network diagram example, explain its infrastructure.

147    Asked by AmitSinha in Cyber Security, Asked on Apr 7, 2022

When searching with Google for network architectures with a DMZ, I found different representations and I got even more confused. So my question is, how should a DMZ be placed in a highly secure network architecture? Is the first representation OK from a security point of view?

Answered by Amit Sinha

Regarding the DMZ network diagram example: all designs have their own pros and cons, but it all comes down to TWO PRIMARY DIFFERING BUSINESS DRIVERS. If the business is making requirements with statements like:

"We need an Internet / DMZ security design that is ... *cost-effective, lowest cost, basic, simple design, simple to manage, cheap & dirty, adequate protection...* etc."

Then the 3-LEGGED FW (example #2) will be the model you should use as the basis for your design. And in a world where "SAVE $$$" and "Reduce Costs" are often the #1 drivers, it is the primary factor why the 3-LEGGED FW design is by far the most popular deployment, even for larger organisations.

If the business is making requirements with statements like: "We need an Internet / DMZ security design that is ... highly / extremely secured, provides the best internet protection regardless of cost, protection of our internal corporate systems are A MUST... etc."

Then the FW-Sandwich / 2-Tier FW / Layered DMZ (example #1) model is the one you should be using as a base for your design. The reason is extremely simple... Layered DMZ security adds additional unique barriers to entry for the Internet hacker. If he gets through the first FW, he lands at the next layer, and the next, and then the back-end Internal FW before he has finally got to the crown jewels of the corporate data. The 3-LEGGED FW model is 1 layer of protection whereby, if a poorly configured / misconfigured FW is compromised, he has direct access into the internal network. BAD!

My past designs are more complex than a front and back FW. In an extremely highly secured ISP/DMZ design, I architected FW, IPS, front VIP network, DMZ VIP Load Balancers, Private Farm networks, then the back-end Internal-Facing FWs. Each of these layers adds a unique additional barrier to entry for the hacker to get through. We also set strong design rules that state "one layer in the design must only talk to the next layer and not bypass that layer as a shortcut".

This design is surely more costly, but for large-scale enterprises whereby banking, financial, large databases of client information, etc. MUST BE PROTECTED, it would be foolish to use a 3-Legged FW that makes it the single barrier between the hackers and these crown jewels.
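The two points the answer makes (a layered DMZ keeps a barrier in place even when the front firewall fails, and no layer may "shortcut" past the next one) can be checked mechanically on a zone model of the design. The following is an added example, not code from the original post or from any firewall product; the zone names, firewall names and rules are constructed for illustration, and "cost" is a simple model in which each rule-permitted hop means a service in the next zone must be compromised to pivot, while a misconfigured firewall is assumed to forward anything between the zones it connects.

```python
"""Compare a 3-legged firewall DMZ with a layered (firewall-sandwich) DMZ.

Two defender-side checks on a zone/rule model (all names constructed):
  1. lint_shortcuts: flag rules that let a layer bypass the next layer inward.
  2. barriers_to: minimum number of hosts an attacker must compromise to reach
     a zone, optionally assuming one firewall's policy is fully misconfigured.
"""
import heapq

# Ordered layers, outermost first (constructed example of the layered design).
LAYERED_ZONES = ["internet", "front_dmz", "app_farm", "internal"]
THREE_LEGGED_ZONES = ["internet", "front_dmz", "internal"]

# Rules: (firewall, source zone, destination zone, tcp port). Constructed.
LAYERED_RULES = [
    ("front_fw", "internet", "front_dmz", 443),    # web tier behind front FW
    ("front_fw", "front_dmz", "app_farm", 8443),   # web -> app tier
    ("back_fw", "app_farm", "internal", 1433),     # app -> internal database
]

THREE_LEGGED_RULES = [
    ("edge_fw", "internet", "front_dmz", 443),     # single FW, three legs
    ("edge_fw", "front_dmz", "internal", 1433),    # DMZ -> internal database
]


def lint_shortcuts(rules, zones):
    """Return rules whose destination is more than one layer inward from the
    source, i.e. rules that violate "a layer only talks to the next layer"."""
    order = {z: i for i, z in enumerate(zones)}
    return [r for r in rules
            if r[1] in order and r[2] in order and order[r[2]] - order[r[1]] > 1]


def barriers_to(target, rules, start="internet", compromised=frozenset()):
    """Minimum number of hosts that must be compromised to reach `target`.

    Each rule-permitted hop costs 1 (a listening service in the destination
    zone has to be exploited to pivot). A firewall in `compromised` is assumed
    to forward anything between the zones it touches, so those hops cost 0.
    Returns None if the target is unreachable under the rules.
    """
    edges = {}     # zone -> {neighbour: cost}
    fw_zones = {}  # firewall -> set of zones it connects
    for fw, src, dst, _port in rules:
        edges.setdefault(src, {}).setdefault(dst, 1)
        fw_zones.setdefault(fw, set()).update((src, dst))
    for fw in compromised:
        zones = fw_zones.get(fw, set())
        for a in zones:
            for b in zones:
                if a != b:
                    edges.setdefault(a, {})[b] = 0   # FW no longer filters

    # Dijkstra over the small zone graph.
    dist = {start: 0}
    heap = [(0, start)]
    while heap:
        d, zone = heapq.heappop(heap)
        if zone == target:
            return d
        if d > dist.get(zone, float("inf")):
            continue
        for nxt, cost in edges.get(zone, {}).items():
            if d + cost < dist.get(nxt, float("inf")):
                dist[nxt] = d + cost
                heapq.heappush(heap, (d + cost, nxt))
    return None


if __name__ == "__main__":
    for name, rules, zones, front in (
        ("layered", LAYERED_RULES, LAYERED_ZONES, "front_fw"),
        ("3-legged", THREE_LEGGED_RULES, THREE_LEGGED_ZONES, "edge_fw"),
    ):
        print(name, "shortcut rules:", lint_shortcuts(rules, zones))
        print(name, "barriers to internal:", barriers_to("internal", rules))
        print(name, "barriers if", front, "is misconfigured:",
              barriers_to("internal", rules, compromised={front}))
```

Running it shows the answer's argument in numbers: the layered design needs three compromised hosts to reach `internal` and still leaves one barrier (the back firewall and the database service) when the front firewall is fully misconfigured, whereas the 3-legged design drops to zero barriers in the same failure, which is the "direct access into the internal network" case described above. Adding a rule such as `("front_fw", "internet", "app_farm", 22)` to the layered rule set is flagged by the lint as a shortcut past the web tier.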