Campus Module in Small Networks
The Campus module of the small network design, which is shown in Figure 13-4, provides end-user workstations, corporate intranet servers, management servers, and the associated Layer 2 functionality via a single switch.
Figure 13-4. Small Network Campus Module

| Device | Description |
|---|---|
| Corporate server | Provides services to internal users such as e-mail, file, and printing services |
| Layer 2 switch | Provides Layer 2 connectivity and also supports private VLANs |
| Management host | Provides management services, such as authentication through RADIUS and TACACS+, host-based IPS, syslog, and other general management services |
| User workstation | Provides data services to authorized users on the network |
Mitigating Threats in the Campus Module
Within the small network Campus module, each device plays a threat-mitigation role, as shown in Figure 13-5. Table 13-6 lists the expected threats and mitigation actions found within this module.
Figure 13-5. Small Network Campus Module Threat-Mitigation Roles

Design Guidelines for the Campus Module
The small network Campus module provides connectivity for the corporate and management servers and also for corporate users. Private VLANs can be used within the switch to mitigate trust-exploitation attacks between the devices. For example, corporate users might not require inter-user communications and only need to communicate directly with corporate servers. This functionality can be provided by using private VLANs.

Because the Campus module has no Layer 3 services within its design, there is an increased emphasis on application and host security because of the open nature of the internal network. Consequently, host-based IPSs have been installed on key devices within the campus, including the corporate servers and management systems.
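The private VLAN behaviour described above can be checked before it is deployed by modelling the switch's port roles and asking which pairs of ports the switch will forward between. The script below is an added example and is not from the book or from any vendor's configuration; it implements the standard private VLAN forwarding rules (promiscuous ports reach everything, isolated ports reach only promiscuous ports, community ports additionally reach their own community) and applies them to a constructed port layout that mirrors the module: the corporate server and management host on promiscuous ports, user workstations on isolated ports, and, as an extra assumption beyond the text, two hosts in a named community to show the third port type. The audit function flags any pair of user workstations that could still talk to each other, which is the trust-exploitation path private VLANs are meant to close.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class PortType(Enum):
    PROMISCUOUS = "promiscuous"  # servers, gateways: may talk to every port
    ISOLATED = "isolated"        # end users: may talk only to promiscuous ports
    COMMUNITY = "community"      # may talk to same-community and promiscuous ports


@dataclass(frozen=True)
class Port:
    name: str
    ptype: PortType
    community: Optional[str] = None  # only meaningful for COMMUNITY ports


def can_forward(src: Port, dst: Port) -> bool:
    """Standard private VLAN Layer 2 forwarding rule between two ports."""
    if src.name == dst.name:
        return False
    if PortType.PROMISCUOUS in (src.ptype, dst.ptype):
        return True
    if src.ptype == PortType.COMMUNITY and dst.ptype == PortType.COMMUNITY:
        return src.community == dst.community
    # isolated<->isolated and isolated<->community are blocked
    return False


# Constructed layout for the small network Campus module (assumed, not from the book).
CAMPUS_PORTS: List[Port] = [
    Port("corp-server", PortType.PROMISCUOUS),
    Port("mgmt-host", PortType.PROMISCUOUS),
    Port("user-ws-1", PortType.ISOLATED),
    Port("user-ws-2", PortType.ISOLATED),
    Port("user-ws-3", PortType.ISOLATED),
    # Hypothetical community: hosts that legitimately need to see each other.
    Port("print-1", PortType.COMMUNITY, community="printers"),
    Port("print-2", PortType.COMMUNITY, community="printers"),
]


def reachability_matrix(ports: List[Port]) -> Dict[Tuple[str, str], bool]:
    """Map every ordered (src, dst) pair to whether the switch forwards it."""
    return {(s.name, d.name): can_forward(s, d) for s in ports for d in ports}


def audit_user_isolation(ports: List[Port]) -> List[Tuple[str, str]]:
    """Return user-to-user pairs that can still communicate (should be empty)."""
    users = [p for p in ports if p.name.startswith("user-")]
    return sorted(
        (a.name, b.name)
        for a in users
        for b in users
        if a.name < b.name and can_forward(a, b)
    )


def ports_reachable_from(ports: List[Port], name: str) -> List[str]:
    """Names of ports a given port can send to, in layout order."""
    by_name = {p.name: p for p in ports}
    src = by_name[name]
    return [d.name for d in ports if can_forward(src, d)]


if __name__ == "__main__":
    for p in CAMPUS_PORTS:
        print(f"{p.name:12} -> {', '.join(ports_reachable_from(CAMPUS_PORTS, p.name))}")
    violations = audit_user_isolation(CAMPUS_PORTS)
    print("user isolation violations:", violations or "none")
```

If a port is later changed to community or promiscuous by mistake, the audit immediately lists the user pairs that regain direct reachability, which is the check worth running against the intended port map before touching the switch.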
Design Alternatives for the Campus Module
Placing a filtering device, such as a firewall or router, between the management server and the rest of the network to control the flow of management traffic provides an increased level of security. Also, if the level of trust within the organization is high, it is possible to consider removing the host-based IPS from the design, but this is not recommended.
