Hardware Firewall Zones

The Information Security Office manages enterprise firewalls for the University. One important aspect of this service is deciding what access is needed between computers. Often, a practical way to do this is to group systems into buckets of similar risk, while keeping the number of buckets manageable. Each bucket is called a zone, and a zone consists of one or more network subnets; a subnet, however, can be a member of only one zone. Because the firewalls operate at Layer 3 (routing), communication wholly within a subnet does NOT traverse the firewall. Typically, the firewall only filters or blocks communication between zones. Systems within a zone therefore have little protection from each other, much as people within the same house do, so within a zone the protection comes from the hosts themselves (patching, host firewalls, antivirus) rather than from the enterprise firewall.

Below is guidance on the groupings/buckets we generally suggest departments work within:

DMZ – The de-militarized zone. For each department/entity, we suggest placing their widely accessible servers in this zone. Widely accessible usually means hundreds or more clients access the service. This is often the case with public web servers or school-wide file servers. It is recommended, but not required, that servers in this zone do not store sensitive data.

TRUST – A restricted zone for highly trusted systems. We often suggest a school/department create a zone for servers that have few access requirements. Typically, no more than tens of clients will connect to these servers. These systems are more likely to store sensitive data. Examples of systems in this zone include database servers, servers for a specific project involving sensitive data, or an administrative backend system. Systems in this zone, and systems that connect to this zone, must meet a high level of security requirements such as up-to-date patching, antivirus, etc.

USERS – A zone for workstations, laptops, printers, and other end-user devices. This zone is generally created for departments that have computers physically possessed by end-users. Generally, no inbound access to this zone is needed other than for remote administration tools such as Remote Desktop or SSH.
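The zone rules above (each subnet in exactly one zone, no filtering inside a subnet, policy applied only between zones) modelled as an added example. This is illustrative code written for this page, not a tool or configuration of the Information Security Office; the subnets (RFC 5737 documentation ranges), the ports and the inter-zone policy table are constructed assumptions, and the DMZ/TRUST/USERS names are the only part taken from the page.

```python
"""Toy model of the zone scheme described above: every subnet belongs to exactly
one zone, traffic inside a subnet never reaches the L3 firewall, and only
inter-zone traffic is filtered. Zone names follow the page; the subnets, ports
and policy are constructed for this example and are not the University's."""
from ipaddress import ip_address, ip_network

# Constructed zone map (RFC 5737 documentation ranges): subnet -> exactly one zone.
ZONES = {
    "DMZ":   ["192.0.2.0/24"],                         # widely accessible servers
    "TRUST": ["198.51.100.0/25"],                      # few clients, sensitive data
    "USERS": ["198.51.100.128/25", "203.0.113.0/24"],  # end-user devices
}

# Constructed inter-zone policy: (src_zone, dst_zone) -> allowed TCP destination
# ports. "ANY" matches every source zone. Anything not listed is denied, so the
# USERS zone only accepts the remote-administration ports (SSH, RDP) from TRUST.
POLICY = {
    ("ANY", "DMZ"):     {80, 443},
    ("USERS", "TRUST"): {443},
    ("DMZ", "TRUST"):   {5432},
    ("TRUST", "USERS"): {22, 3389},
}

def build_zone_table(zones):
    """Flatten zones into [(network, zone)], rejecting any subnet that overlaps
    one already assigned: a subnet can be a member of only one zone, and two
    overlapping prefixes would make the zone of an address ambiguous."""
    table = []
    for zone, subnets in zones.items():
        for cidr in subnets:
            net = ip_network(cidr)
            for other_net, other_zone in table:
                if net.overlaps(other_net):
                    raise ValueError(
                        f"{net} in {zone} overlaps {other_net} in {other_zone}")
            table.append((net, zone))
    return table

def lookup(table, ip):
    """Return (network, zone) containing ip, or (None, None) if unassigned."""
    addr = ip_address(ip)
    for net, zone in table:
        if addr in net:
            return net, zone
    return None, None

def evaluate(table, policy, src_ip, dst_ip, dst_port):
    """Classify a flow the way the L3 zone firewall would see it."""
    src_net, src_zone = lookup(table, src_ip)
    dst_net, dst_zone = lookup(table, dst_ip)
    if src_zone is None or dst_zone is None:
        return "unknown"            # address in no zone; decide out of band
    if src_net == dst_net:
        return "bypasses firewall"  # same subnet: switched locally, never routed
    if src_zone == dst_zone:
        return "intra-zone"         # routed through the firewall but not filtered
    allowed = (policy.get((src_zone, dst_zone), set())
               | policy.get(("ANY", dst_zone), set()))
    return "allowed" if dst_port in allowed else "denied"

TABLE = build_zone_table(ZONES)

def check(src_ip, dst_ip, dst_port):
    """Convenience wrapper over the module-level zone table and policy."""
    return evaluate(TABLE, POLICY, src_ip, dst_ip, dst_port)

if __name__ == "__main__":
    flows = [
        ("203.0.113.10", "203.0.113.20", 445),    # laptop to laptop, same subnet
        ("203.0.113.10", "198.51.100.130", 445),  # laptop to laptop, two USERS subnets
        ("203.0.113.10", "192.0.2.5", 443),       # laptop to public web server
        ("203.0.113.10", "198.51.100.5", 5432),   # laptop straight to a database
        ("192.0.2.5", "198.51.100.5", 5432),      # web server to its database
        ("198.51.100.5", "203.0.113.10", 3389),   # admin host RDP into USERS
    ]
    for src, dst, port in flows:
        print(f"{src} -> {dst}:{port}: {check(src, dst, port)}")
```

The first two flows are the ones worth noticing: a laptop probing a neighbour on the same subnet is classified as "bypasses firewall", and a laptop reaching a second USERS subnet is "intra-zone", so neither is stopped by the zone policy. Only the cross-zone flows are decided by the policy table, which is the point the house analogy makes.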