Jan 172011

As the old fashioned firewall concept has morphed into one that is a multi faceted security perimeter, I have developed a series of questions that can uncover the correct answers to you as you continue to refine and define what the security edge should look like for you. Use the reference architecture for this post that I have built that you can find HERE

From an ease of digestion perspective, I am going to release this in two parts since there are 22 questions. As always, if you have questions email me at billm@cioes.org or post a question to my blog below. Thanks, Bill

Reference Architecture Intelligent Perimeters: Edge Sites, Private WAN, Internet, Public WAN, Cloud Access Control.

Sample Technologies covered are: Firewalls, UTM Firewalls, App Proxy, IDP/IDS, DLP Systems, SPAM Filters, Load Balancers, Content Filters

1. Are DMZs deployed for network segmentation for interfacing with Internet customers, and partners?

2. Confidence level of DMZ on a scale of 1-10. (10 is very confident)

3. Has a detailed cable trace been done to validate the DMZ?

4. Preferred Firewall manufacturer?
•Do the firewall rules explicitly deny traffic to and from the DMZ?
•Is the version level current with the offering of the manufacturer?

5. Are services like Ecommerce sites and other systems hosted in the DMZ?
Are there any concerns about architecture?

6. On a scale of 1-10 does your DMZ match the security policy of the organization?

7. Where does standard VPN access terminate? Have they been reviewed?

8. Firewall – Is it a UTM (Unified Threat Mgmt device) providing IPS, Gateway anti-virus, anti-spyware?
If no,
•What is the approach for IPS?
•What is being used for Anti-virus/
•What is the approach used for anti-spyware?

9. Do you have redundancy on the following?
•ISP – inbound
•ISP – outbound
•Load Balancers
•Content Filters

10. Is there a dedicated device for web content filtering?
•For What? Check all that apply? Web, Email, DLP
•Is it AD Aware?

11. How is Anti spam and Phishing handled?

High Availability for CIOs on a Budget

 Comments Off on High Availability for CIOs on a Budget
May 202010

Recently I was involved in helping a client with decisions related to HA on their corporate LAN for systems they wanted about 30 plus thousand users to access in a DMZ. The primary business concern was that if this system failed the board would know very quickly and he just couldn’t afford to have a failure of this sort. He had already addressed the HA of his T1 links with a product from Fatpipe. His primary concern was application load balancing and High Availability to protect against failure of the systems themselves and also to give them the ability to perform maintenances and patching on systems without taking all systems off line or effecting performance due to a decreased ability to serve the user population. The analysis covered low budget options to higher budget options. The 4 considered were:

  1. Native Windows Load Balancing
  2. Sonicwall Firewall Web server load balancing (see pdf attached to this blog)
  3. Coyote Point Systems
  4. Citrix CAG

 As each solution was explored, the client realized that they wanted more and more automation and ease and depth of reporting. Each solution progressively higher price tag and with this one gets more and more automation, reporting, etc. We did leave F5 off since in my opinion they have a ridiculous price point except for the most exotic of requirements.  As the client went through the process of reviewing requirements, they realized that they did in fact want the highest priced solution primarily because their staff was more comfortable with the day to day maintenance of a Citrix solution since they are a Citrix shop. I liked the SonicWALL solution in particular since the new UTM firewall would allow them to forgo yet another edge device, but the reporting is more limited than the dedicated load management products. This is not meant to be an exhaustive review of all options but just to give a busy exec a chance to see options that are available.On a final note the Coyote Point solution has a very appealing Virtual System Load Balancing solution which I think is great. If anyone has questions about more technical details just email me at billm@redzonetech.net.