Companies today have to deal with a broad set of IT environments, particularly with the increased reliance on connecting with external suppliers and business partners. Each of these environments has its own security exposure and each requires different approaches to asset protection.
Typically, there will be unsecured zones, semisecure zones and secure zones. Fortunately, these zones can be organized so that defense-in-depth principles can be put in place.
Zone 7: Protecting physical assets and network traffic
If potential intruders have the ability to get physical access to some equipment or to intercept signals, no amount of firewalls, proxies or certificates will protect the organization. LAN wiring, PCs and some wireless services (nonsecure hot spots, home wireless routers without encryption, some cordless phones, Bluetooth-based devices) are examples of sources of unintended radiation that can be intercepted.
Other wireless services (cellular, satellite, corporate wireless LANs and secure hot spots) are examples of radiation environments where appropriate signal protection is required to eliminate the risk of interception.
Zone 6: Protecting access
In this first-tier security zone, basic credentials and access privileges are validated, and a mediation function is often supported. Typically, this is a point in the intranet just outside the front-end demilitarized zone (DMZ) where communication sessions are proxied.
The repository of credentials, which should be part of the centralized enterprise directory, is typically in a more secure zone (beyond the back-end DMZ and accessed by the proxy server via an industry-standard protocol, such as the Lightweight Directory Access Protocol, LDAP). Intrusion detection/prevention systems may operate in this environment to deal with possible infractions.
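The tiered layout described for Zone 6 (clients reach the proxy across the front-end DMZ, and only the proxy reaches the directory across the back-end DMZ) can be checked mechanically when reviewing a segmentation design. The following is an added example, not code from the original article: the zone names, ports and sample flows are constructed assumptions, and the rule it encodes is that a flow may cross at most one DMZ boundary and must be explicitly permitted at that boundary.

```python
"""Check candidate traffic flows against a tiered zone model.

Zones are ranked by trust. Each step between adjacent zones is a DMZ boundary
that traffic must be explicitly permitted to cross. A flow that would cross
more than one boundary bypasses a mediation tier and is rejected outright.
"""
from dataclasses import dataclass

# Trust ranking, least to most trusted (constructed; zone names are assumptions).
ZONE_RANK = {"internet": 0, "access_tier": 1, "secure_core": 2}

# Boundary rules: (source zone, destination zone, TCP port) -> description.
# Front-end DMZ admits proxied HTTPS only; back-end DMZ admits only the
# proxy's LDAP-over-TLS lookups to the enterprise directory.
BOUNDARY_RULES = {
    ("internet", "access_tier", 443): "clients to session proxy",
    ("access_tier", "secure_core", 636): "proxy LDAPS lookups to enterprise directory",
}

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    port: int

def evaluate(flow: Flow) -> tuple[bool, str]:
    """Return (permitted, reason) for one flow."""
    crossings = abs(ZONE_RANK[flow.dst_zone] - ZONE_RANK[flow.src_zone])
    if crossings == 0:
        return True, "intra-zone traffic: not subject to DMZ rules"
    if crossings > 1:
        return False, f"skips {crossings - 1} mediation tier(s); must be proxied"
    rule = BOUNDARY_RULES.get((flow.src_zone, flow.dst_zone, flow.port))
    if rule is None:
        return False, "no boundary rule permits this flow"
    return True, f"permitted: {rule}"

def audit(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Return every flow that must be blocked, paired with the reason."""
    return [(f, reason) for f in flows for ok, reason in [evaluate(f)] if not ok]

# Constructed sample flows: the two legitimate paths and three that break the model.
SAMPLE_FLOWS = [
    Flow("internet", "access_tier", 443),     # browser -> proxy
    Flow("access_tier", "secure_core", 636),  # proxy -> directory over LDAPS
    Flow("internet", "secure_core", 636),     # directory exposed externally: skips a tier
    Flow("internet", "access_tier", 389),     # plaintext LDAP at the proxy: no rule
    Flow("secure_core", "internet", 443),     # core initiating outbound: skips a tier
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"BLOCK {flow.src_zone} -> {flow.dst_zone}:{flow.port}: {reason}")
```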