Network Security Zones


Network segmentation is a means of enforcing a security zone by separating a segment of the network from the rest of the network so that it cannot be accessed directly.

  • done at layers 2 and 3
  • applied using
    • VLANs
    • subnets
  • each segment is a separate broadcast domain
  • traffic between segments must be routed

A zone is a security term for the main unit of a logically segmented network.

  • area of the network where the security configuration is the same for all hosts within it
  • all hosts have the same level of trust
  • network traffic between zones should be restricted by policies and rules
    • enforced by a security device
  • trust depends on the extent to which a zone is managed and monitored
    • zone with highly trusted hosts
      • hosts have a minimal attack surface
        • permitted traffic is strictly defined
        • extensive security controls are in place
    • zone with low trust hosts
      • may expose a large attack surface
        • hosts need to establish diverse connections with other zones of different trust levels

Example

General security zones as a basis for security policies and rules:

  • Private server administrative networks
    • Devices are subject to strict hardening and configuration management policies
    • Hosts, user accounts, and traffic in the zone are continually monitored to ensure compliance with security policies
  • Private client network
    • devices subject to security policies and monitoring
    • the diverse range of technology and the permission to use public networks make this zone less than fully trusted
  • Guest
    • unmanaged devices are allowed to connect
    • subject to some restrictions and monitoring
    • typically untrusted and not allowed access to trusted networks
  • Public server network
    • devices are fully managed
    • but accept connections from unmanaged public clients
    • hosts are partially trusted
  • Public
    • zone is unmanaged and untrusted
  • Zones with different trust levels and security rules are typically configured to protect the integrity and confidentiality of different asset groups
    • e.g., servers storing financial records can be placed in their own VLAN and marketing servers in another VLAN
    • a remote access trojan (RAT) should not spread from one VLAN to the other without passing through a firewall
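The following is an added example (not part of the original notes) that models the zone rules above in code: hosts are mapped to zones by subnet, traffic inside one segment is switched without ever reaching a policy device, and traffic between segments is routed and must match an explicit firewall rule or be denied. The zone names, subnets, trust levels and rules are constructed assumptions.

```python
import ipaddress

# Constructed zones: each zone is one VLAN/subnet (its own broadcast domain)
# with a trust level from 0 (unmanaged, untrusted) to 3 (fully managed).
ZONES = {
    "server-admin":      ("10.10.0.0/24", 3),      # private server admin network
    "finance-servers":   ("10.20.0.0/24", 3),      # financial records VLAN
    "marketing-servers": ("10.30.0.0/24", 2),      # marketing VLAN
    "client":            ("10.40.0.0/24", 2),      # private client network
    "guest":             ("192.168.100.0/24", 0),  # unmanaged devices
}

# Explicit inter-zone policy enforced by the security device between segments.
# Entries are (src_zone, dst_zone, protocol, dst_port); anything else is denied.
RULES = {
    ("client", "finance-servers", "tcp", 443),
    ("client", "marketing-servers", "tcp", 443),
    ("server-admin", "finance-servers", "tcp", 22),
    ("server-admin", "marketing-servers", "tcp", 22),
}


def zone_of(ip: str) -> str:
    """Return the zone whose subnet contains ip; raise if the host is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, (cidr, _trust) in ZONES.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    raise ValueError(f"{ip} belongs to no defined zone")


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int) -> tuple:
    """Decide whether a flow is forwarded and whether it crossed a zone boundary."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        # Same broadcast domain: switched at layer 2, the firewall never sees it,
        # so no inter-zone rule applies (this is why a RAT spreads freely inside a VLAN).
        return ("intra-zone", True)
    # Different segments: traffic is routed and hits the policy device.
    return ("inter-zone", (src, dst, proto, port) in RULES)


def rules_from_lower_trust() -> set:
    """Rules letting a lower-trust zone initiate into a higher-trust zone (worth auditing)."""
    return {r for r in RULES if ZONES[r[0]][1] < ZONES[r[1]][1]}
```

Running evaluate("10.20.0.5", "10.30.0.9", "tcp", 445) returns ("inter-zone", False): a host in the finance VLAN cannot reach a marketing server over SMB because no rule permits it, whereas the same port between two finance hosts is forwarded without any policy check.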