Campus Trust Model
Network Design Considerations
Specific campus designs and their considerations are presented later in the chapter. However, some considerations apply to all designs. This section highlights those size-independent security design considerations.
Layer 2 Considerations
Many of the unique security requirements in the campus stem from the large quantity of network resources that can contact one another at L2 without crossing routing devices. To properly design a campus network, you should be intimately familiar with the L2 considerations defined in Chapter 6, "General Design Considerations."
Stateful Versus Stateless ACLs and L3 Versus L4 Filtering
The campus network usually doesn't have clean-cut notions of trust like the edge does. As you learned in Chapter 12, "Designing Your Security System," it is easy to call the Internet "untrusted" and your data center in your campus "trusted." There is a smaller gradient of trust between the data centers, user communities, and department-specific subnets, though. In Chapter 12 you learned that a smaller gradient of trust between two zones allows the security controls at the choke point between the zones to be lessened.
As a result, in most cases stateful firewalls aren't strictly necessary at choke points. Instead, stateless access control lists (ACLs) can be used on a router or L3 switch. This filtering can be done at L4 when the L4 information is easy to represent (as with an application that uses fixed ports) and should be done at L3 alone only when necessary (such as when an application negotiates dynamic ports).
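The L4-versus-L3 trade-off above, as an added example that is not from the book: a minimal Python model of stateless, first-match ACL evaluation. The subnets, host addresses, and TCP port 1433 are constructed assumptions, and the `Rule`, `evaluate`, and `pkt` names are hypothetical.

```python
"""Stateless first-match ACL model. All addresses and ports are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: str                      # source prefix
    dst: str                      # destination prefix
    proto: str = "ip"             # "ip" = L3-only match; "tcp"/"udp" = L4 match
    dport: Optional[int] = None   # destination port, used only by L4 rules

    def matches(self, p: dict) -> bool:
        if ip_address(p["src"]) not in ip_network(self.src):
            return False
        if ip_address(p["dst"]) not in ip_network(self.dst):
            return False
        if self.proto == "ip":    # L3 rule: any protocol, any port
            return True
        if p["proto"] != self.proto:
            return False
        return self.dport is None or p["dport"] == self.dport

def evaluate(acl, p) -> str:
    """Judge each packet alone, top-down, first match wins; no session table."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"                 # implicit deny at the end of the list

USERS = "10.1.10.0/24"            # constructed user subnet
ACL = [
    # Fixed-port application (hypothetical database, TCP 1433): filter at L4.
    Rule("permit", USERS, "10.1.50.20/32", "tcp", 1433),
    # Application that negotiates dynamic ports (hypothetical host): L3 only.
    Rule("permit", USERS, "10.1.50.30/32"),
]

def pkt(dst, dport, src="10.1.10.7", proto="tcp"):
    """Build a constructed sample packet as a plain dict."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}

if __name__ == "__main__":
    samples = [("10.1.50.20", 1433), ("10.1.50.20", 22),
               ("10.1.50.30", 49152), ("10.1.50.30", 22)]
    for dst, port in samples:
        print(dst, port, evaluate(ACL, pkt(dst, port)))
```

The L3-only entry leaves every port on the dynamic-port host reachable from the user subnet, which is the exposure you accept when the L4 information cannot be represented.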
Firewalls do become essential in some cases. When protecting the management network from the rest of the campus, they are recommended. Also, when protecting key applications from network attack, they can be valuable assets. For example, a stateful firewall can be appropriate in front of an accounting system.
Beware of installing stateful firewalls too close to the core of your campus because you will likely have a resulting firewall policy that is so open (to support all applications) that it might not be useful. In addition, a firewall near the core can have a disruptive effect on high availability (HA) and routing if deployed in your campus.
Intrusion Detection Systems
Intrusion detection systems (IDS) are the least intrusive way to increase the security of your campus systems. If you have the resources to monitor the logs, you can use IDS (host or network) to inspect flows at many places in your campus without adjusting the network design or access control policies at all. IDS can be installed without choke points. However, when paired with a firewall, network IDS (NIDS) allows enforcement of the policy to occur on the firewall as directed by the NIDS. As discussed earlier in the book, this isn't appropriate in most edge deployments, but it might be perfectly fine inside your campus.
WLAN Considerations
WLAN access is included in each design with the assumption that you are using some form of 802.11 security extensions (Wi-Fi Protected Access [WPA], 802.11i, vendor proprietary). Refer to Chapter 11, "Supporting-Technology Design Considerations," for more information on WLAN security designs including the IPsec option.
Network Management
It is expected that the campus network will house your network management systems. The various methods of secure network management are covered in Chapter 16, so management systems are not shown in this chapter's diagrams.
Rogue Devices
Rogue devices are one of the top 5 threat categories identified in this chapter. Rogue device detection best practices should be followed in each design. Rogue device detection is discussed in Chapter 5, "Device Hardening," in general and in Chapter 11 specifically as it pertains to WLAN.
NOTE
After you understand the designs in this chapter, you can merge an edge design from Chapter 13 and a campus design from this chapter into a single sample design suitable for an organization's entire connectivity requirements (minus teleworkers, which are discussed in Chapter 15, "Teleworker Security Design"). Worth noting is that although like-sized network segments will most commonly merge with one another (medium edge with medium campus), this isn't always the case. As an example, a large manufacturing company can have a large campus network but a more moderate-size edge network. A sample design for this network might be the high-end campus design from this chapter and the medium network edge design from Chapter 13.
Also, as was the case in Chapter 13, portions of the material in this chapter partially repeat to allow each design to stand alone. If you know, for example, that you have a large campus network, you can skip to that portion of this chapter. However, at least skimming the other designs will prove useful when designing branches or other connected networks.