This guide covers common elements included in a departmental network. If you have special needs such as highly sensitive systems, please reach out to GT CyberSecurity at firstname.lastname@example.org for help.
A typical network has four zones: clients, printers, public servers, and sensitive servers. Putting each of these in distinct zones with firewalls between them helps lower risk by separating high value assets from large exposure assets.
Client networks are places where users are browsing the internet. Users are one of the most likely sources of malware to enter your network so this is the most vulnerable section of the network. In a high-security environment it might make sense to force users through a proxy and only allow business use sites to reach the internet, but generally in an academic environment that you would find at Georgia Tech all outbound connections are allowed. Inbound connections, however, should not be allowed because those would make the systems servers, not clients.
These are servers that offer services to the internet as a whole or potentially large groups at Georgia Tech (for instance all of campus). Optimally they will allow the people on the internet who need to use the service to connect inbound to the service and the systems to connect outbound for updates and other systems they need. They should not, however, allow the systems to perform all outbound connections. Servers aren’t clients and allowing them to connect to unknown systems can facilitate data breaches. Additionally they should allow administrative connections where needed from the client network, but they should not be able to initiate a connection to the client network.
These are systems that contain sensitive data. Access to that data should be controlled by programs on the Public Servers which control what data is available. For instance if an employee wants to change their withholdings they access techworks which formats their request and sends it to the database. Users should not have direct access to the database. These systems should allow inbound connections from the Public Servers that need access to their information and those clients that require access either to manipulate the data or administer the system. As in Public Servers they should be able to reach the internet for patching, but should not be allowed all outbound connections.
This is a distinct subnet because printers frequently have vulnerabilities that cannot be patched. Because of this it doesn’t make sense for them to be on the server subnet where they might be reachable from the internet or the client subnet where malware could spread to them. They should allow access only to the printing systems that are actually used and only from the clients that need to print. Another option is to house a print server on the public server subnet and only allow access to the printer network from that server.