Learn About Enterprise Network Security Controls

Enterprise Security Controls

Electronically stored academic, administrative, and research information is a critical University resource. All University units are required to use enterprise email, web services, and network firewalls. These Enterprise Security Controls help protect University data and significantly reduce security vulnerabilities. See the Enterprise Security Controls Policy for additional information about these requirements.

Additional Needs

As Enterprise Security Controls were implemented, the following needs were identified by the University's research community:

• Enhanced Research Collaboration that enables individuals from other universities and institutions to transfer files, retrieve files, or execute programs.
• “Power” VPN usage that delivers secure, remote access to University resources, meets the need for increased performance associated with large files, and provides support for 64-bit Linux operating systems.
•  

Solutions

A Research VPN is well-suited for high-capacity uses and supports 64-bit Linux operating systems.This solution supports research collaboration with external institutions while also protecting the University’s computing environment.

Types of Firewall Zones

There are three types of firewall zones that protect the University’s computing network. Each has been created to address a specific set of needs and requirements while also providing the correct amount of security for each environment:

1. Workstation Zone

2. Server Zone

3. DMZ (Public Access Zone)

Descriptions of Firewall Zones

Workstation Zone

• Purpose: The Workstation Zone protects the University's personal computers, workstations, and printers. For example, desktop and laptop computers with access to email and internet resources are protected by this firewall zone.

• Inbound Access: Inbound access is not permitted to the Workstation Zone, except when using the PittNet VPN (GlobalProtect) service or the Research VPN (which requires Pitt IT approval).

• Outbound Access: There are no restrictions on outbound access.

• Controls: A 60-minute idle session timeout is the only special control in place for this zone.

Server Zone

• Purpose: The Server Zone protects servers that store information that is used only by a department or a subset of a department. For example, file servers, application servers, and database servers are protected by this firewall zone.

• Inbound Access: With a few exceptions, no inbound access is permitted to the Server Zone. Inbound access is permitted from the proper Workstation Zone and DMZ Zone with Pitt IT-approved firewall exceptions. Inbound access is also permitted when using the PittNet VPN service or the Research VPN.

• Outbound Access: There are no restrictions on outbound access.

• Controls: A 60-minute idle session timeout is the only special control in place for this zone.

DMZ (Public Access Zone)

• Purpose: The DMZ protects servers that require inbound access from the internet. Sensitive data cannot reside on these servers. Examples include departmental media servers (such as CIDDE’s Mediasite) and web servers that are used for departmental websites and housed on Pitt IT’s Enterprise Web Infrastructure (EWI).

• Inbound Access: Inbound access to servers in a DMZ is permitted from any device anywhere on the internet via http or https protocols. Additional inbound access, which requires Pitt IT approval, can be granted to allow for server administration or file transfers. This requires either a special firewall exception from another secure Pitt zone, or use of the PittNet VPN service or Research VPN.

• Outbound Access: There are no restrictions on outbound access.

• Controls: A 60-minute idle session timeout is the only special control in place for this zone.