
In document Lab Implementation (Page 57-62)

Network segmentation table (columns: Segment ID; Purpose; Physical or Logical; Destination Segments; Reason for Creation)

S1
Purpose: Connectivity
Reason for creation:
• To make policy routing and multihomed ISP connectivity flexible, a border router device is preferred in this location. Security between the Public and Perimeter zones will be enforced with a device that provides the Perimeter Firewall Services role and the application-layer proxy firewall function, and that device also protects S2 from the Public zone. Segments S8 and S9 are connected directly to this border router, but the host services on these segments (proxy and VPN) are hardened. This solution offered higher performance and enabled the organization to plan for growth by adding more segments on the device performing the Border Routing role.

S2
Purpose: Connectivity
Destination segments: S1 and S3
Reason for creation:
• To allow traffic to flow from the device that performs the Border Routing role to the device that performs the Perimeter Firewall Services role. It is a highly secure device that protects the Perimeter zone from unauthorized traffic from the Public zone and blocks any outbound connection initiated by the Perimeter hosts.
• The Contoso enterprise security policy mandated that the physical device that performs the Perimeter Firewall Services role also perform the function of an application-layer proxy firewall to control traffic between the Public and Private security zones.

S3
Purpose: Connectivity and Security
Physical or logical: Logical
Destination segments: S1 and S9
Reason for creation:
• To allow traffic to flow from the device that performs the Border Routing role to the device that performs the Perimeter Firewall Services role for the external VPN and proxy servers.
• This firewall service is a logical service running on the VPN and proxy servers. Inbound traffic is restricted to replies to conversations initiated by the Perimeter or Internal zones, or to secure VPN tunnel traffic from trusted, authenticated sources. Outbound traffic can be sourced from the Internal Client or Corporate zones.

S4
Purpose: Connectivity and Security
Physical or logical: Logical
Destination segments: S2, S5, S6, and S7
Reason for creation:
• To allow traffic to flow from the device performing the Perimeter Firewall Services role to the Perimeter DNS, Perimeter Application, and Perimeter Web tiers through the device that performs the Perimeter Switching role. The organization's security policy mandated that the device that performs the Internal Switching role must be physically separate from the device that performs the Perimeter Switching role.

S Security !ogical S<, S5, and S93

 To allow the ow o0 tra>c #etween the device that %er0orms the *erimeter -irewall Services role and the *erimeter A%%lication tier

(allowing %u#lic access to the tier"+

 To allow tra>c to ow #etween the *erimeter )e# tier and the *erimeter A%%lication tier+

 To allow devices in the *erimeter /anagement tier to connect to the servers in the *erimeter A%%lication tier to remotely administer them+

S6
Purpose: Security
Physical or logical: Logical
Destination segments: S4, S5, and S12
Reason for creation:
• To allow traffic to flow between the device that performs the Perimeter Firewall Services role and the Perimeter Web tier (allowing public access to the tier).
• To allow traffic to flow between the Perimeter Web tier and the Perimeter Application tier.
• To allow devices in the Perimeter Management tier to connect to the servers in the Perimeter Web tier to remotely administer them.

S Security !ogical S< and S93 To allow tra>c to ow #etween the device that %er0orms the *erimeter -irewall Services role and the *erimeter DNS tier (allowing a

*u#lic access to the tier"+

 To allow devices in the *erimeter /anagement tier to connect to the servers in the *erimeter DNS tier to remotely administer them+

S8
Purpose: Security or Connectivity
Physical or logical: Logical
Destination segments: S12 and S14
Reason for creation:
• To allow traffic to flow between the Perimeter Information Infrastructure zone and the Internal Firewall device; the filters allow specific traffic to flow to the Perimeter Application, Web, and DNS tiers for directory services, backups, and management.
• Restricted communication is required between the Perimeter Information Infrastructure zone and specific devices in the Internal zone, which is handled by the Internal Firewall device.

S9
Purpose: Security
Physical or logical: Logical
Destination segments: S3, S10, S11, and S13
Reason for creation:
• To allow outbound traffic to flow from the Client zone to the Public zone.
• To allow inbound traffic from the Public zone (authorized by a certificate) for VPN tunnel creation and to initiate communication to the Internal Access zone.
• To provide for client and site-to-site VPN connectivity.
• To allow traffic initiated from the Internal Proxy tier. No inbound-initiated communication is allowed from the Public zone.

S10
Purpose: Security or Connectivity
Physical or logical: Logical
Destination segments: S9 and S13
Reason for creation:
• To allow traffic to flow from the internal Client zone to the Perimeter Proxy Services zone (outbound initiated only).
• To allow traffic to flow between the internal clients and the tiers in the Corporate Database, Corporate Infrastructure, Corporate Internal Applications, and Corporate Web Services zones.

S11
Purpose: Security or Connectivity
Physical or logical: Logical
Destination segments: S9 and S13
Reason for creation:
• To allow traffic to flow from the Internal Branch Office zone (connected through a secure VPN tunnel) to the Perimeter Proxy Services zone (outbound initiated only).
• To allow traffic to flow between the Internal Clients and the tiers in the Corporate Database, Corporate Infrastructure, Corporate Internal Applications, and Corporate Web Services zones. Note that this segment is a virtual segment; the branch offices are connected physically through the CDC WAN but are connected logically through the VPN tunnel as a semi-trusted client, which provides for the most reasonable connection.

S12
Purpose: Connectivity
Physical or logical: Logical
Destination segments: S5, S6, S7, S8, and S14
Reason for creation:
• To allow traffic to flow between the device that performs the Perimeter Public Switching role and the device that performs the Internal Firewall Services role. All servers in the Perimeter DNS and Perimeter Web tiers route traffic through the device that performs the Perimeter Routing and Switching role if they need to communicate with systems in the Corporate zone. This segment also allows inter-zone traffic between the Perimeter services through the Perimeter Switching role.

S13
Purpose: Connectivity
Physical or logical: Logical
Destination segments: S9, S10, S11, and S14
Reason for creation:
• To allow traffic to flow between the device that performs the Perimeter semi-trusted Switching role and the device that performs the Internal Firewall Services role. All client and branch office traffic to corporate services, as well as corporate communication to the Perimeter Proxy Services and Remote Access zones, will transit this segment.
• The Contoso enterprise security policy mandated that a device that performs at least the function of a stateful packet inspection firewall control network traffic between the Perimeter and Internal zones. In addition, it mandated that the device that performs the Internal Firewall Services role be a dedicated device for this purpose and be physically separate from the device that performs the Perimeter Firewall Services role.

S14
Purpose: Connectivity
Physical or logical: Logical
Destination segments: S12, S13, S15, S16, S17, S18, and S19
Reason for creation:
• To allow traffic to flow between the device performing the Internal Firewall Services role and the device that performs the Internal Switching role. This will include traffic between the Perimeter and the Internal zones. Note that the Contoso enterprise security policy mandated that the device that performs the Internal Switching role must be physically separate from the device that performs the Perimeter Switching function.

S9 $onnectivi ty

!ogical S9<, S9, S9H, and S9=

 To allow tra>c to ow #etween the device that %er0orms the Internal Switching role and the tiers in the $or%orate Data#ase ?one+ This segment services two ?ones ' $or%orate Data#ase and *rivate S1!+ It is a single !AN that has services that re&uire single host'

#ased security lters+

S16
Purpose: Security or Connectivity
Physical or logical: Logical
Destination segments: S14, S15, S17, S18, and S19
Reason for creation:
• To allow traffic to flow between the device that performs the Internal Switching role and the Corporate Management zone.

S9 Security or

$onnectivi ty

!ogical S9<, S9, S95, S9H, and S9=

 To allow tra>c to ow #etween the device that %er0orms the Internal Switching role and the $or%orate In0rastructure ?one+ This

segment carries the ty%ical client tra>c to this ?one and carries the certication and authentication tra>c 0or the *erimeter Remote Access ?one+ This segment services two ?ones'$or%orate In0rastructure and

$or%orate Access+ It is a single !AN that has services that re&uire single host'#ased

security lters+

 To allow tra>c to ow #etween the device that %er0orms the Internal Switching role and the $or%orate Internal A%%lications ?one+

Segm ent ID

*ur%ose *hysical or

!ogical

Destinatio n

Segments

Reason 0or $reation

re&uired to

minimi?e the num#er o0 devices to #e managed in the enter%ris e+

S19
Purpose: Security or Connectivity
Physical or logical: Logical. The connection is between two devices that Contoso owns. It is required to minimize the number of devices to be managed in the enterprise.
Destination segments: S14, S15, S16, S17, and S18
Reason for creation:
• To allow traffic to flow between the device that performs the Internal Switching role and the Corporate Web Services zone.

Table 1. Network Segmentation Information for the CDC Scenario
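The Destination Segments column of Table 1 is, in effect, an adjacency list, so the design intent it encodes can be checked mechanically. The following Python script is an added example and not part of the lab document: it builds the segment graph from the table's own data and runs three checks a reviewer would want before signing off on the design: every listing should be reciprocal (row a lists b, so row b should list a), S14 must be a choke point (removing it leaves every Corporate segment, S15 to S19, unreachable from the border segment S1), and with the firewall-crossing links removed the Public side should reach nothing beyond S2 and S3. The S1 row's destination list and the S18 row's identifier and destinations are missing from this extract, so those two segments appear only where other rows reference them. Which links count as firewall crossings (S2 to S4, S3 to S9, and S8, S12 and S13 into S14) is inferred from the Reason for Creation column and is an assumption of the example.

```python
"""Segmentation checks over the Table 1 adjacency (added example, not lab code)."""
from collections import defaultdict, deque

# Destination Segments column of Table 1. The S1 row's list and the S18 row's
# identifier/destinations are missing from the extract, so S1 and S18 appear
# only as targets of other rows.
TABLE1_DESTINATIONS = {
    "S2": ["S1", "S3"],
    "S3": ["S1", "S9"],
    "S4": ["S2", "S5", "S6", "S7"],
    "S5": ["S4", "S6", "S12"],
    "S6": ["S4", "S5", "S12"],
    "S7": ["S4", "S12"],
    "S8": ["S12", "S14"],
    "S9": ["S3", "S10", "S11", "S13"],
    "S10": ["S9", "S13"],
    "S11": ["S9", "S13"],
    "S12": ["S5", "S6", "S7", "S8", "S14"],
    "S13": ["S9", "S10", "S11", "S14"],
    "S14": ["S12", "S13", "S15", "S16", "S17", "S18", "S19"],
    "S15": ["S14", "S17", "S18", "S19"],
    "S16": ["S14", "S15", "S17", "S18", "S19"],
    "S17": ["S14", "S15", "S16", "S18", "S19"],
    "S19": ["S14", "S15", "S16", "S17", "S18"],
}

# Links across which a firewall role stands (assumption drawn from the Reason for
# Creation column): S2-S4 is the Perimeter Firewall, S3-S9 the host-based firewall
# on the VPN/proxy servers, and every link into S14 the Internal Firewall.
FIREWALL_LINKS = {
    frozenset({"S2", "S4"}): "Perimeter Firewall Services",
    frozenset({"S3", "S9"}): "host-based firewall on VPN/proxy servers",
    frozenset({"S8", "S14"}): "Internal Firewall Services",
    frozenset({"S12", "S14"}): "Internal Firewall Services",
    frozenset({"S13", "S14"}): "Internal Firewall Services",
}
BORDER = "S1"               # segment facing the Public zone / ISPs
INTERNAL_FW_SIDE = "S14"    # internal side of the Internal Firewall
CORPORATE = {"S15", "S16", "S17", "S18", "S19"}


def build_graph(destinations):
    """Undirected adjacency: a listing in either row creates the link."""
    graph = defaultdict(set)
    for seg, peers in destinations.items():
        for peer in peers:
            graph[seg].add(peer)
            graph[peer].add(seg)
    return graph


def asymmetric_listings(destinations):
    """(a, b) pairs where row a lists b but row b does not list a: table lint."""
    return sorted(
        (a, b)
        for a, peers in destinations.items()
        for b in peers
        if a not in destinations.get(b, ())
    )


def reachable(graph, start, blocked_nodes=frozenset(), blocked_links=frozenset()):
    """Breadth-first reachability that may skip given nodes and/or links."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt in seen or nxt in blocked_nodes:
                continue
            if frozenset({node, nxt}) in blocked_links:
                continue
            seen.add(nxt)
            queue.append(nxt)
    return seen


def corporate_reachable_bypassing_internal_fw(graph):
    """Corporate segments reachable from the border with S14 removed: must be empty."""
    return reachable(graph, BORDER, blocked_nodes={INTERNAL_FW_SIDE}) & CORPORATE


def reachable_without_crossing_firewalls(graph):
    """What the border can touch without crossing a firewall link: expect only S2, S3."""
    return reachable(graph, BORDER, blocked_links=set(FIREWALL_LINKS)) - {BORDER}


def perimeter_side_of_internal_fw(graph):
    """Perimeter-side neighbours of S14; each should be a firewall-facing segment."""
    return {n for n in graph[INTERNAL_FW_SIDE] if n not in CORPORATE}


if __name__ == "__main__":
    g = build_graph(TABLE1_DESTINATIONS)
    print("segments:", len(g))
    print("one-sided listings:", asymmetric_listings(TABLE1_DESTINATIONS))
    print("Corporate reachable with S14 removed:", corporate_reachable_bypassing_internal_fw(g))
    print("reachable without crossing a firewall:", reachable_without_crossing_firewalls(g))
    print("perimeter side of Internal Firewall:", perimeter_side_of_internal_fw(g))
```

The lint check is the one that earns its keep on this table: besides the pairs explained by the lost S1 and S18 rows, it reports that S4 lists S2 while S2 does not list S4, and that S16 lists S15 while S15 does not list S16. Both choke-point checks pass, which is the property the policy statements in S13 and S14 are meant to guarantee: no path from the Public zone into the Corporate zones exists that does not cross the Internal Firewall.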

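The rule that recurs in the S3, S9 and S13 entries, that traffic arriving from the Public zone is accepted only as a reply to a conversation opened from the Perimeter or Internal side (or as VPN tunnel traffic from an authenticated source), is a stateful packet inspection rule rather than a static port filter. As an added illustration, not the lab's own code, the following Python block implements that rule as a minimal connection-tracking filter and runs it over a constructed packet trace. Zone names follow the table; the packet layout, the 5-tuple used as the conversation key, the UDP/500 port used for tunnel setup and the `cert_ok` flag that stands in for "authorized by a certificate" are assumptions of the example.

```python
"""Stateful 'outbound-initiated only' filter (added example, not lab code)."""
from dataclasses import dataclass

INSIDE = {"Internal", "Perimeter"}   # zones allowed to open conversations
VPN_PORT = 500                        # assumed: UDP port for VPN tunnel setup


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary carrying only the fields the policy needs."""
    zone: str          # zone the packet arrives from: "Public", "Perimeter", "Internal"
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    cert_ok: bool = False   # stands in for 'authorized by a certificate' on VPN setup


class StatefulFilter:
    """Tracks conversations by 5-tuple; who initiated decides the verdict."""

    def __init__(self):
        self.flows = set()   # keys of conversations that were allowed to start

    @staticmethod
    def key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reverse_key(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p):
        if self.key(p) in self.flows or self.reverse_key(p) in self.flows:
            return "ACCEPT established"          # part of a tracked conversation
        if p.zone in INSIDE:
            self.flows.add(self.key(p))          # Perimeter/Internal may initiate
            return "ACCEPT new (outbound)"
        if p.proto == "udp" and p.dport == VPN_PORT and p.cert_ok:
            self.flows.add(self.key(p))          # VPN tunnel from an authenticated source
            return "ACCEPT new (vpn)"
        return "DROP unsolicited inbound"        # everything else arriving from Public


def run_trace(packets):
    """Apply one filter instance to a packet sequence and return the verdicts."""
    fw = StatefulFilter()
    return [fw.decide(p) for p in packets]


# Constructed trace modelled on the S9 policy (addresses are documentation ranges).
TRACE = [
    Packet("Internal", "10.0.0.5", 40001, "203.0.113.9", 443),           # client opens HTTPS
    Packet("Public", "203.0.113.9", 443, "10.0.0.5", 40001),             # server's reply
    Packet("Public", "203.0.113.9", 443, "10.0.0.5", 40002),             # 'reply' to no conversation
    Packet("Public", "198.51.100.7", 1234, "192.0.2.1", 80),             # unsolicited inbound
    Packet("Public", "198.51.100.7", 500, "192.0.2.1", 500, "udp", cert_ok=True),  # VPN, authenticated
    Packet("Public", "198.51.100.8", 500, "192.0.2.1", 500, "udp"),                # VPN, no certificate
    Packet("Public", "198.51.100.7", 500, "192.0.2.1", 500, "udp"),                # same tunnel, tracked
]

if __name__ == "__main__":
    for p, verdict in zip(TRACE, run_trace(TRACE)):
        print(f"{p.zone:9} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.proto}: {verdict}")
```

Two points the trace makes explicit: the verdict depends on the zone the packet arrives from, i.e. the interface, not on its source address, so an inside-initiated conversation exists only if its first packet arrived on the inside; and the certificate is consulted only when the tunnel is set up, after which the tunnel's packets are accepted as established, which is why the authenticated source's second packet passes without the flag while the unauthenticated source's packet is dropped.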

Appendix: Address Allocation Information
