Assume you are adding a NIDS to a three-interface firewall design. If you have budget for only one sensor, where should it go?


If you have budget for only one sensor, the answer varies depending on your firewall policy and the security sensitivity of the devices on your public services segment. The default answer is to put it on the public services segment because that is where the most publicly reachable systems can be found.


Assume the same design as the previous question, but now you have budget for two NIDS sensors. Where do you put them?


The right answer is to put one on the public services segment and another on the segment connecting your firewall to the internal network.


Your boss has asked you to select a device to provide connectivity to 50 branch offices. Each branch office requires VPN connectivity, routing, firewalling, and an IDS. Budget and manageability are key concerns. Which device, or devices, should you recommend?


The answer to this question depends on a number of factors. What is the performance requirement at each branch? Which traffic types will be passing over the VPN? Will a central team manage the entire connection, or do you have dedicated security staff for the security components? Based on the answers to these questions, you can wind up with one of two options. First, deploy a security device (VPN/firewall) and a router as separate components. Second, deploy a router with integrated security. The latter option is preferable if the performance requirements can be met by the router and the teams responsible for the different elements of the connection are happy with the management interfaces the router provides.


Which future technology might make using NIDS to stop attacks more viable?


Inline NIDS is the most likely candidate. However, the problem of false positives (and negatives) still must be solved. Putting NIDS inline just exacerbates the problem rather than making it go away.


When might you want to have more than one public services segment on your Internet edge?


When you have services that have different trust levels and access to the rest of the network. Using private VLANs can mitigate the risk of intermingling these systems if having multiple segments isn't an option. See Chapter 6, "General Design Considerations," for more details.


What is the most important component of any security technology deployed on an open source, noncommercially supported platform?


Ensuring that your company maintains thorough documentation that is kept up-to-date is an important component of any security plan and is absolutely essential for those involving open source tools with no commercial support.


Network Security Architectures
ISBN: 158705115X
EAN: 2147483647
Year: 2006
Pages: 249
Authors: Sean Convery
