Hello and welcome back to our discussion about operating internetwork trust architectures. Let's take a look at what we're going to cover in the module. Our topics include comparing different internetwork architectures, what's an intranet, what's an extranet, those kinds of discussions. What are one-way trusts, what are two-way trusts and what are transitive trusts? We'll talk in general about the nature of different trust relationships, why they're important, what they imply. And obviously, giving direction on how we manage them and what the implications of a one-way versus a two-way trust scenario may be from an access standpoint, with regard to access control and authentication. As we begin, we'll start by comparing internetwork architectures. You can see on the screen in front of you, we have four different internetwork or network architecture types that we often think about. We have Internet, intranet, extranet, and what's called the DMZ, or the demilitarized zone. The idea with an Internet: we all are using the Internet to do a variety of things today, although we sometimes think of it as the World Wide Web, sometimes as the cloud. We tend to use a lot of these terms interchangeably, but the Internet is going to simply be a very large publicly available network, the World Wide Web being the largest, or the best, most well-known example that we have in the world today, but certainly not the only kind of network of this type. But the Internet is a large publicly accessible network that is available typically from multiple vantage points, multiple access points that people can interact with and use, really with little if any additional capabilities required. They usually don't have to authenticate; more often than not, anonymous access is allowed. On the intranet side, we're thinking about a private internal network that is small by comparison to the Internet. 
You could think of this as being your LAN, your local area network, behind your gateway or border devices. And this would require some sort of authentication on behalf of validated or authorized users, who would have to get into the network through some sort of access control mechanism in order to access resources, and that's the traditional corporate network that we're all familiar with. The extranet is going to be bigger than the intranet but less big, or smaller, than the Internet. And the idea is that it's a secure, externally accessible network that people can get into and use. Typically, again, a corporate network may fall into this category, but extending remote access to users from outside would give them the ability to get to a secure extranet. They do have to authenticate; users will be required to be vetted in some way to gain control of or access to resources in the extranet. But having said that, it is available from outside the corporate entity, meaning publicly available from the outside, with the appropriate level of remote access technology and authentication mechanisms being used. And then the demilitarized zone is often referred to in architectural and design discussions as being the network topology that we use, or the internetwork architecture design that we use, to be able to create a place that is not quite publicly, not quite privately held and available between the external and internal networks. There we will somewhat expose certain resources, making them available in a semi-secure environment, but allow the public to be able to gain access to them under the correct and therefore controlled conditions. So it's a network that sits in front of the intranet, so it is going to be less secure than the Internet, but it is not quite as open, without any safeguards, without any access control mechanisms applied, as the Internet would be. And if you think about sitting between the two, you would see a DMZ. 
Typically the DMZ is going to be fronted by a gateway or a border protection device, more often than not a firewall of some kind. We will then be able to move through the firewall using a set of business rules and logic that will do a comparison test on all inbound traffic requests, looking for matches to allow or deny. And then, based on that, we'll get into the secure middle part of the DMZ, where access is granted but in a restricted way, through the initial front-end firewall. And then if we need really secure, totally controlled access to the intranet, we will see that internally by moving through the back end of the DMZ; again, more security controls, more border protection, more gateway filtering, things of that nature will be applied. And the traffic will be passed through, assuming that the rules allow it to move through from the gateway device, and will be on the inside of the network, typically accessing the intranet. So the DMZ is that space that sits between the two, effectively. As an SSCP, we want to make sure we understand the difference between these terms. You can think of them generically as vocabulary terms; they represent a lot more than that, obviously. But you do want to be able to define them from a vocabulary perspective, have a working definition of maybe a sentence or so, explaining what each term does, or what each term represents, and what it is able to give us in terms of a benefit from a design and security perspective. And if you can then take that working definition in your mind, and turn it around and apply it when necessary, when asked, when questioned about it. Perhaps apply it in some sort of a scenario, if someone paints a picture for you with a word problem and you're asked to choose the most appropriate internetwork architecture to represent the network topology that would be necessary to create the proper design or proper security elements. 
You would be well armed to do that by understanding the definition and having a working example of what each application of this may look like. So if you can do that, then I think you're well on your way to understanding this material and being successful. A typical DMZ, as I described for you just now, would look something like the picture in front of you on the screen. And you could see that the Internet out here at the top of the diagram would be outside and would be available publicly to anybody who wants to get in. You could imagine this being the cloud that we often hear about; that would be the public cloud available outside. Then from here we have the first firewall that represents the initial border, or gateway, into the DMZ. We have some elements sitting in the DMZ network here. These may be web servers, hard to say what they are, but they're probably some sort of remote system that we need to access from outside, but with initial security parameters in place. Then the secondary firewall on the back end here will allow us to understand the back side of the DMZ that faces the internal network. As you can see down here, this would be the intranet, the secure internal network, where we may have domain controllers and may have DNS servers, DHCP servers, file and print, databases, email servers, a variety of different services and the servers that represent them. Along with external, or excuse me, internal users, and the need to be able to use that information securely behind the secondary firewall, that is what the internal intranet network represents. The DMZ is a space between the two where internal users can theoretically reach out and get resources, and external users can theoretically come in and get resources, but we have effectively a stand-off solution where neither group of users is directly connecting to the other, but rather connecting through a common area that is semi-public, semi-private. 
And that's what the DMZ represents, and we just want to make sure we're aware of that, and we're thinking about that as we look at the overall design.
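As an added illustration that is not part of the lecture, here is a small Python model of the two-firewall DMZ just described: each firewall is a first-match rule list with default deny, and a request reaches its destination only if every firewall on its path allows it. The host names, zones and rules are constructed for the example; they are not from any real network.

```python
from dataclasses import dataclass
# Zones in traversal order; BOUNDARY[i] is the firewall between ZONES[i] and ZONES[i + 1].
ZONES = ["internet", "dmz", "intranet"]
BOUNDARY = ["front", "back"]
# Constructed host inventory for the example (not real systems).
HOSTS = {"client-pc": "internet", "web-1": "dmz", "db-1": "intranet", "alice-ws": "intranet"}

@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    src: str     # source host, source zone, or "*"
    dst: str     # destination host, destination zone, or "*"
    port: int    # None matches any port

    def matches(self, src_host, dst_host, port):
        return (self.src in ("*", src_host, HOSTS[src_host])
                and self.dst in ("*", dst_host, HOSTS[dst_host])
                and self.port in (None, port))

# Each firewall is a first-match rule list; anything unmatched is denied.
FIREWALLS = {
    "front": [  # Internet <-> DMZ
        Rule("allow", "internet", "web-1", 443),  # public web server, HTTPS only
        Rule("allow", "intranet", "*", None),     # internal users may reach outward
    ],
    "back": [   # DMZ <-> intranet
        Rule("allow", "web-1", "db-1", 5432),     # only the web tier may query the DB
        Rule("allow", "intranet", "*", None),     # internal users may reach the DMZ
    ],
}

def firewalls_on_path(src_zone, dst_zone):
    # Firewalls a flow crosses, in the order it meets them (none within one zone).
    a, b = ZONES.index(src_zone), ZONES.index(dst_zone)
    step = 1 if b > a else -1
    return [BOUNDARY[min(i, i + step)] for i in range(a, b, step)]

def decide(rules, src_host, dst_host, port):
    # First matching rule wins; no match means deny.
    for rule in rules:
        if rule.matches(src_host, dst_host, port):
            return rule.action
    return "deny"

def evaluate(src_host, dst_host, port):
    # Every firewall on the path must allow; report the first one that blocks.
    for name in firewalls_on_path(HOSTS[src_host], HOSTS[dst_host]):
        if decide(FIREWALLS[name], src_host, dst_host, port) != "allow":
            return "deny", name
    return "allow", None
```

Note that a request from the Internet to the internal database is stopped at the front firewall before the back firewall is ever consulted, while a DMZ web server can reach the database on its one permitted port but cannot reach internal workstations.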