Saturday, October 2, 2004

DMZ Security

Fred Avolio has some good pointers
for DMZ security. What he's describing is ingress and egress filtering
for the DMZ.

You want to tune your DMZ IDS the same way. You don't need specialized
rules for MyDoom or SQL exploits if all that's in your DMZ is a web
server. Instead, turn on the signatures for web exploits and create a
signature or two to catch anything not HTTP-based. Come to think of it,
you're also going to see some DNS as the server does name resolution on
your visitors, but unless you're running a DNS server in the DMZ, it
will only be outbound queries.

The point is that you should know what's needed for your DMZ to
function, you should know what "normal" traffic looks like (keep
metrics!), and you should configure your protections accordingly.
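As an added illustration of the two paragraphs above (the "catch anything not HTTP-based" signature and the "know what normal looks like, keep metrics" point), not code from the original post: a small baseline check over constructed flow records for a DMZ whose only host is a web server. The addresses, the resolver and the flow-line format are assumptions made up for the example.

```python
# Added example (not from the original post): baseline check for a DMZ that hosts only a web server.
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed placeholder addresses (RFC 5737 documentation ranges).
DMZ_NET = ip_network("192.0.2.0/24")        # hypothetical DMZ segment
WEB_SERVER = ip_address("192.0.2.10")       # the only host that should exist there
RESOLVER = ip_address("198.51.100.53")      # the resolver the web server is allowed to ask

def parse_flow(line):
    """Parse 'proto src:sport -> dst:dport' into a tuple of typed fields."""
    proto, rest = line.split(None, 1)
    src, dst = (part.strip() for part in rest.split("->"))
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return proto.lower(), ip_address(src_ip), int(sport), ip_address(dst_ip), int(dport)

def classify(flow):
    """Return the baseline category a flow belongs to, or 'unexpected'."""
    proto, src, _sport, dst, dport = flow
    # Visitors reaching the web server: the DMZ's reason to exist.
    if proto == "tcp" and dst == WEB_SERVER and dport in (80, 443) and src not in DMZ_NET:
        return "http-inbound"
    # The web server resolving visitor names: outbound queries only.
    if proto in ("udp", "tcp") and src == WEB_SERVER and dst == RESOLVER and dport == 53:
        return "dns-outbound"
    return "unexpected"

def audit(lines):
    """Keep per-category metrics and list every flow outside the baseline."""
    metrics, alerts = Counter(), []
    for line in lines:
        flow = parse_flow(line)
        category = classify(flow)
        metrics[category] += 1
        if category == "unexpected":
            alerts.append(line)
    return metrics, alerts

# Constructed sample flows: two normal ones, then three that should alert.
SAMPLE_FLOWS = [
    "tcp 203.0.113.5:51234 -> 192.0.2.10:443",   # visitor HTTPS
    "udp 192.0.2.10:40021 -> 198.51.100.53:53",  # web server resolving a visitor
    "udp 203.0.113.9:4444 -> 192.0.2.10:53",     # inbound DNS: no DNS server lives here
    "tcp 192.0.2.10:39000 -> 203.0.113.7:25",    # outbound SMTP from the web server
    "tcp 203.0.113.8:3333 -> 192.0.2.10:1433",   # SQL port on a box that runs no SQL
]
```

Running `audit(SAMPLE_FLOWS)` yields the per-category counts that make up your "normal" metrics and the three flows that fall outside the baseline, which is exactly what the catch-all signature should fire on.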

