Network Architecture

Information Security Professiona
When reading this post, have in your mind an image of a real-world, bricks-and-mortar bank branch.  The people who handle loan applications are in one area, usually out on the floor.  The folks who handle money—the tellers—are behind some sort of barrier.  (Admittedly, in many cases it is nothing more than a counter, which easily can be vaulted.  Still, there is some form of separation.)  And the “big money” is locked safely in a vault.  Network architecture attempts to accomplish this same type of segregation in the online world.

Bringing the discussion back to intranets, you may have heard terms like “subnets” or even “DMZs.”  Networks are divided into multiple security zones, called subnetworks or subnets.  Each zone should have a similar security posture: data classification (e.g., public or confidential), need-to-know, and departmental use.  Many corporations today employ a three-tiered architecture.  Serving as the first line of defense is the perimeter firewall.  It separates the corporation from the wilds of the Internet.  As such, it is configured to allow only the specific traffic that the devices just behind it—the hardware that runs Internet-facing applications, such as the servers which relay email to the outside world, your organization’s web pages, and customer applications—are “expecting.”  This zone sometimes is referred to as an outer DMZ, described in more detail below.  The servers hosting these applications are called bastion hosts because they have been hardened, or locked down, by removing or disabling unnecessary services, applications, and user accounts, and by installing the latest software patches.

Host hardening is something end users should take to heart.  However, I will talk about that in a future post.  

Despite your firewall team’s best efforts, this first layer can be breached.  As such, there needs to be some type of barrier between it and your corporation’s inner sanctum, which hosts the applications that allow your business to function.  The examples are countless, but would include human resources files, proprietary data, as well as general business information which can be (more or less) shared freely within the organization, but should not leave the confines of the corporate intranet. 
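To make the two-barrier design above concrete, here is an added example (not from the original post) that models a perimeter firewall in front of an outer DMZ and an inner firewall in front of the corporate zone, each with an allow-list and an implicit default deny. The zone address ranges, the hosts and the ports are constructed for illustration; the `perimeter_leaks` audit flags any perimeter rule that would let the Internet bypass the DMZ and speak directly to the inner zone.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the post's tiers (assumed for illustration, not from the page).
ZONES = {
    "outer_dmz": ip_network("203.0.113.0/24"),  # bastion hosts: mail relay, web server
    "inner": ip_network("10.10.0.0/16"),        # HR files, databases, intranet apps
}

@dataclass(frozen=True)
class Rule:
    src: str     # source zone
    dst: str     # destination zone
    port: int    # destination TCP port
    action: str  # "allow" or "deny"; anything unmatched is denied

# Perimeter firewall: admit only the traffic the bastion hosts are "expecting".
PERIMETER = [
    Rule("internet", "outer_dmz", 25, "allow"),   # SMTP to the mail relay
    Rule("internet", "outer_dmz", 443, "allow"),  # HTTPS to the web/customer apps
]
# Inner firewall: DMZ hosts reach only the back ends they need, nothing else.
INNER = [
    Rule("outer_dmz", "inner", 5432, "allow"),    # web tier to its database
    Rule("inner", "outer_dmz", 25, "allow"),      # internal mail out through the relay
]

def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside corporate ranges is the Internet."""
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "internet")

def decide(rules, src: str, dst: str, port: int) -> str:
    """First-match evaluation with an implicit default deny."""
    for r in rules:
        if (r.src, r.dst, r.port) == (src, dst, port):
            return r.action
    return "deny"

def permitted(src_ip: str, dst_ip: str, port: int) -> bool:
    """A flow must be allowed by every firewall on its path between zones."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    path = [fw for fw, zone in ((PERIMETER, "internet"), (INNER, "inner")) if zone in (src, dst)]
    return all(decide(fw, src, dst, port) == "allow" for fw in path)

def perimeter_leaks(rules) -> list:
    """Audit: allow rules that would let the Internet talk straight to the inner zone."""
    return [r for r in rules if (r.src, r.dst, r.action) == ("internet", "inner", "allow")]
```

A flow from the Internet to an inner host has to clear both rule sets, so even a mistaken inner-firewall rule cannot expose the inner zone on its own; the audit catches the opposite mistake, an over-permissive perimeter rule.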

Next time: the DMZ
