Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Network Security Perimeter: How to choose the correct firewall and IPS for your environment?

Published: 2010-11-08
Last Updated: 2010-11-09 01:56:46 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
6 comment(s)

Last week my company decided to upgrade our data network bandwidth of 1 GB to 10 GB. The last time we update the design, we found that the bandwidth of the 45 vlan more secure servers, taking into account that each uplink has the 1 GB limit, we gave as 2.8 Gbps total consumption, so we chose a FWSM blade inside a Catalyst 6513. Please look the following diagram:

 Core collapsed network security perimeter design

Now with our network with expanded bandwidth to 10 GB, forced us to change the proposed design to implement security features through a service switch that is connected to the users and the server farm. Please look the following diagram:

Distributed Network Security Perimeter Design

 My big problem is I can not find a Cisco device (Firewall and IPS) capable of handling a traffic level large enough. If I would choose Cisco, I would need to place multiple firewalls and IPS, which is not acceptable to me because of the administration overload. This led me to think again about the factors that would fulfill the perimeter security devices to protect the information assets of my company. The factors are:

  • Sufficient traffic throughput: If the bandwidth supported by firewalls and IPS are exceeded, they can become the bottleneck of the network, causing trauma to the its services and availability. Remember that one of the key criteria for network design is the scalability and any security services in place need to preserve it.
  • Supported protocols: TCP and UDP are not the only protocols that are supported on IP [1]. The firewall and IPS you choose must support the protocols that travel over your network and be able to make decisions about them and not limited only to forward the packets. What would happen if you need a specific type of multicast for your brand new conference system that your firewall and IPS are not capable to support?
  • IDS/IPS evation: Is the IPS you are looking for capable of control the most common techniques for IPS/IDS evation? A simple google search can give you a decent list to work with.
  • Management platform: If we have a perimeter security plan for a large company, you need a management solution that enables the following features: security event management, dynamic network protection and real-time visualization of attacks attempts and successful attacks. Here we must involve an event correlation system that can interact with devices from the network security perimeter that consolidates the information and make reports to enable trends. These trends will allow to implement controls effectively to reduce identified risks.
  • ARP attacks: Is your firewall/IPS able to notice and block fast ARP changes commonly used for man in the middle attacks?

 Do you have any other criteria you want to share with us? Use the comment page or our contact form.

[1] See http://www.networksorcery.com/enp/protocol/ip.htm#Protocol

-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

6 comment(s)

DST to EST error summary

Published: 2010-11-08
Last Updated: 2010-11-08 03:29:50 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
11 comment(s)

We talked about the DST change in our diary http://isc.sans.edu/diary.html?storyid=9898. We have received reports that iphone will not recognize the date change and similar problems with other cellphone companies. It is worth checking whether your phone, computer and other electronic devices automatically switched their date to have no further problems. Do not forget to let us know through our contact form if you encountered problems in this regard.

More information at http://edition.cnn.com/2010/TECH/mobile/11/05/apple.alarm.daylight.savings/

-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

11 comment(s)
Diary Archives