We currently have a 3-layer DMZ environment, plus the Inside and Outside. Currently there is a proposal to combine the servers in these 3 DMZ layers into one physical VMware box, and then connect to the 3 layers using 3 separate NICs on the server.
Is this a good architecture from a security perspective? Will this environment be more vulnerable, remain the same, etc. Any detailed thoughts opinions, experience would be much appreciated.
Thanks for the response. Given that we will have the IPS, HIDS, AV, etc., is this better than having 3 separate physical boxes with all the necessary security software?
My concern is that if the underlying VMware or Linux system is compromised, then all servers at all 3 layers may get compromised, whereas if they are separate boxes then the breach can be contained in the layer it happened in.
Any thoughts on that or am I being overly cautious?
>>Is this a good architecture from a security perspective?
Not as good as physical separation;-) The question is whether it's good enough, and that's a decision only you can make. Even if we assume that it is impossible to access other instances (probably pretty naive), you should consider whether there is additional risk due to accidents (vmware misconfiguration, plugging into the wrong port, etc).
But again, you need to really justify the risk vs proper security and how you qualify the possible threats and possible mitigations.
It doesn't mean that the system is 100% secure once you have all those gadgets monitoring/guarding your system. That's why you need to always update the IPS signatures, AV & CSA, review firewall policy, perform penetration tests and so on. As is stressed in the Cisco SAFE Blueprint, security is an ongoing process, not a one-time deployment; it needs constant review & checking.
Separate servers are indeed more secure than consolidating everything into a single box. Any attack can be contained to a single server. But you still have to compare it with your readiness to maintain it.
There is no right or wrong, it's the readiness, how you mitigate all possible threats and how the impact can affect you/your organization.
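The replies above point at two different risks in the one-box design: a hypervisor compromise, which no configuration check can remove, and the accidental kind (a port group placed on the wrong vSwitch, a NIC cabled into the wrong segment, a guest given a vNIC in two tiers). The second kind can at least be audited. The following is an added example, not code from the thread or from VMware: it models a consolidated host as a small inventory (vSwitches, their physical uplinks, port groups with a tier label and VLAN, and VMs with their vNIC attachments) and flags every place where the three tiers stop being separated. The inventory format and the tier names are invented for illustration; a real check would populate the same fields from the hypervisor's management API or CLI.

```python
"""Separation audit for a consolidated DMZ host (one hypervisor, one NIC per tier).

Added example; the inventory schema below is invented, not a VMware API.
"""
from collections import defaultdict


def audit_host(host):
    """Return a sorted list of findings. An empty list means every tier keeps
    its own vSwitch, its own physical uplink, and its own guests."""
    findings = []
    pg_tier = {}                       # port group name -> tier label
    uplink_owner = defaultdict(list)   # physical NIC -> vSwitches that use it

    for sw_name, sw in host["vswitches"].items():
        tiers_on_switch = set()
        for nic in sw["uplinks"]:
            uplink_owner[nic].append(sw_name)
        for pg_name, pg in sw["portgroups"].items():
            pg_tier[pg_name] = pg["tier"]
            tiers_on_switch.add(pg["tier"])
            if pg["vlan"] == 4095:   # "all VLANs" trunk port group
                findings.append(f"{sw_name}/{pg_name}: VLAN 4095 trunks every VLAN to the guest")
            if pg.get("promiscuous"):
                findings.append(f"{sw_name}/{pg_name}: promiscuous mode lets a guest sniff the tier")
        if len(tiers_on_switch) > 1:
            findings.append(f"{sw_name}: tiers {', '.join(sorted(tiers_on_switch))} "
                            "share one vSwitch and its uplinks")

    # One physical NIC feeding two vSwitches joins whatever they carry.
    for nic, switches in uplink_owner.items():
        if len(switches) > 1:
            findings.append(f"{nic}: physical NIC is an uplink for {', '.join(sorted(switches))}")

    # A guest with vNICs in two tiers is a router between them, whatever the firewall says.
    for vm_name, vm in host["vms"].items():
        tiers = {pg_tier.get(pg, "unknown") for pg in vm["nics"]}
        if len(tiers) > 1:
            findings.append(f"{vm_name}: vNICs in {', '.join(sorted(tiers))} bridge tiers inside one guest")
        elif tiers and tiers != {vm["tier"]}:
            findings.append(f"{vm_name}: labelled {vm['tier']} but attached to {next(iter(tiers))}")
    return sorted(findings)


def _pg(tier, vlan, promiscuous=False):
    return {"tier": tier, "vlan": vlan, "promiscuous": promiscuous}


# Constructed inventory: the design the original poster describes, done cleanly.
GOOD_HOST = {
    "vswitches": {
        "vSwitch-dmz1": {"uplinks": ["vmnic1"], "portgroups": {"pg-dmz1": _pg("dmz1", 101)}},
        "vSwitch-dmz2": {"uplinks": ["vmnic2"], "portgroups": {"pg-dmz2": _pg("dmz2", 102)}},
        "vSwitch-dmz3": {"uplinks": ["vmnic3"], "portgroups": {"pg-dmz3": _pg("dmz3", 103)}},
    },
    "vms": {
        "web01": {"tier": "dmz1", "nics": ["pg-dmz1"]},
        "app01": {"tier": "dmz2", "nics": ["pg-dmz2"]},
        "db01":  {"tier": "dmz3", "nics": ["pg-dmz3"]},
    },
}

# Constructed inventory: the same host after a few "accidents" of the kind the thread worries about.
BAD_HOST = {
    "vswitches": {
        "vSwitch-dmz1": {"uplinks": ["vmnic1"],
                         "portgroups": {"pg-dmz1": _pg("dmz1", 101),
                                        "pg-dmz2": _pg("dmz2", 102, promiscuous=True)}},
        "vSwitch-dmz3": {"uplinks": ["vmnic1", "vmnic3"],
                         "portgroups": {"pg-dmz3": _pg("dmz3", 4095)}},
    },
    "vms": {
        "jump01": {"tier": "dmz1", "nics": ["pg-dmz1", "pg-dmz3"]},
        "app01":  {"tier": "dmz2", "nics": ["pg-dmz1"]},
        "db01":   {"tier": "dmz3", "nics": ["pg-dmz3"]},
    },
}


if __name__ == "__main__":
    for name, host in (("good", GOOD_HOST), ("bad", BAD_HOST)):
        print(f"{name}: {len(audit_host(host))} finding(s)")
        for f in audit_host(host):
            print("  -", f)
```

Run against the clean inventory the audit is silent; against the second it reports the shared vSwitch, the shared physical NIC, the trunk port group, the promiscuous port group, the mislabelled guest and the guest that straddles two tiers. None of this addresses the poster's first concern, a compromised hypervisor, which remains a risk acceptance decision rather than a configuration one.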