Friday, February 19, 2016

Networking security zones

One security best practice is to build segregation into your network design: placing each server in a defined network section so that traffic between sections can be controlled. Most people understand the DMZ principle and apply it when creating an architecture for deploying new servers and services into a network. Having a DMZ is indeed good practice; however, you can build upon this principle.

Having an enterprise-wide definition of network zoning is good practice, even though people will have different opinions about the setup and, on a case-by-case basis, you can create different "blueprints". The zoning model for network segregation below is an example of how this can be done. As stated, it is not "the" model, rather a possible model which can give you some guidance in creating your own zoning model applicable to your enterprise situation.


The following zones are defined:

Un-trusted zone:
The un-trusted zone can hold systems that connect to "unknown" parties in an uncontrolled area. As an example, the un-trusted zone can hold systems that are connected to the public internet. The un-trusted zone cannot hold data and can only hold stateless systems. Systems in the un-trusted zone can connect (in a controlled manner) to systems in the semi-trusted zone directly.

Semi-trusted zone:
The semi-trusted zone can hold systems that connect to "unknown" parties in a controlled area. As an example, the semi-trusted zone can hold systems that connect to a customer network or a third-party network. The semi-trusted zone cannot hold data and can only hold stateless systems. Systems in the semi-trusted zone can connect (in a controlled manner) to systems in the trusted zone directly.

Trusted zone:
The trusted zone can hold systems that connect to the semi-trusted zone and is generally used for hosting databases and data-storage applications. As an example, the trusted zone can hold a database which supports applications in the semi-trusted zone. Systems in the trusted zone can connect (in a controlled manner) to systems in the fully trusted zone directly.

Fully trusted zone:
The fully trusted zone holds generic systems that are used for management, support and control. As an example, Oracle Enterprise Manager will be hosted in the trusted zone.
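The zone descriptions above amount to a small set of rules that a design can be checked against: each zone may connect directly only to the next more-trusted zone, and the two outer zones hold stateless systems only. The script below is an added example (not from the original post) that encodes those rules as a validator for a proposed set of systems and flows. The zone names follow the post; the `System`/`Flow` types, the sample design and the handling of same-zone and downward flows are my own assumptions.

```python
"""Validator for the four-zone model described in the post (added example).

Rules encoded, as read from the zone descriptions:
  * a system may connect directly only to the next more-trusted zone
    (un-trusted -> semi-trusted -> trusted -> fully trusted); a flow that
    skips a zone must be relayed through the zone in between
  * the un-trusted and semi-trusted zones are stateless: no data stores
Assumptions not stated in the post: flows inside one zone are allowed,
and flows towards a less-trusted zone are reported as needing an
explicit exception rather than silently accepted.
"""
from dataclasses import dataclass

# Zone names in order of increasing trust; the list index is the trust level.
ZONES = ["untrusted", "semi-trusted", "trusted", "fully-trusted"]
LEVEL = {name: i for i, name in enumerate(ZONES)}
STATELESS_ONLY = {"untrusted", "semi-trusted"}   # no data at rest in these zones


@dataclass(frozen=True)
class System:
    name: str
    zone: str
    holds_data: bool = False   # databases, file stores, persistent queues


@dataclass(frozen=True)
class Flow:
    src: str    # name of the initiating system
    dst: str    # name of the system being connected to
    port: int


def check_placement(system: System) -> list[str]:
    """Return violations for where a system is placed (empty list if fine)."""
    if system.zone not in LEVEL:
        return [f"{system.name}: unknown zone {system.zone!r}"]
    if system.holds_data and system.zone in STATELESS_ONLY:
        return [f"{system.name}: holds data but {system.zone} must stay stateless"]
    return []


def check_flow(flow: Flow, systems: dict[str, System]) -> list[str]:
    """Return violations for one proposed connection (empty list if fine)."""
    src, dst = systems.get(flow.src), systems.get(flow.dst)
    if src is None or dst is None:
        return [f"{flow.src}->{flow.dst}: references an unknown system"]
    s, d = LEVEL[src.zone], LEVEL[dst.zone]
    if d == s + 1 or d == s:       # one step towards more trust, or same zone (assumed ok)
        return []
    if d > s + 1:                  # skips at least one zone
        via = ZONES[s + 1]
        return [f"{flow.src}->{flow.dst}:{flow.port}: {src.zone} may not reach "
                f"{dst.zone} directly; relay through the {via} zone"]
    return [f"{flow.src}->{flow.dst}:{flow.port}: flow from {src.zone} down to "
            f"{dst.zone} is not covered by the model; needs an explicit exception"]


def validate(systems: list[System], flows: list[Flow]) -> list[str]:
    """Run placement checks, then flow checks, and return every violation."""
    by_name = {s.name: s for s in systems}
    problems: list[str] = []
    for s in systems:
        problems += check_placement(s)
    for f in flows:
        problems += check_flow(f, by_name)
    return problems


# Constructed sample design: a web front end, an app tier, two data stores
# and a management host. Two deliberate mistakes are included.
SAMPLE_SYSTEMS = [
    System("web-proxy", "untrusted"),
    System("app-server", "semi-trusted"),
    System("cache-db", "semi-trusted", holds_data=True),   # mistake: data in a stateless zone
    System("orders-db", "trusted", holds_data=True),
    System("mgmt-host", "fully-trusted"),
]
SAMPLE_FLOWS = [
    Flow("web-proxy", "app-server", 8443),   # ok: untrusted -> semi-trusted
    Flow("app-server", "orders-db", 1521),   # ok: semi-trusted -> trusted
    Flow("web-proxy", "orders-db", 1521),    # mistake: skips the semi-trusted zone
    Flow("mgmt-host", "orders-db", 22),      # downward flow: flagged for an exception
]

if __name__ == "__main__":
    for problem in validate(SAMPLE_SYSTEMS, SAMPLE_FLOWS):
        print(problem)
```

Running it on the constructed design reports three findings: the cache placed in the stateless semi-trusted zone, the proxy-to-database flow that bypasses the semi-trusted zone, and the management host reaching down into the trusted zone. The last one is the kind of flow that exists in every real environment; making it an explicit, reviewed exception rather than an implicit allowance is the point of writing the zoning rules down.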
