Thursday, June 17, 2010

HIPS and VPN Concentrator Network Deployment

Q: How do you decide the placement of a Host-Based Intrusion Prevention System and a VPN Concentrator?
What are the criteria for deciding the placement of HIPS and a VPN Concentrator?

A: Hi XXXXX,
Your question generated more questions than answers : )
Here is how I think about where host-based IPS should be:
  • HIPS should be installed on hosts which need IPS (based on risk assessment).
  • HIPS should not be installed on hosts where installing a 3rd-party agent may decrease the reliability of the services on the host system.
  • HIPS should not be installed on hosts where installing a 3rd-party agent may slow down the host system due to extra resource utilization, added latency, etc.
  • HIPS should be installed when it is possible to manage HIPS. In large-scale deployments, remote installation, central management, etc. are usually more important than security.
Here are the important points of VPN Concentrator placement:
  • It is recommended that your VPN concentrator has trusted and untrusted segments (it is also possible to deploy one-arm, single-interface deployments, but for management and audit I do recommend two segments), where the untrusted segment is Internet facing.
  • The untrusted segment should be protected by a firewall (usually in a dedicated DMZ) even if all VPN vendors claim to be very secure. Make sure that the firewall protecting your VPN supports IPsec pass-through (if you are using IPsec).
  • Instead of hooking the trusted (internal) segment into your internal networks, connect your trusted segment back to the firewall so that decrypted traffic is firewalled. If you have an IPS, make sure that the IDS/IPS is inspecting decrypted traffic.
  • Make sure that you have a dedicated management network to manage the VPN concentrator. If you do not have an extra management interface, use the trusted interface for management. Do not allow management over the untrusted interface.
  • Do not deploy NAT before the VPN traffic hits your concentrator; try to use real public IP address(es) on the untrusted/public side of your concentrator, since using private addresses may create configuration nightmares.
  • Check the destination networks for VPN clients or remote VPN sites on your network. Analyze the protocols. Sometimes, based on the nature of the traffic (e.g. complex VoIP), you may need to hook your concentrator directly into your network. Always check reverse routing for VPN networks.
  • Verify IP address assignments for VPN clients; choose a subnet that will not create internal routing problems (e.g. overlapping IP address space, dynamic routing, etc.). If you are dealing with site-to-site VPNs, make sure that you address overlapping IP address spaces.
  • Check the location of authentication servers. The concentrator must be placed in close/redundant proximity to the authentication servers (AD, RADIUS, TACACS, LDAP, etc.). Make sure that communication with the auth servers is not an issue.
  • Verify multiple entry points; if you are deploying concentrators in HA, make sure that failover works properly and that NAT issues and IP address assignments for the different concentrators are configured properly. Also make sure that your access logs can be unified.

Let me know if you have a specific question,
Cheers,
- yinal
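
The answer above tells you to check the VPN client pool and site-to-site subnets for overlapping address space and to verify reverse routing, but does not show how. The following is an added example (not part of the original post or the author's own tooling) that does those checks with Python's standard `ipaddress` module. The routing table, the site subnets, the pool `10.1.50.0/24` and the next-hop name `vpn-firewall` are constructed sample data: internal routers must have a route for the VPN pool whose longest-prefix match points back at the firewall in front of the concentrator's trusted interface, otherwise replies to VPN clients go elsewhere.

```python
"""Address-plan checks for a VPN concentrator deployment (added example).

Given the internal routing table, a proposed VPN client pool and the remote
subnets of site-to-site peers, flag overlapping address space and a missing
or wrong reverse route for the pool. Every prefix, site name and next hop
here is constructed sample data, not taken from the original post.
"""
from ipaddress import ip_network
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# Constructed internal routing table: prefix -> next hop (hypothetical).
INTERNAL_ROUTES: Dict[str, str] = {
    "10.0.0.0/16": "core-router",
    "10.1.0.0/16": "core-router",
    "192.168.0.0/24": "mgmt-switch",
}
# Constructed site-to-site peers: site name -> remote subnet (hypothetical).
REMOTE_SITES: Dict[str, str] = {
    "branch-a": "172.16.10.0/24",
    "branch-b": "10.0.20.0/24",    # collides with the 10.0.0.0/16 campus range
    "branch-c": "172.16.10.0/25",  # collides with branch-a
}
# Device the VPN pool must route back through: the firewall fronting the
# concentrator's trusted interface (hypothetical name).
VPN_RETURN_HOP = "vpn-firewall"


def overlapping_prefixes(candidate: str, prefixes: List[str]) -> List[str]:
    """Every prefix that overlaps `candidate` (either side may contain the other)."""
    c = ip_network(candidate, strict=False)
    return [p for p in prefixes if ip_network(p, strict=False).overlaps(c)]


def site_collisions(sites: Dict[str, str], hq_prefixes: List[str]) -> List[Tuple[str, str]]:
    """Pairs whose subnets overlap: each site against HQ space, then site against site."""
    hits: List[Tuple[str, str]] = []
    for name, subnet in sites.items():
        for hq in overlapping_prefixes(subnet, hq_prefixes):
            hits.append((name, f"hq:{hq}"))
    for (a, sa), (b, sb) in combinations(sites.items(), 2):
        if ip_network(sa, strict=False).overlaps(ip_network(sb, strict=False)):
            hits.append((a, b))
    return hits


def reverse_route_hop(pool: str, routes: Dict[str, str]) -> Optional[str]:
    """Longest-prefix match for `pool`: where internal hosts will send their replies."""
    p = ip_network(pool, strict=False)
    best = None
    for prefix, hop in routes.items():
        n = ip_network(prefix, strict=False)
        if p.subnet_of(n) and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, hop)
    return best[1] if best else None


def check_plan(pool: str, routes: Dict[str, str], sites: Dict[str, str],
               return_hop: str) -> List[str]:
    """Collect every address-plan problem to fix before hooking up the concentrator."""
    problems: List[str] = []
    # Internal prefixes that are not the pool's own route but overlap it.
    others = [p for p, hop in routes.items() if hop != return_hop]
    for p in overlapping_prefixes(pool, others):
        problems.append(f"client pool {pool} overlaps internal prefix {p}")
    hop = reverse_route_hop(pool, routes)
    if hop != return_hop:
        problems.append(f"reverse route for {pool} goes to {hop!r}, expected {return_hop!r}")
    for a, b in site_collisions(sites, list(routes)):
        problems.append(f"site-to-site subnet collision: {a} vs {b}")
    return problems


if __name__ == "__main__":
    # A pool carved out of an existing campus range: overlap plus a wrong reverse route.
    for line in check_plan("10.1.50.0/24", INTERNAL_ROUTES, REMOTE_SITES, VPN_RETURN_HOP):
        print("PROBLEM:", line)
    # Corrected plan: a dedicated pool with its own route back to the VPN firewall.
    fixed_routes = dict(INTERNAL_ROUTES, **{"10.200.0.0/24": VPN_RETURN_HOP})
    fixed_sites = {"branch-a": "172.16.10.0/24", "branch-b": "172.16.20.0/24",
                   "branch-c": "172.16.30.0/24"}
    print("fixed plan problems:", check_plan("10.200.0.0/24", fixed_routes, fixed_sites, VPN_RETURN_HOP))
```

The first run reports four problems: the pool overlaps `10.1.0.0/16`, replies for it would follow that /16 to `core-router` instead of the VPN firewall, `branch-b` collides with HQ space, and `branch-a` collides with `branch-c`. The corrected plan reports none. If a site-to-site peer's subnet genuinely cannot be renumbered, the remaining option is NAT on the tunnel, which this check does not model.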
