A few years ago, I sat in an otherwise empty classroom inside the administration building of a children’s hospital with two members of their security team. We stared at a spreadsheet and a document that described the server and client zones of their network, displayed from a projector like a classroom project. For each zone, we dug into the details of allowed, forbidden, and approved access. This work was precise and detailed, requiring us to step through subnet addressing, host addresses, and the policy documentation over and over again.
Eventually, we had mapped the network security architecture policy to their network, though, and this was a critical next step in protecting kids and their families from the potential evil done by those who would attack the network of a children’s hospital.
The work to dig in and map every network to an appropriate zone is significant, but it’s critical. Regardless of your specific requirements, knowing the purpose of every subnet, each type of host collection you have, and mapping them to a reasonable network security architecture is a critical requirement allowing you to draw lines between parts of your network to avoid the situations that Target and Supervalu have found themselves facing.
As attackers and their attacks become ever more sophisticated and patient, your security zones and the implementation of security controls between them is your only real defense. Of course, using automation to monitor those controls and ensure that they are implemented correctly, consistently, and completely is equally vital. More on that in an upcoming post.