Page 807 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
that rarely or never communicate are located in other segments. Routers are often used to divide broadcast domains, which can significantly improve performance on larger networks.
Reducing Communication Problems
Network segmentation often reduces congestion and contains communication problems, such as broadcast storms, to individual subsections of the network.
Providing Security
Network segmentation can also improve security by isolating traffic and user access to those segments where they are authorized.
Segments can be created by using switch-based VLANs, routers, or firewalls, individually or in combination. A private LAN or intranet, a DMZ, and an extranet are all types of network segments.
When you’re designing a secure network (whether a private network, an intranet, or an extranet), you must evaluate numerous networking devices. Not all of these components are necessary for a secure network, but they are all common network devices that may have an impact on network security.
Network Access Control
Network Access Control (NAC) is a concept of controlling access to an environment through strict adherence to and implementation of security policy. The goals of NAC are as follows:
Prevent/reduce zero-day attacks
Enforce security policy throughout the network
Use identities to perform access control
The goals of NAC can be achieved through the use of strong, detailed security policies that define all aspects of security control, filtering, prevention, detection, and response for every device from client to server and for every internal or external communication. NAC acts as an automated detection and response system that can react in real time to stop threats as they occur and before they cause damage or a breach.
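As an added illustration (not code from the study guide), the following Python models the two mechanisms described above: an identity- and posture-based NAC admission decision that places an endpoint into the segment it is authorized for or into a quarantine VLAN, and an inter-segment filter of the kind a router or firewall would enforce between an intranet, a DMZ, and an extranet. The role mapping, VLAN IDs, posture checks, and flow allowlist are all assumed policy values.

```python
from dataclasses import dataclass

# Segment names follow the chapter (private intranet, DMZ, extranet) plus a
# quarantine segment for non-compliant endpoints; VLAN IDs are assumed values.
SEGMENT_VLAN = {"intranet": 10, "dmz": 20, "extranet": 30, "quarantine": 999}

# Identity-to-segment mapping (assumed policy): the segment each authenticated
# role is authorized to join.
ROLE_SEGMENT = {"employee": "intranet", "partner": "extranet", "server": "dmz"}

# Inter-segment allowlist (assumed policy); any flow not listed is dropped.
ALLOWED_FLOWS = {("intranet", "dmz"), ("extranet", "dmz"), ("dmz", "dmz"),
                 ("intranet", "intranet"), ("extranet", "extranet")}

@dataclass
class Endpoint:
    identity: str        # authenticated user/device name (e.g. from 802.1X)
    role: str            # "employee", "partner", "server", or anything unknown
    av_current: bool     # posture facts reported by the endpoint agent
    patched: bool
    disk_encrypted: bool

def posture_failures(ep: Endpoint) -> list[str]:
    """Names of the security-policy checks the endpoint fails (empty = compliant)."""
    checks = {"antivirus": ep.av_current, "patch-level": ep.patched,
              "disk-encryption": ep.disk_encrypted}
    return [name for name, ok in checks.items() if not ok]

def admit(ep: Endpoint) -> tuple[str, int, list[str]]:
    """NAC admission decision: identity selects the segment, posture can veto it.
    Returns (segment, vlan, reasons). Re-running it on fresh posture data is the
    real-time re-evaluation the text describes."""
    if ep.role not in ROLE_SEGMENT:          # unknown identity: never a trusted segment
        return "quarantine", SEGMENT_VLAN["quarantine"], ["unknown-identity"]
    failures = posture_failures(ep)
    if failures:                             # non-compliant: isolate until remediated
        return "quarantine", SEGMENT_VLAN["quarantine"], failures
    seg = ROLE_SEGMENT[ep.role]
    return seg, SEGMENT_VLAN[seg], []

def flow_allowed(src_seg: str, dst_seg: str) -> bool:
    """Segment filter (router/firewall ACL): quarantined hosts reach nothing."""
    if src_seg == "quarantine":
        return False
    return (src_seg, dst_seg) in ALLOWED_FLOWS
```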