
Topologies and IDS • Chapter 7  439

                 the protected network. To manage this situation, the firewall permits only systems
                 on the protected network to initiate connections to the financial segment; the
                 financial systems cannot open connections in the other direction, and only the
                 replies belonging to sessions opened from the protected side are allowed back. This
                 prevents an attacker who compromises the financial segment from directly reaching
                 the protected network. On the other hand, if the financial system must receive real-
                 time transmissions or data from the computers on the protected network, the
                 financial systems have to be able to initiate those communications. In that case, if
                 a compromise occurs, the attacker can use the financial systems to attack the
                 protected network through those same channels. It is always preferable that DMZ
                 systems not initiate connections into more secure areas, and that systems with
                 higher security requirements initiate those network connections instead. Keep this
                 in mind as you design your network segments and the processes that drive your site.
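                 The following is an added example, not from the study guide, that models the rule just described: a zone-based stateful policy in which a connection may only be initiated from a higher-security zone toward a lower-security zone, reply traffic is admitted only for sessions opened in that direction, and any "upward" channel (such as a real-time feed from the financial segment into the protected network) must be an explicit exception. The zone names, ranks, addresses, ports and packets are all constructed for the example; the final scenario shows that the explicit exception is exactly the channel a compromised financial host could reuse.

```python
"""Zone-based stateful policy model (added example, not the book's code).

Rule under test: initiation is allowed only from a more secure zone toward a
less secure one; replies are accepted only for flows the firewall saw opened
that way; anything else needs an explicit exception.
"""
from dataclasses import dataclass

# Assumed security ranking for the example: higher number = more trusted.
ZONE_RANK = {"internet": 0, "dmz": 1, "financial": 2, "protected": 3}


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True for a connection-initiating packet (TCP SYN without ACK)


class ZoneFirewall:
    def __init__(self, exceptions=()):
        # exceptions: (src_zone, dst_zone, dport) tuples explicitly allowed
        # to initiate toward a more secure zone, e.g. a real-time data feed.
        self.exceptions = set(exceptions)
        # Flows (src, sport, dst, dport) that were opened in a permitted direction.
        self.established = set()

    def evaluate(self, pkt):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if not pkt.syn:
            # Non-initiating packet: admitted only if it belongs to a flow that
            # was opened in a permitted direction (either side of it).
            if flow in self.established or reverse in self.established:
                return "ACCEPT (established)"
            return "DROP (no matching state)"
        # Connection initiation: compare the security ranks of the two zones.
        if ZONE_RANK[pkt.src_zone] > ZONE_RANK[pkt.dst_zone]:
            self.established.add(flow)
            return "ACCEPT (initiated from more secure zone)"
        if (pkt.src_zone, pkt.dst_zone, pkt.dport) in self.exceptions:
            self.established.add(flow)
            return "ACCEPT (explicit exception)"
        return "DROP (initiation toward more secure zone)"


def run_demo():
    """Constructed traffic: a protected-side client, a financial server, and a
    compromised financial host attempting to reach the protected network."""
    # Hypothetical addresses for the example.
    protected_host, financial_db = "10.1.0.5", "10.2.0.10"

    # First firewall: no exceptions, protected network initiates everything.
    fw = ZoneFirewall()
    decisions = [
        # 1. Protected client opens a database session into the financial segment.
        fw.evaluate(Packet("protected", "financial", protected_host, 40001,
                           financial_db, 1433, syn=True)),
        # 2. Financial server replies on that session: allowed by state.
        fw.evaluate(Packet("financial", "protected", financial_db, 1433,
                           protected_host, 40001, syn=False)),
        # 3. Compromised financial host tries SMB toward the protected client: dropped.
        fw.evaluate(Packet("financial", "protected", financial_db, 51000,
                           protected_host, 445, syn=True)),
    ]

    # Second firewall: the financial system must push a real-time feed into the
    # protected network, so an explicit exception on port 5000 is configured.
    fw_feed = ZoneFirewall(exceptions=[("financial", "protected", 5000)])
    decisions.append(
        # 4. That same channel is now usable by an attacker on the financial host.
        fw_feed.evaluate(Packet("financial", "protected", financial_db, 52000,
                                protected_host, 5000, syn=True))
    )
    return decisions


if __name__ == "__main__":
    for i, d in enumerate(run_demo(), 1):
        print(i, d)
```

                 The point of the last scenario is the caveat in the text: every exception that lets a lower-security segment initiate into a higher one is a path an attacker inherits on compromise, so such exceptions should be few, narrowly scoped to a port and peer, and monitored.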


                 TEST DAY TIP

                      The phrase store-and-forward refers to a method of delivering transmis-
                      sions in which the messages are temporarily held by an intermediary
                      before being sent on to their final destination. Some switches and many
                      e-mail servers use the store-and-forward method for data transfer.






                 EXAM WARNING

                      DMZ design is covered on the Security+ exam. You must know the basics
                      of DMZ placement and what components the DMZ divides.




                    In large installations, these segments may vary in placement, number, and/or
                 implementation, but this serves to generally illustrate the ideas behind the process.
                 An actual implementation may vary from this design. For example, an administrator
                 may wish to place all the financial processing systems on the protected network.
                 This is acceptable as long as the requisite security tools are in place to adequately
                 secure the information. I have also seen implementations that place the business
                 information systems off an extension of the DMZ, as well as discrete DMZ segments
                 for development and testing. Specific technical requirements will impact actual
                 deployment, so administrators may find that what they currently have in place on a
                 network (or the need for a future solution) may deviate from the diagrams shown
                 earlier. The bottom line is to ensure that systems are protected.



                                                                              www.syngress.com