13
SECURITY ZONES


Security Zones

A security zone is a logical grouping of resources, such as systems, networks, or processes, that are similar in the degree of acceptable risk.

To create an effective design, we need to understand how to group resources into appropriate security zones.


A Single Subnet

To minimize the number of systems that need to be set up and maintained, designers are often tempted to create servers that aggregate hosting of multiple services.

This configuration is often effective from a cost-saving perspective, but it creates an environment that is more vulnerable to intrusion or hardware failure than if each service were running on a dedicated server.

Consider a scenario in which a single Internet-accessible Linux box is used to provide DNS and email services.

Because both of these services are running on the same server, an exploit against one of them could compromise the security of the other.


For example, if we were using BIND 8.2.2, an unpatched "nxt overflow vulnerability" would allow a remote attacker to execute arbitrary code on the server with the privileges of the BIND process.

Hopefully, in this scenario, we already configured the BIND server to run as the limited user nobody; that way, the attacker would not directly gain root privileges through the exploit.

Having local access to the system, however, gives the attacker an opportunity to exploit a whole new class of vulnerabilities that would not be triggered remotely.


Security Zones Within a Server

A more robust way of separating a daemon such as BIND from the rest of the system involves the use of the chroot facility, which is available on most UNIX operating systems.

Chroot allows us to set up multiple security zones within a single server by creating isolated subsystems within the server, known as chroot jails.


Security Zones via Dedicated Servers

A more effective method of reliably separating one application from another involves dedicating a server to each application.

As in most designs that incorporate security zones, the purpose of dedicated servers is to help ensure that a compromise of one infrastructure component does not breach the security of the other.


Multiple Subnets

Using multiple subnets provides a reliable means of separating resources. Communications between systems on different subnets are regulated by the devices that connect the subnets.

Tools and expertise for implementing such segmentation are widely available. After all, much of perimeter defense concentrates on using routers and firewalls to control how traffic passes from one subnet to another.

In addition to creating security zones by enforcing access control restrictions on traffic across subnets, routers and firewalls limit the scope of network broadcast communications.


Broadcast Domains

A broadcast domain is a collection of network nodes that receives broadcast packets and typically matches the boundaries of a subnet.

Subnets can be used in network design to limit the size of network broadcast domains. Splitting a network into two or more subnets decreases the number of hosts that receive network broadcasts because routing devices are not expected to forward broadcast packets.

Broadcasts have security implications because they are received by all local hosts.

Decreasing the size of a broadcast domain also brings significant performance advantages because network chatter is localized to a particular subnet, and fewer hosts per broadcast domain means fewer broadcasts.


Security Zones via Subnets

In perimeter security, the most powerful devices for enforcing network traffic restrictions are located at subnet entry points and usually take the form of firewalls and routers.

We frequently use subnets to create different security zones on the network. In such configurations, communications that need to be tightly controlled are most likely to cross subnets and be bound by a firewall's or a router's restrictions.

Consider the example illustrated in the figure on the next slide. We separated the network into three security zones, each defined by a dedicated subnet.


In this scenario, we group resources based on their primary purpose because that maps directly to the sensitivity levels of the data the system maintains.

The border firewall and the internal router allow us to control access to and from network resources based on the business requirements for each zone. The zones are defined as follows:

The Public Servers zone contains servers that provide information to the general public and can be accessed from the Internet. These servers should never initiate connections to the Internet, but specific servers might initiate connections to the Corporate Servers zone using approved protocols and ports.

The Corporate Servers zone contains the company's internal servers that internal users can access from the Corporate Workstations zone. The firewall should severely restrict the servers' ability to initiate connections to other zones.

The Corporate Workstations zone contains internal desktops and laptops that can browse the Internet using approved protocols and ports and can connect to the Corporate Servers zone primarily for file and print services.


Access control lists (ACLs) on the internal router are set up to let only Windows network traffic from corporate workstations access the servers.

The firewall is configured to allow from the Internet only inbound traffic destined for systems in the Public Servers zone on the HTTP, DNS, and SMTP ports. These servers are not allowed to initiate connections that cross security zone boundaries except when relaying mail to the internal mail server.

Systems in the Corporate Workstations zone are allowed to browse the Web using approved protocols, such as HTTP, HTTPS, FTP, and so on.
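The three-zone policy described on these slides, written out as a small default-deny evaluator so the rules can be checked against concrete flows. This is an added example, not part of the original slides or the book: the zone subnets, the internal mail server address and the port numbers chosen for the named protocols are assumptions made here.

```python
from ipaddress import ip_address, ip_network

# Constructed zone addressing (an assumption of this example; the slides give none).
ZONES = {
    "public_servers": ip_network("203.0.113.0/24"),
    "corporate_servers": ip_network("10.1.0.0/24"),
    "corporate_workstations": ip_network("10.2.0.0/24"),
}
INTERNAL_MAIL_SERVER = ip_address("10.1.0.25")  # constructed address of the internal mail server


def zone_of(ip):
    """Map an address to its zone; anything outside the three subnets is 'internet'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


# Permitted cross-zone flows as (initiating zone, destination zone, destination ports).
# Port numbers are the standard ones for the protocols the slides name (assumed here).
RULES = [
    ("internet", "public_servers", {80, 53, 25}),                 # HTTP, DNS, SMTP inbound
    ("public_servers", "corporate_servers", {25}),                # mail relay only (see below)
    ("corporate_workstations", "corporate_servers", {139, 445}),  # Windows file and print
    ("corporate_workstations", "internet", {80, 443, 21}),        # HTTP, HTTPS, FTP browsing
]


def connection_allowed(src_ip, dst_ip, dst_port):
    """Return True if a connection *initiated* by src_ip to dst_ip:dst_port is permitted.

    Traffic that stays inside one of our subnets never crosses the border firewall
    or the internal router, so it is not subject to these rules. Everything that
    crosses a zone boundary is denied unless a rule explicitly allows it.
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst and src != "internet":
        return True
    for rule_src, rule_dst, ports in RULES:
        if (src, dst) == (rule_src, rule_dst) and dst_port in ports:
            # Public servers may cross a boundary only to relay mail to the internal mail server.
            if src == "public_servers" and ip_address(dst_ip) != INTERNAL_MAIL_SERVER:
                return False
            return True
    return False  # default deny
```

Note that the corporate servers have no rule of their own, which is how the slides' "severely restrict" requirement falls out of a default-deny policy.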