Trust is the relationship between two or more network entities that are permitted to communicate. Security policy decisions are largely based on this premise of trust. If you are trusted, you are allowed to communicate as needed. However, at times security controls need to apply restraint to trust relationships by limiting access to the designated privilege level. Trust relationships can be explicit or implied by the organization. Some trust relationships can be inherited or passed down from one system to another. However, keep in mind that these trust relationships can also be abused.

Domains of Trust

Domains of Trust are a way to group network systems that share a common policy or function. Network segments have different trust levels, depending on the resources they are securing. When applying security controls within network segments, it is important to consider the trust relationships between the segments. Keep in mind that customers, partners, and employees each have their unique sets of requirements from a security perspective that can be managed independently with Domains of Trust classifications. When Domains of Trust are managed in this way, consistent security controls within each segment can be applied.

Figure 13-7 shows two examples of Trust Domains with varying levels of trust segmented. The lighter shading indicates internal higher security and more secure networks and the darker areas represent less secure areas and lower security.

Figure 13-7 Domains of Trust

Example A

Example B

' I Internet

Internal Servers

Example B

Trust levels such as the internal network can be very open and flexible, whereas the outside needs to be considered unsafe and thus needs strong security to protect the resources. Table 13-3 shows different levels of trust, going from low to high.

Table 13-3 Domains of Trust: Risks from Low to High



Safeguards Required

Production to lab

Low risk

ACLs and network monitoring

Headquarters to branch (IPsec VPN)

Medium risk

Authentication, confidentiality, integrity concerns, ACLs, route filtering

Inside (private) to outside (public)

High risk

Stateful packet inspection, intrusion protection (IPS), security monitoring

Was this article helpful?

0 0

Post a comment