Network Architecture
Bringing the discussion back to intranets, you may have heard terms like “subnets” or even “DMZs.” Networks are divided into multiple security zones, called subnetworks or subnets. Each zone should have a similar security posture: data classification (e.g., public or confidential), need-to-know, and departmental use. Many corporations today employ a three-tiered architecture. Serving as the first line of defense is the perimeter firewall. It separates the corporation from the wilds of the Internet. As such, it is configured to allow specific traffic that the devices just behind it—the hardware that runs Internet-facing applications, such as the servers which relay email to the outside world, your organization’s web pages, and customer applications—are “expecting.” This zone sometimes is referred to as an outer DMZ, described in more detail below. The servers hosting these applications are called bastion hosts because they have been hardened, or locked down, by removing or disabling unnecessary services, applications, and user accounts, and installing the latest software patches
Host hardening is something end users should take to heart. However, I will talk about that in a future post.
Despite your firewall team’s best efforts, this first layer can be breached. As such, there needs to be some type of barrier between it and your corporation’s inner sanctum, which hosts the applications that allow your business to function. The examples are countless, but would include human resources files, proprietary data, as well as general business information which can be (more or less) shared freely within the organization, but should not leave the confines of the corporate intranet.
Next time: the DMZ
|