Page 815 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

               subnets between the private network and the internet separated by
               firewalls. Each subsequent firewall has more stringent filtering rules to
               restrict traffic to only trusted sources. The outermost subnet is usually
               a DMZ. A middle subnet can serve as a transaction subnet where
               systems needed to support complex web applications in the DMZ
               reside. The third, or back-end, subnet can support the private network.
               This architecture is the most secure of these options; however, it is
               also the most complex to design, implement, and manage.
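To make the tiered filtering concrete, here is an added Python model of the three-firewall layout described above (example code, not from the study guide); the zone names follow the text, while the rule sets and port numbers are assumed for illustration.

```python
from dataclasses import dataclass

# Zones ordered from least to most trusted; one firewall sits between
# each adjacent pair (constructed example topology, not from the book).
ZONES = ["internet", "dmz", "transaction", "backend"]


@dataclass(frozen=True)
class Rule:
    src: str   # zone the traffic originates in
    dst: str   # zone the traffic is destined for
    port: int  # TCP destination port


# Rule sets for the three firewalls, outermost first. Each set permits
# only what the tier directly behind it needs, so the sets grow more
# stringent as traffic moves inward (ports are assumed for the example).
FIREWALLS = [
    {Rule("internet", "dmz", 443), Rule("internet", "dmz", 80)},  # border
    {Rule("dmz", "transaction", 8443)},                           # middle
    {Rule("transaction", "backend", 5432)},                       # inner
]


def firewalls_on_path(src: str, dst: str) -> list:
    """Return the firewalls an inbound flow must traverse, walking inward."""
    i, j = ZONES.index(src), ZONES.index(dst)
    if i >= j:
        raise ValueError("example models only inbound (less to more trusted) flows")
    return FIREWALLS[i:j]


def path_allowed(src: str, dst: str, port: int) -> bool:
    """A flow is permitted only if every firewall on its path has a rule
    allowing that exact source zone, destination zone and port. Because
    each rule set is scoped to adjacent tiers, a flow that tries to skip a
    tier (e.g. internet straight to backend) is dropped at the border."""
    for fw in firewalls_on_path(src, dst):
        if not any(r.src == src and r.dst == dst and r.port == port for r in fw):
            return False
    return True


def is_progressively_stringent() -> bool:
    """Check the design property from the text: no inner firewall permits
    more flows than the firewall in front of it."""
    return all(len(FIREWALLS[k + 1]) <= len(FIREWALLS[k])
               for k in range(len(FIREWALLS) - 1))
```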


               Endpoint Security


               Endpoint security is the concept that each individual device must
               maintain local security whether or not its network or
               telecommunications channels also provide or offer security.
               Sometimes this is expressed as “the end device is responsible for its
               own security.” However, a clearer perspective is that any weakness in a
               network, whether on the border, on a server, or on a client, presents a
               risk to all elements within the organization.

               Traditional security has depended on network border sentries, such as
               appliance firewalls, proxies, centralized virus scanners, and even
               IDS/IPS/IDP solutions, to provide security for all of the interior nodes
               of a network. This is no longer considered best business practice
               because threats exist from within as well as without. A network is only
               as secure as its weakest element.

               Lack of internal security is even more problematic when remote access
               services, including dial-up, wireless, and VPN, might allow an external
               entity (authorized or not) to gain access to the private network without
               having to go through the border security gauntlet.

               Endpoint security should therefore be viewed as an aspect of the effort
               to provide sufficient security on each individual host. Every system
               should have an appropriate combination of a local host firewall, anti-
               malware scanners, authentication, authorization, auditing, spam
               filters, and IDS/IPS services.


               Secure Operation of Hardware


               You’ll use numerous hardware devices when constructing a network.