Wednesday, May 12, 2010

Demilitarized zone (DMZ)



A demilitarized zone (DMZ) is an area where you can place a public server for access by people you might not trust otherwise. By isolating a server in a DMZ, you can hide or remove access to other areas of your network. You can still access the server using your network, but others aren't able to access further network resources. This can be accomplished using firewalls to isolate your network.

When establishing a DMZ, you assume that the person accessing the resource isn't necessarily someone you would trust with other information. Figure 1.13 shows a server placed in a DMZ. Notice that the rest of the network isn't visible to external users. This lowers the threat of intrusion in the internal network.

The easiest way to create a DMZ is to use a firewall that can transmit in three directions: to the internal network, to the external world (Internet), and to the public information you're sharing (the DMZ). From there, you can decide what traffic goes where; for example, HTTP traffic would be sent to the DMZ, and e-mail would go to the internal network.

Tip: Anytime you want to separate public information from private information, a DMZ is an acceptable option.
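As an added example (not part of the original post), here is a small Python policy model of the three-direction decision that firewall makes, using the zones and the HTTP-to-DMZ, e-mail-to-internal split described above; the zone names, rule table and port numbers are assumptions, and `audit` is the defender's check that no rule lets a DMZ host initiate a connection inward.

```python
"""Policy model of the three-direction firewall the text describes: one firewall
with legs into the internet, the DMZ and the internal network. Rules are
evaluated first-match; a flow matching no rule is dropped (default deny)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str   # "tcp" or "udp"
    dport: int

# (src_zone, dst_zone, proto, dport, action); "*" matches anything. Constructed rule table.
RULES = [
    ("internet", "dmz", "tcp", 80, "accept"),       # public web server lives in the DMZ
    ("internet", "dmz", "tcp", 443, "accept"),
    ("internet", "internal", "tcp", 25, "accept"),  # e-mail goes to the internal network, per the text
    ("internal", "dmz", "*", "*", "accept"),        # staff still reach the server from inside
    ("internal", "internet", "*", "*", "accept"),   # outbound browsing
    ("dmz", "internal", "*", "*", "drop"),          # explicit: a compromised DMZ host must not get inside
]

def _matches(rule, flow):
    src, dst, proto, dport, _ = rule
    return (src == flow.src_zone and dst == flow.dst_zone
            and proto in ("*", flow.proto) and dport in ("*", flow.dport))

def decide(flow, rules=RULES):
    """Return 'accept' or 'drop' for a new connection attempt crossing zones."""
    for rule in rules:
        if _matches(rule, flow):
            return rule[4]
    return "drop"   # default deny covers e.g. internet -> internal on any other port

def audit(rules=RULES):
    """Defender's check: rules that let the DMZ initiate into the internal zone.
    The isolation the text relies on only holds while this returns []."""
    return [r for r in rules if r[:2] == ("dmz", "internal") and r[4] == "accept"]

if __name__ == "__main__":
    for f in (Flow("internet", "dmz", "tcp", 80), Flow("internet", "internal", "tcp", 80),
              Flow("dmz", "internal", "tcp", 445), Flow("internal", "dmz", "tcp", 22)):
        print(f, "->", decide(f))
    print("rules breaking DMZ isolation:", audit())
```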


Security Zones: Extranet



Extranets extend intranets to include outside connections to partners. The partners can be vendors, suppliers, or similar parties who need access to your data for legitimate reasons. An extranet allows you to connect to a partner via a private network or a connection using a secure communications channel across the Internet. Extranet connections involve connections between trustworthy organizations.

An extranet is illustrated in the figure above. Note that this network provides a connection between the two organizations. The connection may be through the Internet; if so, these networks would use a tunneling protocol to accomplish a secure connection.

Security Zones: Intranet



Intranets are private networks implemented and maintained by an individual company or organization. You can think of an intranet as an Internet that doesn't leave your company; it's internal to the company, and access is limited to systems within the intranet. Intranets use the same technologies used by the Internet. They can be connected to the Internet but can't be accessed by users who aren't authorized to be part of them; in place of the Internet's anonymous users, an intranet has only authorized users. Access to the intranet is granted to trusted users inside the corporate network or to users in remote locations.

Security Zones: The Internet


The Internet is a global network that connects computers and individual networks together. It can be used by anybody who has access to an Internet portal or an Internet service provider (ISP). In this environment, you should have a low level of trust in the people who use the Internet. You must always assume that the people visiting your website may have bad intentions; they may want to buy your product, hire your firm, or bring your servers to a screaming halt. Externally, you have no way of knowing until you monitor their actions. Because the Internet involves such a high level of anonymity, you must always safeguard your data with the utmost precautions.
Figure 1.10 illustrates an Internet network and its connections.

Security Zones

Over time, networks can become complex beasts. What may have started as a handful of computers sharing resources can quickly grow to something resembling an electrician's nightmare. The networks may even appear to have lives of their own. It's common for a network to have connections among departments, companies, countries, and public access using private communication paths and through the Internet.

Not everyone in a network needs access to all the assets in the network. The term security zone describes design methods that isolate systems from other systems or networks.

You can isolate networks from each other using hardware and software. A router is a good example of a hardware solution: You can configure some machines on the network to be in a certain address range and others to be in a different address range. This separation makes the two networks invisible to each other unless a router connects them. Some of the newer data switches also allow you to partition networks into smaller networks or private zones.

When discussing security zones in a network, it's helpful to think of them as rooms.

You may have some rooms in your house or office that anyone can enter. For other rooms, access is limited to specific individuals for specific purposes. Establishing security zones is a similar process in a network: Security zones allow you to isolate systems from unauthorized users. Here are the four most common security zones you'll encounter:

  • Internet
  • Intranet
  • Extranet
  • Demilitarized zone (DMZ)

The next few posts identify the topologies used to create security zones to provide security. The Internet has become a boon to individuals and to businesses, but it creates a challenge for security. By implementing intranets, extranets, and DMZs, you can create a reasonably secure environment for your organization.

Accountability: A real story…


Accountability, like common sense, applies to every aspect of information technology.
Several years ago, a company that relied on data that could never be re-created wrote shell scripts to do backups early in the morning when the hosts were less busy. Operators at those machines were told to insert a tape in the drive around midnight and check back at 3:00 a.m. to make certain that a piece of paper had been printed on the printer, signaling the end of the job. If the paper was there, they were to remove the tapes and put them in storage; if the paper was not there, they were to call for support.
The inevitable hard drive crash occurred on one of the hosts one morning, and an IT "specialist" was dispatched to swap it out. The technician changed the hard drive and then asked for the most recent backup tape. To his dismay, the data on the tape was two years old. The machine crash occurred before the backup operation ran, he reasoned, but the odds of rotating two years' worth of tapes were pretty amazing. Undaunted, he asked for the tape from the day before, and found that the data on it was also two years old.
Beginning to sweat, he found the late shift operator for that host and asked her if she was making backups. She assured him that she was and that she was rotating the tapes and putting them away as soon as the paper printed out. Questioning her further on how the data could be so old, she said she could verify her story because she also kept the pieces of paper that appeared on the printer each day. She brought out the stack and handed them to him. They all reported the same thing—tape in drive is write protected.
Where did the accountability lie in this true story? The operator was faithfully following the procedures given to her. She thought the fact that the tape was protected represented a good thing. It turned out that all the hosts had been printing the same message, and none of them had been backed up for a long while.
The problem lay not with the operator, but with the training she was given. Had she been shown what correct and incorrect backup completion reports looked like, the data would never have been lost.
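As an added illustration (not from the original post), the following Python wrapper shows what the missing safeguards in this story look like in code: it test-writes the medium before touching any data, prints a report whose first line is an unambiguous verdict rather than a bare error, and gives the next shift a check that accepts only a fresh "BACKUP OK" slip. The file names, report wording and directory-as-tape setup are constructed for the example.

```python
"""Backup wrapper whose completion slip cannot be mistaken for success: the medium
is test-written before data is touched, every report opens with a verdict, and the
next shift verifies that verdict and its age. Constructed; a directory is the 'tape'."""
import datetime, os, shutil, tempfile

def _report(ok, detail):
    verdict = "BACKUP OK" if ok else "BACKUP FAILED - CALL SUPPORT"
    stamp = datetime.datetime.now(datetime.timezone.utc).isoformat()
    return f"{verdict}\n{stamp}\n{detail}\n"

def run_backup(source_files, tape_dir):
    """Copy source_files onto tape_dir. Returns (ok, report_text)."""
    probe = os.path.join(tape_dir, ".write-probe")
    try:                                   # prove the medium is writable first
        with open(probe, "w") as fh:
            fh.write("probe")
        os.remove(probe)
    except OSError as exc:
        return False, _report(False, f"tape in drive is not writable: {exc.strerror}")
    copied = []
    for path in source_files:
        try:
            shutil.copy2(path, tape_dir)
        except OSError as exc:
            return False, _report(False, f"copy failed at {path}: {exc.strerror}")
        copied.append(os.path.basename(path))
    return True, _report(True, f"{len(copied)} file(s) written: {', '.join(copied)}")

def verify_report(report_text, max_age_hours=24):
    """What the operator checks at 3:00 a.m.: only a fresh 'BACKUP OK' slip passes."""
    lines = report_text.splitlines()
    if len(lines) < 2 or lines[0] != "BACKUP OK":
        return False
    age = datetime.datetime.now(datetime.timezone.utc) - datetime.datetime.fromisoformat(lines[1])
    return age <= datetime.timedelta(hours=max_age_hours)

def demo():
    """Constructed run: a writable tape, a 'tape' that is a plain file (so writes fail), a stale slip."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "ledger.db")
    with open(src, "w") as fh:
        fh.write("data that can never be re-created")
    good_tape = os.path.join(work, "tape0")
    os.mkdir(good_tape)
    bad_tape = os.path.join(work, "tape1")
    open(bad_tape, "w").close()
    ok1, rep1 = run_backup([src], good_tape)
    ok2, rep2 = run_backup([src], bad_tape)
    stale = verify_report("BACKUP OK\n2010-05-12T03:00:00+00:00\n1 file(s) written\n")
    return ok1, verify_report(rep1), ok2, verify_report(rep2), rep2.splitlines()[0], stale
```

The old slip that said only "tape in drive is write protected" fails `verify_report` outright, which is the distinction the operator was never trained to make.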