008
ENFORCEMENT LAYER
01
ENTERPRISE SECURITY BLUEPRINT
Below are a few examples of separating entities into different segments:
- Two end-user workstations on the same LAN access corporate assets with identical
  classifications:
  As there is little motivation for one workstation user to attack the other
  workstation, since both already have access to the same assets, the two hosts may
  be considered to be within a single atomic segment.
  On the other hand, users may want to access enterprise assets for which they have
  no authorization. Such users and assets should be modeled in separate segments.
- A mobile device subjected to threats (e.g., physical theft) that are not applicable
  to servers in a data center:
  These entities have different security requirements and should not be placed in a
  single atomic segment.
- Separate business units and sites:
  Different entities should always be modeled in separate segments.
- Servers that can be accessed by users from outside of the organization:
  These entities have a security profile distinct from internal servers that are not
  externally exposed.
Step 2: Segment Grouping
Once atomic segments have been identified, they can be grouped into hierarchical
segments (e.g., applications can be grouped within host boundaries, multiple hosts
within a network segment, and multiple networks hierarchically).
While each sub-segment handles its own protection, grouping provides support for:
- Enhanced modularity through abstraction and information hiding
- Heightened trust or more comprehensive protection at the superior segment
  boundary than at the sub-segments
- Centralized control and delivery of security infrastructure services
- Infection containment and recovery
Consider the sample site in Figure 1-A. This enterprise consists of multiple sites connected
by an MPLS provider network. Each site – represented in a shaded box – is composed
of an Access Network hosting internal users (LAN) and server segments. Internal and
sensitive servers are hosted on separate segments, isolated from users by a gateway or
enforcement point. Multiple departmental segments provide self-contained functionality
to departmental end-users. Finally, a Demilitarized Zone (DMZ), in its own segment,
provides public-facing services.
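To make the hierarchy concrete, here is an added Python model of the Figure 1-A layout (example code, not from the Blueprint): it lists the enforcement points a flow crosses on its way up to the lowest common parent segment and applies a simple classification-based policy at those boundaries. The segment names, the numeric classification scale, and the placement of a gateway at every segment boundary are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass(eq=False)  # identity equality: the tree is cyclic through parent links
class Segment:
    name: str
    classification: int = 0   # assumed scale: higher value = more sensitive assets
    enforced: bool = False    # an enforcement point (gateway) sits at this boundary
    parent: Optional["Segment"] = None
    children: List["Segment"] = field(default_factory=list)

    def add(self, child: "Segment") -> "Segment":
        child.parent = self
        self.children.append(child)
        return child

    def ancestors(self) -> List["Segment"]:  # self first, enterprise root last
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain

def boundaries_crossed(src: Segment, dst: Segment) -> List[str]:
    """Enforced boundaries a flow src->dst traverses: walk both endpoints up to
    their lowest common ancestor, collecting boundaries left and then entered."""
    up, down = src.ancestors(), dst.ancestors()
    common = next(s for s in up if s in down)
    leaving = [s.name for s in up[:up.index(common)] if s.enforced]
    entering = [s.name for s in reversed(down[:down.index(common)]) if s.enforced]
    return leaving + entering

def is_permitted(src: Segment, dst: Segment) -> bool:
    """Classification-based policy: a segment may reach only assets classified at
    or below its own level, and must do so through at least one enforcement point."""
    if src is dst:
        return True            # same atomic segment: no inter-segment control applies
    if not boundaries_crossed(src, dst):
        return False           # distinct segments with no gateway between them: model gap
    return dst.classification <= src.classification

def build_figure_1a() -> dict:
    """Constructed sample: two sites over the MPLS cloud, each with the segments
    described for Figure 1-A (classification values are assumptions)."""
    root, segs = Segment("enterprise"), {}
    for site_name in ("site-A", "site-B"):
        site = root.add(Segment(site_name, enforced=True))        # site edge gateway
        for leaf, level in (("access-lan", 1), ("internal-servers", 1), ("sensitive-servers", 2), ("dmz", 0)):
            segs[site_name + "/" + leaf] = site.add(Segment(site_name + "/" + leaf, level, True))
    return segs
```

A flow between two sites crosses both site-edge gateways in addition to the source and destination segment boundaries, which is where the "heightened trust at the superior segment boundary" of Step 2 shows up in the model.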
In this example, multiple server segments and a separate user segment allow fine-grained
control over all inter-segment interactions. This control enforces classification-based
security policies and provides containment of compromised hosts. All internal