You, the security administrator at Certkiller Inc, are working on design alternatives for the network. Which two are design alternatives in the SAFE SMR midsize network design corporate Internet module? (Choose two)
A. A design alternative is to set up a small filtering router between the management stations and the rest of the network.
B. A design alternative is to eliminate HIDS.
C. A design alternative is to place a URL filtering server on the public services segment.
D. A design alternative is to eliminate the router between the firewall and the campus module.
Explanation:
Alternatives
This module has several alternative designs. Rather than implementing basic filtering on the edge router to the medium network, a network administrator may choose to implement a stateful firewall on this device as well. Having two stateful firewalls provides more of a defense-in-depth approach to security within the module.

Depending on the network administrator's attitude toward attack awareness, a NIDS appliance might be required in front of the firewall. With the appropriate basic filters, the IDS outside the firewall can provide important alarm information that would otherwise be dropped by the firewall. Because the number of alarms generated on this segment is probably large, alarms generated here should have a lower severity than alarms generated behind a firewall. Also, consider logging alarms from this segment to a separate management station to ensure that legitimate alarms from other segments get the appropriate attention. With the visibility that a NIDS outside the firewall provides, you can better evaluate the types of attacks your organization is attracting. In addition, the effectiveness of ISP and enterprise edge filters can be evaluated.

Two other alternatives are available. The first is the elimination of the router between the firewall and the campus module. Although its functions can be integrated into the campus module Layer 3 switch, this setup would eliminate the ability of the corporate Internet module to function without relying on Layer 3 services from another area of the network. The second is the addition of content inspection beyond the mail-content inspection already specified. For example, a URL filtering server could be placed on the public services segment to filter the types of Web pages that employees can access.
Reference:
SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks