Campus networks carry almost every type of network traffic imaginable. Faculty and staff computers are similar to the devices in any workplace, but they’re just the tip of the iceberg in higher education. Students connect video game consoles, smart assistants, cameras and even smart microwaves to the same networks that connect temperature sensors and research equipment.
Given that degree of diversity, a one-size-fits-all network is impractical. Yet it would be too expensive to run completely separate networks for each of those applications. Fortunately, networking and security professionals have a trick up their sleeves: network segmentation.
This strategy lets administrators define separate logical networks that run on the same physical infrastructure. A student’s laptop and a scanning electron microscope might be connected to the same switch, but they’re logically separated from each other. Segmentation allows each device to operate under distinct security policies and have a different quality of service, depending on campus needs and priorities.
Network Admission Control Automates Traffic Assignments
Colleges and universities typically implement network segmentation using two types of devices: switches and firewalls. Switches reside at the edge of the network, providing access for individual devices and then aggregating traffic from other switches at higher levels in the network. Modern switches let administrators define virtual local area networks that separate devices from each other. For example, administrators might define four VLANs on a switch corresponding to networks earmarked for faculty/staff, students, guests and infrastructure.
When a new device connects to the switch, network admission control (NAC) technology interrogates the device to determine proper placement. A laptop connecting with student credentials gets routed to the student network. The same laptop logging in with a professor’s credentials would be routed to the faculty/staff network. If a physical plant engineer connects a new heating, ventilation and air conditioning controller, the NAC system might find that controller’s media access control address on a whitelist and automatically assign it to the infrastructure network.
Once the switch connects a device to a VLAN, that device can directly contact only other devices on the same VLAN. Network engineers typically carry the same VLANs across switches on campus using VLAN trunking technology. This means that infrastructure devices can connect to each other and student devices can connect to each other, but no communication is permitted between devices on different VLANs, even if they’re connected to the same switch.
There may be cases where traffic does need to cross networks. For example, an engineer using a laptop on the faculty/staff network might need to connect to a device on the infrastructure network. That’s where firewalls enter the picture. Firewalls can connect VLANs to each other, allowing only traffic that meets predefined rules. Just as a firewall might serve as the gatekeeper between the internet and a campus network, firewalls can also limit the traffic flow between VLANs of differing security levels.
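The three mechanisms described above (NAC placing a device on a VLAN by credentials or MAC allowlist, switch-level isolation between VLANs, and a firewall admitting only rule-matching traffic between them) can be modelled as a small policy engine. The following is an added example written for this article, not vendor code or any institution's configuration; the VLAN numbers, roles, MAC address, ports and firewall rules are all constructed assumptions.

```python
"""Constructed model of NAC-driven VLAN placement plus inter-VLAN firewall
rules for a campus switch. Added example; every identifier below is an
assumption, not a real vendor's or campus's configuration."""
from dataclasses import dataclass
from typing import Optional

# Assumed VLAN numbering for the four primary campus segments.
VLANS = {"faculty_staff": 10, "students": 20, "guest": 30, "infrastructure": 40}

# Assumed NAC allowlist: MAC addresses of known infrastructure devices
# (e.g. an HVAC controller) that are placed without user credentials.
INFRA_MAC_ALLOWLIST = {"00:1b:2c:3d:4e:5f"}  # constructed address

# Assumed mapping from the role carried by a user's credentials to a VLAN.
ROLE_TO_VLAN = {
    "student": VLANS["students"],
    "professor": VLANS["faculty_staff"],
    "staff": VLANS["faculty_staff"],
}


@dataclass(frozen=True)
class Endpoint:
    mac: str
    role: Optional[str] = None  # role from the login credentials, if any


def assign_vlan(ep: Endpoint) -> int:
    """NAC placement: MAC allowlist first, then credential role, else guest."""
    if ep.mac.lower() in INFRA_MAC_ALLOWLIST:
        return VLANS["infrastructure"]
    if ep.role in ROLE_TO_VLAN:
        return ROLE_TO_VLAN[ep.role]
    # Unknown devices land on the most restricted segment.
    return VLANS["guest"]


# Assumed inter-VLAN firewall policy as (src_vlan, dst_vlan, dst_tcp_port).
# Anything not listed is dropped (default deny).
FIREWALL_RULES = {
    (VLANS["faculty_staff"], VLANS["infrastructure"], 443),  # engineers manage controllers over HTTPS
    (VLANS["students"], VLANS["faculty_staff"], 443),        # students reach a course web server only
}


def is_permitted(src_vlan: int, dst_vlan: int, dst_port: int) -> bool:
    """Same VLAN: the switch forwards directly.
    Different VLANs: only an explicit firewall rule allows the flow."""
    if src_vlan == dst_vlan:
        return True
    return (src_vlan, dst_vlan, dst_port) in FIREWALL_RULES


def check_flow(src: Endpoint, dst: Endpoint, dst_port: int) -> bool:
    """End-to-end decision: place both endpoints, then apply the policy."""
    return is_permitted(assign_vlan(src), assign_vlan(dst), dst_port)


if __name__ == "__main__":
    # The same laptop hardware gets a different VLAN depending on who logs in.
    laptop_as_student = Endpoint("aa:bb:cc:dd:ee:01", role="student")
    laptop_as_professor = Endpoint("aa:bb:cc:dd:ee:01", role="professor")
    hvac = Endpoint("00:1B:2C:3D:4E:5F")  # no credentials; matched by MAC allowlist
    print(assign_vlan(laptop_as_student), assign_vlan(laptop_as_professor), assign_vlan(hvac))
    print(check_flow(laptop_as_professor, hvac, 443))  # faculty -> infra HTTPS: permitted
    print(check_flow(laptop_as_student, hvac, 443))    # students -> infra: no rule, dropped
    print(check_flow(laptop_as_professor, hvac, 22))   # faculty -> infra SSH: not listed, dropped
```

The two decisions are deliberately separate functions: placement happens once at connection time, while the firewall check runs per flow, which mirrors where each control actually lives (NAC and switch versus firewall). Note that a MAC allowlist trusts a value the endpoint asserts about itself, so in production the infrastructure branch is usually backed by device profiling or certificate-based authentication rather than the MAC alone.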
Each Campus Requires a Particular Mix of Network Segments
The biggest challenge when designing a segmented network is choosing the right mix of segments. Campuses that have too few segments are in danger of exposing devices to undesirable security risks. Choose too many segments, on the other hand, and the network may prove too unwieldy to manage efficiently. Technology leaders should conduct a risk assessment to identify the correct network segments for their operating environment. Each time you consider creating an additional network segment, you can ask the straightforward question: “Does this additional segment significantly reduce risk?”
If the answer isn’t a resounding “Yes!”, chances are that adding the segment would leave the network with too many of them. Unfortunately, there’s no pat answer for the appropriate mix of network segments across all institutions. The four primary networks (faculty/staff, students, guest and infrastructure) are a sensible starting point, but more granular segments will require insights that are unique to each campus.
For example, does it make sense to segment credit card processing systems from other network devices? Almost certainly. In fact, compliance obligations may dictate that approach. But does it make sense to segment the philosophy faculty from the physics faculty? Probably not. That move is unlikely to reduce risk significantly. But if the physics faculty is known to run risky applications on their devices, that might change the story.
Strategic Segmentation Lets IT Administrators Refine User Experiences
Rolling out network segmentation may seem fraught with overwhelming complexity, but that doesn’t need to be the case. Once you’ve designed your network segments, you can deploy VLANs without disrupting other network activity. Simply allow the existing flat network to ride alongside the segmented network on switches and then slowly move systems to the new network in a phased manner.
Typically, it’s a good idea to move all of a workgroup’s devices at the same time to minimize the impact on operations that require communication between those devices. Segmentation is a powerful technology that brings valuable security and performance benefits to the campus network. Create and deploy a segmented network carefully to protect devices from compromised or malicious systems on other segments, and allow administrators to craft different experiences for a variety of devices. After all, nobody wants student Netflix streaming to interfere with the transmission of time-sensitive research data.