Your network perimeter is the most important part of your network to harden. This is because it serves as the barrier between your valuable internal resources and a bevy of external hackers, crackers, and criminals looking for something to exploit.
A fundamental aspect of your network perimeter is the proper use of DMZs to provide restricted external access to resources. The most effective DMZ configurations are either the DMZ on a stick deployment or the dual-firewall deployment.
The perimeter of your network plays host to a number of unique needs and requirements. The most effective method of granting secure access for these different needs is to employ a modular design approach, building modules specific to the perimeter task and functionality required. Six modules are commonly implemented:
Internet access module This module serves primarily to provide external Internet access to your internal users as well as to provide external access to common public services such as SMTP, WWW, and DNS services. In addition, the Internet access module serves as a hub for other access modules that require Internet connectivity. Security is provided through the use of firewalls and IDS/IPS.
VPN/remote connectivity access module This module serves primarily to provide IPsec-based VPN access for remote hosts and site-to-site connections. In addition, this module provides dial-in and ISDN access for remote users. Security is provided through the use of VPN concentrators, firewalls, and IDS/IPS.
WAN module This module serves primarily to provide access to remote sites via leased line, packet-switched, or cell-switched service provider networks. Security is provided through the use of firewalls or IPsec tunnels between locations.
Extranet access module This module serves to provide remote access to strategic business partners and vendors, allowing secure access to shared systems through the use of firewalls, IDS/IPS, and sometimes VPN concentrators.
Wireless access module This module serves to provide wireless access to users of your corporate network. Security is provided through the use of wireless security protocols such as WEP, WPA, and 802.1x and by requiring authenticated wireless clients to establish a VPN connection to gain access to internal resources. Firewalls and IDS/IPS can also be deployed to control the traffic to and from the wireless clients.
E-commerce access module The e-commerce access module is the most complex of all of the modules, functioning as a hybrid somewhere between the Internet access module and the extranet access module. This module is designed in a three-tiered architecture that uses firewalls to ensure that external connections can be made only to the first-tier devices, that first-tier devices can connect only to second-tier devices, and that second-tier devices can connect only to third-tier devices. All other communication is blocked, and IDS/IPS are extensively deployed to monitor and analyze the traffic in this module.
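The three-tier rule set described above can be written down as a default-deny policy and checked against candidate connection attempts. The following is an added example, not code from the original text; the tier subnets, the permitted ports, and the sample flows are all constructed for illustration.

```python
# Added example: a default-deny model of the three-tier e-commerce module,
# used to audit new connection attempts. Subnets, ports and flows are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan: one subnet per tier; any other address is external.
TIERS = {
    "tier1": ip_network("10.1.1.0/24"),  # public-facing web servers
    "tier2": ip_network("10.1.2.0/24"),  # application servers
    "tier3": ip_network("10.1.3.0/24"),  # database servers
}

# Explicit allow-list of (source zone, destination zone) -> permitted ports.
# Anything not listed is denied, which enforces "all other communication is blocked".
ALLOWED = {
    ("external", "tier1"): {80, 443},
    ("tier1", "tier2"): {8080},
    ("tier2", "tier3"): {5432},
}

def zone_of(addr: str) -> str:
    """Map an IP address to its tier, or 'external' if it is in no tier subnet."""
    ip = ip_address(addr)
    return next((name for name, net in TIERS.items() if ip in net), "external")

def is_permitted(src: str, dst: str, dport: int) -> bool:
    """True only for a new connection that follows an allowed hop on an allowed port.
    Return traffic of established sessions is the firewall state table's job, so a
    reverse-direction attempt such as tier3 -> tier2 is denied here."""
    return dport in ALLOWED.get((zone_of(src), zone_of(dst)), set())

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def audit(flows):
    """Return the flows a firewall implementing this policy must reject."""
    return [f for f in flows if not is_permitted(f.src, f.dst, f.dport)]

SAMPLE_FLOWS = [  # constructed connection attempts
    Flow("198.51.100.7", "10.1.1.10", 443),   # Internet -> web: allowed
    Flow("10.1.1.10", "10.1.2.20", 8080),     # web -> app: allowed
    Flow("10.1.2.20", "10.1.3.30", 5432),     # app -> db: allowed
    Flow("198.51.100.7", "10.1.1.10", 22),    # Internet -> web on SSH: denied
    Flow("198.51.100.7", "10.1.3.30", 5432),  # Internet -> db: denied
    Flow("10.1.1.10", "10.1.3.30", 5432),     # web -> db skips a tier: denied
    Flow("10.1.3.30", "10.1.2.20", 8080),     # db -> app, reverse direction: denied
]
```

Running `audit(SAMPLE_FLOWS)` returns the last four flows; a real firewall rule base for this module should reject exactly those and nothing in the first three.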