SECURITY ZONES

Security Zones  A security zone is a logical grouping of resources, such as systems, networks, or processes, that are similar in the degree of acceptable risk.  To create an effective design, we need to understand how to group resources into appropriate security zones.

A Single Subnet  To minimize the number of systems that need to be set up and maintained, designers are often tempted to create servers that aggregate hosting of multiple services.  This configuration is often effective from a cost-saving perspective, but it creates an environment that is more vulnerable to intrusion or hardware failure than if each service were running on a dedicated server.  Consider a scenario in which a single Internet-accessible Linux box is used to provide DNS and services.  Because both of these services are running on the same server, an exploit against one of them could compromise security of the other.

A Single Subnet  A For example, if we were using BIND 8.2.2, an unpatched "nxt overflow vulnerability"  It would allow a remote attacker to execute arbitrary code on the server with the privileges of the BIND process.  Hopefully, in this scenario, we already configured the BIND server to run as the limited user nobody; that way, the attacker would not directly gain root privileges through the exploit.  Having local access to the system gives the attacker an opportunity to exploit a whole new class of vulnerabilities that would not be triggered remotely.

Security Zones Within a Server  A more robust way of separating a daemon such as BIND from the rest of the system involves the use of the chroot facility, which is available on most UNIX operating systems.  Chroot allows us to set up multiple security zones within a single server by creating isolated subsystems within the server, known as chroot jails.

Security Zones via Dedicated Servers  A more effective method of reliably separating one application from another involves dedicating a server to each application.  As in most designs that incorporate security zones, the purpose of dedicated servers is to help ensure that a compromise of one infrastructure component does not breach the security of the other.

Multiple Subnets  A Using multiple subnets provides a reliable means of separating resources.  Communications between systems on different subnets are regulated by devices that connect the subnets.  Tools and expertise for implementing such segmentation are widely available. After all, much of perimeter defense concentrates on using routers and firewalls to control how traffic passes from one subnet to another.  In addition to creating security zones by enforcing access control restrictions on traffic across subnets, routers and firewalls limit the scope of network broadcast communications.

Broadcast Domains  A broadcast domain is a collection of network nodes that receives broadcast packets and typically matches the boundaries of a subnet.  Subnets can be used in network design to limit the size of network broadcast domains.  Splitting a network into two or more subnets decreases the number of hosts that receive network broadcasts because routing devices are not expected to forward broadcast packets.  Broadcasts have security implications because they are received by all local hosts.  Decreasing the size of a broadcast domain also brings significant performance advantages because network chatter is localized to a particular subnet, and fewer hosts per broadcast domain means fewer broadcasts.

Security Zones via Subnets  In perimeter security, the most powerful devices for enforcing network traffic restrictions are located at subnet entry points and usually take the form of firewalls and routers.  We frequently use subnets to create different security zones on the network. In such configurations, communications that need to be tightly controlled are most likely to cross subnets and be bound by a firewall's or a router's restrictions.  Consider the example illustrated in Figure next. We separated the network into three security zones, each defined by a dedicated subnet.

 In this scenario, we group resources based on their primary purpose because that maps directly to the sensitivity levels of the data the system maintains.  The border firewall and the internal router allow us to control access to and from network resources based on the business requirements for each zone. The zones are defined as follows:  The Public Servers zone contains servers that provide information to the general public and can be accessed from the Internet. These servers should never initiate connections to the Internet, but specific servers might initiate connections to the Corporate Servers zone using approved protocols and ports.  The Corporate Servers zone contains the company's internal servers that internal users can access from the Corporate Workstations zone. The firewall should severely restrict the servers' ability to initiate connections to other zones.  The Corporate Workstations zone contains internal desktops and laptops that can browse the Internet using approved protocols and ports and can connect to the Corporate Servers zone primarily for file and print services.

 Access control lists (ACLs) on the internal router are set up to let only Windows network traffic from corporate workstations access the servers..  The firewall is configured to allow from the Internet only inbound traffic destined for systems in the Public Server zone on HTTP, DNS, and SMTP ports. These servers are not allowed to initiate connections that cross security zone boundaries except when relaying mail to the internal mail server.  Systems on the Corporate Workstations zone are allowed to browse the Web using approved protocols, such as HTTP, HTTPS, FTP, and so on.