Placement of Computing Devices in Network Security Zones | IT Services

I. Definitions

University’s Network

The University’s network is that accessed by any computing device to which is assigned an IP address in the University’s registered IP address space. These are:

IP addresses between 128.135.0.0 and 128.135.255.255,
IP addresses between 205.208.0.0 and 205.208.127.255, and
IP addresses between 192.170.192.0 and 192.170.223.255.

Inbound versus Outbound Traffic

In this document, network traffic that transits from a point outside of the University’s network to a point inside that network is called “inbound” and network traffic that transits from a point inside of the University’s network to a point outside of that network is called “outbound.” Network interactions initiated from the University network to a service outside it will typically result in inbound traffic, for example, to convey the contents of a web page that was requested. Other inbound traffic is called “unsolicited”; it is initiated by actions outside of the University network.

Supporting IP Address Plan

An IP address plan designed to support network security zones must be in place in a given location before computing devices there can be placed in security zones. As network infrastructure is updated, users will begin to be able to place computers in the appropriate security zone to afford optimal protection.  In the meantime, users will continue to operate with security equivalent to the “Unprotected” zone defined below.

Network Security Zones

Network security zones are defined by the combination of security controls applied to inbound network traffic at the border of the University’s network, including firewalls and other measures that selectively block network traffic that constitutes known threats or that are outside of the definition of the corresponding security zone. Outbound traffic and network traffic between zones within the University network is not limited by this policy. The most commonly used zones are listed below:

Protected

Computing devices in this security zone may initiate and maintain connections to computers outside of the University’s network without restriction. All unsolicited inbound traffic is blocked.

Servers

Computing devices in this network security zone may initiate and maintain connections to computers outside of the University’s network without restriction. Inbound connections supporting common services (except remote management) are also permitted. Other unsolicited inbound traffic is blocked.

Unprotected

Computing devices in this network security zone may initiate and maintain connections to computers outside of the University’s network without restriction. Unsolicited inbound traffic is also permitted without restriction outside of that blocked by long standing best practice.

Other

Other zones may be defined and populated at the discretion of IT Security in IT Services to provide for the University’s diverse needs. For example, zones are defined to block remote management to computers that are otherwise Unprotected, and to provide remote management to machines that are otherwise Protected. Such additional zones may be used for dedicated devices with special requirements as well as to better protect specific classes of machines.

The capacity of the University’s network border to operationally sustain security zones additional to those defined above is limited; hence, any request to do so must be authorized by the University’s Chief Information Officer in consultation with IT Security in IT Services.