Security Appliance Placement


Selecting effective controls means choosing the type and placement of security controls so that they meet the goals of the CIA triad (confidentiality, integrity, availability) and satisfy any applicable framework requirements.

  • aim is to:
    • enforce segmentation
    • apply access controls
    • monitor traffic for policy violations
  • governed by the principle of defense in depth
    • means that security-critical zones are protected by diverse preventive, detective, and corrective controls operating at each layer of the OSI model
    • ensured through device placement within the network topology
    • three classes of control, distinguished by where they sit in the topology:
      • preventive controls
        • usually placed at the border of a network segment or zone
        • enforce security policy on traffic entering and exiting the segment (ingress and egress)
          • protect the confidentiality and integrity of the zone
        • a load balancer at the border also protects availability of access to the zone
      • detective controls
        • may be placed inside the perimeter to monitor traffic exchanged between hosts within the segment
        • alert on malicious traffic that has evaded the perimeter controls; on their own they do not block it
      • corrective controls
        • placed in the traffic path so that they can act on detected errors or irregularities (for example, a load balancer absorbing a denial of service attempt against the zone)
    • preventative, detective, and corrective controls
      • may be installed on hosts as a layer of endpoint protection in addition to the network infrastructure controls

Placement of Security Controls for Defense in Depth

  1. At the network border, a preventive control such as a firewall enforces access rules for ingress and egress traffic.
  2. A sensor placed behind the border firewall relays traffic to an intrusion detection system, implementing a detective control that identifies malicious traffic the firewall allowed through. A passive sensor receives a copy of the traffic from a tap or mirror port and can only alert; only an intrusion prevention system that is meant to block must sit truly inline.
  3. Access control lists configured on internal routers enforce rules for traffic being forwarded between internal zones and hosts.
  4. Incoming traffic for public-facing servers can be mediated by a load balancer, providing a corrective control to mitigate denial of service attacks.
  5. Sensors attached to mirrored switch ports enable intrusion detection for the most sensitive, highest-privilege hosts or zones, covering east-west traffic that never passes the border sensor.
  6. On each host, endpoint protection software applies a range of preventive, detective, and corrective controls to mitigate threats that have evaded network controls. Endpoint software can implement host firewalls, anti-virus, intrusion detection, and data loss prevention.
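The six placement points above can be walked as a single path, which makes it concrete which layer catches which kind of traffic. The following is an added example, not code from the original page: a small Python model in which each control is a function that returns a decision, and a flow is evaluated in placement order (border firewall, sensor behind it, load balancer, internal router ACL, mirrored-port sensor, host firewall). The address plan (10.0.1.0/24 DMZ, 10.0.2.0/24 internal, 10.0.3.0/24 sensitive), the jump host 10.0.2.10, the port allow lists and the two IDS signatures are all constructed for illustration.

```python
"""Added example (not from the original page): a model of the six placement
points, to show which control catches which traffic. Addresses, ports, zones
and signatures are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes = b""

# Constructed address plan: three internal zones; everything else is "internet".
ZONES = {"dmz": ip_network("10.0.1.0/24"),
         "internal": ip_network("10.0.2.0/24"),
         "sensitive": ip_network("10.0.3.0/24")}

def zone_of(addr: str) -> str:
    a = ip_address(addr)
    return next((name for name, net in ZONES.items() if a in net), "internet")

# 1. Border firewall (preventive): allow list of (src zone, dst zone, dst port),
#    default deny. Applies only to flows that actually cross the border.
BORDER_ALLOW = {("internet", "dmz", 443), ("dmz", "internet", 443),
                ("internal", "internet", 443)}

def border_firewall(f: Flow):
    sz, dz = zone_of(f.src), zone_of(f.dst)
    if "internet" not in (sz, dz):
        return None  # never traverses the border
    return "allow" if (sz, dz, f.dport) in BORDER_ALLOW else "deny"

# 2./5. IDS sensor (detective): payload signature match; it alerts, never blocks.
SIGNATURES = {b"' OR 1=1": "sqli-attempt", b"/etc/passwd": "path-traversal"}

def ids_sensor(f: Flow):
    return [name for sig, name in SIGNATURES.items() if sig in f.payload]

# 3. Internal router ACL (preventive): forwarding between internal zones only.
#    The DMZ may reach the internal DB port; only the jump host 10.0.2.10 may
#    reach the sensitive zone, and only over SSH.
def internal_acl(f: Flow):
    sz, dz = zone_of(f.src), zone_of(f.dst)
    if sz == dz or "internet" in (sz, dz):
        return None  # not forwarded between internal zones
    if (sz, dz, f.dport) == ("dmz", "internal", 5432):
        return "allow"
    if dz == "sensitive" and f.src == "10.0.2.10" and f.dport == 22:
        return "allow"
    return "deny"

# 4. Load balancer in front of the DMZ (corrective): caps flows per source so
#    one client cannot exhaust the public-facing servers.
class LoadBalancer:
    def __init__(self, limit: int = 3):
        self.limit, self.seen = limit, Counter()

    def admit(self, f: Flow):
        if zone_of(f.dst) != "dmz":
            return None
        self.seen[f.src] += 1
        return "allow" if self.seen[f.src] <= self.limit else "drop"

# 6. Host firewall (preventive, on the endpoint): listening ports per host.
HOST_PORTS = {"10.0.1.5": {443}, "10.0.2.20": {5432}, "10.0.3.7": {22}}

def host_firewall(f: Flow):
    return "allow" if f.dport in HOST_PORTS.get(f.dst, set()) else "deny"

def evaluate(f: Flow, lb: LoadBalancer):
    """Walk one flow through the controls in placement order.
    Returns (decision trail, verdict, IDS alerts)."""
    trail, alerts = [], []

    def blocked(name, decision):
        trail.append((name, decision))
        return decision in ("deny", "drop")

    d = border_firewall(f)
    if d is not None:
        if blocked("border_firewall", d):
            return trail, "blocked", alerts
        alerts += ids_sensor(f)  # sensor behind the firewall sees what it let through
    d = lb.admit(f)
    if d is not None and blocked("load_balancer", d):
        return trail, "blocked", alerts
    d = internal_acl(f)
    if d is not None:
        if blocked("internal_acl", d):
            return trail, "blocked", alerts
        if zone_of(f.dst) == "sensitive":
            alerts += ids_sensor(f)  # mirrored-port sensor on the sensitive zone switch
    if blocked("host_firewall", host_firewall(f)):
        return trail, "blocked", alerts
    return trail, "delivered", alerts

if __name__ == "__main__":
    lb = LoadBalancer()
    for flow in (Flow("203.0.113.9", "10.0.1.5", 443, b"GET /?id=1' OR 1=1"),
                 Flow("10.0.1.5", "10.0.3.7", 22),
                 Flow("10.0.2.10", "10.0.3.7", 22, b"cat /etc/passwd"),
                 Flow("10.0.2.10", "10.0.2.20", 22)):
        print(flow.src, "->", flow.dst, flow.dport, evaluate(flow, lb))
```

Two results are worth noticing. A SQL injection attempt on the public web server passes the border firewall (port 443 is allowed) and is only caught by the detective sensor behind it; a probe from the jump host to the sensitive zone passes the internal ACL and is seen only by the mirrored-port sensor, which the border sensor never observes. Traffic between two hosts in the same zone reaches no network control at all, so the host firewall on the endpoint is the only layer left to stop it.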