069
ENTERPRISE SECURITY BLUEPRINT, APPENDIX A
Such DMZ segmentation also provides more robust protection in case of denial of service
attacks on the DMZ. Separation or quality of service controls should be used to ensure that
outbound access from the enterprise is not adversely impacted by network pipe saturation
attacks on servers within the DMZ. For example, separate ISP links can be used for inbound
and outbound network flows. Separate DNS servers should be used for inbound and outbound
domain name resolution, with the inbound servers resolving only addresses that should be
accessible to external entities.
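The split between inbound and outbound name resolution can be modelled as two DNS views selected by the querying client's address. The following Python example is added here to illustrate that point and is not part of the blueprint; the address ranges, zone names and record values are constructed (RFC 5737 documentation ranges), and the view tables stand in for the zone files of a real split-DNS deployment. The inbound (external) server answers only for published names and refuses to recurse, so it can neither disclose internal hosts nor be used as an open resolver; the outbound (internal) server serves the full view and forwards everything else upstream.

```python
import ipaddress

# Constructed address plan: who counts as "inside" for view selection.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

ZONE = "example.com."  # constructed zone name

# Records the outside world may learn; this is all the inbound server knows.
EXTERNAL_VIEW = {
    "www.example.com.": "203.0.113.10",
    "mail.example.com.": "203.0.113.25",
}

# Records only the inside should see; the internal view is a superset.
INTERNAL_VIEW = {
    **EXTERNAL_VIEW,
    "intranet.example.com.": "10.1.20.5",
    "db1.example.com.": "10.1.30.7",
}


def is_internal_address(ip: str) -> bool:
    """True if the address belongs to the enterprise's internal space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def resolve(name: str, client_ip: str):
    """Answer a query as the split pair would.

    Returns (rcode, address) where rcode is one of:
      NOERROR  - answered from the selected view
      NXDOMAIN - name is in our zone but not present in this view
      REFUSED  - external client asked for a name we are not authoritative for
      FORWARD  - internal client asked for a foreign name; recurse upstream
    """
    qname = name if name.endswith(".") else name + "."
    in_zone = qname == ZONE or qname.endswith("." + ZONE)

    if is_internal_address(client_ip):
        # Outbound resolver: full view, recursion allowed for everything else.
        if qname in INTERNAL_VIEW:
            return ("NOERROR", INTERNAL_VIEW[qname])
        return ("NXDOMAIN", None) if in_zone else ("FORWARD", None)

    # Inbound server: authoritative only, no recursion for outsiders.
    if not in_zone:
        return ("REFUSED", None)
    if qname in EXTERNAL_VIEW:
        return ("NOERROR", EXTERNAL_VIEW[qname])
    return ("NXDOMAIN", None)  # internal-only names are never disclosed


def leaked_internal_records(view: dict) -> list:
    """Configuration check: names in a view that point at internal addresses.

    Run against the external view before publishing it; any hit means the
    inbound server would hand out an internal address to the Internet.
    """
    return sorted(n for n, a in view.items() if is_internal_address(a))


if __name__ == "__main__":
    for q, client in [("www.example.com", "198.51.100.9"),
                      ("intranet.example.com", "198.51.100.9"),
                      ("intranet.example.com", "10.1.5.5"),
                      ("example.org", "198.51.100.9"),
                      ("example.org", "10.1.5.5")]:
        print(q, client, "->", resolve(q, client))
    print("external view leaks:", leaked_internal_records(EXTERNAL_VIEW))
```

The `leaked_internal_records` check is the part worth automating in practice: generate the external zone from the same source as the internal one, then fail the build if any record in the external output points into internal address space.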
Protections
The following security controls are typical for the DMZ design pattern:
Inbound Access Control
  - Firewall allows authorized inbound interactions while preventing attacks from the Internet (Figure A-L, marker 1) and from the internal network (Figure A-L, marker 2)
  - IPS enforces protocol and data compliance
Outbound Access Control
  - Firewall allows authorized access from DMZ to internal servers and services
Pre-infection Threat Prevention
  - IPS blocks exploitation of known application vulnerabilities
Post-infection Threat Prevention
  - Compromised bastion hosts are contained
  - Interactions with bot C&C servers are blocked
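The inbound, outbound and post-infection firewall controls above amount to a zone policy: a short, default-deny rule list between the Internet, the DMZ and the internal network. The Python example below is added here to make that policy concrete and testable; it is not the blueprint's own code or configuration. The zones, hosts, ports and rule comments are constructed (documentation address ranges), and the evaluator uses first-match semantics as most zone firewalls do. Beyond evaluating single flows, it includes an `audit_policy` check that flags the rule shapes which would undo containment of a compromised bastion host.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan, not the blueprint's. Anything not listed is "internet".
ZONES = {
    "internal": [ipaddress.ip_network("10.0.0.0/8")],
    "dmz": [ipaddress.ip_network("203.0.113.0/24")],
}


def zone_of(ip: str) -> str:
    """Map an address to its security zone; unknown space is the untrusted side."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in n for n in nets):
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str                      # "tcp", "udp" or "any"
    dst_port: Optional[int]         # None matches any port
    action: str                     # "allow" or "deny"
    src_host: Optional[str] = None  # narrow the rule to one source address
    dst_host: Optional[str] = None  # narrow the rule to one destination address
    comment: str = ""


# Ordered policy, first match wins, implicit deny at the end.
POLICY = [
    # Inbound access control, Internet side (marker 1): only published services reach their bastion.
    Rule("internet", "dmz", "tcp", 443, "allow", dst_host="203.0.113.10", comment="public web"),
    Rule("internet", "dmz", "tcp", 25, "allow", dst_host="203.0.113.25", comment="inbound mail"),
    Rule("internet", "dmz", "udp", 53, "allow", dst_host="203.0.113.53", comment="inbound authoritative DNS"),
    # Inbound access control, internal side (marker 2): bastions are managed only from the jump host.
    Rule("internal", "dmz", "tcp", 22, "allow", src_host="10.1.0.10", comment="jump host SSH"),
    # Outbound access control: the web bastion reaches exactly the backend it needs.
    Rule("dmz", "internal", "tcp", 5432, "allow", src_host="203.0.113.10", dst_host="10.1.30.7",
         comment="web -> db"),
    # Users' normal egress, kept separate from the inbound path.
    Rule("internal", "internet", "any", None, "allow", comment="user egress"),
    # Post-infection containment: no DMZ -> Internet and no further DMZ -> internal rules, so a
    # compromised bastion can neither contact C&C nor pivot inward.
]


def evaluate(src_ip: str, dst_ip: str, proto: str, dst_port: int):
    """Return (action, reason) for a flow under POLICY using first-match semantics."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for r in POLICY:
        if (r.src_zone, r.dst_zone) != (src_zone, dst_zone):
            continue
        if r.proto not in ("any", proto):
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        if r.src_host is not None and r.src_host != src_ip:
            continue
        if r.dst_host is not None and r.dst_host != dst_ip:
            continue
        return (r.action, r.comment)
    return ("deny", "implicit default deny")


def audit_policy(policy=POLICY) -> list:
    """Flag rule shapes that break DMZ containment; returns a list of findings."""
    findings = []
    for r in policy:
        if r.action != "allow":
            continue
        if r.src_zone == "internet" and r.dst_zone == "internal":
            findings.append(f"Internet reaches internal directly: {r.comment!r}")
        if r.src_zone == "dmz" and r.dst_zone == "internet":
            findings.append(f"DMZ may initiate to Internet (C&C path): {r.comment!r}")
        if r.src_zone == "dmz" and r.dst_zone == "internal" and (r.dst_host is None or r.dst_port is None):
            findings.append(f"DMZ -> internal rule not pinned to a host and port: {r.comment!r}")
        if r.src_zone == "internet" and r.dst_zone == "dmz" and r.dst_host is None:
            findings.append(f"Inbound rule exposes the whole DMZ: {r.comment!r}")
    return findings


if __name__ == "__main__":
    print(evaluate("198.51.100.9", "203.0.113.10", "tcp", 443))   # allow, public web
    print(evaluate("203.0.113.10", "10.1.20.5", "tcp", 445))      # deny, pivot blocked
    print(evaluate("203.0.113.10", "198.51.100.77", "tcp", 443))  # deny, C&C egress blocked
    print("audit findings:", audit_policy())
```

Running `audit_policy` over a policy exported from the real firewall, rather than over this constructed list, is the useful operational step: it turns the containment promises in the Protections list into a check that can run on every rule change.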
Design Pattern: Mobile
Users may need to access enterprise information systems while they are physically away from the
organization’s premises. Such access may be performed via laptops, mobile devices (e.g., smart
phones and tablets) or from personal computers that are beyond the organization’s control (e.g.,
home PCs or Internet kiosks). These devices pose unique enterprise security challenges.
All mobile devices are vulnerable to physical theft and physical access. While some enterprises
may distribute managed smart phones or tablets to their employees, the more popular trend
nowadays is for employees to use their personal mobile devices to access enterprise resources
(i.e., Bring Your Own Device or BYOD programs). Under this scenario, the enterprise has
limited control. In addition, because mobile devices connect to public networks, they are more
susceptible to malware compared to workstations located within the enterprise network.
Another challenge with mobile devices is the diversity of existing platforms and operating
systems. This diversity makes it hard to develop generic enforcement points that can run all
protection types on mobile devices, especially given that some of these platforms provide
limited processing and storage capabilities.