2.4 Network Security Models Flashcards

1
Q

Perimeter-based security

A

Mainframe computers could be accessed by only a relatively limited number of remote job entry (RJE) terminals that were directly connected in physically secured areas.

2
Q

Why perimeter-based security is insufficient

A
  • Fails to account for the ability of sophisticated cyberthreats to penetrate perimeter defenses.
  • Malicious users can gain access to the internal network and sensitive resources by using stolen credentials.
3
Q

The primary issue with perimeter-based network security

A

The assumption that everything on the internal network can be trusted.

4
Q

Shortcomings of the broken trust model (such as port-based firewalls)

A
Unable to:

  • Definitively distinguish good applications from bad ones.
  • Adequately account for encrypted application traffic.
  • Accurately identify and control users.
  • Filter allowed traffic not only for known application-borne threats but also for unknown ones.
5
Q

Zero Trust security

A

Essential security capabilities are deployed in a way that provides policy enforcement and protection for all users, devices, applications, data resources, and the communications traffic between them, regardless of location.

6
Q

Benefits of implementing a Zero Trust network

A
  • Clearly improved effectiveness in mitigating data loss.
  • Greater efficiency for achieving and maintaining compliance with security and privacy mandates.
  • Improved ability to securely enable transformative IT initiatives.
  • Lower total cost of ownership with a consolidated and fully integrated security operating platform.
7
Q

Core Zero Trust design principles

A
  • Ensure that all resources are accessed securely, regardless of location.
  • Adopt a least privilege strategy and strictly enforce access control.
  • Inspect and log all traffic.
8
Q

Main components of a Zero Trust conceptual architecture

A
  • Zero Trust Segmentation Platform
  • Trust zones (micro core and perimeter, MCAP)
  • Management infrastructure (centralized management)
9
Q

Zero Trust Segmentation Platform

A

Network segmentation gateway used to define internal trust boundaries.

Ability to:

  • Enable secure network access
  • Granularly control traffic flow to and from resources
  • Continuously monitor allowed sessions for any threat activity
10
Q

Key Zero Trust criteria and capabilities

A
  • Secure access
  • Inspection of all traffic
  • Least privilege access control
  • Cyberthreat protection
  • Coverage for all security domains
11
Q

Implementing a Zero Trust design

A
  1. Collect traffic flows
  2. Define trust zones and incrementally establish corresponding trust boundaries based on relative risk and/or sensitivity.
    - Deploy devices in appropriate locations to establish internal trust boundaries for defined trust zones.
    - Configure the appropriate enforcement and inspection policies
  3. Establish trust zones and boundaries for other segments.
    - IT management
    - Partner resources (B2B)
    - High-profile customer-facing resources and connections (B2C)
    - Branch offices in risky countries
    - Guest access network
    - Campus networks