Software-defined Protection - page 31

ENTERPRISE SECURITY BLUEPRINT
CONTROL LAYER
In this example, hosts on the Internal Servers segment carry software security controls such as firewall, anti-malware, full disk encryption and centralized logging. Mobile devices have firewall, encryption, logging and VPN controls. A VPN trusted channel connects mobile devices to the enterprise over the Internet (see Appendix - Design Pattern: Mobile).

The Internet-facing security gateway implements the most extensive set of controls because the differential between the security profiles of the publicly accessible Internet and the organizational perimeter is the largest. This robust design includes (1) Inbound Access Control: firewall, IPS and DDoS protection; (2) Pre-infection Threat Prevention: anti-malware; (3) Post-infection Threat Prevention: anti-bot; (4) Outbound Access Control: application control and URL filtering; (5) Data Protection: Data Loss Prevention (DLP) and VPN. For the internal servers, the virtual systems are populated only with Inbound Access Control and Threat Prevention (firewall and IPS) because the differential between security profiles is smaller.

All enforcement points in this example also implement event logging for pervasive monitoring.
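As an added illustration (not code from the paper), the following Python derives each enforcement point's control set from the security-profile differential between the two segments it separates, and audits the blueprint's invariant that every enforcement point logs. The numeric profile levels, the tier thresholds and the list of enforcement points are assumptions constructed for the example; the paper only ranks segments qualitatively.

```python
"""Added example (not from the paper): derive the control set for each
enforcement point from the security-profile differential between the two
segments it separates, and audit that every point logs."""

# Assumption: numeric security-profile levels per segment. The paper ranks
# segments qualitatively; these numbers only encode "more trusted than".
SEGMENT_PROFILE = {
    "Internet": 0,
    "DMZ": 3,
    "LAN": 3,
    "Departmental Servers": 3,
    "Internal Servers": 4,
    "Sensitive Servers": 5,
}

# Control families grouped the way the page groups them.
INBOUND_ACCESS_CONTROL = frozenset({"firewall", "IPS", "DDoS protection"})
PRE_INFECTION_THREAT_PREVENTION = frozenset({"anti-malware"})
POST_INFECTION_THREAT_PREVENTION = frozenset({"anti-bot"})
OUTBOUND_ACCESS_CONTROL = frozenset({"application control", "URL filtering"})
DATA_PROTECTION = frozenset({"DLP", "VPN"})
LOGGING = frozenset({"event logging"})

# Assumption: tier thresholds. The page states only that the Internet-facing
# gateway gets the most extensive set and the internal virtual systems get
# firewall and IPS; the cut-off values below are illustrative.
FULL_SET_THRESHOLD = 3
BASIC_SET_THRESHOLD = 1


def profile_differential(seg_a: str, seg_b: str) -> int:
    """Absolute gap between the two segments' security profiles."""
    return abs(SEGMENT_PROFILE[seg_a] - SEGMENT_PROFILE[seg_b])


def controls_for(seg_a: str, seg_b: str) -> frozenset:
    """Controls an enforcement point between seg_a and seg_b should carry.

    Logging is unconditional (pervasive monitoring); the remaining families
    are added as the differential grows.
    """
    diff = profile_differential(seg_a, seg_b)
    controls = set(LOGGING)
    if diff >= BASIC_SET_THRESHOLD:
        # Inbound Access Control and Threat Prevention: firewall and IPS.
        controls |= {"firewall", "IPS"}
    if diff >= FULL_SET_THRESHOLD:
        controls |= (INBOUND_ACCESS_CONTROL | PRE_INFECTION_THREAT_PREVENTION
                     | POST_INFECTION_THREAT_PREVENTION | OUTBOUND_ACCESS_CONTROL
                     | DATA_PROTECTION)
    return frozenset(controls)


def plan(enforcement_points):
    """Map each (segment, segment) enforcement point to its control set."""
    return {pair: controls_for(*pair) for pair in enforcement_points}


def audit(control_plan):
    """Return (enforcement point, finding) pairs that break the blueprint's
    invariants: no event logging, or a profile boundary with no firewall."""
    findings = []
    for (seg_a, seg_b), controls in control_plan.items():
        if not LOGGING <= controls:
            findings.append(((seg_a, seg_b), "missing event logging"))
        if (profile_differential(seg_a, seg_b) >= BASIC_SET_THRESHOLD
                and "firewall" not in controls):
            findings.append(((seg_a, seg_b), "no firewall across a profile boundary"))
    return findings


# Constructed enforcement points loosely following the topology of Figure 2-d.
ENFORCEMENT_POINTS = [
    ("Internet", "DMZ"),
    ("Internet", "LAN"),
    ("LAN", "Internal Servers"),
    ("LAN", "Sensitive Servers"),
    ("Internal Servers", "Sensitive Servers"),
]

if __name__ == "__main__":
    derived = plan(ENFORCEMENT_POINTS)
    for pair, controls in derived.items():
        print(f"{pair[0]} <-> {pair[1]} (differential {profile_differential(*pair)}):",
              sorted(controls))
    print("audit findings:", audit(derived))
```

The audit is the useful part in practice: a plan derived by `plan()` always passes, but a hand-edited plan that drops logging from one gateway is flagged, which is the kind of drift a control-layer review should catch.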
Figure 2-d: Applying security controls at enforcement points. [Figure: segments Internet, DMZ, Departmental Servers, MPLS, LAN, Internal Servers and Sensitive Servers, separated by a Security Gateway and a Virtualized Security Gateway, each enforcement point marked LOG; legend: Logging, Pre-infection Threat Prevention, Post-infection Threat Prevention, Inbound Access Control, Outbound Access Control, Data Protection.]