2.4 Risk analysis 49
5. Is there an authoritative directory?
6. The type of remote access available to the new combined network
Now for the opposite scenario. Your corporation has just sold a company or division. Review the same points in reverse. You may need to completely isolate the networks.
1. What access points to the Internet are/were in common?
2. How many DMZs did each company create from the split?
3. What protocols are being used on each network?
4. What directories are being used to authenticate users?
5. Was there an authoritative directory?
6. What type of remote access is available to the new network?
So far in the discussion we have talked about a trusted network as a single entity in a company. This is not always true. In a large enterprise or multinational company, there can be many trusted networks, and those networks do not necessarily trust one another. Due to individual country laws and requirements you may need to isolate your trusted network, and you may even separate your networks via mini-DMZs. The common term for this is "zones and perimeters." Security zones define the areas that need to be protected. Each zone may have different security requirements. The zones may be within a perimeter area that protects all zones or specific
Now you may be saying, "I don't have a DMZ or a trusted network." No problem; all that means is that we have a lot of work ahead of us. So let's move on to the next phase: initial risk analysis and the determination of whether you need a DMZ or a trusted network.
2.4 Risk analysis
We have reviewed the business and the network. At this stage in the process we will combine the information we have collected, which will give us a high-level snapshot of our organization and our network.
Look at each business statement that you created from the "Identify the Core Business" section. Identify each point where security could be an issue or a concern.
Chapter 2