Now, the final section of this chapter is going to be discussing the topic of access controls.
The job of access controls is to mitigate some of the risks of the attacks that we talked about in the last section.
This is not a comprehensive list. All the way throughout this course, we've talked about risks and ways to mitigate them.
We haven't necessarily called it risk management, but that's what we're doing.
When we talk about choosing the right type of cable or understanding the vulnerabilities of a protocol, that's risk management.
The controls we implement are often access controls.
Let's take a look at some of the ways to mitigate some of our issues.
The first, and to me the most important, is network segmentation.
The premise of network segmentation is to keep untrusted entities away from your trusted assets.
Trusted assets are the things you want to protect: your network authentication server, mail server, web server, internal client systems, your data, all your trusted resources.
When I say trusted resources, I mean the resources that are in your environment, in your production, under your care, so we have trust in them.
Now the outside world is untrusted. The Internet is a bad neighborhood. You want to stay away from that.
We don't want to allow access from untrusted to trusted. However, sometimes you have to, and that's why we segment our network.
One of the ways we might segment our network is to add a DMZ, a demilitarized zone. We talked about this in earlier chapters. The whole purpose of a demilitarized zone is to have a network that's off my internal network and separate from my trusted resources.
But it still is under my ownership and management.
It contains those resources that I want the public to have access to.
We consider that to be semi-trusted. I manage it, but because I'm allowing the general public to access the network, it's not fully trusted.
In that DMZ, I have resources like a web server.
This is also where I'm going to put my web proxy or my web application firewall, because I always want to keep the protection as close to the resources as possible.
I might have honeypots in the DMZ, intrusion detection systems, but at any rate, I create that network segmentation either through a router or, more likely, a firewall.
To access that DMZ, you go through a firewall; to move from the DMZ into my internal network, you go through a firewall.
That's what network segmentation is all about: separating systems, usually based on layers of trust, or to control bandwidth or broadcasts.
Separating my network into many network subnets can be done with a router, or, as we've talked about in the network infrastructure section, it can be done with a VLAN on a switch.
The really important element, and the principle of security here, is to keep untrusted entities away from your trusted resources.
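As an added example, not part of the lecture, here is a small Python model of the three-zone layout just described: the untrusted Internet, the semi-trusted DMZ with the web server behind it, and the trusted internal network, with a firewall at each boundary. The zone names, the address ranges (RFC 5737 / RFC 1918 documentation space), the rule set and the sample flows are all constructed for this example; the `decide` function applies the rules first-match with a default deny, and `render_nft` shows how each rule would read as an nftables-style line.

```python
"""Constructed model of firewall-enforced network segmentation (example code, not from the course)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed zone definitions. Anything outside these ranges is treated as the Internet.
ZONES = {
    "dmz": ip_network("203.0.113.0/24"),   # semi-trusted, public-facing segment
    "internal": ip_network("10.0.0.0/8"),  # trusted internal network
}


def zone_of(addr: str) -> str:
    """Map an address to its trust zone; unknown space is the untrusted outside world."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None means any destination port
    action: str             # "allow" or "deny"


# Constructed policy, evaluated top to bottom, first match wins.
POLICY = [
    Rule("internet", "dmz", "tcp", 443, "allow"),       # public reaches the web server / WAF in the DMZ
    Rule("internet", "dmz", "tcp", 80, "allow"),
    Rule("internet", "internal", "any", None, "deny"),  # untrusted never reaches trusted directly
    Rule("dmz", "internal", "tcp", 5432, "allow"),      # web tier may reach the database on one port only
    Rule("dmz", "internal", "any", None, "deny"),       # everything else from the DMZ inward is blocked
    Rule("internal", "dmz", "any", None, "allow"),      # trusted side may manage and use DMZ services
    Rule("internal", "internet", "any", None, "allow"),
]


def decide(src: str, dst: str, proto: str = "tcp", dport: Optional[int] = None) -> str:
    """Return 'allow' or 'deny' for a flow crossing a zone boundary (default deny)."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "allow"  # same segment: the boundary firewall is not in the path
    for rule in POLICY:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.proto in ("any", proto)
                and rule.dport in (None, dport)):
            return rule.action
    return "deny"  # nothing matched: untrusted-to-trusted is blocked by default


def render_nft(rule: Rule) -> str:
    """Render one policy rule as an illustrative nftables-style match line."""
    everything_we_own = ", ".join(str(net) for net in ZONES.values())
    parts = []
    if rule.src_zone in ZONES:
        parts.append(f"ip saddr {ZONES[rule.src_zone]}")
    else:
        parts.append(f"ip saddr != {{ {everything_we_own} }}")  # the Internet is "not ours"
    if rule.dst_zone in ZONES:
        parts.append(f"ip daddr {ZONES[rule.dst_zone]}")
    else:
        parts.append(f"ip daddr != {{ {everything_we_own} }}")
    if rule.proto != "any" and rule.dport is not None:
        parts.append(f"{rule.proto} dport {rule.dport}")
    parts.append("accept" if rule.action == "allow" else "drop")
    return " ".join(parts)


def audit(flows):
    """Evaluate a list of (src, dst, proto, dport) tuples; returns the decision for each."""
    return [(flow, decide(*flow)) for flow in flows]


if __name__ == "__main__":
    # Constructed sample flows: an Internet client, the DMZ web server, an internal client, a database.
    sample = [
        ("198.51.100.7", "203.0.113.10", "tcp", 443),  # Internet -> DMZ web server
        ("198.51.100.7", "10.0.5.5", "tcp", 443),      # Internet -> internal host
        ("203.0.113.10", "10.0.5.5", "tcp", 5432),     # DMZ web server -> internal database
        ("203.0.113.10", "10.0.5.5", "tcp", 22),       # DMZ web server -> internal SSH
        ("10.0.1.1", "203.0.113.10", "tcp", 22),       # internal admin -> DMZ
    ]
    for flow, verdict in audit(sample):
        print(f"{zone_of(flow[0]):>8} -> {zone_of(flow[1]):<8} {flow[2]}/{flow[3]}: {verdict}")
    print("\n".join(render_nft(r) for r in POLICY))
```

The two `deny` rules make the lecture's point concrete: the only paths from a less-trusted zone into a more-trusted one are the ones listed explicitly, and the web server sitting in the DMZ can reach exactly one internal port, so compromising it does not give free access to the trusted network.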