Security Zoning in Network Architecture
Many organizations struggle to implement the secured Network Architecture that can optimize the Network Security. Organizations usually spend a lot of time, effort, and money deploying the latest and greatest tools without ever addressing the fundamental problem of adequate network security design. This post will give you an approach to design the secured Network architecture to avoid the flaws in the designing of Network Infrastructure.
One of the biggest challenge while implementing the Network architecture is to identify the critical assets, where to locate these assets in the network, building and maintaining security around them. This should always be the priority while implementing any architecture. A Network architecture must identify the organization’s most valuable data and build layers of defense around it to protect its CIA. After identifying and classifying its most critical data, the network architecture needs to build an infrastructure keeping security in mind to protect and monitor the systems that store, process, and transmit the critical data.
Dr. Eric Cole, famous personality in Information Security field, once said: “prevention is ideal but detection is must”. That means we can not protect what we cannot see and to increase visibility in the areas of the network that are critical to the organization it is important to segment the network into security zones. It is the crucial to understand why the network should be segmented into different security zones. Let’s say if the network architecture consists of only one-zone in which the critical data servers, web servers, application servers, workstations etc. are there. In this scenario, there is a single point of entrance, in which security controls are implemented, to access everything inside the organization and if the attacker bypass that single point entrance then the attacker can access the whole network. But if the network is segmented, security controls can be distributed across different security zones which can significantly reduce the risk of compromising the network, increase the network visibility and reduce the attack surface. Each zone inside the network has different security requirement depending on the systems hosted within.
As per the SANS, Below listed are common security zones which should be implemented while building the Enterprise Network Architecture.
- Internet Zone — No Trust
- External DMZ — Low Trust
- Enterprise Zone — Medium Trust
- Extranet Zone — Medium Trust
- Internal DMZ — High Trust
- Management Zone — Highest Trust
- Restricted Zone — Highest Trust
Internet Zone — Internet Zone includes internet, ISPs. It is least trust zone as it contains the threat actors.
External DMZ — The External DMZ zone is the public facing zone that requires exposure to the Internet. It usually contains the web servers, DNS Server, FTP Servers, Web Proxy Servers, E-mail Gateways. This zone proxies access between systems in the Enterprise Zone and the Internet i.e. all traffic should be funneled through the External DMZ to reach the Internet. The systems deployed in this zone should be tightly controlled and hardened to reduce the attack surface.
Enterprise Zone — This Zone contains all the end users working inside the Enterprise. Endpoint protection is critical control in this zone to protect the end users.
Extranet Zone — This zone connects the Enterprise Network with the highly trusted 3rd party business partners, who can access the Enterprise Zone. Though the traffic between the Extranet Zone and Enterprise Zone is filtered and monitored at the zone’s perimeter to allow only business approved traffic to enter and leave the zone. The systems inside this zone are out of the control of the Enterprise and not follow organization’s security policies.
Internal DMZ — Internal DMZ acts as a mediator between Enterprise/Extranet Zone and the Restricted Zone. It usually contains the Internal application servers. So, all the end users must authenticate themselves in this zone before accessing the Restricted Zone.
Restricted Zone — The Restricted zone is the most critical zone for any organization as it contains all the confidential and sensitive data which are accessible to only a few privileged users. That is why it needs the highest level security at its perimeter. It contains all the database servers.
Management Zone — This Zone has all the administrative and monitoring systems (performance servers, configuration management servers, log management servers) controlled by the Network administrators, Database administrators, System administrator. The Users of Management Zone have higher privileges to access all the other zones in an Enterprise. This zone needs the highest level of security as needed by the Restricted zone. So, the communication between the Management Zones and the Internet should be restricted to only those destinations, ports, and protocols required to download patches or software upgrades.
Note: There can be multiple security zones of one type.
I tried to build a Network Architecture (In Microsoft VISIO) for small businesses.
This Network diagram has Untrusted Zone (Internet), Demilitarized Zone (DMZ), Management Zone, Restricted Zone (Database servers) and Workstation Zone. The Untrusted Zone is directly connected to the Edge Router which is connected to the perimeter firewall (Packet Filtering Firewall) and Network-based Intrusion Detection System (NIDS) before the DMZ zone is also implemented. DMZ Zone consists of Web Servers (HTTPS configured), DNS Servers, Proxy Server and FTP servers. The Workstation Zone consists of the Employees and the HRs and their network is separately secured by implementing different VLANs. Only IT Employees can assess the Restricted Zone i.e. Database servers by going through a Packet Filtering Firewall and a NIDS which is checking any intrusion activity by the User before providing Authorization of Restricted Zone. On the other side, the Management Zone has Management Server, Database Server, and Console which is logging all the logs. The management must pass through NIDS and the packet filtering firewall to access the Restricted Zone. This architecture has also a VPN (Virtual Private Network) support to give access to the Remote users through VPN Tunnel which makes the connection secure and TLS is also enabled on that. VPN users can access directly to the VPN servers and Web servers but they cannot access the Restricted Zone Servers remotely and for that, they must be on the office premises. Also, all the outbound traffic passes through the proxy server which can also filter the malicious traffic from the insiders. Overall, it is a well-secured network as per my understanding.
References:
[1] “Logical Security Zone Pattern,” http://www.securearc.com/wiki/index.php/Logical_Security_Zone_Pattern