Network Security Zones

For IT Professionals

Brown's Redesigned Network

The Information Security Group (ISG) worked closely with the Network Technology Group (NTG) in a new design for Brown's network, one that would ensure a more robust, secure and reliable infrastructure.

In the new design, the network is segmented by a handful of firewalls, each with rules written to best protect the populations and data that lie between it and the network core, which in turn provides the pipeline to the Internet. The drawing is a graphic representation of this new scheme; each of its components is explained below.

CIS has placed a DMZ Firewall to manage all incoming Internet traffic, which ensures availability of web services while isolating the main campus from the potential for an attack. In this design, critical and required devices can connect to DMZ Internet services from inside the campus network, and CIS can define exactly which web services should be accessible from outside Brown.

The Internet Border is the main infrastructure allowing access to the Internet. It too is robust, reliable, and redundant.

The Services Firewall protects the CIS services provided to the University. Its primary function is to provide all data center services.

The Student Firewall is dedicated to the student networks and provides the most flexible secure access.

The Main Campus Firewall will provide general campus security, isolating Network Security Zones (NSZ) from each other, while allowing access to the DMZ, Services and Internet, and if necessary, to the Student networks.
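The zone design described above can be expressed as an explicit allow-list and checked for the properties the text states (Internet reaches only defined DMZ web services; Network Security Zones are isolated from each other). The following is an added illustration, not Brown's or CIS's actual firewall configuration; the two NSZ names, the service labels and the policy structure are assumptions.

```python
# Added example: encode the zone-to-zone allow-list implied by the design
# text and verify the stated segmentation properties. Default is deny.
from dataclasses import dataclass
from itertools import permutations

# Zone names follow the schematic; NSZ-A/NSZ-B are constructed stand-ins
# for individual campus Network Security Zones.
INTERNET, DMZ, SERVICES, STUDENT = "Internet", "DMZ", "Services", "Student"
CAMPUS_ZONES = ("NSZ-A", "NSZ-B")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    service: str  # e.g. "web"; "any" is a wildcard for all services


def build_policy(student_to_campus: bool = False) -> set:
    """Allow-list derived from the design text; anything absent is denied."""
    policy = set()
    # DMZ Firewall: only defined web services are reachable from outside Brown
    policy.add(Flow(INTERNET, DMZ, "web"))
    for nsz in CAMPUS_ZONES:
        # Main Campus Firewall: each NSZ may reach DMZ, Services and Internet
        policy.add(Flow(nsz, DMZ, "any"))
        policy.add(Flow(nsz, SERVICES, "any"))
        policy.add(Flow(nsz, INTERNET, "any"))
        if student_to_campus:  # "if necessary, to the Student networks"
            policy.add(Flow(nsz, STUDENT, "any"))
    return policy


def is_allowed(policy: set, src: str, dst: str, service: str) -> bool:
    """Default-deny lookup: exact service match or a wildcard 'any' rule."""
    return Flow(src, dst, service) in policy or Flow(src, dst, "any") in policy


def check_segmentation(policy: set) -> list:
    """Return violations of the design's stated properties (empty list = OK)."""
    problems = []
    # 1. Network Security Zones are isolated from each other
    for a, b in permutations(CAMPUS_ZONES, 2):
        if any(f.src == a and f.dst == b for f in policy):
            problems.append(f"{a} can reach {b}")
    # 2. Inbound Internet traffic terminates in the DMZ, and only on web services
    for f in policy:
        if f.src == INTERNET and (f.dst != DMZ or f.service != "web"):
            problems.append(f"Internet exposure: {f}")
    return sorted(problems)
```

Running `check_segmentation` against a proposed rule set before deployment turns the design's prose requirements into a repeatable test.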

The following chart represents the new design, implemented as part of the 2010 firewall upgrade project.

Note: Click the image for a zoomable PDF version of the schematic drawing.

Security Defined for VRF Networks: Schematic drawing of Network Security Zones