Case Study

Figure 15-7 illustrates the security architecture for ABC, Inc.

The security components implemented are detailed as follows:

• Public firewall and the public (outside) router provide the first line of defense against network attackers. This "first line of defense" protects against well-known attacks on the network and its systems.

• The public server farm hosts World Wide Web sites, public file sharing servers (FTP), e-commerce servers, etc.

• A network-based intrusion detection system (NIDS) is placed on the public (outside) network segment augmenting the outside firewall and router in protecting the network and its systems.

• A second firewall (Cisco PIX, in this case) connects the outside (public) and inside (private) network segments. This firewall provides more stringent control regarding who can enter the private network in this case, only those users authorized by the organization to access private network resources, such as partner vendors and telecommuters.

• The private (inside) router provides routing services for the protected (internal) network.

  NOTE A firewall can be coupled with this private router to provide network and system isolation from other private network segments, such as other organizational sites, vendor partners, etc. This firewall implementation lends itself to a "watch those we trust" mentality.

• A second NIDS is placed on the internal network segment to monitor for internal intrusion or misuse activities.

• The private server farm hosts organizational intranet resources, such as corporate e-mail servers, intranet servers, database and accounting servers, etc.