How to design enterprise internet interfaces ?
The question seems to have very straight forward answer. Access routers, firewalls, security proxies, and optional intrusion detection systems (IDS) or intrusion prevention systems (IPS) and DMZ … That’s enough? For a small to medium size enterprise, maybe yes. However, for a MNC with tens of offices worldwide, the thing becomes much more complicated.
Generally speaking, almost every security manager or IT manager agree that Internet interfaces are one of most important security threat sources. Every Internet interface means money to protect them. In the orther hand, in CIO’s notebook, there has always been one strategy to make use of cheap and reliable Internet when possible. Local Internet access means lower WAN cost.
That’s something complex that need your balancing between security risk and protection cost and WAN cost. See diagram. A easy answer you’d better permit Internet for most of sites where the Internet is cheap and reliable, while choose different security safeguards at the Internet border and VPN borders. Back to your real world, that’s up to you, my friend.
If you can read Chinese, please read my presentation on CCClub gathering at April 18, Beijing. The pdf file at: http://www.i170.com/Attach/77911E9B-C5C2-40AA-AFCB-A51655D82DDB