zone architecture. So we just said, isolate your traffic into trusts. Owns. But what does that really mean? What does that look like? Well, at the very, very least, you're gonna have a set of zones. Okay, You're gonna have a management zone. Remember these air for management commands.
manipulation and modification of service is of devices. You want that traffic isolate. Now, a management entity should be ableto access systems in the d m Z
in the trusted zone in the restricted zone. Right? I should be ableto have right access to those owns.
But should somebody in the d m z be ableto wright to the management plane knew? That's crazy talk, right? No. Somebody even in a trusted zone doesn't get access to the management's own. Certainly not in the restricted zone. So,
you know, the idea is this read, write access. Management should always be able to write to these other entities.
Right? Should be able to even read from those entities. However,
no one from untrusted entities or even semi trusted or even the trusted zone. They're not management. No one should be able to manipulate what's going on in that song.
all right now, Untrusted zone. Think that is the Internet, right? Usually when we look at that, we have to allow external access. But that doesn't mean we want something
that does, right? Access coming in from the Internet. Now the exception. There's that DMC because these air the servers that I'm gonna make publicly available, right. And there's the reason to make publicly available
So I may use forms to collect information from my customers. What out? So, yeah, there's kind of a read and write to the Internet that zones considered the perimeter network. It's considered semi trusted because we do allow that public access. Okay, Trusted zone. We're not gonna allow right
access to the trusted zone
unless it's coming from the management plane. So there's no way from the d. M Z or from the Internet or we're gonna allow internal access.
But that trusted zone can send information to audit as Kim DMC, as can restricted zone audit should always have read permission, should never have right permission.
All it doesn't modify
fire to ask you, what audit does they audit? And they report nothing else. They don't correct. They don't modify. They don't. This that or the other They document they report.
All right. Now, um, again, you know, I've just got this further clarified out on the second slide exactly what I'm talking about. So and this one mentioned sub zones. But again, you may have multiple trusted zones, multiple restricted zones,
but they're still want together under the category of
trusted or restricted. So I think that's a good slide. That kind of helps you determine from a logical perspective, the direction of which you wanna at allow traffic to traverse. Right? We want to protect our trusted resource is from untrusted entities.