Your company is implementing a webserver as an intranet portal. Which of the following least aligns with the Zero Trust principles? (Wentz QOTD)
A. Implement HTTPS to support the end-to-end transmission.
B. Put the webserver in the demilitarized zone (DMZ) of the firewall.
C. Install a gateway between the clients and the webserver to monitor and record traffic.
D. Close all firewall ports and require port knocking techniques to open ports dynamically.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. Put the webserver in the demilitarized zone (DMZ) of the firewall.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
Firewall zones are network segments isolated by a physical network perimeter; this is the traditional castle-and-moat security model. A zone is a specific network location, and so is the DMZ. Zero Trust, however, does not rely on network location to enforce security: a request earns no inherent trust because of where it originates. A Zero Trust architecture instead uses micro-segmentation to isolate resources at the level of the data and workloads themselves, through a logical or software-defined perimeter.
NIST Tenets of Zero Trust
- All data sources and computing services are considered resources
- All communication is secured regardless of network location.
- Access to individual enterprise resources is granted on a per-session basis.
- Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets. No asset is inherently trusted.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.
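To make the contrast between a location-based zone and the tenets above concrete, here is an added illustration (not code from the original post, and not an implementation from NIST): a toy policy decision point that evaluates the same portal request under a castle-and-moat rule, which trusts any client on the internal subnet, and under a Zero Trust rule, which ignores the source address and decides per session from the observable state of the identity, the device posture and the transport. The subnet, user, roles and the entitlement table are constructed sample values.

```python
"""Toy policy decision point: perimeter (network-location) trust versus
per-session Zero Trust evaluation. Added illustration only; the subnet,
users, roles and entitlements below are constructed, not real."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple
import ipaddress

# Constructed sample values: a fictional internal subnet and the portal resource.
INTERNAL_SUBNET = ipaddress.ip_network("10.10.0.0/16")
PORTAL = "intranet-portal"

# Hypothetical entitlement table: which roles may reach which resource.
ENTITLEMENTS = {PORTAL: {"employee", "contractor"}}


@dataclass
class AccessRequest:
    """Observable state available to the policy engine for one session."""
    source_ip: str
    resource: str
    user: Optional[str] = None        # None means the client never authenticated
    mfa_verified: bool = False
    device_compliant: bool = False    # posture attestation from an endpoint agent (assumed)
    tls: bool = False                 # transport secured end to end
    roles: FrozenSet[str] = field(default_factory=frozenset)


def perimeter_policy(req: AccessRequest) -> bool:
    """Castle-and-moat rule: trust is implied by network location alone.
    Anything that reaches the internal zone is allowed through."""
    return ipaddress.ip_address(req.source_ip) in INTERNAL_SUBNET


def zero_trust_policy(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Per-session decision from identity, asset posture and transport.
    The source address is deliberately never consulted; the decision is
    recomputed for every session rather than cached by location."""
    reasons: List[str] = []
    if not req.tls:
        reasons.append("communication not secured")
    if req.user is None or not req.mfa_verified:
        reasons.append("identity not strongly authenticated")
    if not req.device_compliant:
        reasons.append("asset posture not verified")
    allowed_roles = ENTITLEMENTS.get(req.resource, set())
    if not (req.roles & allowed_roles):
        reasons.append("no entitlement for resource")
    return (not reasons, reasons)


# Constructed: an unauthenticated client sitting on the LAN, e.g. a compromised
# printer, which a location-based rule would wave through.
LAN_UNAUTHENTICATED = AccessRequest(source_ip="10.10.5.23", resource=PORTAL)

# Constructed: a remote employee over TLS with MFA on a compliant laptop, which
# a location-based rule would reject despite every tenet being satisfied.
REMOTE_VERIFIED = AccessRequest(
    source_ip="203.0.113.8", resource=PORTAL, user="alice",
    mfa_verified=True, device_compliant=True, tls=True,
    roles=frozenset({"employee"}),
)


def compare(req: AccessRequest) -> dict:
    """Run both rules over one request so the divergence is visible."""
    zt_allowed, zt_reasons = zero_trust_policy(req)
    return {
        "perimeter_allows": perimeter_policy(req),
        "zero_trust_allows": zt_allowed,
        "zero_trust_reasons": zt_reasons,
    }


if __name__ == "__main__":
    for label, req in (("LAN, unauthenticated", LAN_UNAUTHENTICATED),
                       ("remote, verified", REMOTE_VERIFIED)):
        print(label, compare(req))
```

The LAN request is allowed by the perimeter rule and denied by the Zero Trust rule on four counts; the remote request is denied by the perimeter rule and allowed by the Zero Trust rule. The point is not the specific checks but that `source_ip` plays no role in `zero_trust_policy`, which is exactly why placing the portal in a DMZ adds nothing to a Zero Trust design.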
Zero Trust as Access Control 2.0
Your company is implementing a web server as an intranet portal. Which of the following least aligns with Zero Trust principles? (Wentz QOTD)
B. Put the web server in the demilitarized zone (DMZ) of the firewall.