RE: [BULK] - Designing Network Security

From: Arora, Manoj (marora@torys.com)
Date: Fri Jan 06 2006 - 16:33:54 EST


If I were in your position I would architect two DMZs off a single
firewall (HA) and host the web server in a dedicated DMZ. I would have an
IDS/IPS sniffing in both DMZs (might need a dual license for that).
Set up a syslog server outside the DMZ (behind the second firewall
if you have two tiers of firewalls) with read-only permission, collecting
and correlating logs from the servers, firewalls and the IDS (IDS
logging can get a little noisy, so it will need to be tuned). If it's
logging too much data, set up a scheduled task to split it and zip it on
a daily basis.

Some organizations like to have an IDS placed in front of the firewall
facing the internet and in the DMZs, while some prefer to have it only
in the DMZ, but this is a call you need to take. You'll definitely have
to harden all your core/critical servers, especially those in the DMZ.

This article might show you the right direction, but you will have to
work out the best possible solution for your infrastructure as it's going
to be unique in its own way.

http://www.cert.org/security-improvement/practices/p053.html

Good luck!

Manoj Arora
Security Analyst
Torys LLP
marora@torys.com

-----Original Message-----
From: kaushik [mailto:kaushik.mamania@dg2l.com]
Sent: January 6, 2006 1:44 AM
To: pen-test@securityfocus.com
Subject: [BULK] - Designing Network Security

Hello List,

Maybe this is not the right list to post to. Since we need to protect
ourselves from crackers and malicious traffic, I am taking the liberty to
post here.

We need to redesign the network. We need to place a web server, mail
server and VOIP server within the DMZ and also put an IDS in place.

How should one go about designing the same?

We have to concentrate on protecting the Intellectual Property as well,
since we are an R&D center.
We will need some good policies for the same.

Can someone direct me to good online resources in the vast sea
available?

Warm Regards
Kaushik

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
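
The daily "split it and zip it" task suggested in the reply above, as an added example (not code from either poster): it splits one collected syslog file into per-day gzip archives. The function names, file names and the explicit `year` argument (RFC 3164 timestamps carry no year) are assumptions, and the sample log lines are constructed.

```python
import gzip
import re
import tempfile
from datetime import datetime
from pathlib import Path

# RFC 3164 timestamp at line start, e.g. "Jan  6 16:33:54" (no year field).
TS = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) \d{2}:\d{2}:\d{2} ")

# Constructed sample: firewall, IDS and web-server lines spanning two days.
SAMPLE = """\
Jan  5 23:59:58 fw1 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 DPT=23
Jan  6 00:00:03 ids-dmz1 snort[412]: [1:1000001:1] constructed alert text
  continuation line without a timestamp
Jan  6 16:33:54 web1 httpd[2001]: GET /index.html 200
"""

def split_and_compress(log_path, out_dir, year):
    """Return {archive_name: line_count} after writing per-day .gz files."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    # Lines seen before any valid timestamp go to "unparsed"; later lines
    # without one (continuations) stay with the preceding line's day.
    handles, counts, current = {}, {}, "unparsed"
    try:
        with open(log_path, "r", encoding="utf-8", errors="replace") as src:
            for line in src:
                m = TS.match(line)
                if m:
                    try:
                        stamp = datetime.strptime(f"{year} {m[1]} {m[2]}", "%Y %b %d")
                        current = stamp.strftime("%Y-%m-%d")
                    except ValueError:  # impossible date: keep previous bucket
                        pass
                name = f"{current}.log.gz"
                if name not in handles:
                    # Append mode: several source files may feed the same day.
                    handles[name] = gzip.open(out_dir / name, "at", encoding="utf-8")
                handles[name].write(line)
                counts[name] = counts.get(name, 0) + 1
    finally:
        for h in handles.values():
            h.close()
    return counts

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "collected.log"
        src.write_text(SAMPLE, encoding="utf-8")
        counts = split_and_compress(src, Path(tmp) / "archive", 2006)
        with gzip.open(Path(tmp) / "archive" / "2006-01-06.log.gz", "rt") as f:
            return counts, f.read().count("\n")
```

Run once a day from cron or the Windows Task Scheduler against the previous day's collected file; because archives are opened in append mode, processing the same input twice duplicates its lines.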


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:19 EDT