CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [145]

floors, offices, and so on)?

2. Which areas are accessible by everyone from administrators to visitors? Can a visitor ever leave the reception area without an escort, and if so, to go where (bathroom, break room, and so forth)?

3. In what areas are users allowed to move about freely? Are you certain that no visitors or guests could enter those areas?

4. What areas are administrators allowed to enter that users can’t? Server room? Wiring closets? How do you keep users out and verify that only administrators enter?

5. Do other areas need to be secured for entities beyond the user/administrator distinction (such as groups)?

You should evaluate your environment routinely to make certain the zones that exist within your security plan are still relevant. Always start from scratch and pretend that no zones exist; then verify that the zones that do exist are the same as those you’ve created from this exercise.

The networking equivalent of a security zone is a network security zone. They perform the same function. If you divide a network into smaller sections, each zone can have its own security considerations and measures—just like a physical security zone. Figure 6.4 illustrates a larger network being broken down into three smaller zones. Notice that the first zone also contains a smaller zone where high-security information is stored. This arrangement allows layers of security to be built around sensitive information. The division of the network is accomplished by implementing virtual LANs (VLANs) and instituting demilitarized zones (DMZs), both of which are discussed in Chapter 1, “General Security Concepts.”


Partitioning

Partitioning a network is functionally the same as partitioning a building. In a building, walls exist to direct pedestrian flow, provide access control, and separate functional areas. This process allows information and property to be kept under physical lock and key.

FIGURE 6.4 Network security zones

Partitions can be either temporary or permanent structures.

Hallways in an office building are usually built differently from internal office space. Hallways are usually more flame resistant, and they’re referred to as fire corridors. These corridors allow people in the building to escape in the event of a fire. Fire corridor walls go from the floor to the ceiling, whereas internal walls can stop before they reach the ceiling (most office buildings have a false ceiling in them to hold lighting, wiring, and plumbing).

Network partitioning accomplishes the same function for a network as physical partitioning does for a building. Buildings have physical walls, whereas network partitioning involves the creation of private networks within larger networks. Partitions can be isolated from each other using routers and firewalls.

Therefore, while the network systems are all connected using wire, the functional view is that of many smaller networks. Figure 6.5 shows a partitioned network. It’s important to realize that unless a physical device (such as a router) separates these partitioned networks, all the signals are shared across the wire. This device accomplishes the same function as a hallway or locked door—from a purely physical perspective.

Partitioning and security zones are essentially interchangeable. Typically, partitioning is more narrowly focused than zones, but this need not always be the case. In a typical installation, a zone would encompass one floor, while a partition would include one room.
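The two ideas above, network security zones (including the nested high-security zone of Figure 6.4) and partitions isolated by routers and firewalls, can be modeled and checked in code. The following Python script is an added example, not material from the study guide: the subnets, zone names, ports and sample flows are constructed assumptions. It contrasts a flat network, where no separating device exists and every host reaches every other, with a partitioned one, where crossing any zone boundary (including the boundary into the nested enclave) requires an explicit allow rule.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed topology (assumption, not from the book): one larger network
# cut into three zones, with a high-security enclave nested inside zone 1,
# mirroring the layered arrangement described for Figure 6.4.
ZONES = {
    "zone1":      ipaddress.ip_network("10.1.0.0/16"),
    "zone1-high": ipaddress.ip_network("10.1.200.0/24"),  # nested in zone1
    "zone2":      ipaddress.ip_network("10.2.0.0/16"),
    "zone3":      ipaddress.ip_network("10.3.0.0/16"),
}


def zone_of(ip: str):
    """Most specific zone containing ip (longest prefix wins), so a host in
    the nested enclave is reported as zone1-high rather than zone1."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in ZONES.items() if addr in net]
    return max(matches)[1] if matches else None


@dataclass
class Policy:
    """Inter-zone policy enforced by the router/firewall at each boundary.
    partitioned=False models a flat network with no separating device."""
    partitioned: bool
    # Allowed flows as (src_zone, dst_zone, port); port may be "any".
    allow: set = field(default_factory=set)

    def permits(self, src_ip: str, dst_ip: str, port: int) -> bool:
        if not self.partitioned:
            # No router or firewall between hosts: every signal is shared on
            # the wire, so every host can reach every other host.
            return True
        src, dst = zone_of(src_ip), zone_of(dst_ip)
        if src is None or dst is None:
            return False           # unknown address: default deny
        if src == dst:
            return True            # same partition, same segment
        # Crossing a boundary (including zone1 -> zone1-high) needs a rule.
        return (src, dst, port) in self.allow or (src, dst, "any") in self.allow


def audit(policy: Policy, flows):
    """Evaluate a list of (src_ip, dst_ip, port) flows; returns a list of
    (src_zone, dst_zone, port, permitted) tuples for review."""
    return [(zone_of(s), zone_of(d), p, policy.permits(s, d, p)) for s, d, p in flows]


FLAT = Policy(partitioned=False)

SEGMENTED = Policy(
    partitioned=True,
    allow={
        ("zone2", "zone1", 443),        # users in zone 2 reach a web server in zone 1
        ("zone1", "zone1-high", 5432),  # only the zone-1 server reaches the enclave database
    },
)

# Constructed sample flows (assumption).
SAMPLE_FLOWS = [
    ("10.2.0.5", "10.1.0.10", 443),      # zone2 -> zone1 web: allowed
    ("10.2.0.5", "10.1.200.10", 5432),   # zone2 -> enclave directly: denied
    ("10.1.0.10", "10.1.200.10", 5432),  # zone1 -> enclave db: allowed
    ("10.1.0.10", "10.1.200.10", 22),    # zone1 -> enclave ssh: denied
    ("10.3.0.7", "10.1.0.10", 443),      # zone3 -> zone1: no rule, denied
    ("10.1.0.10", "10.1.0.20", 22),      # within zone1: allowed
]

if __name__ == "__main__":
    for label, policy in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(f"--- {label} network ---")
        for src, dst, port, ok in audit(policy, SAMPLE_FLOWS):
            print(f"{src:>10} -> {dst:<10} port {port:<5} {'ALLOW' if ok else 'DENY'}")
```

The longest-prefix match in `zone_of` is what makes the nesting work: a host in 10.1.200.0/24 belongs to the enclave, not merely to zone 1, so a request from the rest of zone 1 into the enclave still crosses a boundary and must match a rule. That is the layered protection the chapter describes, and the flat policy shows what is lost when no router or firewall sits between the segments.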

FIGURE 6.5 Network partitioning separating networks from each other in a larger network

Real World Scenario

Evaluating Your Security System

You’ve been asked to evaluate your building’s security system. The president chose you because you understand computers, and after all, these new alarm systems are computerized.

In evaluating the environment, you notice that there is a single control panel for the whole building. A few motion detectors are located in the main hallway. Beyond that, no additional security components are installed.

