Zoning is a mechanism for segmenting the network based on the value of an asset, its exposure factor and its functionality.
Asset value is determined by considering hardware cost, software cost, the value of the information to both the organisation and criminals, and the impact of a loss of availability, integrity or confidentiality of the asset.
Exposure factor is determined by the amount of access available to an asset, the number of active accessible services (more services mean more vulnerabilities) and the value of the asset, since a valuable asset provides motivation for criminals.
Least Access Principle
This principle dictates that we should allow only the least access to the most valuable assets. An increase in access and functionality also increases exposure; therefore we should distinguish high-value assets from low-value assets and segment them into different zones. For example, a database system usually has two components:
- A database engine that stores and runs the database.
- An access-layer web application providing access to the database.
Based on the zoning approach it is important to run the database on one server in a separate secure zone and the web application on a different server in a different zone. As functionality in a zone increases, the trust level and security of the zone decrease.
More people access the web application server, and it runs a number of services and applications such as ActiveX, Flash etc., all of which are prone to bugs and vulnerabilities. Because the application does not store the data, a compromised application server may affect availability for users, but confidentiality and integrity are preserved by the separation. Users do not need access to the database server; only the application server requires access to it.
The benefit of zoning can only be achieved if there are firewall devices that filter and restrict access between the different zones. It is important to understand that every network device has bugs and vulnerabilities that are exploitable. Therefore it is important to implement a multi-layer security approach when zoning a network. This can be achieved by implementing an access control list on a multi-layer switch between the internal zone and the DMZ, combined with the Windows Server Firewall enforcing the same restriction on the server itself. A multi-layer security approach ensures that if an unpatched switch is compromised, there is at least a secondary control to enforce the security restrictions.
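The following is an added example, not part of the original page, that models the two enforcement layers described above as first-match rule lists: a switch ACL between the user zone and the DMZ, and the host firewall on the database server. A flow is permitted only if every layer on its path permits it, so the check shows that the database stays unreachable from user workstations even when the switch ACL is replaced by a permit-any list (the compromised-switch case). All addresses, zones and the port 1433 are constructed sample values.

```python
"""Two-layer zone policy check (added example; constructed sample values)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    src: str             # CIDR of source, e.g. "10.2.0.10/32"
    dst: str             # CIDR of destination
    port: Optional[int]  # TCP destination port, None = any port

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.port is None or self.port == port))


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> bool:
    """First-match evaluation with an implicit deny, like an extended ACL."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action == "permit"
    return False


def permitted(layers: List[List[Rule]], src: str, dst: str, port: int) -> bool:
    """A flow passes only if every enforcement layer on its path permits it."""
    return all(evaluate(layer, src, dst, port) for layer in layers)


# Constructed zones: users 10.1.0.0/24, DMZ web app 10.2.0.10,
# secure database zone 10.3.0.10 (port 1433 assumed for the database).
SWITCH_ACL = [
    Rule("permit", "10.1.0.0/24", "10.2.0.10/32", 443),    # users -> web app
    Rule("permit", "10.2.0.10/32", "10.3.0.10/32", 1433),  # web app -> database
]
DB_HOST_FIREWALL = [
    Rule("permit", "10.2.0.10/32", "10.3.0.10/32", 1433),  # only the app server
]
# Models a compromised or misconfigured switch that now forwards everything.
PERMIT_ANY = [Rule("permit", "0.0.0.0/0", "0.0.0.0/0", None)]

if __name__ == "__main__":
    db_path = [SWITCH_ACL, DB_HOST_FIREWALL]
    print("app -> db 1433:", permitted(db_path, "10.2.0.10", "10.3.0.10", 1433))
    print("user -> db 1433:", permitted(db_path, "10.1.0.25", "10.3.0.10", 1433))
    print("user -> db via compromised switch:",
          permitted([PERMIT_ANY, DB_HOST_FIREWALL], "10.1.0.25", "10.3.0.10", 1433))
```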
Diagram 1 on the next page provides a visual example of zoning, and Table 1 provides a template for the IT team to list the current servers in their relevant zones.