2.5 Segmentation and Access Control Flashcards

(3 cards)

1
Q

Segmenting the network

A
  • Physical, logical, or virtual segmentation
    –Devices, VLANs, virtual networks
  • Performance
    –High-bandwidth applications
  • Security
    –Users should not talk directly to database servers
    –The only applications in the core are SQL and SSH
  • Compliance
    –Mandated segmentation (PCI compliance)
    –Makes change control much easier
2
Q

Access control lists (ACLs)

A
  • Allow or disallow traffic
    –Groupings of categories
    –Source IP, destination IP, port number, time of day, application, etc.
  • Restrict access to network devices
    –Limit by IP address or other identifier
    –Prevent regular user / non-admin access
  • Be careful when configuring these
    –You can accidentally lock yourself out
  • List the permissions
    –Bob can read files
    –Fred can access the network
    –James can access network 192.168.1.0/24 using TCP ports 80, 443, and 8088
  • Many operating systems use ACLs to provide access to files
    –A trustee and the access rights allowed
    –Application allow list / deny list
3
Q

Examples of allow and deny lists

A
  • Decisions are made in the operating system
    –Often built into the operating system's management tools
  • Application hash
    –Only allows applications with this unique identifier
  • Certificate
    –Allow digitally signed apps from certain publishers
  • Path
    –Only run applications in these folders
  • Network zone
    –The apps can only run from this network zone