Our organizational IT environments are constantly changing, driven by factors such as telecommuting, cloud technologies, and BYOD (Bring Your Own Device) policies. This requires modular and dynamic architectures that allow flexibility while still maintaining a strong security posture. One of the most foundational ways to accomplish this is through the use of network security zones, which we'll take a look at in this blog post. We'll cover common security zone types, along with zone filtering policy considerations for each.

Network Security Zones

A security zone is a portion of a network with a specific set of security requirements. Each zone consists of a single interface or a group of interfaces to which one security policy is applied. Zones are typically separated by a layer 3 device such as a firewall. In the broadest sense, a firewall monitors traffic destined to and originating from a network, and either allows or denies it based on a predetermined set of rules called an access control list, or ACL for short. Although there are many different types of firewalls, a firewall must have the following properties:
The number of zones we can create on a firewall depends on the number of interfaces available. Generally speaking, a standard firewall implementation separates trusted traffic from untrusted traffic, which creates two basic security zones, known as inside and outside.

The inside, or trusted, zone is also referred to as the private zone. As the name implies, this zone contains assets and systems that should not be reachable by anyone outside the organization: user workstations, printers, non-public servers, and anything else considered an internal resource. Devices in this zone are normally assigned private (RFC 1918) addresses.

The outside, or untrusted, zone is also known as the public zone. It is outside the control of the organization and can be thought of as simply the public internet.

The third basic security zone is the DMZ, or demilitarized zone. Resources in the DMZ must be reachable from the outside zone, so it is common to see public-facing servers here, such as email, web, or application servers. Placing them in the DMZ allows public access to these services without exposing the private inside zone: if a DMZ host is compromised, the firewall policy still stands between it and internal resources.

Zone Filtering Policies

In the case of network security zones, the firewall enforces the access control policy, determining which traffic is allowed to pass between the configured zones. With this common three-zone implementation, there are several recommended zone filtering policies that should be in place:
All the best,
Charles Judd - Instructor
CCNA Security, CCNA R/S, BS Network Security

How does a DMZ work?

A DMZ functions as a buffer zone between the public internet and the private network. In a dual-firewall design the DMZ subnet sits between an external and an internal firewall; in the single-firewall design described above it is a third interface on the same device. Either way, all inbound packets are screened by a firewall or other security appliance before they reach the servers hosted in the DMZ, and traffic from the DMZ toward the private network is filtered separately.
Which of the following best describes a DMZ?

A DMZ, or demilitarized zone (sometimes referred to as a perimeter network), is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger, untrusted network, usually the Internet.
What are the vulnerabilities of a DMZ?

Remote access technologies such as VPN or RDP have become common targets of cyberattacks. Web or email servers that are not sufficiently hardened can let attackers move laterally through the DMZ and, if the DMZ-to-inside policy is too permissive, eventually into the protected network.
Which network services are commonly placed in a DMZ?

Resources commonly placed in the DMZ include web servers, mail servers, FTP servers, and VoIP servers.
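The three-zone filtering policy discussed in the post above, and the DMZ-to-inside lateral movement risk raised in the previous answer, can be made concrete with a small policy evaluator. The following Python is an added example, not code from the original post or from any firewall product: the zone names, address ranges, rule set, and sample packets are all assumptions constructed for illustration, and the ACL encodes one conventional set of three-zone policies (inside may reach anything, the public may reach only published DMZ ports, the DMZ may not initiate connections inward, everything unmatched is dropped) rather than the post's own list.

```python
"""Zone-based firewall policy evaluator (added example, not part of the original post).

Models the three-zone design described above: inside (private), outside (public
internet) and a DMZ, each bound to one or more address ranges. An ordered ACL is
evaluated first-match, and anything that matches no rule is dropped (default deny).
The zone names, address ranges, rule set and sample packets are assumptions
constructed for this example, not configuration from any real network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Interface-to-zone binding (constructed). The outside zone is the catch-all;
# the most specific matching range decides the zone, so 10/8 beats 0/0.
ZONES = {
    "inside": [ip_network("10.0.0.0/8")],       # RFC 1918 space for workstations/servers
    "dmz": [ip_network("192.0.2.0/24")],        # documentation range standing in for the DMZ subnet
    "outside": [ip_network("0.0.0.0/0")],       # everything else is the untrusted internet
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str                        # "tcp", "udp" or "any"
    dst_ports: Optional[FrozenSet[int]]  # None means any destination port
    action: str                       # "allow" or "deny"
    comment: str


def ports(*p: int) -> FrozenSet[int]:
    return frozenset(p)


# Conventional three-zone policy, assumed for this example. Order matters: first match wins.
ACL: List[Rule] = [
    Rule("inside", "outside", "any", None, "allow", "users may reach the internet"),
    Rule("inside", "dmz", "any", None, "allow", "internal users may reach DMZ services"),
    Rule("outside", "dmz", "tcp", ports(25, 80, 443), "allow", "public may reach mail/web only"),
    Rule("dmz", "inside", "any", None, "deny", "a compromised DMZ host must not pivot inward"),
    Rule("dmz", "outside", "tcp", ports(25, 53), "allow", "DMZ may send outbound mail and DNS only"),
    Rule("outside", "inside", "any", None, "deny", "no inbound connections to the private zone"),
]


def zone_of(addr: str) -> str:
    """Map an address to its zone; the longest matching prefix wins."""
    ip = ip_address(addr)
    best: Optional[Tuple[str, int]] = None
    for name, nets in ZONES.items():
        for net in nets:
            if ip in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    if best is None:
        raise ValueError(f"{addr} matches no zone")
    return best[0]


def evaluate(src: str, dst: str, proto: str, dst_port: int) -> Tuple[str, str]:
    """Return (action, reason) for one packet. Unmatched inter-zone traffic is denied."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        # Same-zone traffic never crosses the firewall, so the zone policy does not see it.
        return ("allow", f"intra-zone {src_zone}: not inspected by the zone policy")
    for rule in ACL:
        if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
            continue
        if rule.proto != "any" and rule.proto != proto:
            continue
        if rule.dst_ports is not None and dst_port not in rule.dst_ports:
            continue
        return (rule.action, rule.comment)
    return ("deny", f"implicit deny: no rule for {src_zone} -> {dst_zone}")


# Constructed sample packets: (src, dst, proto, dst_port).
SAMPLE_PACKETS = [
    ("10.0.5.23", "203.0.113.9", "tcp", 443),    # workstation browsing the internet
    ("203.0.113.9", "192.0.2.10", "tcp", 443),   # internet client to the DMZ web server
    ("203.0.113.9", "192.0.2.10", "tcp", 22),    # internet client trying SSH to the DMZ
    ("203.0.113.9", "10.0.5.23", "tcp", 3389),   # internet client trying RDP into the inside zone
    ("192.0.2.10", "10.0.0.5", "tcp", 445),      # compromised DMZ web server pivoting to inside SMB
    ("192.0.2.10", "198.51.100.2", "tcp", 25),   # DMZ mail server delivering outbound mail
]


def audit(packets=SAMPLE_PACKETS) -> List[Tuple[Tuple[str, str, str, int], str, str]]:
    """Evaluate every packet and return (packet, action, reason) triples."""
    return [(pkt, *evaluate(*pkt)) for pkt in packets]


if __name__ == "__main__":
    for pkt, action, reason in audit():
        print(f"{action:5}  {pkt[0]:>14} -> {pkt[1]:<14} {pkt[2]}/{pkt[3]:<5}  {reason}")
```

Two points are worth checking when you adapt this to a real firewall: the DMZ-to-inside deny sits above any broader allow, so a compromised web server cannot reach internal SMB or RDP even though inside hosts can reach the DMZ; and the implicit deny at the end means a DMZ host attempting an unlisted outbound connection (for example, a reverse shell on port 80) is dropped rather than silently permitted.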