Network Segregation


  • 7/28/2019 Network Segregation

    Network Segregation

  • What is Network Segregation

    "A method of controlling the security of large networks is to divide them into separate logical network domains. A graduated set of controls can be applied in different logical network domains to further segregate the network security environments."

    Quoted from ISO/IEC 17799:2005(E)

  • Why

    Segregating the network will lessen the burden of security controls in areas with open access requirements and high tolerance for downtime, yet will strengthen security for those areas that need additional protection and high availability.

  • Security Zone 5

    Systems that are outside University controls. Systems in this zone are treated as any other on the internet.

    Examples: The Internet, Flux/Planet Lab, Hotspot, and other institutions

    Diagram (zone ladder): 5 - Untrusted

  • Security Zone 4

    Systems in this zone will be lightly protected, with bi-directional access to Zone 5 and limited controls applied as needed.

    Examples: Housing, DSL, CHPC, uconnect wireless

    Diagram (zone ladder): 5 - Untrusted, 4 - Lightly Protected

  • Security Zone 3

    Client systems whose primary purpose is the access, maintenance and creation of confidential or regulated data. Will not have direct access to Zone 5.

    Examples: Clinical Workstations, Registrars Workstations, Financial Billing and HR systems

    Diagram (zone ladder): 5 - Untrusted, 4 - Lightly Protected, 3 - Managed Clients

  • Security Zone 2

    Systems that provide services to internal or external clients. Will have necessary access to and from upper zones.

    Examples: web servers, Email servers, VPN Concentrators, remote access systems

    Diagram (zone ladder): 5 - Untrusted, 4 - Lightly Protected, 3 - Managed Clients, 2 - Public Services

  • Security Zone 1

    Systems that will not serve data directly; these systems support client-facing servers. Will have limited access to and from Zone 2.

    Examples: Database servers, Exchange backend servers, and backup systems

    Diagram (zone ladder): 5 - Untrusted, 4 - Lightly Protected, 3 - Managed Clients, 2 - Public Services, 1 - Protected Servers

  • Security Zone 0

    Systems that need the most protection and will never provide services directly to clients. Limited management access only.

    Examples: patient-attached bio-medical devices, management interfaces, HVAC management, physical security, and Kronos backend

    Diagram (zone ladder): 5 - Untrusted, 4 - Lightly Protected, 3 - Managed Clients, 2 - Public Services, 1 - Protected Servers, 0 - Zero Direct Client Access

  • Classification and Controls

    Data Stewards will determine the appropriate Security Zone by data classification. Access between assigned security zones will be appropriately controlled as determined by risk assessment and policy.

    Diagram (zone ladder): 5 - Untrusted, 4 - Lightly Protected, 3 - Managed Clients, 2 - Public Services, 1 - Protected Servers, 0 - Zero Direct Client Access
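    The access statements on the zone slides can be written down as an explicit inter-zone allow-list and then checked against the invariants the slides state (Zone 3 never reaches Zone 5 directly, Zone 0 never serves clients, Zone 1 is reached only from Zone 2). The following is an added example written for this page; it is not the university's tooling or anything the deck ships. The zone names and numbers come from the slides, the rule table is one reading of the slides' access statements, default deny and the source zone for Zone 0 management traffic are labelled assumptions, and the sample flows are constructed.

```python
# Added example: allow-list policy checker for the six-zone model in the slides.
# Not the university's tooling. Zone names/numbers are from the slides; rules
# encode the slides' access statements; items marked ASSUMPTION fill gaps.
from dataclasses import dataclass
from enum import IntEnum


class Zone(IntEnum):
    ZERO_DIRECT_CLIENT_ACCESS = 0   # "0 Zero Direct Client Access"
    PROTECTED_SERVERS = 1           # "1 Protected Servers"
    PUBLIC_SERVICES = 2             # "2 - Public Services"
    MANAGED_CLIENTS = 3             # "3 - Managed Clients"
    LIGHTLY_PROTECTED = 4           # "4 Lightly Protected"
    UNTRUSTED = 5                   # "5 - Untrusted"


@dataclass(frozen=True)
class Rule:
    src: Zone
    dst: Zone
    kind: str     # "service" (consuming a service) or "management"
    reason: str   # which slide statement the rule encodes


UPPER_ZONES = (Zone.MANAGED_CLIENTS, Zone.LIGHTLY_PROTECTED, Zone.UNTRUSTED)

# Allow-list. Anything not matched is denied (default deny is an ASSUMPTION,
# consistent with "access ... will be appropriately controlled").
RULES = [
    # Zone 4: "bi-directional access to Zone 5 with limited controls"
    Rule(Zone.LIGHTLY_PROTECTED, Zone.UNTRUSTED, "service", "zone 4 <-> zone 5"),
    Rule(Zone.UNTRUSTED, Zone.LIGHTLY_PROTECTED, "service", "zone 4 <-> zone 5"),
    # Zone 2: "necessary access to and from upper zones" (3, 4, 5)
    *[Rule(z, Zone.PUBLIC_SERVICES, "service", "zone 2 serves upper zones") for z in UPPER_ZONES],
    *[Rule(Zone.PUBLIC_SERVICES, z, "service", "zone 2 reaches upper zones") for z in UPPER_ZONES],
    # Zone 1: "limited access to and from Zone 2"
    Rule(Zone.PUBLIC_SERVICES, Zone.PROTECTED_SERVERS, "service", "zone 1 <-> zone 2 (limited)"),
    Rule(Zone.PROTECTED_SERVERS, Zone.PUBLIC_SERVICES, "service", "zone 1 <-> zone 2 (limited)"),
    # Zone 0: "limited management access". ASSUMPTION: it originates from managed clients.
    Rule(Zone.MANAGED_CLIENTS, Zone.ZERO_DIRECT_CLIENT_ACCESS, "management",
         "zone 0 limited management access (source zone assumed)"),
]


def decide(src: Zone, dst: Zone, kind: str = "service") -> tuple[bool, str]:
    """Return (allowed, reason) for a flow initiated from src toward dst."""
    if src == dst:
        return True, "intra-zone traffic is outside this policy"
    for r in RULES:
        if (r.src, r.dst, r.kind) == (src, dst, kind):
            return True, r.reason
    return False, "no rule matches: default deny"


def check_invariants(rules=RULES) -> list[str]:
    """Check a rule table against statements made on the slides; return violations."""
    problems = []
    for r in rules:
        # Zone 3: "Will not have direct access to Zone 5"
        if {r.src, r.dst} == {Zone.MANAGED_CLIENTS, Zone.UNTRUSTED}:
            problems.append(f"direct zone 3 <-> zone 5 path: {r}")
        # Zone 0: "will never provide services directly to clients"
        if r.dst == Zone.ZERO_DIRECT_CLIENT_ACCESS and r.kind == "service":
            problems.append(f"service traffic into zone 0: {r}")
        # Zone 1: "will not serve data directly"; only Zone 2 talks to it
        if r.dst == Zone.PROTECTED_SERVERS and r.src != Zone.PUBLIC_SERVICES:
            problems.append(f"zone 1 reached from a zone other than zone 2: {r}")
    return problems


# Constructed sample flows (labels only; no real hosts or addresses).
SAMPLE_FLOWS = [
    ("clinical workstation -> web server", Zone.MANAGED_CLIENTS, Zone.PUBLIC_SERVICES, "service"),
    ("clinical workstation -> internet", Zone.MANAGED_CLIENTS, Zone.UNTRUSTED, "service"),
    ("internet -> database server", Zone.UNTRUSTED, Zone.PROTECTED_SERVERS, "service"),
    ("web server -> database server", Zone.PUBLIC_SERVICES, Zone.PROTECTED_SERVERS, "service"),
    ("housing laptop -> internet", Zone.LIGHTLY_PROTECTED, Zone.UNTRUSTED, "service"),
    ("managed client -> HVAC controller (mgmt)", Zone.MANAGED_CLIENTS, Zone.ZERO_DIRECT_CLIENT_ACCESS, "management"),
    ("web server -> HVAC controller", Zone.PUBLIC_SERVICES, Zone.ZERO_DIRECT_CLIENT_ACCESS, "service"),
]


def evaluate(flows=SAMPLE_FLOWS) -> dict[str, bool]:
    """Map each labelled flow to its allow/deny decision."""
    return {label: decide(s, d, k)[0] for label, s, d, k in flows}


if __name__ == "__main__":
    for label, allowed in evaluate().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}")
    print("invariant violations:", check_invariants() or "none")
```

    Keeping the rule table separate from the invariants is the useful part: when a "necessary" exception is added later (a Zone 3 to Zone 5 rule, or a service rule into Zone 0), `check_invariants` flags it against the statements the deck makes, rather than letting the exception silently redefine the zone.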

  • Questions and Feedback