
What are good suggestions to secure a DMZ zone?

Question added by Deleted user
Date Posted: 2013/07/09
by Wasim Parkar, Senior Information Security Analyst, Leading Bank in Kuwait

There are multiple solutions to secure a DMZ.
You should make sure all servers in the DMZ are hardened and only required services are running on those servers.
All servers should be patched.
The DMZ should be protected by a firewall and IPS.
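One way to check the "only required services are running" point on a Linux DMZ host is to compare what is actually listening against a written allowlist. The script below is an added example, not code from the answer above: it parses the column layout of `ss -ltnp` (the sample rows are constructed, not captured from a real host), ignores loopback-only binds, and reports every listener the allowlist does not cover. The allowlist itself is a hypothetical policy for a web-tier host.

```python
"""Audit listening TCP services on a DMZ host against an allowlist.

Added example: parses `ss -ltnp`-style output (constructed sample below) and
reports listeners that are not explicitly permitted.
"""
import re
from typing import NamedTuple


class Listener(NamedTuple):
    addr: str      # bind address, e.g. 0.0.0.0 or 127.0.0.1
    port: int
    process: str   # process name from the users:(("name",pid=..,fd=..)) column


# Header plus rows in the format `ss -ltnp` prints; constructed for this example.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1043,fd=6))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1043,fd=7))
LISTEN  0       80      0.0.0.0:3306         0.0.0.0:*          users:(("mysqld",pid=1201,fd=21))
LISTEN  0       128     127.0.0.1:8125       0.0.0.0:*          users:(("statsd",pid=1399,fd=9))
LISTEN  0       50      [::]:21              [::]:*             users:(("vsftpd",pid=1502,fd=4))
"""

# What this web-tier DMZ host may expose: (port, process name).
# Hypothetical policy for the example; a real one comes from the server's build standard.
ALLOWED = {(22, "sshd"), (80, "nginx"), (443, "nginx")}

# One LISTEN row: state, queues, local addr:port, peer, then the owning process name.
ROW_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


def parse_ss(text: str) -> list[Listener]:
    """Turn ss -ltnp output into Listener records; the header and unparsable lines are skipped."""
    found = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            found.append(Listener(m["addr"], int(m["port"]), m["proc"]))
    return found


def unexpected_listeners(listeners, allowed=ALLOWED, ignore_loopback=True):
    """Return listeners not covered by the allowlist.

    Loopback-only binds are skipped by default because they are not reachable
    from the network; pass ignore_loopback=False to review them too.
    """
    loopback = {"127.0.0.1", "[::1]", "::1"}
    return [l for l in listeners
            if (l.port, l.process) not in allowed
            and not (ignore_loopback and l.addr in loopback)]


if __name__ == "__main__":
    for l in unexpected_listeners(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"UNEXPECTED {l.process} listening on {l.addr}:{l.port}")
```

On the sample data the database and FTP daemons are flagged because a web-tier host has no business exposing them to the DMZ network; on a real host, feed it the live `ss -ltnp` output and keep the allowlist under change control alongside the firewall rules.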

by Osama Al Otoom, Network information Security Manager, unicom group for telecommunication technology

1. If possible, block unnecessary subnets based on country (like China, Russia) from which lots of attacks come (implement a standard ACL on the edge router for better performance).

2. Use a stateful type of firewall to inspect packets deeply as they flow through it, unlike stateless firewalls, which statically permit or block network traffic simply based on its source and/or destination IP address and/or port number without looking any deeper into the packet.

3. If your switches support PVLAN (e.g. Cisco C3750), go ahead and implement this excellent layer-2 isolation technique within your DMZ network.

By this way, your DMZ VLAN will be segmented into 3 types of secondary VLANs (promiscuous, isolated, and community VLANs):

Attach your gateway, firewall, IDS, IPS nodes to a promiscuous switch interface to permit all traffic to pass through (it acts as a trunk).

Attach your cluster servers to separate community PVLANs (i.e. web cluster1 with DMZ:comm1, web cluster2 with DMZ:comm2).

Attach your standalone servers to separate isolated PVLANs (i.e. ftp server1 with DMZ1:iso3, ftp server2 with DMZ:iso4).

4. On your servers, install host-based intrusion detection systems like OSSEC HIDS (it's totally free), and install updates and patches regularly.
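The PVLAN layout in point 3 is easy to get wrong because each secondary VLAN type has different reachability. The script below is an added example, not part of the answer above: it encodes the three rules (promiscuous reaches everything, community reaches promiscuous plus its own community, isolated reaches promiscuous only), applies them to the answer's layout (firewall/IPS on promiscuous ports, two web clusters in their own community VLANs, two standalone FTP servers isolated) and renders the corresponding Cisco IOS switchport configuration. Port names, VLAN numbers and host names are constructed. It uses a single isolated VLAN for both FTP servers because a primary PVLAN carries only one isolated VLAN, and hosts inside it cannot reach each other anyway.

```python
"""Reachability model and IOS config rendering for private VLANs in a DMZ.

Added example: the answer's layout expressed as ports, checked against the
PVLAN rules, then turned into Cisco IOS private-vlan commands. All names and
VLAN numbers are constructed for the example.
"""
from enum import Enum
from itertools import combinations


class Kind(Enum):
    PROMISCUOUS = "promiscuous"   # gateway, firewall, IDS/IPS
    COMMUNITY = "community"       # clustered servers that must see each other
    ISOLATED = "isolated"         # standalone servers


class Port:
    def __init__(self, name, host, kind, secondary_vlan=None):
        self.name, self.host, self.kind, self.secondary_vlan = name, host, kind, secondary_vlan


def can_talk(a: Port, b: Port) -> bool:
    """Layer-2 reachability between two ports in the same primary VLAN."""
    if Kind.PROMISCUOUS in (a.kind, b.kind):
        return True                                  # promiscuous reaches everyone
    if a.kind is Kind.COMMUNITY and b.kind is Kind.COMMUNITY:
        return a.secondary_vlan == b.secondary_vlan  # same community only
    return False                                     # an isolated host is involved


def reachable_pairs(ports):
    """Set of unordered host pairs that can exchange layer-2 traffic."""
    return {frozenset((a.host, b.host)) for a, b in combinations(ports, 2) if can_talk(a, b)}


def ios_config(ports, primary):
    """Render VLAN definitions and per-interface commands in Cisco IOS syntax."""
    secondaries = {p.secondary_vlan: p.kind for p in ports if p.secondary_vlan}
    sec_list = ",".join(str(v) for v in sorted(secondaries))
    lines = [f"vlan {primary}", " private-vlan primary", f" private-vlan association {sec_list}"]
    for vlan, kind in sorted(secondaries.items()):
        lines += [f"vlan {vlan}", f" private-vlan {kind.value}"]
    for p in ports:
        lines.append(f"interface {p.name}")
        if p.kind is Kind.PROMISCUOUS:
            lines += [" switchport mode private-vlan promiscuous",
                      f" switchport private-vlan mapping {primary} {sec_list}"]
        else:
            lines += [" switchport mode private-vlan host",
                      f" switchport private-vlan host-association {primary} {p.secondary_vlan}"]
    return "\n".join(lines)


# Constructed DMZ layout following the answer: primary VLAN 100,
# community 101 (web cluster 1), community 102 (web cluster 2), isolated 103 (FTP).
PRIMARY_VLAN = 100
DMZ_PORTS = [
    Port("GigabitEthernet1/0/1", "firewall", Kind.PROMISCUOUS),
    Port("GigabitEthernet1/0/2", "ips", Kind.PROMISCUOUS),
    Port("GigabitEthernet1/0/3", "web1a", Kind.COMMUNITY, 101),
    Port("GigabitEthernet1/0/4", "web1b", Kind.COMMUNITY, 101),
    Port("GigabitEthernet1/0/5", "web2a", Kind.COMMUNITY, 102),
    Port("GigabitEthernet1/0/6", "ftp1", Kind.ISOLATED, 103),
    Port("GigabitEthernet1/0/7", "ftp2", Kind.ISOLATED, 103),
]

if __name__ == "__main__":
    for pair in sorted(sorted(p) for p in reachable_pairs(DMZ_PORTS)):
        print("reachable:", " <-> ".join(pair))
    print(ios_config(DMZ_PORTS, PRIMARY_VLAN))
```

The model makes the design's intent visible before anything is typed into a switch: a compromised FTP server cannot reach the other FTP server or either web cluster, and the two web clusters cannot reach each other, while the firewall and IPS on promiscuous ports still see all of them. The rendered configuration is the standard IOS private-vlan syntax; verify it against the command reference for your switch model before applying it.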

 

by Deleted user

I found a new solution that we call a honeypot ...

by musab islam, inventory officer, computer xperts

yes

by Muraleedharan Karumathil, Operation Manager, SBM NAUVATA SBM Nauvata Indi

It is true that we should keep only the essential applications/services running in the DMZ zone.
Over and above that, make sure that all your systems remain patched always, and keep constant monitoring of network rules.
