1. If possible, block unnecessary subnets based on country (like China, Russia), as lots of attacks come from these countries (implement a standard ACL on the edge router for better performance).
2. Use a stateful type of firewall that inspects packets deeply as they flow through it, unlike stateless firewalls, which statically permit or block network traffic simply based on its source and/or destination IP address and/or port number without looking any deeper into the packet.
3. If your switches support PVLAN (i.e. Cisco C3750), go ahead and implement this excellent layer 2 isolation technique within your DMZ network.
By this way, your DMZ VLAN will be segmented into 3 types of secondary VLANs (promiscuous, isolated, and community VLANs):
- Attach your gateway, firewall, IDS, IPS nodes to a promiscuous switch interface to permit all traffic to pass through (it acts as a trunk).
- Attach your cluster servers to separate community PVLANs (i.e. web cluster1 with DMZ:comm1, web cluster2 with DMZ:comm2).
- Attach your standalone servers to separate isolated PVLANs (i.e. ftp server1 with DMZ1:iso3, ftp server2 with DMZ:iso4).
4. On your servers, install host-based intrusion detection systems like OSSEC HIDS (it's totally free), and install updates and patches regularly.
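As an added example (not part of the answer above), here is what step 1 looks like as a standard ACL on a Cisco IOS edge router. The prefixes are documentation ranges used as placeholders, not real country allocations; a real deployment would take the prefix list from a current geo-IP feed and refresh it regularly, since allocations change. The interface name is an assumption.

```cisco
! Added example: standard ACL applied inbound on the Internet-facing interface.
! A standard ACL matches only on source address, which is exactly the
! country-block case and is cheap for the router to evaluate.
ip access-list standard BLOCK-GEO
 remark Placeholder prefixes (RFC 5737 TEST-NET ranges), not real country blocks
 deny   192.0.2.0   0.0.0.255
 deny   198.51.100.0 0.0.0.255
 deny   203.0.113.0 0.0.0.255
 ! Everything not listed above is still subject to the firewall behind the router
 permit any
!
interface GigabitEthernet0/0
 description Internet uplink (assumed interface name)
 ip access-group BLOCK-GEO in
```

To confirm the entries are taking hits after deployment, use `show ip access-lists BLOCK-GEO`, which prints a match counter per line; a deny line that never increments is a sign the prefix list is stale.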
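The PVLAN layout in step 3, written out as an added Cisco IOS configuration example for a Catalyst switch (this is illustrative configuration, not taken from the answer above). VLAN numbers and interface names are assumptions. One point to note when translating the design to IOS: a primary VLAN can carry several community VLANs but only one isolated VLAN, and that is enough, because hosts in an isolated VLAN cannot reach each other anyway, only the promiscuous port.

```cisco
! Added example: DMZ private VLAN on a Catalyst switch.
! PVLANs require VTP transparent mode (or VTP version 3).
vtp mode transparent
!
! Primary VLAN 100 is the DMZ; secondary VLANs are mapped to it.
vlan 100
 name DMZ
 private-vlan primary
 private-vlan association 101,102,103
vlan 101
 name DMZ-comm1
 private-vlan community
vlan 102
 name DMZ-comm2
 private-vlan community
vlan 103
 name DMZ-iso
 private-vlan isolated
!
! Promiscuous port: firewall/gateway (IDS/IPS sensors go on ports configured the same way).
! It can talk to every secondary VLAN mapped here.
interface GigabitEthernet1/0/1
 description Firewall / gateway (assumed)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102,103
!
! Web cluster 1: members can talk to each other and to the promiscuous port only.
interface range GigabitEthernet1/0/2 - 3
 description Web cluster 1 (assumed)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Web cluster 2: same model, separate community, so clusters cannot reach each other.
interface range GigabitEthernet1/0/4 - 5
 description Web cluster 2 (assumed)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Standalone FTP servers: isolated VLAN, so even two hosts in it cannot reach each other.
interface range GigabitEthernet1/0/6 - 7
 description Standalone FTP servers (assumed)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 103
```

After applying it, `show vlan private-vlan` lists each secondary VLAN with its type and member ports, and `show interfaces GigabitEthernet1/0/2 switchport` should report the operational mode as a private-VLAN host. The useful defensive property is that a compromised host in comm1 or the isolated VLAN still has to traverse the firewall on the promiscuous port to reach anything else in the DMZ, so the firewall and IDS see that traffic instead of it crossing the switch silently.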