5. Is there an authoritative directory?
6. The type of remote access available to the new combined network
Now for the opposite scenario. Your corporation has just sold a company or division. Review the same points in reverse. You may need to completely isolate the networks.
1. What access points to the Internet are/were in common?
2. How many DMZs does each company created from the split have?
3. What protocols are being used on each network?
4. What directories are being used to authenticate users?
5. Was there an authoritative directory?
6. What type of remote access is available to the new network?
So far in the discussion we have talked about a trusted network as a single entity in a company. This is not always true. In a large enterprise or multinational company, there can be many trusted networks, and these networks do not necessarily trust each other. Due to individual country laws and requirements you may need to isolate your trusted network, and you may even separate your networks via mini-DMZs. The common term for this is "zones and perimeters." Security zones define the areas that need to be protected. Each zone may have different security requirements. The zones may be within a perimeter area that protects all zones or specific
Now you may be saying, "I don't have a DMZ or a trusted network."
No problem: all that means is that we have a lot of work ahead of us. So
let's move on to the next phase: initial risk analysis and the determination of
whether you need a DMZ or a trusted network.
2.4 Risk analysis
We have reviewed the business and the network. At this stage in the process
we will combine the information we have collected, which will give us a
high-level snapshot of our organization and our network.
Look at each business statement that you created from the "Identify the
Core Business" section. Identify each point where security could be an issue
or a concern.
[Figure 2.3: diagram with labels "Perimeter #1" and "Perimeter #2"]
Example: The Company has been in business for 12 years and has 7000
employees. It has 600 parts distributors to which it sells Widgets. The
Company also has 22 vendors that supply raw materials. The Company has
few direct sales customers. Selling directly to the parts distributors generates
the most sales for the Company.
In this example we have several areas of concern.
7000 employees: security training awareness. What are the definitions of trust with each group of employees?
22 vendors: what is the trust level of these vendors? Do the vendors need to have direct access to the systems on the trusted network?
Parts distributors: how does the company communicate with the parts distributors? Is encrypted mail used? Are secure web pages
