Access Controls and Network Segmentation

00:00

Now, the final section of this chapter is going to be discussing the topic of access controls.

00:05

The job of access controls is to mitigate some of the risks of the attacks that we talked about in the last section.

00:11

This is not a comprehensive list

00:13

all the way throughout this course. We've talked about risks and ways to mitigate them.

00:17

You haven't necessarily called at risk management, but that's what we're doing.

00:21

We talk about choosing the right type of cable or understanding the vulnerabilities of a protocol that's risk management.

00:27

The controls we implement are often access controls.

00:32

Let's take a look at some of the ways to mitigate some of our issues.

00:35

The first into me. The most important is network segmentation.

00:39

The premise of network segmentation is to keep untrusted entities away from your trusted assets.

00:45

Trusted assets are the things you want to protect. This is your network authentication server, mail server, Web server, internal client systems, your data, all your trusted resources

00:57

when I say that your trusted resources that are in your environment under your production under your care so we have a trust.

01:03

Now the outside world is untrusted. The Internet is a bad neighborhood. You want to stay away from that.

01:10

We don't want to allow access from untrusted, and he trusted. However, sometimes you have to, and that's why we segment our network.

01:17

One of the ways we might segment our network is to allow a DMZ a demilitarized zone. We talked about this in the earlier chapters. The whole purpose of a demilitarized zone is to have a network that's off my internalised network and separate from my trusted resources.

01:32

But it still is under my ownership and management.

01:36

It contains those resources that I want the public to have access to.

01:38

We consider that to be semi trusted. I manage it. But because I'm allowing the general public to access the network, it's not fully trusted

01:47

in that Dems. I have resources like a Web server.

01:51

This is also where I'm going to put my Web proxy or my Web application firewall, because I always want to keep the protection as close to the resources possible.

01:59

Might have honey pots in the DMZ intrusion detection systems, but at any rate, I create that network segmentation either through a router or, more likely, a firewall

02:08

to access that domain you go through a firewall to move the Dems into my internal network, you go through a firewall.

02:15

That's what network segmentation is all about. Separating systems usually based on layers of trust or controllable band with a broadcast

02:23

separating my network into many network subnets can be done with a router. Or as we've talked about in the network infrastructure section, it can be done with a virtual Eliana switch.