Security Zones: Definition & Purpose | Study.com
Mục Lục
Security Layers
A network can have multiple security zones with several layers of security in each zone. The security levels are dependent on the data that needs to be protected. Critical data will have the highest levels of security features with the most restrictions. The main objectives of security zones are to protect the network, detect intruders, contain attacks, and prevent these interferences from reaching the internal network. Even with security zones in place on the network, each zone must still be able to maintain a level of communication. The systems and components on a network, regardless of the security zone they fall under, still share resources on the network, such as system logging, system audits, and access controls.
Within each security zone, there is a layer of trust or a trust zone that allows for the sharing of resources and communication between a higher level security zone and a lower level security zone. Take, for example, a web server that must be able to communicate with the application servers in order to ensure the data is published for users. In turn, the application servers must be able to communicate with the database servers in order to retrieve the necessary data. Even though each server is in a different security zone with different levels of security features, there is a trust zone in place that allows for the shared resources between each server.
Types of Security Zones
Before implementing security zones, you have to identify what you want to protect on your network. From there you can start establishing the different security zones. Let’s discuss some of the security zones that can be established.
Uncontrolled Zone
The uncontrolled zone is public domain, such as the internet. It cannot be controlled by an internal organization and so this zone is deemed as un-trusted because it can be considered as a major security risk due to the limited controls that can be put into place in this type of zone.
Controlled Zone
The controlled zone might be an organization’s intranet network or a demilitarized zone (DMZ). A DMZ is a sub-network of an organization’s network. It can be physical or logical. A DMZ allows access to an un-trusted zone, such as the internet, but cannot reach back to the internal network system. An intranet is the internal network of an organization that is secured behind one or more firewalls and has a medium level of restrictions with certain controls in place to monitor network traffic. For example, a user might not be able to access a certain website from their normal workstation that is connected to the intranet. However, they may be able to access the website on a DMZ system, due to the lower level of restrictions.
Restricted Zone
The restricted zone is a highly controlled zone that must not have any type of access to an un-trusted zone. This zone can have mission-critical data and systems operating on it. This zone will have the highest level of security features and strict firewall rules in place to control all incoming and outgoing traffic.
Establishing Security Zones
When establishing security zones on a network, there are several factors that should be considered. These factors include identifying requirements, mapping communication patterns, creating an IP address schema for the enterprise, identifying network segmentation, identifying control points, and implementing access controls.
An enterprise organization must define what data and systems they want to cluster together, from the most critical data and system to the least critical data. After the clusters are defined, they organize and establish the communication guide between each zone. This can be determined by the requirements and is critical to ensure the success of the security zone communications.
Now the organization needs to establish an IP address schema. This will help with access controls and will be used for auditing, logging, firewall rules, access control lists (ACL) for routers, and will help define the security policies that will need to be implemented for each zone.
Network segmentation is the next step. Though it may seem similar to security zones, it is completely different and works in conjunction with creating security zones. Network segmentation is the physical or logical isolation of one or more layers within a security zone. Once these segments have been identified, you can begin to identify your control point for each zone. This step is also where you identify supplementary controls such as features for monitoring and alerts for traffic.
The last step is implanting access controls. There are two types of access controls, active and passive. Active controls are actively blocking unwanted traffic, while passive controls are just monitoring the traffic.
Lesson Summary
In this lesson, we defined security zones and their importance in an organization’s network. We also discussed types of security zones, uncontrolled, controlled, and restricted. We defined a DMZ and an intranet on an organizations network. Last, we discussed factors to consider when establishing security zones.