Classification of Network Zones

Hello all, is there any specific document which provides best practices as to network zone classifications, with a clear distinction between the Enterprise and Intranet zones, i.e. what makes these two zones different and why is it worthwhile to create a distinction between the two? One may argue that the Intranet is considered to be an extension of the enterprise zone, so one might as well combine these two zones into one. Does COBIT DS5.10 - Network Security go into that detail?
(Unrated)

Comments

RE: Classification of Network Zones

COBIT5 would not be this granular. It is a management and governance framework, not specific controls. As you mention, an intranet should still be part of an Enterprise's internal network. Within an internal network you can have as many zones as you need to have without going crazy on it. COBIT5 for Info Sec (http://www.isaca.org/COBIT/Pages/Information-Security-Product-Page.aspx) is more detailed guidance on Information Security but still not this specific. Within the COBIT5 processes document you can look generally at DSS01.04 and DSS05.05, which mention the word "zone."

Here is some more prescriptive guidance on zoning/network segmentation:

- CIS CSC 12 and 14 - specifically 14.1.
- NIST: https://ics-cert.us-cert.gov/Standards-and-References#estab
- http://dx.doi.org/10.6028/NIST.SP.800-125B
- SP 800-53 rev 4 - see SC-7 and its enhancements, specifically (13), and SC-3 enhancement (1).

What you are running into is a security architecture discussion. I would discuss with your security architect.

Regards, Andy
AndrewGill663Lively at 8/11/2017 12:59:35 PM
(1 ratings)

RE: Classification of Network Zones

Thanks Andrew.
Robert271Social at 8/12/2017 6:04:16 AM
(Unrated)

RE: Classification of Network Zones

What you need is the logical Security Zone Model. This can be found in the Security Architecture space. There is the:

- Controlled Zone for the Infrastructure nodes
- Restricted Zone for application nodes
- Secured Zone for Storage nodes

Other zones like Uncontrolled, Partner and User connect to the Controlled zones for access to one of the three main zones.
D'LionKingSocial at 9/11/2017 9:03:31 AM
(Unrated)

RE: Classification of Network Zones

Take a data-centric approach on network architecture zones. You can do it by defining "trust" and "untrust" based on inbound and outbound interfaces. For example, if you have this PCI-DSS 3.2 access policy, "Restrict access from internet to card holder data", start looking for interfaces and classify internet, DMZ and PCI internal interfaces.
sunnydhabhaiLively at 10/8/2017 4:54:55 AM
(Unrated)
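An added example (not from any poster in this thread) that puts the two suggestions above together: the zone names come from the Controlled/Restricted/Secured model, firewall interfaces are classified into those zones as the last reply advises, and each permit rule is checked against the zone policy so that a rule allowing internet straight to cardholder data is flagged. The adjacency (each inner zone reachable only from the zone in front of it), the interface names and the ruleset are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Which zone may initiate sessions into which zone; anything not listed is denied.
# Uncontrolled/Partner/User reach only Controlled, and deeper zones are reached
# only through the zone in front of them (Controlled -> Restricted -> Secured).
ALLOWED_FLOWS = {
    "Uncontrolled": {"Controlled"},
    "Partner": {"Controlled"},
    "User": {"Controlled"},
    "Controlled": {"Restricted"},
    "Restricted": {"Secured"},
    "Secured": set(),
}

# Constructed interface-to-zone map, following the "classify interfaces" advice;
# "pci-internal" is the interface in front of cardholder data.
INTERFACE_ZONE = {
    "outside": "Uncontrolled",
    "dmz": "Controlled",
    "app": "Restricted",
    "pci-internal": "Secured",
}

@dataclass(frozen=True)
class Rule:
    name: str
    in_iface: str   # interface the session arrives on
    out_iface: str  # interface the session leaves on
    action: str     # "permit" or "deny"

def flow_allowed(src_zone: str, dst_zone: str) -> bool:
    """True if the zone model lets src_zone initiate sessions into dst_zone."""
    return src_zone == dst_zone or dst_zone in ALLOWED_FLOWS.get(src_zone, set())

def audit_rules(rules, iface_zone=INTERFACE_ZONE):
    """Names of permit rules whose interface-to-interface flow the model forbids."""
    violations = []
    for r in rules:
        src, dst = iface_zone[r.in_iface], iface_zone[r.out_iface]
        if r.action == "permit" and not flow_allowed(src, dst):
            violations.append(r.name)
    return violations

# Constructed ruleset; the last rule is the "internet to cardholder data" case.
SAMPLE_RULES = [
    Rule("web-in", "outside", "dmz", "permit"),
    Rule("dmz-to-app", "dmz", "app", "permit"),
    Rule("app-to-db", "app", "pci-internal", "permit"),
    Rule("mgmt-shortcut", "outside", "pci-internal", "permit"),
]
```

Running `audit_rules(SAMPLE_RULES)` returns only the name of the rule that lets the Uncontrolled zone reach the Secured zone directly; the same check can be run against an exported ruleset once each firewall interface has been assigned a zone.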
