A.23. Working with Security Zones

Even in a purely discretionary access control environment, security zones are important. Security zones are a form of classification: a zone designates which portions of the company-controlled IT infrastructure are accessible to which types of users. You will have at least three user types to deal with: employees, nonemployee business contacts, and external users. These map naturally onto the three standard security zones of intranet, extranet, and DMZ, respectively.

In addition to the basic ideas covered in the Security+ content, here are a few considerations:

  • Never place the only copy of data or other resources into the DMZ or extranet.

  • Regularly back up all data present in the DMZ and extranet.

  • Never grant access to external entities into the intranet.

  • Audit and monitor all activities in all security zones.

  • Erect strong security barriers between each security zone.

  • Public and anonymous access in a DMZ does not mean anything goes—detect and block attacks in every zone.

  • Whenever possible, deploy the DMZ so that it has no connection whatsoever with your intranet or extranet.

  • Consider co-location or site hosting at an ISP for your DMZ.

Understanding and respecting these three groups is important for a strong security endeavor. Different forms of security, different levels of access, and different types of data are present in each security zone. Making a mistake and placing the wrong element into a zone can have disastrous consequences. In the company security policy and in the deployed infrastructure, it's essential to set clear definitions of what each security zone will entail.
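The considerations above read naturally as a policy that can be checked rather than just remembered. The following is an added example, not code from the book, that encodes the user-type-to-zone pairings, a default-deny table of permitted zone-to-zone flows (with no path between the DMZ and the intranet or extranet), and the "never the only copy in the DMZ or extranet" rule, then audits a constructed set of proposed firewall rules and an asset inventory against them. The zone names, user-type labels, the permitted-flow table and the sample data are all assumptions chosen for the example; an organisation would fill the tables in from its own security policy.

```python
"""Zone-policy audit: an added example (not from the book) that encodes this
section's security-zone rules as data and checks proposed firewall rules and
data placements against them. Zone names, user types, the permitted-flow
table and the sample inputs are assumptions constructed for the example."""
from dataclasses import dataclass

INTRANET, EXTRANET, DMZ, INTERNET = "intranet", "extranet", "dmz", "internet"
EXPOSED_ZONES = {DMZ, EXTRANET}  # zones that must never hold the only copy of data

# User type -> zones that type is meant to reach. Employees, business contacts
# and externals map to intranet, extranet and DMZ; externals never reach the
# intranet. (Assumed mapping.)
USER_ZONES = {
    "employee": {INTRANET, EXTRANET, DMZ},
    "business_contact": {EXTRANET, DMZ},
    "external": {DMZ},
}

# Default deny between zones: a rule may only allow a (source, destination)
# pair listed here. No entry connects the DMZ with the intranet or extranet,
# matching "deploy the DMZ so that it has no connection with your intranet".
# (Assumed table; each organisation derives its own from policy.)
PERMITTED_FLOWS = {
    (INTERNET, DMZ),
    (INTERNET, EXTRANET),
    (INTRANET, EXTRANET),
    (INTRANET, INTERNET),
}


@dataclass(frozen=True)
class Rule:
    """A proposed firewall rule between two zones (constructed format)."""
    src: str
    dst: str
    action: str  # "allow" or "deny"


@dataclass(frozen=True)
class Asset:
    """A data set or service together with every zone holding a copy of it."""
    name: str
    copies: frozenset


def may_access(user_type: str, zone: str) -> bool:
    """Is this user type meant to reach this zone? Unknown types get nothing."""
    return zone in USER_ZONES.get(user_type, set())


def audit_rules(rules):
    """Return one message per allow rule whose flow is not in the permitted table.
    Deny rules never violate policy. An allow from the DMZ or the extranet into
    the intranet is exactly the kind of mistake this catches."""
    violations = []
    for r in rules:
        if r.action == "allow" and (r.src, r.dst) not in PERMITTED_FLOWS:
            violations.append(f"rule {r.src}->{r.dst} allow is not a permitted flow")
    return violations


def audit_assets(assets):
    """Flag any asset whose every copy sits in an exposed zone (DMZ/extranet),
    i.e. the 'never the only copy' rule from the section is broken."""
    return [f"asset {a.name} has no copy outside {sorted(a.copies)}"
            for a in assets if a.copies and a.copies <= EXPOSED_ZONES]


SAMPLE_RULES = [  # constructed proposed ruleset
    Rule(INTERNET, DMZ, "allow"),
    Rule(DMZ, INTRANET, "allow"),       # breaks DMZ isolation
    Rule(EXTRANET, INTRANET, "allow"),  # external entity reaching the intranet
    Rule(DMZ, INTRANET, "deny"),        # explicit deny is fine
    Rule(INTRANET, EXTRANET, "allow"),
]
SAMPLE_ASSETS = [  # constructed inventory
    Asset("public-web-content", frozenset({DMZ, INTRANET})),
    Asset("partner-orders-db", frozenset({EXTRANET})),  # only copy is exposed
    Asset("payroll", frozenset({INTRANET})),
]

if __name__ == "__main__":
    for v in audit_rules(SAMPLE_RULES) + audit_assets(SAMPLE_ASSETS):
        print("VIOLATION:", v)
    print("external -> intranet allowed?", may_access("external", INTRANET))
```

Running the script reports the two disallowed flows and the partner database that exists only in the extranet. The same audit can run against an exported ruleset and inventory before each change, so a misplaced element is caught before it reaches the deployed infrastructure.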
