Jan Schoonderbeek: link fix

2013-01-16T15:01:55Z

link fix

← Older revision		Revision as of 15:01, 16 January 2013
Line 50:		Line 50:
	}}		}}
	{{Pattern_Type_Adjacent_PAT_Row		{{Pattern_Type_Adjacent_PAT_Row
	\|pattern=PAT.~~Security Management + Auditing~~		\|pattern=PAT.Facilities Monitoring
	\|choice=may		\|choice=may
	\|reason=Transport Zone Protection is usually employed to enforce security levels within one or more Data Transport Zones; thus, many events that occur in a Transport Zone Protection facility are of interest to the security officers. This means it is very desirable to have the facility report directly to Security ~~Management & Auditing~~.		\|reason=Transport Zone Protection is usually employed to enforce security levels within one or more Data Transport Zones; thus, many events that occur in a Transport Zone Protection facility are of interest to the security officers. This means it is very desirable to have the facility report directly to (a Security instance of) Facilities Monitoring.
	}}		}}
	{{Pattern_Type_Adjacent_PAT_Row		{{Pattern_Type_Adjacent_PAT_Row

Jan Schoonderbeek: start

2012-11-11T23:22:21Z

start

New page

{{Maturity|3}}
{{Pageheaderbox4PatternType
|PATname=Data Zone Protection
|summary=Controls and secures data exchange between two data transport zones
|version=0.2
|owner=J.A.H. Schoonderbeek
|sector=Infrastructure Sector Core
}}
Two or more data transport zones may need to be separated because of different security-related requirements. If this is the case, then traffic from one zone traveling to the other zone needs to be processed so as to satisfy the security requirements imposed by the separation. To this end, this pattern may be employed.<br>
In practice, use of this pattern often leads to use of a firewall device, but as security requirements evolve, so may the realization of this pattern.
{{PAgraphic
|graphic=PAT.Data Zone Protection.png
|source=Pattern Types.vsd
|size=500px
|title=Protected Link graphic
|kind=Type
}}
{{Pattern Type Composition}}
{{Pattern Type Composition Row
|facility=BT.Traffic Filtering
|choice=must
|reason=This facility performs the actual filtering of traffic flowing from one data zone to the other. The filtering is based on rules that are derived from the security requirements, e.g. "no traffic is allowed from the DMZ to the internal network, with the exeption of ...". Note that the storage of these rules call for a Permission Store, and execution of the rules is in fact Permission Validation.
}}
{{Pattern Type Composition Row
|facility=BT.Data Scanning
|choice=may
|reason=When filtering based on traffic characteristics is not enough, filtering based on data (content, deep inspection) may be needed. This can be useful for securing message exchange between zones (e.g. e-mail or SOAP messages), but also for deep inspection in certain protocols. This can for example detect malicious commands inside protocol packets, e.g. SQL injection instructions inside a HTTP request. When data scanning reveals a problem, a fitting action must be undertaken by another facility (e.g. the Traffic Filter may drop the packet or block the sender, or Monitoring may issue an alert).
}}
{{Pattern Type Composition Row
|facility=BT.Control Interface
|choice=may
|reason=If there's a need to describe the interfacing with Traffic Filtering (e.g. by administrators, or maybe end users), then this function can be used for that.
}}
{{Pattern Type Composition Row
|facility=BT.Distribution
|choice=may
|reason=Since this Pattern often is used as a chokepoint where all data traffic must go through, it is also a good point to locate Distribution.
}}
{{Pattern Type Composition Row
|facility=BT.Load Balancing
|choice=may
|reason=Since this Pattern often is used as a chokepoint where all data traffic must go through, it may be necessary to include Load Balancing to provide higher availability of this Pattern.
}}
{{Table Ending}}
{{Pattern Type Neighbors}}
{{Pattern_Type_Adjacent_PAT_Row
|pattern=PAT.Data Transport
|choice=must
|reason=While Data Transport usually serves to link the facilities within a Pattern, in this case it also serves as the customer for this Pattern: Transport Zone Protection sits between two or more Data Transport Zones.
}}
{{Pattern_Type_Adjacent_PAT_Row
|pattern=PAT.Security Management + Auditing
|choice=may
|reason=Transport Zone Protection is usually employed to enforce security levels within one or more Data Transport Zones; thus, many events that occur in a Transport Zone Protection facility are of interest to the security officers. This means it is very desirable to have the facility report directly to Security Management & Auditing.
}}
{{Pattern_Type_Adjacent_PAT_Row
|pattern=PAT.Authentication+Authorization
|choice=may
|reason=The Authentication & Authorization Pattern can be linked to this Pattern when this Pattern is to support authorization (and/or authentication), so as to feed the Traffic Filter facility with the results of identity and/or permission validations. By "permission validation" we also understand the execution of rules such as the well-known "firewall rules".<br>
Note that the rules that the Traffic Filter employs can be stored in a Permission Store within this Pattern, although most implementations of a Traffic Filter do not require Identity Validation/an Identity Store.
}}
{{Table Ending}}
{{PATfooter}}

PAT.Data Zone Protection - Revision history

Jan Schoonderbeek: link fix

Jan Schoonderbeek: start