User:Tony Voyce

Network Enclave
A network enclave is a section of an internal network that is subdivided from the rest of the network. Its purpose is to limit internal access to a portion of the network. An enclave is needed when the resources it holds differ from those of the surrounding network. Network enclaves are typically not publicly accessible, and internal access to them is restricted through internal firewalls, VLANs, network admission control and VPNs.

Scenarios
Network enclaves consist of standalone assets that do not interact with other information systems or networks. The major difference between a DMZ (demilitarized zone) and a network enclave is that a DMZ allows inbound and outbound traffic, so firewall boundaries are traversed; in an enclave, firewall boundaries are not traversed. Enclave protection tools can be used to provide protection within specific security domains. These mechanisms are installed as part of an intranet to connect networks that have similar security requirements.

DMZ within Enclave
A DMZ can be established within an enclave to host publicly accessible systems. The ideal design is to build the DMZ on a separate network interface of the enclave perimeter firewall. All DMZ traffic is then routed through the firewall for processing, and the DMZ is still kept separate from the rest of the protected network.
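As an added example (not part of the original page), the following Python models the perimeter firewall described above: the DMZ on its own interface, and a check that no effective rule lets traffic from the external or DMZ zone cross into the enclave interior. The zone names, interface names and rule sets are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of an enclave perimeter firewall with three interfaces,
# the DMZ on its own interface as recommended above. Zone names are assumed.
ZONE_INTERFACE = {"external": "eth0", "dmz": "eth1", "enclave": "eth2"}

@dataclass(frozen=True)
class Rule:
    src: str             # source zone
    dst: str             # destination zone
    port: Optional[int]  # None matches any destination port
    action: str          # "allow" or "deny"

def is_allowed(rules, src, dst, port):
    """First-match evaluation; implicit deny when no rule matches."""
    for r in rules:
        if r.src == src and r.dst == dst and r.port in (None, port):
            return r.action == "allow"
    return False

def boundary_crossings(rules, ports=range(1, 65536)):
    """Effective, not textual, check: which flows from the untrusted zones
    into the enclave does the rule set actually permit? -> sorted (src, port)."""
    return sorted((src, p) for src in ("external", "dmz") for p in ports
                  if is_allowed(rules, src, "enclave", p))

def dmz_on_own_interface(zone_interface=ZONE_INTERFACE):
    """The DMZ must not share a firewall interface with the enclave interior."""
    return zone_interface["dmz"] != zone_interface["enclave"]

# Constructed policies. SOUND keeps the enclave boundary closed. LEAKY lets a
# DMZ host reach a database inside the enclave, and carries an allow that sits
# after the deny-all, so a textual scan would over-report it.
SOUND = [
    Rule("external", "dmz", 443, "allow"),
    Rule("dmz", "external", 443, "allow"),
    Rule("external", "enclave", None, "deny"),
    Rule("dmz", "enclave", None, "deny"),
]
LEAKY = [
    Rule("external", "dmz", 443, "allow"),
    Rule("dmz", "enclave", 3306, "allow"),
    Rule("external", "enclave", None, "deny"),
    Rule("dmz", "enclave", None, "deny"),
    Rule("external", "enclave", 22, "allow"),  # shadowed: never matches
]
```

Running `boundary_crossings(LEAKY)` reports only the DMZ-to-enclave database flow, because the trailing external allow is shadowed by the deny-all and never takes effect.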

Vulnerability Assessments
A mixture of vulnerability assessments and continuing self-assessments can be used to verify that the enclave's controls remain effective. Potential activities include:
 * Operate and maintain online automated vulnerability assessment tools for each server on the network, including systems managed remotely by another organization.
 * Conduct penetration tests to test enclave security.
 * Deploy, install, and provide training for enclave security tools that support the Enclave Security Architecture.