Determining Windows 2000 Network Security Strategies


Creating Secure Boundaries

Network security between your organization and the outside world depends on one or more servers on which you implement network security technologies. These servers sit logically on the boundary between your organization and the outside world, and the application servers that provide services to the outside world are often in the same physical location.

One approach to maximizing the security of these servers is to place them in a separate, dedicated segment of your network infrastructure. This segment is often called a demilitarized zone (DMZ). The firewall (discussed in the next section) has an additional network adapter that directs traffic to the DMZ based on the set of addresses assigned to that segment. Figure 17.2 shows this relationship.

Within the DMZ, you can ensure that servers have no access to corporate resources. If a security breach does occur on one of those servers, the perpetrators cannot then move on to other computers within your intranet.
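The zone-based filtering described above (one firewall adapter per zone, traffic classified by the address ranges assigned to each zone, and no path from DMZ hosts into the intranet) can be modelled as an ordered rule set with a default deny. The following is an added example, not code from the original page or from Microsoft. The address ranges, rule set and function names are assumptions chosen for illustration, and the model is stateless, whereas a real firewall also tracks connection state so that replies to permitted connections are accepted. It goes slightly beyond the text by adding an audit check that flags any rule which would let a DMZ host open a connection into the intranet, taking rule order into account.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed address plan (not from the page): one range per firewall adapter.
# 10.0.0.0/8 stands in for the corporate intranet; 192.0.2.0/24 (an RFC 5737
# documentation range) stands in for the DMZ. Anything else is the Internet.
ZONES = {
    "intranet": [ipaddress.ip_network("10.0.0.0/8")],
    "dmz": [ipaddress.ip_network("192.0.2.0/24")],
}


def zone_of(addr: str) -> str:
    """Classify an address by the ranges assigned to each zone."""
    ip = ipaddress.ip_address(addr)
    for zone, nets in ZONES.items():
        if any(ip in net for net in nets):
            return zone
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any port
    action: str              # "allow" or "deny"

    def matches(self, src_zone: str, dst_zone: str, proto: str, dst_port: int) -> bool:
        return (self.src_zone == src_zone
                and self.dst_zone == dst_zone
                and self.proto in ("any", proto)
                and self.dst_port in (None, dst_port))


# Assumed policy: first matching rule wins; anything unmatched is denied.
# The DMZ hosts publish web services to the Internet and nothing else.
POLICY: List[Rule] = [
    Rule("internet", "dmz", "tcp", 80, "allow"),
    Rule("internet", "dmz", "tcp", 443, "allow"),
    Rule("dmz", "intranet", "any", None, "deny"),   # a breached DMZ host cannot reach the intranet
    Rule("intranet", "internet", "any", None, "allow"),
]


def evaluate(policy: List[Rule], src: str, dst: str, proto: str, dst_port: int) -> str:
    """Return the action the firewall takes for a connection attempt."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for rule in policy:
        if rule.matches(src_zone, dst_zone, proto, dst_port):
            return rule.action
    return "deny"   # implicit default deny


def dmz_isolation_findings(policy: List[Rule]) -> List[Rule]:
    """Audit check: return every rule that would let a DMZ host open a
    connection into the intranet. Rule order matters: an 'allow' placed
    after a blanket DMZ->intranet 'deny' is unreachable and is not reported."""
    findings = []
    for rule in policy:
        if rule.src_zone == "dmz" and rule.dst_zone == "intranet":
            if rule.action == "allow":
                findings.append(rule)
            elif rule.proto == "any" and rule.dst_port is None:
                break   # blanket deny shadows everything after it
    return findings


if __name__ == "__main__":
    # Constructed sample traffic: an Internet client, a DMZ web server,
    # and an intranet file server.
    samples = [
        ("198.51.100.7", "192.0.2.10", "tcp", 80),   # public web request into the DMZ
        ("192.0.2.10", "10.1.2.3", "tcp", 445),      # breached DMZ host probing the intranet
        ("198.51.100.7", "10.1.2.3", "tcp", 80),     # Internet straight into the intranet
        ("10.1.2.3", "198.51.100.7", "tcp", 443),    # intranet user browsing out
    ]
    for src, dst, proto, port in samples:
        print(f"{src} -> {dst}:{port}/{proto}: {evaluate(POLICY, src, dst, proto, port)}")
    print("isolation findings:", dmz_isolation_findings(POLICY))
```

The audit function is the check to run whenever the rule set changes: a single misplaced allow rule ahead of the DMZ-to-intranet deny is exactly the kind of small, improperly made change that opens a path from a compromised DMZ host into the intranet.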

Figure 17.2    A Demilitarized Zone

The DMZ, like all internal network components, must be physically secured against public access. This ensures that no one, not even one of your employees, can weaken your security by rearranging cabling or by using logged-in accounts.

You do not have to physically separate the DMZ from other computers and networking equipment. However, because of its critical role in your network security, it is appropriate to apply special policies and procedures to the DMZ. The smallest change, made improperly, can be enough to create a breach that intruders can take advantage of. Therefore, it must be impossible for unqualified staff to change the DMZ, and applying additional physical security to it ensures that this is the case.



Caution

Carefully secure your client computers and accounts to ensure that only authorized users can use them to access your network. If you cannot physically secure a client computer, then make certain that the accounts used on it have few privileges and that you use file encryption, secured screen savers, and other local security strategies.

© 1985-2000 Microsoft Corporation. All rights reserved.