Security Boundaries

admin, May 15, 2022, 01:03:05

A security boundary is the line of intersection between any two areas, subnets, or environments that have different security requirements or needs. A security boundary exists between a high-security area and a low-security one, such as between a LAN and the internet. It is important to recognize the security boundaries both on your network and in the physical world. Once you identify a security boundary, you must deploy mechanisms to control the flow of information across that boundary. 

Divisions between security areas can take many forms. For example, objects may have different classifications. Each classification defines what functions can be performed by which subjects on which objects. The distinction between classifications is a security boundary.

Security boundaries also exist between the physical environment and the logical environment. To provide logical security, you must provide security mechanisms that are different from those used to provide physical security. Both must be present to provide a complete security structure, and both must be addressed in a security policy. However, they are different and must be assessed as separate elements of a security solution. 

Security boundaries, such as a perimeter between a protected area and an unprotected one, should always be clearly defined. It’s important to state in a security policy the point at which control ends or begins and to identify that point in both the physical and logical environments. Logical security boundaries are the points where electronic communications interface with devices or services for which your organization is legally responsible. In most cases, that interface is clearly marked, and unauthorized subjects are informed that they do not have access and that attempts to gain access will result in prosecution. 

The security perimeter in the physical environment is often a reflection of the security perimeter of the logical environment. In most cases, the area for which the organization is legally responsible determines the reach of a security policy in the physical realm. This can be the walls of an office, the walls of a building, or the fence around a campus. In secured environments, warning signs are posted indicating that unauthorized access is prohibited and that attempts to gain access will be thwarted and result in prosecution.

When transforming a security policy into actual controls, you must consider each environment and security boundary separately. Simply deduce what available security mechanisms would provide the most reasonable, cost-effective, and efficient solution for a specific environment and situation. However, all security mechanisms must be weighed against the value of the objects they are to protect. Deploying countermeasures that cost more than the value of the protected objects is unwarranted. 

Originally published on the WeChat official account 网络安全等保测评: Security Boundaries
