Defense in Depth

  1. #1
    Senior Member
    Join Date
    Dec 2001
    Posts
    1,193

    Post Defense in Depth

    Let's see how people are handling this challenge.

    All comments welcome on how you did it or plan to.

    Trappedagainbyperfectlogic.

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    Well... let's see... I have designed and worked in so many different environments, I don't know where to start. I guess I will list a typical scenario from the Internet looking in:

    *Cisco 7500 series routers running HSRP with basic ACLs
    *Some type of content switches
    *Redundant Checkpoint firewall pair

    DMZ
    -----------------------------------
    *Cisco 6506 or 6509 switches at layer 3 with VLANs and ACLs
    *Proxy servers (Cacheflow or Netscape)
    *Network IDS sensors (usually Snort)
    *Web and application servers w/HIDS agents
    *Additional Checkpoint firewall failover pair

    LAN
    ----------------------------------
    *Additional NIDS sensors
    *HIDS agents on critical servers
    *DB servers


    I know this is very vague...but it would take me about 2 weeks to explain in detail. Not to mention about 100 pages that nobody would want to read....
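    As an added illustration of the first layer in this design (the "basic ACLs" on the Internet-facing routers), here is a Cisco IOS ingress ACL written for this thread; it is not iNViCTuS's configuration. The public range 203.0.113.0/24 is a documentation prefix, the host addresses and the interface name are placeholders, and the service set (web and mail in the DMZ) is assumed. The defence-in-depth point is that the router ACL is deliberately coarse and stateless: it strips only what should never reach the firewalls, and the redundant Checkpoint pair behind it does the stateful policy.

```cisco
! Added example, not the poster's config. Placeholder addresses (RFC 5737
! documentation range) and a placeholder interface name.
!
! Edge layer: stateless filtering in front of the firewall pair.
ip access-list extended EDGE-IN
 remark --- anti-spoofing: nobody outside may claim our own public range
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark --- private, loopback and link-local sources have no business on the uplink
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 remark --- only the published DMZ services are reachable from outside
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.20 eq 25
 remark --- return traffic for sessions the proxies open outward
 permit tcp any 203.0.113.0 0.0.0.255 established
 remark --- keep path MTU discovery and ping replies working
 permit icmp any 203.0.113.0 0.0.0.255 packet-too-big
 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
 remark --- make the implicit deny explicit so drops are logged
 deny   ip any any log
!
interface Serial1/0
 description Uplink to ISP (placeholder interface name)
 ip access-group EDGE-IN in
 no ip directed-broadcast
 no ip redirects
 no ip unreachables
```

Because the routers run HSRP, the same ACL has to be applied on the uplink of both members of the pair, or a failover silently drops the first layer. The `established` line only checks TCP flags, which is why the stateful inspection is left to the firewall pair one hop in; the `log` keywords on the deny lines are what feed the NIDS sensors and syslog with evidence of spoofing attempts against the edge.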

  3. #3
    Senior Member
    Join Date
    Dec 2001
    Posts
    1,193
    No, actually it's not vague; I'm with you on all of it.

    On the DMZ part, how did you solve the session deaths? Local dirs, sticky, cluster?
    Trappedagainbyperfectlogic.

  4. #4
    Senior Member
    Join Date
    Dec 2001
    Posts
    1,193
    Oh, and did you use Stonebeat or something like that for your CKP failover?
    Trappedagainbyperfectlogic.

  5. #5
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    For active session failover, I have used Stonebeat, yes. I have also tried Nokia's VRRP, and now we are using Cisco ArrowPoint content switches to do the job.

  6. #6
    Senior Member
    Join Date
    Dec 2001
    Posts
    1,193
    Not used but seen the Nokia at the vendor. Seems OK. That content switch sounds like it works on the same principle as local directors/mgmt switches. I haven't used content switches, but it sounds good.

    Sounds like you've got a lot to contribute to this forum iNViCTuS. Well done.

    Trappedagainbyperfectlogic.
