Hello and welcome to this week's security management course with Professor Wool. Today we're going to be talking about best practices in data center segmentation.

So let me start with a simple example. Suppose you have your internet connection and you have a shopping application on your website, so you have a web front, you have an application zone, and you have a data center sitting behind all those. The data center includes where you would put the shopping cart information, credit card information from customers' purchases, and so on. So that's all in the data center, but the data center also has other systems that support different needs. For instance, suppose you have an HR provider that needs access to your payroll records, so the payroll system is also in the data center, and you need access from your partner, from your extranet, into the data center. So how would you do that? Well, you would connect your partner to the corporate firewall, and then they can have access through the corporate firewall and the data center firewall; they can reach the data center and they can access the records that they need.

Where is the problem? Well, if you look at this data center you realize that there is a mixture of different systems in that data center that do different things and have different security requirements. For instance, credit card information coming from your shopping application might be subject to PCI compliance, whereas data provided to your partner should not be accessible from those systems, and systems that are accessible to your partner should not be able to access the PCI zone. So how do you reorganize your data center to reflect the different security levels that you have inside it?

Well, what you could do is segment your data center into multiple zones, let's say an orange zone and a blue zone, and you can do that using VLAN technology. So you can virtualize the networks inside the data center so that you can have a separate network for the orange zone and a separate network for the blue zone, and once you do that you can connect the orange zone networks to the firewall separately from the blue zone networks. Now you can filter traffic, and you can forbid traffic going between those two zones in this firewall, and the partner would have access through the orange path to the data that they need. And that's all good.

You can do one better than that, because instead of having another virtual interface on this firewall, you can have a dedicated firewall just protecting the orange zone and connect it this way, giving you even better separation and simplifying the policy on the firewall protecting the orange zone. Now traffic that you want to avoid between those two zones has to cross two firewalls, one protecting the blue zone and one protecting the orange zone. So this is better.

Now, in terms of connectivity, there is one thing that you can do to streamline the network architecture even better, and that is to look at the difference between the legitimate path and the illegitimate path. So the legitimate path is going from the partner zone to the orange zone, and that path now has to cross three firewalls: the corporate firewall, the data center firewall, and then the orange firewall into the orange zone. That's the legitimate path. However, traffic that you want to forbid, that you don't expect to occur between these two zones, just has to go through two firewalls. So a better design would be to take this orange firewall and make it closer to its source. Now if you connect the orange firewall all the way to the corporate firewall, the legitimate traffic from the partner just has to cross the corporate firewall and the orange firewall, and straight into this orange zone in the data center, whereas traffic between these two zones that you want to forbid now has to cross three firewalls. So you are biasing the network design in favor of the legitimate paths and against the illegitimate paths, which is more sensible from a network engineering point of view.

Thank you for your attention.
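The three designs from the talk, as an added example that is not part of the lecture: each topology is modelled as a small graph (an assumption about the diagrams the speaker describes, with constructed node names), and a shortest-path search counts how many firewalls the legitimate partner-to-orange path and the forbidden blue-to-orange path must cross, so the "bias toward the legitimate path" argument can be checked numerically.

```python
"""Count firewalls between zones in the three data-center designs.

Added example, not code from the lecture. Topologies are assumptions about the
diagrams described in the talk; node names ending in "_fw" are firewalls.
"""
import heapq

# Design A: one data-center firewall, orange and blue as separate VLAN interfaces.
DESIGN_A = {
    ("partner", "corp_fw"), ("corp_fw", "dc_fw"),
    ("dc_fw", "orange"), ("dc_fw", "blue"),
}
# Design B: dedicated orange firewall hung off the data-center firewall.
DESIGN_B = {
    ("partner", "corp_fw"), ("corp_fw", "dc_fw"), ("dc_fw", "blue"),
    ("dc_fw", "orange_fw"), ("orange_fw", "orange"),
}
# Design C: orange firewall moved next to its source, onto the corporate firewall.
DESIGN_C = {
    ("partner", "corp_fw"), ("corp_fw", "dc_fw"), ("dc_fw", "blue"),
    ("corp_fw", "orange_fw"), ("orange_fw", "orange"),
}


def firewalls_between(edges, src, dst):
    """Minimum number of firewall nodes any packet from src must traverse to reach dst.

    Dijkstra over an undirected graph where entering a firewall costs 1 and
    entering a zone costs 0. Returns None if dst is unreachable.
    """
    adj = {}
    for a, b in edges:
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    best = {src: 0}
    heap = [(0, src)]
    while heap:
        cost, node = heapq.heappop(heap)
        if node == dst:
            return cost
        if cost > best[node]:
            continue  # stale heap entry
        for nxt in adj.get(node, []):
            ncost = cost + (1 if nxt.endswith("_fw") else 0)
            if ncost < best.get(nxt, float("inf")):
                best[nxt] = ncost
                heapq.heappush(heap, (ncost, nxt))
    return None


def path_bias(edges):
    """(firewalls on the legitimate partner->orange path, firewalls on the forbidden blue->orange path)."""
    return firewalls_between(edges, "partner", "orange"), firewalls_between(edges, "blue", "orange")
```

A design is "biased the right way" when the second number exceeds the first; only design C achieves that here.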