Understanding the Campus Module
The Campus module contains the end-user workstations, the corporate intranet servers, and the management servers. This module also contains the Layer 2 and Layer 3 devices that provide the underlying network infrastructure. In the medium-sized and small networks covered in the SAFE SMR design, the Campus module is a combination of the various modules that make up the campus segment in the SAFE Enterprise white paper. The modules are combined to reflect the smaller scale of the small and medium-sized network designs and to reduce the overall cost. Also, this design does not include redundancy, which further reduces costs.

Figures 4-1 and 4-2 show the SAFE medium-sized and small network Campus module designs, respectively. In the medium-sized network design, the Layer 3 switch provides connectivity for the Layer 2 switches as well as VLAN segmentation and inter-VLAN routing. All servers, including the corporate intranet servers and the management server, connect directly into the Layer 3 switch. Additionally, the management interface of the network intrusion detection system (NIDS) connects into this switch.
Figure 4-1. SAFE Medium-Sized Network Campus Module

Figure 4-2. SAFE Small Network Campus Module

Key Campus Module Devices
There are significant differences between the Campus module design for the small network and that for the medium-sized network, summarized in Table 4-2. The key devices in the small network Campus module are the Layer 2 switches. In the medium-sized network, there are several key devices, including Layer 2 and Layer 3 switches and an IDS. The functions of these devices along with management hosts are described in the following sections.
Layer 2 Switch
The Layer 2 switch provides end-user workstation connectivity in both the small and the medium-sized network. Private VLANs are implemented on these switches to help reduce the risk of trust exploitation attacks, in which a compromised workstation attacks the other hosts on its own segment; with private VLANs, a host on an isolated port can reach only the promiscuous uplink port, not its neighbors.
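As an added example (not configuration taken from the SAFE paper), the following Cisco IOS configuration puts the end-user ports of a Layer 2 access switch into a private VLAN so that workstations can reach the uplink but not one another. The VLAN numbers (10 primary, 110 isolated), interface names, and descriptions are assumptions chosen for the example.

```cisco
! Private VLANs require the switch to run VTP in transparent mode
! (VTP v1/v2 does not propagate private-VLAN information).
vtp mode transparent
!
! Isolated secondary VLAN 110: hosts in it can talk only to promiscuous
! ports, never to each other (assumed VLAN number).
vlan 110
 name CORP-USERS-ISOLATED
 private-vlan isolated
!
! Primary VLAN 10 carries the corporate user subnet and owns VLAN 110
! as its secondary (assumed VLAN number).
vlan 10
 name CORP-USERS
 private-vlan primary
 private-vlan association 110
!
! End-user workstation ports: private-VLAN host mode, bound to the
! primary/isolated pair. Port range is an assumption.
interface range FastEthernet0/1 - 24
 description End-user workstations
 switchport mode private-vlan host
 switchport private-vlan host-association 10 110
 spanning-tree portfast
!
! Uplink toward the Layer 3 switch: promiscuous, so it exchanges traffic
! with every isolated host. The Layer 3 switch's VLAN 10 interface is
! the default gateway for the users (interface name is an assumption).
interface GigabitEthernet0/1
 description Uplink to Layer 3 switch
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 10 110
```

Verify the result with `show vlan private-vlan` (the primary/secondary pairing and the ports bound to it) and `show interfaces FastEthernet0/1 switchport` (operational mode should read private-vlan host). Two caveats a practitioner should keep in mind: private VLANs isolate hosts at Layer 2 only, so a workstation can still reach a neighbor by sending the packet to the gateway's MAC address and letting the Layer 3 switch route it back into the same subnet, which the gateway's inbound ACL must drop; and if the uplink is a trunk rather than a promiscuous access port, the same primary and secondary VLANs must be defined on the Layer 3 switch and mapped onto its VLAN interface.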
Layer 3 Switch
The Layer 3 switch provides several functions to the medium-sized network Campus module, including the following:
- Routing and switching of production and management traffic
- Distribution layer services such as routing, QoS, and access control
- Connectivity for the corporate and management servers
- Traffic filtering between subnets
The Layer 3 switch provides separate segments for the corporate servers, the management servers, and the corporate users, and provides connectivity to the WAN and Corporate Internet modules. These segments are implemented as VLANs.

A Layer 3 switch also provides an additional line of defense against internal attacks through the use of access control lists (ACLs). You can use internal ACLs to protect one department's servers from access by users in another department. Additionally, network ingress filtering (described in RFC 2827) on the corporate user and corporate intranet server VLANs helps reduce the risk of attack through internal source address spoofing: each VLAN interface accepts only packets whose source address belongs to that VLAN's own subnet.

Private VLANs can be used within each VLAN to mitigate attacks through trust exploitation. Additional protection of the management servers is provided through extensive Layer 3 and Layer 4 ACLs on the interface connecting the management segment VLAN. These ACLs restrict connectivity between the management servers and the devices under their control: only the IP addresses being managed and only the protocols necessary to conduct management are permitted, and only established TCP connections are permitted back through the ACLs toward the management servers. Note that the ACL `established` keyword matches TCP segments with the ACK or RST bit set; it is a header check, not stateful connection tracking, so the ACL should still be written as tightly as possible.
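The following Cisco IOS configuration for the Layer 3 switch is an added example, not part of the SAFE paper, showing the three filters described above together: an RFC 2827 ingress filter on the corporate user VLAN, the same-subnet deny that backs up private VLANs at Layer 3, and the Layer 3/Layer 4 ACLs on the management VLAN interface with `established` for return traffic. All addresses are assumptions: user VLAN 10 is 10.1.10.0/24, management VLAN 20 is 10.1.20.0/24, the managed devices are a Layer 2 switch at 10.1.1.2 and an edge router at 10.1.1.3, and the management hosts are the syslog host 10.1.20.10, the IDS/SNMP management host 10.1.20.11, the access control (TACACS+) server 10.1.20.12, and the sysadmin host 10.1.20.13.

```cisco
! Corporate user VLAN (assumed 10.1.10.0/24).
interface Vlan10
 description Corporate users
 ip address 10.1.10.1 255.255.255.0
 ip access-group USER-IN in
!
ip access-list extended USER-IN
 remark Private VLANs isolate hosts at Layer 2 only; a host can still reach
 remark a neighbor by addressing the gateway MAC. Drop such proxied same-subnet
 remark traffic before anything else.
 deny   ip 10.1.10.0 0.0.0.255 10.1.10.0 0.0.0.255 log
 remark RFC 2827: accept only packets sourced from this VLAN's own subnet.
 permit ip 10.1.10.0 0.0.0.255 any
 deny   ip any any log
!
! Management VLAN (assumed 10.1.20.0/24). "in" filters traffic leaving the
! management hosts; "out" filters traffic arriving at them.
interface Vlan20
 description Management servers
 ip address 10.1.20.1 255.255.255.0
 ip access-group MGMT-IN in
 ip access-group MGMT-OUT out
!
ip access-list extended MGMT-IN
 remark Only the sysadmin host may open SSH to the managed devices.
 permit tcp host 10.1.20.13 host 10.1.1.2 eq 22
 permit tcp host 10.1.20.13 host 10.1.1.3 eq 22
 remark Only the management host may poll SNMP (UDP 161) on the devices.
 permit udp host 10.1.20.11 host 10.1.1.2 eq snmp
 permit udp host 10.1.20.11 host 10.1.1.3 eq snmp
 remark Replies from the access control server to TACACS+ (TCP 49)
 remark requests the devices opened; established = ACK or RST set.
 permit tcp host 10.1.20.12 eq tacacs host 10.1.1.2 established
 permit tcp host 10.1.20.12 eq tacacs host 10.1.1.3 established
 deny   ip any any log
!
ip access-list extended MGMT-OUT
 remark Managed devices may push syslog (UDP 514), SNMP traps (UDP 162)
 remark and TACACS+ authentication requests to the specific servers.
 permit udp host 10.1.1.2 host 10.1.20.10 eq syslog
 permit udp host 10.1.1.3 host 10.1.20.10 eq syslog
 permit udp host 10.1.1.2 host 10.1.20.11 eq snmptrap
 permit udp host 10.1.1.3 host 10.1.20.11 eq snmptrap
 permit tcp host 10.1.1.2 host 10.1.20.12 eq tacacs
 permit tcp host 10.1.1.3 host 10.1.20.12 eq tacacs
 remark SNMP responses back to the poller (UDP has no established flag).
 permit udp host 10.1.1.2 eq snmp host 10.1.20.11
 permit udp host 10.1.1.3 eq snmp host 10.1.20.11
 remark Return traffic for SSH sessions the sysadmin host opened.
 permit tcp host 10.1.1.2 eq 22 host 10.1.20.13 established
 permit tcp host 10.1.1.3 eq 22 host 10.1.20.13 established
 deny   ip any any log
```

Check the filters with `show ip access-lists` after generating some management traffic: the hit counters on the permit lines should climb, and anything reaching the final `deny ... log` lines appears in syslog as a candidate misconfiguration or attack. Two practical caveats: `log` on a deny line makes the switch punt matching packets to the CPU, so apply it deliberately rather than on every line; and because `established` only inspects TCP flags, the return-traffic lines are constrained by source port and host pairs rather than relying on the keyword alone.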
NIDS Appliance
Intrusion detection within the medium-sized network Campus module is provided by a single NIDS appliance. The Layer 3 switch port to which the appliance's sniffing interface connects is configured as a mirror (SPAN) port that receives a copy of all traffic from every VLAN that requires monitoring. The appliance detects and analyzes both attacks that originate from within the Campus module and external attacks that get past the firewall. Such attacks could come from a workstation compromised through an unauthorized dial-in modem, from disgruntled employees, from viruses and worms, or from an internal workstation that has been compromised by an outside user.
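As an added example (not configuration from the SAFE paper), this Cisco IOS fragment for the Layer 3 switch mirrors the monitored VLANs to the NIDS sniffing port and places the sensor's separate management interface in the management VLAN. The VLAN numbers (10 users, 20 management, 30 corporate servers) and the port names are assumptions.

```cisco
! Copy traffic from the monitored VLANs (assumed 10, 20 and 30) in both
! directions to the SPAN destination port where the sensor sniffs.
monitor session 1 source vlan 10 , 20 , 30 both
monitor session 1 destination interface GigabitEthernet0/23
!
! SPAN destination: once configured above, the port stops normal
! switching and only transmits mirrored frames to the sensor.
interface GigabitEthernet0/23
 description NIDS sniffing interface (SPAN destination)
!
! The sensor's management interface lives in the management VLAN so the
! management-segment ACLs govern who may reach it and where it may report.
interface GigabitEthernet0/24
 description NIDS management interface
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
```

Confirm the session with `show monitor session 1`. Two caveats follow from mirroring VLANs rather than a single port: a packet routed between two monitored VLANs is copied twice (once on the ingress VLAN, once on the egress VLAN), so the sensor sees duplicates unless the session is restricted to one direction; and the destination is a single link, so the aggregate traffic of all monitored VLANs can exceed it and mirrored frames are silently dropped, which is exactly the throughput limit the IDS module alternative below is meant to relieve.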
Management Hosts
The NIDS appliances and the host-based IPS installed on the corporate servers are all managed through the IDS management host. This host provides alarm aggregation and analysis for all IDS devices throughout the Campus module and the Corporate Internet module.

Other management hosts in the medium-sized network design include the following:
- A syslog host for aggregation of firewall, router, and NIDS logs
- An access control server that provides authentication services to network devices, such as network access servers (NASs)
- An OTP server that validates the one-time passwords relayed to it by the access control server
- A sysadmin host for configuration, software, and content changes on network devices
Alternative Campus Module Designs
If the medium-sized network is small enough, you can eliminate the Layer 2 switches and connect all end-user workstations directly into the core (Layer 3) switch. Private VLANs are still implemented on that switch to reduce the risk of attacks through trust exploitation. If desired, you can replace the NIDS appliance with an IDS module in the core switch, which provides higher traffic throughput into the IDS system than a single mirror port can carry.
