[fw-wiz] A few sql 2000 related questions
From: Foley, Denys (Denys.Foley_at_xerox.com)
To: <firstname.lastname@example.org>
Date: Sun, 13 Feb 2005 13:01:28 -0500
>One proposal I have is the following
>inet-->IPS-->fw->dmz (ssl) web server->fw->(ssl)sql server->vpn(with
>acls)->back office fw dmz->(ssl)back office feeder servers
>other proposal is
>inet-->IPS-->fw->(ssl) inverse proxy->fw->(ssl) web server ->(ssl)sql
>server->vpn(with acls)->back office fw dmz->(ssl)back office feeder servers
The problem with your two proposals is that the IPS is only able to see SSL-encrypted packets. It will never see most attacks that are targeted at the application. You need to have another IPS sensor inside the DMZ and yet another in your backend area.
The sensor outside your FW will be sounding alerts non-stop all day and all night. You should log them and review them, but don't get too excited.
The one inside your DMZ is a bit more important and will not trigger as often; these alerts need attention. Most attacks against web servers that are running SSL will not be seen until the server is compromised and it starts behaving in an unusual manner.
The sensor that is back in your secure zone should be fairly quiet. When it goes off you do want to react and react fast. This one should go to your pager and wake you up in the middle of the night.
Host-based IDS systems will catch attacks on individual servers running SSL. You can run both Network IDS and Host IDS, and it is not the same level of paranoia as wearing a belt and suspenders.
firewall-wizards mailing list
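The three-sensor handling described in the reply (log the outside sensor, ticket the DMZ sensor, page on the backend sensor, and treat a DMZ server that starts acting as a source as a compromise signal) as a small triage routine. This is an added example, not code from the original post; the alert line format, the sensor names and the 10.1.1.0/24 DMZ range are assumptions, and the sample alerts are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed syslog-style alert format from the sensors (constructed for this example).
ALERT_RE = re.compile(r'sensor=(?P<sensor>\S+) src=(?P<src>\S+) sig="(?P<sig>[^"]*)"')

# Sensor placement from the post: outside the firewall, inside the DMZ, in the
# secure backend zone. The DMZ address range is an assumption.
DMZ_NET = ip_network("10.1.1.0/24")

# Baseline disposition per sensor zone, as the post describes it.
ZONE_DISPOSITION = {"outside": "log", "dmz": "ticket", "backend": "page"}

# Constructed sample alerts; addresses are documentation ranges, not real hosts.
SAMPLE_ALERTS = """\
2005-02-13T01:02:03 sensor=outside src=198.51.100.7 sig="Worm propagation attempt"
2005-02-13T01:02:09 sensor=outside src=203.0.113.9 sig="HTTP directory traversal"
2005-02-13T01:03:11 sensor=dmz src=203.0.113.9 sig="HTTP directory traversal"
2005-02-13T01:05:40 sensor=dmz src=10.1.1.5 sig="Outbound TFTP from web server"
2005-02-13T01:07:02 sensor=backend src=10.1.1.5 sig="SQL login brute force"
"""

def parse_alert(line):
    """Return the sensor/src/sig fields of one alert line, or None if it does not match."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None

def disposition(alert):
    """Decide what to do with one alert based on which sensor raised it."""
    zone = alert["sensor"]
    base = ZONE_DISPOSITION.get(zone, "ticket")  # unknown sensor: at least a ticket
    # The post's compromise tell: a DMZ sensor seeing one of our own DMZ servers
    # as the *source* of suspicious traffic. Escalate that to a page.
    try:
        if zone == "dmz" and ip_address(alert["src"]) in DMZ_NET:
            return "page"
    except ValueError:  # non-IP source field, fall back to the zone default
        pass
    return base

def triage(text):
    """Count dispositions over a batch of alert lines and collect the ones that page."""
    counts = {"log": 0, "ticket": 0, "page": 0}
    pages = []
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        d = disposition(alert)
        counts[d] += 1
        if d == "page":
            pages.append((alert["sensor"], alert["src"], alert["sig"]))
    return counts, pages
```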