Hello and welcome to Security Management 201. I'm Professor Wool, and today we're going to be talking about how to structure your security policy in a segmented network. If you recall, in one of the previous segments we talked about segmenting your network and using security zoning as a way to think about how to structure your policy. So today we're going to be looking at one aspect of such an organization of your security policies: how to future-proof your work against additional upcoming changes.

So let's start with an example and we'll see what I mean. Suppose you have a network that's segmented into three segments. You have your orange zone over here, then you have the core network in brown in the middle, and you have the blue zone on the right, and there are firewalls protecting all of these zones from each other. So there's a firewall protecting the orange zone, there's a couple of firewalls protecting the core network, and there's a blue firewall protecting the blue zone.

Now, with this in mind, you have a new change request to deal with. There is a need for the VMware administrator to connect from his administration workstation, over here in the orange zone, to the ESX server over there in the blue zone, with this IP address ending in 3. As the firewall administrator, you need to allow this traffic through from end to end. So you consult your network diagram and you realize that you need to modify all four firewalls on this path, the orange one, the two brown ones and the blue one, to allow this requested traffic.

At this point I suggest you stop and think for a second about how you want to write these rules in the four policies that you have to update. What I'd like to suggest is to think about these policies in a sort of diamond shape, like this sketch over here, where it's sharp near the source, it's sharp near the destination, and it's broad in the middle. If you organize your whole policy in this way, you might save yourself work in the future.

Specifically, when you're close to the source, so you're over here in the orange firewall that's right next to the source, you can be very specific regarding the source and just list the IP address of the administration workstation, so just that one IP address. But in terms of destination you're very far away from the blue zone, so you can just write the whole subnet here, 172.1.1.0/24, allowing traffic to exit just from that one administration system, but it can go anywhere in the blue zone with the VMware service. So that's the starting point of the diamond.

If you look at the other side, at the blue firewall protecting the blue zone, here you're very close to the destination, so you should be specific with regards to the destination, so just allow that one destination. But you're quite far away from the source, so you can allow all traffic from the whole orange zone, 10.3.0.0/16, in terms of source.

And now when you have to look at the intermediate firewalls protecting the core network: they're not close to the administration workstation in the orange zone, and they're not close to the blue zone either. They're in the fat middle over here. You don't want to put specific rules; you want to put broad rules, just with zone-to-zone traffic. So you'd put the whole source zone, 10.3.0.0/16, and the whole blue zone, which is 172.1.1.0/24.

Now notice that by writing the rules in this way I have not introduced any traffic that wasn't specifically requested, so I'm following the least privilege principle, because any traffic using this VMware service going between any other combination of IP addresses is going to be blocked somewhere: either by the orange zone firewall when it tries to exit the orange zone, or by one of the core firewalls if it's coming from the wrong direction, or by the blue firewall if it's trying to get into the blue zone but not going specifically to that IP address. So traffic that wasn't specifically requested is not being allowed by the combination of all these rules.

But what I've done, by introducing wider objects in the source and the destination in the intermediate steps and having only one side of the rule be very specific at the points, is this: if in the upcoming weeks you receive additional change requests that are variations of this one, so maybe from that same administration station the administrators would need to get to other servers in the blue zone, or maybe there are other administration workstations that need to get to that same system, then in those upcoming change requests, should they occur, you might not need to touch the firewalls in the core at all, and maybe you'll just need to touch one firewall, either near the destination or near the source. So you're future-proofing your policy and saving yourself potential work in upcoming change requests without giving up any security for the immediate change request that you have to deal with right now.

So to conclude: in a multi-zoned segmented network with multiple firewalls, think about your firewall policies as a whole across your whole estate, using this diamond-shaped metaphor where you're specific at the points and broad in the middle. If you do that you'll have a more structured policy, you'll have to work less with upcoming change requests, and in general you'll be able to do more with your limited time. So thank you very much for your attention and see you next time.
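The diamond-shaped policy from the lecture, modelled in Python as an added example (not part of the lecture or any vendor product): four rule sets in path order, a check of where a flow is first denied, and a check of which firewalls a future variation of the request would touch. The zone subnets come from the lecture; the workstation address 10.3.0.10, the ESX address 172.1.1.3 (the lecture only says it ends in 3) and the service TCP/443 are assumptions.

```python
"""Diamond-shaped firewall policy across a segmented network (added example).

Assumed values (the lecture does not give them): admin workstation 10.3.0.10,
ESX server 172.1.1.3, "VMware service" = TCP/443. Zone subnets are from the lecture.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ORANGE_ZONE = ip_network("10.3.0.0/16")   # from the lecture
BLUE_ZONE = ip_network("172.1.1.0/24")    # from the lecture
ADMIN_WS = ip_network("10.3.0.10/32")     # assumed address
ESX_SERVER = ip_network("172.1.1.3/32")   # assumed, "ends in 3"
VMWARE_SVC = ("tcp", 443)                 # assumed service


@dataclass(frozen=True)
class Rule:
    src: object   # ipaddress network object
    dst: object   # ipaddress network object
    service: tuple

    def matches(self, src, dst, service):
        return (ip_address(src) in self.src and ip_address(dst) in self.dst
                and service == self.service)


# Rule set per firewall, in path order from orange to blue; each is default-deny.
PATH = {
    "orange":    [Rule(ADMIN_WS, BLUE_ZONE, VMWARE_SVC)],      # sharp at the source
    "core-west": [Rule(ORANGE_ZONE, BLUE_ZONE, VMWARE_SVC)],   # broad in the middle
    "core-east": [Rule(ORANGE_ZONE, BLUE_ZONE, VMWARE_SVC)],   # broad in the middle
    "blue":      [Rule(ORANGE_ZONE, ESX_SERVER, VMWARE_SVC)],  # sharp at the destination
}


def first_block(path, src, dst, service):
    """Name of the first firewall on the path that denies the flow; None if it passes end to end."""
    for name, rules in path.items():
        if not any(r.matches(src, dst, service) for r in rules):
            return name
    return None


def firewalls_to_change(path, src, dst, service):
    """Firewalls that would need a new rule before this flow could pass (the change-request cost)."""
    return [name for name, rules in path.items()
            if not any(r.matches(src, dst, service) for r in rules)]


if __name__ == "__main__":
    print(first_block(PATH, "10.3.0.10", "172.1.1.3", VMWARE_SVC))         # None: requested flow
    print(first_block(PATH, "10.3.0.99", "172.1.1.3", VMWARE_SVC))         # orange: unrequested source
    print(firewalls_to_change(PATH, "10.3.0.10", "172.1.1.7", VMWARE_SVC))  # ['blue'] only
```

Only the requested flow passes all four firewalls, while a later request for the same workstation to reach another blue-zone server, or for another orange-zone workstation to reach the ESX server, needs a change on a single edge firewall and none in the core.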