Software-defined Protection - page 30

ENTERPRISE SECURITY BLUEPRINT
02 CONTROL LAYER
The Control Layer delivers controls to enforcement points so any risk associated with any
interaction can be controlled along the entire interaction path. The following are general
recommendations for where to apply each required control:
- Inbound Access Control and Pre-infection Threat Prevention security controls (e.g., firewall, IPS and user identification) should be applied as close to assets as possible. This reduces the risk of security bypass and supports more granular controls tailored to the specific assets.
- Denial of service controls should be implemented at the organizational perimeter due to attackers' higher motivation and opportunity for, and the higher risk of, such attacks.
- Pre-infection anti-malware controls should be implemented at the organizational perimeter, since malware is usually generated by external entities. In addition, anti-malware controls are usually implemented on endpoint hosts and mobile devices processing documents that may contain malware. Enforcement point selection should take performance issues and data encryption into account (e.g., encrypted mail messages must be decrypted before being scanned for malware).
- Post-infection threat prevention controls for restricting access to external applications are typically applied at the organizational perimeter. Collaborative intelligence is used to identify high-risk targets and applications. Outbound network access may also be controlled on endpoint hosts to provide threat containment capabilities.
- Network-level data loss prevention controls are implemented in accordance with the classification scheme. Internal information should be controlled when data is exported out of the organization, whereas departmental data should be controlled at the departmental segment boundaries. In addition, encryption controls should be installed on endpoint hosts, mobile devices and cloud environments to protect against data access threats.
Please refer to the network segmentation design patterns listed in the Appendix for further
description of enforcement points and mapping of controls to enforcement points.
Figure 2-D depicts a sample implementation for the sample site described in the previous
chapter, with different security controls applied at different enforcement points. The
segment boundary controls are consolidated into two physical appliances. The first is
responsible for controlling access between the Internet and the DMZ, as well as between
the DMZ and the internal network. The second security gateway implements five virtual
systems that provide controls for the MPLS-based WAN; the LAN; and the Internal,
Sensitive and Departmental Servers segments.
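The recommendations above amount to a placement policy: every control an interaction requires must be enforced somewhere on its interaction path, access controls should land on the boundary closest to the asset, and DoS and pre-infection anti-malware controls belong at the organizational perimeter. The following is an added example, not code from the Software-defined Protection document or from Check Point, that models enforcement points on segment boundaries and checks a sample site against that policy. The segment names, the gateway layout (loosely following the Figure 2-D description), the control names and the required-control set are all constructed assumptions.

```python
"""Added example, not part of the Software-defined Protection document: a small
model of enforcement points along an interaction path that checks whether each
control an interaction requires is enforced on that path, and whether it sits
where the Control Layer recommendations put it (access control closest to the
asset, DoS and pre-infection anti-malware at the organizational perimeter).
Segment names, gateway layout and control sets are constructed assumptions."""

from typing import Dict, FrozenSet, List, Tuple

Boundary = Tuple[str, str]  # (segment the flow leaves, segment it enters)

# Recommended position of each control class on an inbound interaction path:
#   "asset"     -> enforced at the boundary closest to the protected asset
#   "perimeter" -> enforced at the organizational perimeter (first boundary)
#   "any"       -> anywhere on the path satisfies this check
PLACEMENT_POLICY: Dict[str, str] = {
    "firewall": "asset",
    "ips": "asset",
    "user-identification": "asset",
    "dos-protection": "perimeter",
    "anti-malware": "perimeter",
    "dlp": "any",
}

# Constructed sample site loosely following the Figure 2-D description:
# one gateway on the Internet/DMZ and DMZ/Internal boundaries, and a virtual
# system on the Internal/Sensitive Servers boundary. All values are assumed.
PLACEMENTS: Dict[Boundary, FrozenSet[str]] = {
    ("Internet", "DMZ"): frozenset({"firewall", "ips", "dos-protection", "anti-malware"}),
    ("DMZ", "Internal"): frozenset({"firewall", "ips", "user-identification"}),
    ("Internal", "Sensitive Servers"): frozenset(
        {"firewall", "ips", "user-identification", "dlp"}),
}

INBOUND_PATH = ["Internet", "DMZ", "Internal", "Sensitive Servers"]
REQUIRED = ["firewall", "ips", "user-identification", "dos-protection", "anti-malware"]


def boundaries(path: List[str]) -> List[Boundary]:
    """Segment boundaries crossed by a flow that traverses `path` in order."""
    return list(zip(path, path[1:]))


def enforced_at(boundary: Boundary,
                placements: Dict[Boundary, FrozenSet[str]]) -> FrozenSet[str]:
    """Controls applied at the enforcement point sitting on `boundary`."""
    return placements.get(boundary, frozenset())


def uncovered_controls(path, required, placements) -> set:
    """Required controls that no enforcement point on the path applies."""
    covered: set = set()
    for b in boundaries(path):
        covered |= enforced_at(b, placements)
    return set(required) - covered


def placement_findings(path, required, placements) -> List[str]:
    """Human-readable findings: missing controls, and controls enforced at a
    boundary other than the one the placement policy recommends."""
    bs = boundaries(path)
    if not bs:
        return ["path crosses no segment boundary; nothing can be enforced"]
    findings = []
    for control in required:
        where = [b for b in bs if control in enforced_at(b, placements)]
        if not where:
            findings.append(f"{control}: not enforced on any boundary of the path")
            continue
        rule = PLACEMENT_POLICY.get(control, "any")
        if rule == "asset" and bs[-1] not in where:
            findings.append(f"{control}: enforced at {where[0]} but not at {bs[-1]}, "
                            "the boundary closest to the asset")
        elif rule == "perimeter" and bs[0] not in where:
            findings.append(f"{control}: expected at the perimeter boundary {bs[0]}, "
                            f"found only at {where[0]}")
    return findings


def review_sample_site() -> Dict[str, List[str]]:
    """Run the check on the constructed site and on two deliberately broken variants."""
    # Variant 1: the perimeter gateway has no DoS or anti-malware controls at all.
    no_perimeter = dict(PLACEMENTS)
    no_perimeter[("Internet", "DMZ")] = frozenset({"firewall", "ips"})
    # Variant 2: anti-malware moved inward (external mail reaches the DMZ
    # unscanned) and user identification dropped from the innermost boundary.
    misplaced = dict(PLACEMENTS)
    misplaced[("Internet", "DMZ")] = frozenset({"firewall", "ips", "dos-protection"})
    misplaced[("DMZ", "Internal")] = frozenset(
        {"firewall", "ips", "user-identification", "anti-malware"})
    misplaced[("Internal", "Sensitive Servers")] = frozenset({"firewall", "ips", "dlp"})
    return {
        "as-designed": placement_findings(INBOUND_PATH, REQUIRED, PLACEMENTS),
        "no-perimeter-controls": placement_findings(INBOUND_PATH, REQUIRED, no_perimeter),
        "misplaced": placement_findings(INBOUND_PATH, REQUIRED, misplaced),
    }


if __name__ == "__main__":
    for scenario, findings in review_sample_site().items():
        print(scenario, "->", findings or ["ok"])
```

The check deliberately treats "as close to assets as possible" as "on the last boundary of the path"; a site that terminates the path earlier (for example a flow that ends in the DMZ) is judged against its own last boundary, so the same function works for any path the segmentation design patterns in the Appendix produce.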