Well-designed networks group systems into network segments based upon their security level. In this video, learn about common security zones found on enterprise networks.
- [Instructor] Well designed networks group systems into network segments based upon their security level. Let's talk about some of the more common security zones. We'll begin with a network border firewall. Typical border firewalls have three network interfaces because they connect three different security zones together. One interface connects to the internet or another un-trusted network, this is the interface between the protected networks and the outside world.
Generally speaking firewalls allow many different kinds of connections out to this network when initiated by a system on a more trusted network but they block most inbound connection attempts from the internet, allowing only those that meet the organization's security policy. A second interface connects to the organization's intranet. This is the internal network where most systems reside. This intranet zone maybe further sub divided into segments for end point systems, wireless networks, guest networks, data center networks, and other business needs.
The firewall maybe configured to control access between those subnets or the organization may use additional firewalls to segment those networks. Then a third interface connects to the DMZ network. Short for demilitarized zone, the DMZ is a network where you can place systems that must accept connections from the outside world, such as a mail server or a web server. Those systems are placed in a separate security zone because they have a higher risk of compromise.
If an attacker compromises a DMZ system the firewall still blocks them from breaching the intranet. There are also three special purpose networks that we should discuss. Extranets are special intranet segments that are accessible by outside parties. For example if you need to allow vendors to access you ERP system you might have them use a VPN to connect to an extranet that allows the limited access that they need as business partners.
Honey nets are decoy networks designed to attract attackers, they appear to be lucrative targets but in reality don't contain any sensitive information and aren't connected to any other systems on the network. Security teams use honey nets to identify potential attackers, study their behavior, and block them from affecting legitimate systems. And finally ad hoc networks spring up whenever someone sets up a wired or wireless network outside of your standard security design.
These networks are often planned to be temporary in nature but sometimes last for longer than intended. Ad hoc networks may present a security risk especially if they are inter connected with other networks that lack strong security controls. For example, an employee who sets up a wireless point without using encryption and then connects it to the intranet, may inadvertently expose sensitive information to eavesdropping and create a potential path for an attacker to enter the organizations network.
As a security professional you should understand the security zones used in your organization's network and consult with engineering teams on the proper placement of devices and security zones and the design of controls for each zone.
Instructor Mike Chapple has designed the training around the most recent version of CompTIA Security+, SY0-501, which expands coverage of mobile and cloud technologies. By learning about the topics in this course, you'll be prepared to answer questions from the latest exam—and strengthen your own organization's systems and defenses. To join one of Mike's free study groups, visit certmike.com.
We are a CompTIA Content Publishing Partner. As such, we are able to offer CompTIA exam vouchers at a 10% discount. For more information on how to obtain this discount, please download these PDF instructions.
- Developing security baselines
- Leveraging standards
- Delivering and measuring user training
- Designing a secure network
- Designing secure systems, from the OS to peripherals
- Secure staging and deployment
- Securing smart devices and embedded systems
- Developing secure software
- Cloud computing and virtualization
- Securing hardware, facilities, data centers, and other physical risks