Public DMZ network architecture
I am not clear on what you mean by a “highly secure network
architecture”. You would need to consider in more detail what are your
security objectives, information security requirements and the threat
landscape in which you are operating to design and implement
appropriate security controls.
I will however try to answer your question at a high level.
Yes, the first security architecture is OK from a security point of
view in general. There are variations of this architecture (e.g. do
you attach the DMZ to the external and/or internal firewalls and/or
in-between) but I do not believe it is relevant to your question at
this stage.
My understanding is that this architecture used to be more popular at
a time when firewalls had multiple known public vulnerabilities in
their implementation that would permit bypassing or even exploitation
of the firewalls themselves, and in the absence of other mitigating
controls.
In using a different implementation for your external and internal
firewalls, you are just applying the principle of natural selection to
your architecture and it is generally a good thing: if one
implementation is vulnerable to a specific attack, the same attack may
not work on a different implementation if their respective traits are
dissimilar enough. You are hopefully removing a single point of
failure (from an implementation perspective) of the “firewall security
function”.
Of course, depending on your information availability requirements,
you may need to consider clustering your external and internal
firewalls among other things.
The second architecture is also valid from a security perspective and
I believe it is now more popular than the first one (cost
helping). You have a potential single point of failure of the firewall
security function. However, most organisations would have (hopefully)
realised by now that you cannot rely on your firewall only to provide
security services. Routers/switches/host firewalls/etc. can all
contribute to the security posture of an organisation thus mitigating
some or all the damage caused by a compromise of a (single) firewall
implementation. It also appears that firewalls are a bit more solid
nowadays and that attacks have shifted to higher but softer OSI layers
e.g. applications.
I would consider the second architecture for most deployments. I may
consider the first architecture in some specific circumstances
including but not limited to security objectives and requirements,
potential attackers’ motivations and more importantly, resources.