Syngress - Eleventh Hour Network+ Exam N10-004 Study Guide (11 ...
Security Zones 125
SECURITY ZONES
You must imagine the different pieces that make up a network as discrete network segments, called security zones, each holding systems that share common requirements. Characteristics of security zones include the following:
■ Systems in a zone may be running different protocols and OSes, such as Windows and NetWare.
■ The type of a computer and its operating system do not dictate a particular security zone.
■ Where the machine resides in the environment helps to define the security zone it resides in.
Common requirements of a security zone may include the following:
■ The types of information the zone handles.
■ Who uses the zone.
■ What levels of security the zone requires to protect its data.
EXAM WARNING
A security zone is defined as any portion of a network that has specific security concerns or requirements. Intranets, extranets, demilitarized zones (DMZs), and VLANs are all security zones.
The following are samples of security zones that may be defined in your environment:
■ DMZs – A DMZ is a network segment which exists between the hostile Internet and the trusted internal network. Often, systems which need to be made accessible to the public Internet are placed in the DMZ, which offers some basic levels of protection against attacks but is not considered as secure as the trusted internal network.
■ DMZ segments can exist in one of the following two ways:
  • Layered DMZ implementation – the systems that require protection are placed between two firewall devices with different rule sets, which allow systems on the Internet to connect to the offered services on the DMZ systems, but prevent them from connecting to the computers on the internal segments of the organization’s network.
  • Multiple interface firewall implementation – a third interface is added to the firewall and the systems that require protection are placed on that network segment. The same firewall is used to manage the traffic between the Internet, the DMZ, and the protected network. See Figure 8.1 for a diagram of a multiple interface firewall implementation.
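The following is an added example, not code from the Syngress study guide, that models the inter-zone rule set of a multiple interface firewall implementation: one device, three interfaces (Internet, DMZ, internal), one first-match rule set with a default deny. The zone prefixes, the sample flows and the allowed services are constructed for the demonstration. Besides evaluating individual flows, it includes a small audit check that confirms the property the text describes: Internet hosts may reach only the offered DMZ services, and neither the Internet nor the DMZ can initiate connections into the internal segment.

```python
# Added example (not from the study guide): a model of the inter-zone rule set
# for a multiple-interface firewall that joins the Internet, a DMZ and the
# trusted internal network. Address ranges below are constructed for the demo.
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

# Constructed zone addressing (assumption): RFC 1918 space for the internal
# segment and a documentation prefix standing in for the DMZ's public addresses.
ZONES = {
    "internal": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}


def zone_of(ip: str) -> str:
    """Map an address to the firewall interface (zone) it belongs to.
    Anything outside the known segments is treated as the hostile Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"


# One rule set, evaluated first-match-wins, governs all three interfaces.
# Only the offered services are reachable from the Internet, and nothing
# originating in the DMZ may open a connection into the internal segment.
RULES: List[Rule] = [
    Rule("internet", "dmz", "tcp", 80, "allow"),        # public web service
    Rule("internet", "dmz", "tcp", 443, "allow"),       # public web service (TLS)
    Rule("internal", "dmz", "tcp", None, "allow"),      # admins manage DMZ hosts
    Rule("internal", "internet", "tcp", None, "allow"), # outbound browsing
    Rule("internal", "internet", "udp", 53, "allow"),   # outbound DNS
    Rule("dmz", "internal", "tcp", None, "deny"),       # explicit, so it is logged
    Rule("internet", "internal", "tcp", None, "deny"),
]
DEFAULT_ACTION = "deny"   # anything not listed is dropped


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Return the verdict for a new connection from src_ip to dst_ip:dport."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow"   # same segment: the traffic never crosses the firewall
    for rule in RULES:
        if (rule.src_zone, rule.dst_zone, rule.proto) == (src, dst, proto) \
                and rule.dport in (None, dport):
            return rule.action
    return DEFAULT_ACTION


def isolation_violations(rules: List[Rule]) -> List[Rule]:
    """Audit check: the DMZ must never initiate into the internal segment, and
    the Internet must never reach it directly. Returns the offending allow
    rules; an empty list means the rule set preserves the DMZ design."""
    return [r for r in rules
            if r.action == "allow"
            and r.dst_zone == "internal"
            and r.src_zone in ("dmz", "internet")]


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.0/24 plays the role of the Internet.
    samples = [
        ("203.0.113.5", "192.0.2.10", "tcp", 80),   # Internet -> DMZ web: allow
        ("203.0.113.5", "192.0.2.10", "tcp", 22),   # Internet -> DMZ ssh: deny
        ("192.0.2.10", "10.10.5.5", "tcp", 445),    # DMZ host -> internal: deny
        ("203.0.113.5", "10.10.5.5", "tcp", 80),    # Internet -> internal: deny
        ("10.10.5.5", "192.0.2.10", "tcp", 22),     # admin -> DMZ: allow
    ]
    for flow in samples:
        print(f"{zone_of(flow[0]):>8} -> {zone_of(flow[1]):<8} "
              f"{flow[2]}/{flow[3]:<4} {evaluate(*flow)}")
    print("isolation violations:", isolation_violations(RULES))
```

The third sample flow is the one that matters most: a DMZ host that has been compromised through its public service still cannot open a connection into the internal segment, which is the whole point of placing it in the DMZ. The audit function is the kind of check worth running whenever the rule set changes, since a single convenience rule from the DMZ into the internal network silently undoes that protection.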
The role of the firewall in all these scenarios is to manage the traffic between the network segments. The systems in the DMZ can host any or all the following services:
■ Hypertext Transfer Protocol (HTTP) servers – Internet Information Services (IIS) or Apache servers provide Web sites for public and private usage.