The Best Damn Firewall Book Period

DMZ design includes a number of important steps that make the overall design process smoother and less subject to breach. These steps include performing a complete physical and logical security analysis of the systems to be protected, followed by adopting an enterprise security policy that details the path of management, monitoring, enforcement, and responsibility for the various areas of the enterprise's security. Once the security analysis is complete and a supported security policy is in place, we can begin to think about the design of the DMZ structure.

Generically, we create the basic DMZ structure after we have identified the assets and resources that need protection. This generic plan is followed by an evaluation of how information currently flows in the organization and how it should be handled securely to isolate and protect the systems from compromise.

When the generic tasks have been completed, the design begins to take shape as we configure and define the various levels of the DMZ structure to provide the necessary services to customers, employees, and partners. There are nearly infinite possibilities in the choice of equipment and configurations, and we are charged with creating a design that is both functional and economically feasible in reducing risk. Here we begin to consider not only the best logical design but also the design that is most feasible for protecting our data.

We find as we proceed that the level of service that we are providing and the connectivity needs of the various partners and operations greatly affect the level of configuration within the DMZ structure. We also find that it is possible to allow connectivity in multiple levels for various services while always striving to protect the internal network from harm.
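As an added illustration (not code from the book), the following Python model expresses the layered connectivity described above: zones are ordered by trust, a policy lists permitted flows between them, and two checks flag designs in which traffic from a less trusted level either terminates in the internal network or skips a DMZ tier. The zone names, trust values and sample policy are constructed for the example.

```python
"""Tiered DMZ flow-policy checks. Constructed illustration, not the book's code."""

# Constructed trust ordering: a higher value means a more trusted zone
TRUST = {"internet": 0, "dmz_web": 1, "dmz_app": 2, "internal": 3}

# Constructed sample policy: (source zone, destination zone, service)
POLICY = [
    ("internet", "dmz_web", "https"),
    ("dmz_web", "dmz_app", "app-api"),
    ("internet", "dmz_app", "ssh"),         # skips the web tier
    ("dmz_app", "internal", "db"),          # inbound into the internal network
    ("internal", "dmz_app", "mgmt-https"),  # initiated from internal: acceptable
]


def is_inbound(src, dst):
    """A flow is inbound when it goes from a less trusted to a more trusted zone."""
    return TRUST[src] < TRUST[dst]


def find_violations(policy):
    """Return (flow, reason) pairs for inbound flows that break the tiered design."""
    most_trusted = max(TRUST.values())
    problems = []
    for src, dst, svc in policy:
        if not is_inbound(src, dst):
            continue
        if TRUST[dst] == most_trusted:
            problems.append(((src, dst, svc), "inbound flow terminates in the internal network"))
        elif TRUST[dst] - TRUST[src] > 1:
            problems.append(((src, dst, svc), "inbound flow skips a DMZ tier"))
    return problems


def reachable_from(policy, start):
    """Zones exposed to `start` by chaining permitted inbound flows (excluding start)."""
    seen, frontier = {start}, [start]
    while frontier:
        zone = frontier.pop()
        for src, dst, _svc in policy:
            if src == zone and is_inbound(src, dst) and dst not in seen:
                seen.add(dst)
                frontier.append(dst)
    return seen - {start}


if __name__ == "__main__":
    for flow, why in find_violations(POLICY):
        print(f"{flow}: {why}")
    print("exposed to the internet:", sorted(reachable_from(POLICY, "internet")))
```

Removing the two flagged flows leaves the internet able to reach only the two DMZ tiers, which is the exposure the design intends.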
