Shulou(Shulou.com)06/01 Report--

Deployment of firewalls, waf, ips, and ddos

Online copy back and forth, the original and actual cases are not many. I wrote down a few experiences about the deployment of my company.

1. Firewalls should be isolated and set up firewalls in all areas: Internet access area, production area, management area and pre-production area. Transparent mode is better.

The deployment of 2.waf can use bypass mode at the beginning of construction, and then use serial connection. Reverse proxy mode is generally not selected. Because there are load balancer servers in the backend, there will be reverse proxies, and it is troublesome to involve domain names. Deal with it separately.

3.ips can take

4. In addition, there is the problem of access order. Waf access is close to the web server. Ensure that all traffic to the web passes through the waf. Ddos is deployed at the front end, and if it is connected to the firewall, the firewall will be killed if the traffic is large. So the general order is ddos "ips" firewall. If you keep * * out, the firewall does not need to deal with * packets and improve performance.

5. Because all the serial bridge devices are used, in the deployment, the most important thing is that the core switch must have, and the following network segments must be connected to the core switch. If not, it will not be able to fully cover the whole network. For example, if there are two core switches, two bridges are needed. However, if there is no direct connection to the incoming routing device, it can lead to nowhere to deploy.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.