Network enclave

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
Enclave Network

A Network Enclave is a section of an internal network that is subdivided from the rest of the network.[1][2]


The purpose of a network enclave is to limit internal access to a portion of a network. It is necessary when the set of resources differs from those of the general network surroundings.[3][4] Typically, network enclaves are not publicly accessible. Internal accessibility is restricted through the use of internal firewalls, VLANs, network admissions control and VPNs.[5]


Network Enclaves consist of standalone assets that do not interact with other information systems or networks. A major difference between a DMZ or demilitarized zone and a network enclave is a DMZ allows inbound and outbound traffic access, where firewall boundaries are traversed. In an enclave, firewall boundaries are not traversed. Enclave protection tools can be used to provide protection within specific security domains. These mechanisms are installed as part of an Intranet to connect networks that have similar security requirements.[6]

DMZ within Enclave[edit]

A DMZ can be established within an enclave to host publicly accessible systems. The ideal design is to build the DMZ on a separate network interface of the enclave perimeter firewall. All DMZ traffic would be routed through the firewall for processing and the DMZ would still be kept separate from the rest of the protected network.


  1. ^ "Protected Enclaves Defense-in-Depth". Retrieved 2015-10-08.
  2. ^ "Term:Enclave - FISMApedia". Retrieved 2015-10-08.
  3. ^ "Page not found | Where Trust is Key!". Archived from the original on 2013-02-13. Retrieved 2015-10-08. Cite uses generic title (help)
  4. ^ Rome, James. "Enclaves and Collaborative Domains" (PDF). Enclaves and Collaborative Domains.
  5. ^ "Protected Enclaves Defense-in-Depth". Retrieved 2015-10-08.