From the course: CompTIA Security+ (SY0-601) Cert Prep: 8 Network Security Design and Implementation

Security zones

- [Narrator] Well-designed networks use firewalls to group systems into network segments based upon their security level. Let's talk about some of the more common security zones, and we're going to begin with the network border firewall. Typical border firewalls have three network interfaces because they connect three different security zones together. One interface connects to the internet or another untrusted network. This is the interface between the protected networks and the outside world. Generally speaking, firewalls allow many different kinds of connections out to this network when initiated by a system on more trusted networks, but they block most inbound connection attempts, allowing only those that meet the organization's security policy. A second network interface connects to the organization's intranet. This is the internal network where most systems reside. This intranet zone may be further subdivided into segments for endpoint systems, wireless networks, guest networks, data center networks, and other business needs. The firewall may be configured to control access between those subnets, or the organization may use additional firewalls to segment those networks. The third network interface on the firewall connects to the DMZ. Short for demilitarized zone, the DMZ is a network where you can place systems that must accept connections from the outside world, such as mail and web servers. Those systems are placed in a separate security zone because they have a higher risk of compromise. If an attacker compromises a DMZ system, the firewall still blocks them from reaching the intranet, because the DMZ is only permitted to initiate the specific connections the policy grants it. This approach is also known as a screened subnet. Network designs using this philosophy often created an implicit trust in systems based upon their network security zone. This approach is now going out of style in favor of a security philosophy known as zero trust. Under the zero trust approach, systems do not gain privileges based solely upon their network location.
There are also three special-purpose networks that you need to know about. Extranets are special intranet segments that are accessible by outside parties. For example, if you need to allow vendors to access your ERP system, you might have them use a VPN to connect to an extranet that allows the limited intranet access that they need as business partners. Honeynets are decoy networks designed to attract attackers. They appear to be lucrative targets, but, in reality, they don't contain any sensitive information or resources. Security teams use honeynets to identify potential attackers, study their behavior, and block them from affecting legitimate systems. Ad hoc networks spring up whenever someone sets up a wired or wireless network outside of your standard security design. Now, these networks are often planned to be temporary in nature, but they sometimes last longer than was intended. Ad hoc networks may present a security risk, especially if they are interconnected with other networks but don't have strong security controls. For example, an employee who sets up a wireless access point without using encryption and then connects it to the intranet may inadvertently expose sensitive information to eavesdropping and create a potential path for an attacker to enter the organization's network. Now, there are two last terms that you'll need to know when you take the exam. Networking professionals often refer to the type of traffic on a network using terms derived from compass directions. Network traffic between systems inside a data center is called east-west traffic, while traffic between systems in a data center and systems located on the internet is called north-south traffic. Either type of traffic may be regulated by a firewall if it crosses security zones; traffic that stays within a single zone never reaches the border firewall and can only be filtered by an internal one.
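The three-zone border firewall described above, together with the east-west versus north-south distinction, can be modeled as a small stateful policy engine. The following is an added example, not code from the course or from any firewall vendor. The address plan (10.0.0.0/8 for the intranet, 192.168.100.0/24 for the DMZ, everything else treated as internet), the allow rules and the sample flows are all constructed assumptions chosen to illustrate the zone model: the intranet may initiate connections outward, the internet may reach only the published DMZ services, and a compromised DMZ host cannot initiate connections into the intranet.

```python
"""Model of a three-interface border firewall with internet, intranet and DMZ zones.

Constructed example for illustration. The address ranges, ports and rule table
are assumptions, not a real organization's policy.
"""
import ipaddress
from dataclasses import dataclass

# Assumed address plan: intranet and DMZ are private ranges; anything else is untrusted.
ZONE_NETS = {
    "intranet": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
}


def zone_of(ip: str) -> str:
    """Map an address to its security zone; addresses outside the plan are 'internet'."""
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONE_NETS.items():
        if addr in net:
            return zone
    return "internet"


@dataclass(frozen=True)
class Flow:
    """The first packet of a connection. The firewall is stateful: only the
    initiating direction is policy-checked, replies ride the established session."""
    src: str
    dst: str
    proto: str
    dport: int


# Inter-zone allow list, first match wins. Any zone pair/port not listed is dropped
# (default deny). Each entry: (src_zone, dst_zone, proto, dport or None for any port).
ALLOW = [
    ("intranet", "internet", "tcp", None),      # trusted users may initiate most outbound sessions
    ("intranet", "internet", "udp", 53),
    ("internet", "dmz", "tcp", 25),             # published mail relay
    ("internet", "dmz", "tcp", 443),            # published web server
    ("intranet", "dmz", "tcp", 22),             # administrators manage DMZ hosts
    ("intranet", "dmz", "tcp", 443),
    ("dmz", "internet", "tcp", 25),             # relay delivers outbound mail
    ("dmz", "internet", "udp", 53),
    # Deliberately absent: ("dmz", "intranet", ...). A compromised DMZ host must not pivot inward.
]


def direction(src_zone: str, dst_zone: str) -> str:
    """Compass terminology: anything touching the internet is north-south, the rest east-west."""
    return "north-south" if "internet" in (src_zone, dst_zone) else "east-west"


def evaluate(flow: Flow) -> dict:
    """Classify a connection attempt and return the border firewall's verdict."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    result = {"src_zone": src_zone, "dst_zone": dst_zone,
              "direction": direction(src_zone, dst_zone)}
    if src_zone == dst_zone:
        # Same segment: the packet never crosses the border firewall. Only an internal
        # firewall between subnets could regulate this east-west traffic.
        result["verdict"] = "not-filtered"
        return result
    for s, d, proto, port in ALLOW:
        if (s, d, proto) == (src_zone, dst_zone, flow.proto) and port in (None, flow.dport):
            result["verdict"] = "accept"
            return result
    result["verdict"] = "drop"
    return result


# Constructed sample connection attempts (documentation ranges for the internet side).
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "203.0.113.10", "tcp", 443),       # workstation browsing out
    Flow("198.51.100.7", "10.1.2.3", "tcp", 445),       # unsolicited inbound to the intranet
    Flow("198.51.100.7", "192.168.100.25", "tcp", 25),  # inbound mail to the DMZ relay
    Flow("192.168.100.25", "10.1.2.3", "tcp", 445),     # compromised DMZ host trying to pivot
    Flow("10.1.2.3", "10.1.2.4", "tcp", 3389),          # peer traffic inside the intranet
]


def verdicts() -> list:
    """Verdicts for SAMPLE_FLOWS in order."""
    return [evaluate(f)["verdict"] for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        r = evaluate(f)
        print(f"{f.src:>16} -> {f.dst:<16} {f.proto}/{f.dport:<5} "
              f"{r['src_zone']:>8} -> {r['dst_zone']:<8} {r['direction']:<12} {r['verdict']}")
```

Running the block prints one line per sample flow: the outbound web session and the inbound mail delivery are accepted, the inbound attempt against an intranet host and the DMZ-to-intranet pivot are dropped, and the intranet-to-intranet session is reported as not filtered because it never reaches the border firewall. Note that the pivot attempt is classed as east-west even though it is blocked: direction describes where the traffic flows, not whether the firewall permits it.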