Sunday, February 24, 2008

Multiple security zones in Enterprise networks - Security Devices

Traditionally, security devices such as firewalls and UTMs are deployed at the Enterprise edge. At the Enterprise edge, the three-way separation provided by these devices, trusted zone (corporate network), untrusted zone (Internet) and De-Militarized Zone (DMZ), is sufficient.

Increasingly, security devices are being deployed in the Enterprise core where multiple department networks are present - Engineering, Marketing, Sales, Finance etc. These security devices not only provide access control, intrusion prevention, network anti-virus and spam protection from the Internet (untrusted network), but also provide isolation among the departments. Enterprises are increasingly providing Internet connectivity for visitors too. Isolating corporate department networks from the visitor network is very important from a security perspective. To provide granular access controls and other security services among departments, the three network zones provided by traditional security devices are not good enough. Security devices must support the definition of zones and policy configuration among these multiple zones. For example, a firewall ACL rule can be defined to allow specific traffic such as HTTP between the Finance zone and the Engineering zone. Security devices supporting multiple zones provide rule definition with 'From' and 'To' zones in addition to the traditional 5-tuple (source IP, destination IP, protocol, source port and destination port).

Some security devices in the market provide rule definition for each network interface. That is, each network interface is considered a separate zone. At times, many Ethernet interfaces are connected to different segments of one department. In those cases, the rule definition needs to be duplicated for each interface. So, I prefer security devices that provide the concept of zones and associate Ethernet and other network interfaces with zones. Security policies are defined with respect to zones. By separating rule definition from interfaces, adding interfaces to or deleting interfaces from zones does not affect the rule definitions for that department.
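The zone model described in the two paragraphs above (rules written between 'From' and 'To' zones plus the 5-tuple, with interfaces attached to zones rather than addressed by rules) can be shown in a small policy engine. The following is an added example written for this post, not code from any vendor's device: the zone names, interface names, subnets and rules are all constructed, and the 'To' zone is derived from the destination address by a longest-prefix lookup over the subnets attached to each interface (an assumption about how a device would map a flow to its egress zone). The point it demonstrates is the one made above: a second or third segment can be attached to the Engineering zone, and later removed, without touching a single rule.

```python
"""Hypothetical zone-based firewall policy model (constructed for illustration).

Interfaces are attached to zones; rules are written between zones plus the
classic 5-tuple (src IP, dst IP, protocol, src port, dst port). The egress
interface, and hence the 'To' zone, is derived from the destination address
by longest-prefix match over the subnets attached to each interface.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = "any"


@dataclass
class Rule:
    from_zone: str
    to_zone: str
    action: str                   # "allow" or "deny"
    proto: str = ANY              # "tcp", "udp", "icmp" or ANY
    src: str = ANY                # CIDR or ANY
    dst: str = ANY                # CIDR or ANY
    sport: Optional[int] = None   # None = any port
    dport: Optional[int] = None   # None = any port

    def matches(self, from_zone: str, to_zone: str, pkt: dict) -> bool:
        """True when the zone pair and every specified 5-tuple field match."""
        if self.from_zone not in (ANY, from_zone) or self.to_zone not in (ANY, to_zone):
            return False
        if self.proto != ANY and self.proto != pkt["proto"]:
            return False
        if self.src != ANY and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if self.dst != ANY and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.sport is not None and self.sport != pkt.get("sport"):
            return False
        if self.dport is not None and self.dport != pkt.get("dport"):
            return False
        return True


class ZonePolicy:
    def __init__(self) -> None:
        self.if_zone: Dict[str, str] = {}                      # interface -> zone
        self.if_subnet: Dict[str, ipaddress.IPv4Network] = {}  # interface -> attached subnet
        self.rules: List[Rule] = []                            # ordered, first match wins

    def attach_interface(self, name: str, zone: str, subnet: str) -> None:
        self.if_zone[name] = zone
        self.if_subnet[name] = ipaddress.ip_network(subnet)

    def detach_interface(self, name: str) -> None:
        del self.if_zone[name]
        del self.if_subnet[name]

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)

    def egress_interface(self, dst: str) -> Optional[str]:
        """Longest-prefix match of dst over the subnets attached to interfaces."""
        addr = ipaddress.ip_address(dst)
        best = None
        for name, net in self.if_subnet.items():
            if addr in net and (best is None or net.prefixlen > self.if_subnet[best].prefixlen):
                best = name
        return best

    def evaluate(self, pkt: dict) -> Tuple[str, Optional[int]]:
        """Return (action, index of the matching rule) or ("deny", None) for the default deny."""
        from_zone = self.if_zone.get(pkt["in_if"])
        out_if = self.egress_interface(pkt["dst"])
        if from_zone is None or out_if is None:
            return ("deny", None)
        to_zone = self.if_zone[out_if]
        for i, rule in enumerate(self.rules):
            if rule.matches(from_zone, to_zone, pkt):
                return (rule.action, i)
        return ("deny", None)


def build_sample_policy() -> ZonePolicy:
    """Constructed sample topology: four zones, five interfaces, three rules."""
    p = ZonePolicy()
    p.attach_interface("eth0", "internet", "0.0.0.0/0")        # default route
    p.attach_interface("eth1", "finance", "10.1.0.0/16")
    p.attach_interface("eth2", "engineering", "10.2.0.0/16")
    p.attach_interface("eth3", "engineering", "10.3.0.0/16")   # second engineering segment
    p.attach_interface("eth4", "visitor", "192.168.50.0/24")
    p.add_rule(Rule("finance", "engineering", "allow", proto="tcp", dport=80))
    p.add_rule(Rule("engineering", "internet", "allow", proto="tcp", dport=443))
    p.add_rule(Rule("visitor", "internet", "allow", proto="tcp", dport=443))
    return p


def make_pkt(in_if: str, src: str, dst: str, proto: str = "tcp",
             sport: int = 40000, dport: int = 80) -> dict:
    """Build a constructed packet header as seen by the device on ingress."""
    return {"in_if": in_if, "src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


if __name__ == "__main__":
    policy = build_sample_policy()
    print(policy.evaluate(make_pkt("eth1", "10.1.5.5", "10.2.0.10")))       # ('allow', 0)
    print(policy.evaluate(make_pkt("eth1", "10.1.5.5", "10.3.0.10")))       # ('allow', 0), other segment, same rule
    print(policy.evaluate(make_pkt("eth4", "192.168.50.7", "10.1.5.5")))    # ('deny', None), visitor isolated
```

Because rules never name an interface, `attach_interface("eth5", "engineering", "10.4.0.0/16")` makes HTTP from Finance to the new segment match rule 0 immediately, and detaching it again leaves the rule table untouched; with a per-interface rule model the same change would require copying every Engineering rule to eth5 and deleting it later. Visitor traffic toward any department is dropped by the default deny, which is the isolation the post calls for.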
