Figure 3-1 Network Segmentation


As Figure 3-1 illustrates, all network resources are segregated by type and value. Assets of greater value to the organization are located deeper within the network and are, therefore, protected by multiple layers of the network. The use of RFC 1918 addressing on internal networks prevents direct attacks from the Internet, because those addresses are not routable on the public Internet, unless the segments are NAT'd at the network perimeter. Additionally, network intrusion prevention systems (IPS) should be deployed liberally at all critical points of the network, host-based intrusion detection systems (IDS) and IPSs should be deployed on critical hosts, and virus protection should be deployed on all hosts.
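The layering principle above can be checked mechanically. The following Python script is an added example, not code from the book: it uses a constructed tier map (segment names, tier numbers and CIDRs are assumptions) and flags internal segments that are not in RFC 1918 space, plus firewall rules that let a flow skip inward past an adjacent layer.

```python
import ipaddress

# Constructed example topology (not from the book). Tier 0 is the Internet;
# higher tiers hold assets of greater value and sit deeper in the network.
SEGMENTS = {
    "internet": {"tier": 0, "cidr": "0.0.0.0/0"},
    "dmz":      {"tier": 1, "cidr": "203.0.113.0/24"},  # public space, NAT'd at the perimeter
    "servers":  {"tier": 2, "cidr": "10.20.0.0/16"},
    "database": {"tier": 3, "cidr": "10.30.0.0/24"},
}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr: str) -> bool:
    """True if the whole prefix lies inside one of the RFC 1918 private ranges."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(p) for p in RFC1918)


def audit_addressing(segments=SEGMENTS):
    """Segments behind the DMZ (tier >= 2) should use RFC 1918 space so they are
    not directly routable from the Internet; return the names that do not."""
    return [name for name, seg in segments.items()
            if seg["tier"] >= 2 and not is_rfc1918(seg["cidr"])]


def audit_rules(rules, segments=SEGMENTS):
    """Each rule is (source_segment, dest_segment, description).
    A permitted flow that jumps more than one tier inward bypasses a protection
    layer, so it is reported. Outbound or same-tier flows are not flagged here."""
    findings = []
    for src, dst, desc in rules:
        hop = segments[dst]["tier"] - segments[src]["tier"]
        if hop > 1:
            findings.append(f"{desc}: {src} -> {dst} skips {hop - 1} layer(s)")
    return findings


if __name__ == "__main__":
    # Constructed rule set: the last two rules violate the layering principle.
    sample_rules = [
        ("internet", "dmz", "public web"),
        ("dmz", "servers", "web to app"),
        ("servers", "database", "app to db"),
        ("dmz", "database", "web direct to db"),
        ("internet", "database", "legacy direct db access"),
    ]
    print("non-private internal segments:", audit_addressing())
    for f in audit_rules(sample_rules):
        print("violation:", f)
```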
