https://www.infra-repository.org/oiar/index.php?action=history&feed=atom&title=GP.Data_Zone_ProtectionGP.Data Zone Protection - Revision history2026-05-02T09:49:27ZRevision history for this page on the wikiMediaWiki 1.40.0https://www.infra-repository.org/oiar/index.php?title=GP.Data_Zone_Protection&diff=942&oldid=prevJan Schoonderbeek: New GP2014-12-19T12:15:50Z<p>New GP</p>
<p><b>New page</b></p><div>{{Maturity|4}}<br />
{{Pageheaderbox4GP<br />
|name=Data Zone Protection<br />
|sector=Core<br />
|version=0.3<br />
|owner=J.A.H. Schoonderbeek<br />
|summary=This Pattern realizes a security separation between different Data Transport zones.<br />
}}<br />
Two or more data transport zones may need to be separated because of different security-related requirements. If this is the case, then traffic from one zone traveling to the other zone needs to be processed so as to satisfy the security requirements imposed by the separation. To this end, this pattern may be employed.<br />
In practice, use of this pattern often leads to use of a firewall device, but as security requirements evolve, so may the realization of this pattern.<br />
{{Pattern Realizes<br />
|service=GS.Data Zone Protection<br />
}}<br />
{{Pattern Graphic<br />
|graphic=GP.Data Zone Protection.png<br />
|size=600px<br />
|title=Data Zone Protection<br />
|kind=Generic<br />
}}<br />
{{Generic Pattern Composition}}<br />
{{Generic Pattern Composition Row<br />
|function=GF.Filtering<br />
|choice=Must<br />
|reason=This function performs the actual filtering of data flowing from one data zone to the other. The filtering is based on criteria that are derived from the security requirements, e.g. "no traffic is allowed from the DMZ to the internal network, with the exeption of ...".<br />
}}<br />
{{Generic Pattern Composition Row<br />
|function=GF.Load Balancing<br />
|choice=May<br />
|reason=Since this Pattern often is used as a chokepoint where all data traffic must go through, it may be necessary to include Load Balancing to provide higher availability of this Pattern.<br />
}}<br />
{{Generic Pattern Composition Row<br />
|function=GF.Data Scanning<br />
|choice=Must<br />
|reason=When filtering based on traffic characteristics does not suffice, filtering based on data (content, deep inspection) may be needed. This can be useful for securing message exchange between zones (e.g. e-mail or SOAP messages), but also for deep inspection in certain protocols. This can for example detect malicious commands inside protocol packets, e.g. SQL injection instructions inside a HTTP request. When data scanning reveals a problem, a fitting action must be undertaken by another function (e.g. the Filter may drop the packet or block the sender, or Monitoring may issue an alert). <br />
}}<br />
{{Generic Pattern Composition Row<br />
|function=GF.Rules Engine<br />
|choice=May<br />
|reason=This function enables the processing of more complex logic, such as the well-known "firewall rules".<br />
<br />
Note that the rules may be stored in the Data Zone Protection facility itself, or outside of it, with deployment to this facility.<br />
}}<br />
{{Generic Pattern Composition Row<br />
|function=GF.Logging<br />
|choice=Must<br />
|reason=Since this Pattern is used for security purposes, this function is required to provide security personnel with the necessary logs for security monitoring and auditing.<br />
}}<br />
{{Generic Pattern Composition Row<br />
|function=GF.Distribution<br />
|choice=May<br />
|reason=Since this Pattern often is used as a chokepoint where all data traffic must go through, it is also a good point to locate Distribution. <br />
}}<br />
{{Generic Pattern Composition Row<br />
|function=GF.Controlling<br />
|choice=Must<br />
|reason=Access to the configuration and operation of this security related Pattern is most always restricted.<br />
}}<br />
{{Table Ending}}<br />
{{Pattern Adjacent Services}}<br />
{{Generic Pattern Adjacent Service Row<br />
|service=GS.Authentication+Authorization<br />
|choice=May<br />
|reason=The Authentication & Authorization Pattern can be linked to this Pattern when this Pattern is to support authorization (and/or authentication), so as to feed the Traffic Filter facility with the results of identity and/or permission validations.<br />
}}<br />
{{Generic Pattern Adjacent Service Row<br />
|service=GS.Facilities Monitoring<br />
|choice=May<br />
|reason=Transport Zone Protection is usually employed to enforce security levels within one or more Data Transport Zones; thus, many events that occur in a Transport Zone Protection facility are of interest to the security officers. This means it is very desirable to have the facility report directly to (a Security instance of) Facilities Monitoring.<br />
}}<br />
{{Table Ending}}<br />
{{Text Footer GP}}</div>Jan Schoonderbeek