Network Security Zones

Before you start

Objectives: Learn about the different types of network security zones and when they are used.

Prerequisites: no prerequisites.

Key terms: intranet, extranet, LAN, private network, DMZ, NAT


Security Zone

A security zone is a portion of a network that has a specific set of security requirements. Security zones are usually separated by traffic control devices such as firewalls or routers. Examples of security zones are intranets, extranets, demilitarized zones (DMZs), and virtual local area networks (VLANs).

An intranet is a private network that provides services for internal use only.

An extranet is a privately controlled network located between the Internet and a private network. It is often used to grant resource access to business partners, customers, or similar users outside our organization.

A DMZ is a border network that is partially protected and accessible both from the Internet and from the private LAN, while access from the DMZ into the private network is prevented. The DMZ provides an additional layer of protection between the Internet and the LAN, and it usually hosts resources such as web, FTP, or e-mail servers. A DMZ is often bordered by a firewall on both sides: access from the Internet to the DMZ is allowed by the outer firewall with only limited restrictions, whereas access into the LAN is highly restricted by the second, inner firewall. Another way to deploy a DMZ is to use a single firewall with a third interface; that third interface serves the DMZ.

Virtual LANs are created using switches. VLANs split a broadcast domain into multiple sub-domains, which decreases the broadcast traffic between network segments. Access between VLANs is restricted using routers, in the same way as between subnets or distinct networks. VLANs can be used to create logical LANs regardless of the physical location of our computers. VLANs also reduce the attack surface for network sniffers inside the network, because traffic stays confined to the VLAN it belongs to.

Network Address Translation (NAT)

When talking about security zones, we also have to understand the concept of NAT. NAT allows us to design a network in which the internal network configuration is hidden from the public. It also allows large organizations and large networks to provide Internet access without using a large number of public IP addresses (public IP addresses have to be leased from an Internet Service Provider). NAT lets us use private IP addresses on our private network while still granting that network access to the Internet: the private addresses are converted to public addresses whenever communication with the Internet is requested. A NAT router translates between a public address and a private address and port number, and in that way allows a private network to share a single public IP address.

There are three classes or ranges of private IP addresses:

  • Class A is 10.0.0.0/8
  • Class B is 172.16.0.0/12
  • Class C is 192.168.0.0/16
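
As an added example (not from the original text), the following Python models the three-interface DMZ firewall described in the Security Zone section together with the private address ranges listed above: it classifies an address into the LAN, DMZ or Internet zone and applies the zone-pair policy. The DMZ subnet, the published service ports and the deny-by-default rule for DMZ hosts reaching the Internet are constructed assumptions.

```python
# Added example: zone classification plus a zone-pair policy for a
# single firewall with a third (DMZ) interface. Not code from the page.
import ipaddress

# The three private ranges listed on the page form the LAN side.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed assumption: the DMZ interface uses this documentation subnet.
DMZ_NET = ipaddress.ip_network("203.0.113.0/24")

# Constructed assumption: services the DMZ publishes (web, mail, FTP as in the text).
DMZ_PUBLIC_PORTS = {80, 443, 25, 21}


def zone_of(ip: str) -> str:
    """Return the security zone an address belongs to: LAN, DMZ or INTERNET."""
    addr = ipaddress.ip_address(ip)
    if addr in DMZ_NET:
        return "DMZ"
    if any(addr in net for net in PRIVATE_RANGES):
        return "LAN"
    return "INTERNET"


def allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Zone-pair policy: the DMZ is reachable from both sides, the LAN from
    neither the DMZ nor the Internet. Intra-zone traffic is not filtered."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True
    if src == "INTERNET" and dst == "DMZ":
        # Outer firewall: only the published services, nothing else.
        return dst_port in DMZ_PUBLIC_PORTS
    if src == "LAN":
        # LAN hosts may reach both the DMZ and the Internet.
        return True
    if dst == "LAN":
        # Inner firewall: nothing from the DMZ or the Internet reaches the LAN.
        return False
    # DMZ -> Internet is not described on the page; deny by default (assumption).
    return False
```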

A related topic to NAT is Port Address Translation (PAT). In this case, the ports themselves are translated from the internal request to the external request. NAT and IPSec are incompatible, since NAT alters the packet headers (it changes the source and destination addresses); because of that, IPSec communication across a NAT server is impossible.

Proxy server

A proxy server is a border device that serves several functions. It improves performance by caching content. It can also perform a level of access control for Internet services and applications, and it can filter content based on access rules, keywords, protocols, and even domain names. In many cases, a proxy server will also perform NAT.