Positioning Engines

The Engine is a perimeter defense, positioned between networks with different security levels.

Engines generally control traffic between:

  • External networks (the Internet) and your internal networks.
  • External networks (the Internet) and DMZ (demilitarized zone) networks.
  • Between internal networks (including DMZs).

Engines separate the different networks by enforcing rules that control access from one network to another.

Figure: The Engine in different types of network segments

Not all organizations necessarily have all types of networks that are shown here. One Engine can cover all enforcement points simultaneously if it is practical in the network environment and compatible with the organization’s security requirements.

In a multi-layer deployment, an Engine can have both layer 2 physical interfaces and layer 3 physical interfaces. Layer 2 interfaces on Engines allow the Engine to provide the same kind of traffic inspection that is supported on IPS engines and Layer 2 Engines.

Figure: The Engine in a multi-layer deployment

  1. Traffic inspection only
  2. Routed traffic and traffic inspection
  3. Layer 3 physical interface. These interfaces can route traffic.
  4. Layer 2 physical interface of the inline IPS interface or inline Layer 2 Engine interface type. These interfaces cannot route traffic; they can only provide traffic inspection.
  5. Layer 2 physical interface of the capture interface type. These interfaces cannot route traffic; they can only provide traffic inspection.
  6. DMZ network
  7. Department A internal network
  8. Department B internal network
  9. Internal network
  10. External networks