Penetration Testing mailing list archives
RE: [BULK] - Designing Network Security
From: "Arora, Manoj" <marora () torys com>
Date: Fri, 6 Jan 2006 16:33:54 -0500
If I was in your position I would architect two DMZs off a single firewall (HA) and host the Web server in a dedicated DMZ. I would have an IDS/IPS sniffing in both the DMZs (might need a dual license for that). Set up a syslog server outside the DMZ (behind the second firewall if you have two tiers of firewall) with read-only permission, collecting and correlating logs from the servers, firewalls and the IDS (IDS logging can get a little noisy, so it will need to be tuned). If it's logging too much data, set up a scheduled task to split it and zip it on a daily basis.

Some organizations like to have an IDS placed in front of the firewall facing the internet and in the DMZs while some prefer to have it only in the DMZ, but this is a call you need to take. You'll definitely have to harden all your core/critical servers, especially those in the DMZ.

This article might show you the right direction, but you will have to work out the best possible solution for your infrastructure as it's going to be unique in its own way.

http://www.cert.org/security-improvement/practices/p053.html

Good luck!

Manoj Arora
Security Analyst
Torys LLP
marora () torys com

-----Original Message-----
From: kaushik [mailto:kaushik.mamania () dg2l com]
Sent: January 6, 2006 1:44 AM
To: pen-test () securityfocus com
Subject: [BULK] - Designing Network Security

Hello List,

Maybe this is not the right list to post. Since we need to protect ourselves from crackers and malicious traffic, I am taking the liberty to post here.

We need to redesign the network. We need to place a web server, mail server, VOIP server within the DMZ and also put an IDS in place. How should one go about designing the same? We have to concentrate on protecting the Intellectual Property as well since we are an R&D center. Will need some good policies for the same. Can someone direct me to good online resources in the vast sea available?
Warm Regards
Kaushik
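
Added example (not part of the original thread): one way to do the daily split-and-zip task suggested in the reply above, as a POSIX shell function meant to be run from a scheduler on the syslog server. It assumes traditional BSD-style syslog timestamps ("Jan  6 16:33:54 host ..."); the function name, the paths in the comment and the file naming are illustrative assumptions.

```shell
#!/bin/sh
# Added example: split a collected syslog file into one file per day and
# gzip every finished day. Assumes BSD-style timestamps, which carry no
# year, so use one archive directory per year.
#
# split_and_zip LOGFILE OUTDIR TODAY
#   LOGFILE  combined log written by the syslog server
#   OUTDIR   archive directory (created if missing)
#   TODAY    current day as "Mon-DD" (e.g. Jan-06); left uncompressed
#
# Hypothetical cron entry (paths and wrapper script are assumptions):
#   5 0 * * *  LC_ALL=C /usr/local/sbin/split_and_zip.sh
split_and_zip() (
    # Body runs in a subshell so umask and variables stay local.
    logfile=$1 outdir=$2 today=$3
    umask 027                       # archives unreadable to other users
    mkdir -p "$outdir" || exit 1

    # Route each line to OUTDIR/Mon-DD.log. Lines without a valid
    # timestamp go to unparsed.log instead of being dropped silently.
    awk -v dir="$outdir" '
    {
        if ($1 ~ /^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)$/ &&
            $2 ~ /^[0-9][0-9]?$/)
            f = sprintf("%s/%s-%02d.log", dir, $1, $2)
        else
            f = dir "/unparsed.log"
        if (f != cur) { if (cur != "") close(cur); cur = f }
        # Truncate each day file once per run so a rerun does not duplicate.
        if (!(f in seen)) { printf "" > f; close(f); seen[f] = 1 }
        print >> f
    }' "$logfile" || exit 1

    # Compress every completed day; keep today and unparsed.log readable.
    for f in "$outdir"/*.log; do
        [ -e "$f" ] || continue
        case $(basename "$f" .log) in
            "$today"|unparsed) continue ;;
        esac
        gzip -f "$f" || exit 1
    done
)
```

The function only reads LOGFILE; truncating or rotating the live file is left to the syslog daemon's own rotation so no lines are lost while it is being written.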
