Software-defined Protection - page 61

ENTERPRISE SECURITY BLUEPRINT
APPENDIX A
Design Pattern: Access Network (Workstations)
The Access Network design pattern is used to host end-user workstations in office sites ranging
from small branch offices to large headquarters. End-user workstations typically access internal
server applications and selected services and applications outside of the organization. In most
cases, they do not interact directly with other workstations.
Segmentation
The segmentation model for Access Network segments is constructed using the same five-step
method as described for the data center design pattern. Consider the following items:
- End-user workstations should be controlled using on-host security software.
  Each workstation is considered to be an atomic segment [2] that applies controls
  on its interactions over the network and other I/O interfaces.
- End-user workstations are grouped into Access Network segments. Each of
  these segments contains workstations that share a simple security profile. Users
  with distinct security profiles (e.g., admin, customer service representatives,
  manufacturing, HR, finance) should be grouped behind segment boundary
  security enforcement points.
- Workstations run application clients that connect to servers. The client/server
  interactions should be controlled. See the previous chapter for the discussion of data
  center enforcement points.
- Access Networks are connected to Wide Area Networks (WAN) for remote
  services access. Regardless of the level of trust awarded to the inter-site
  communications infrastructure, the physical site perimeter should be configured
[Figure A-e: Access Network design pattern. The diagram shows a Main Office containing Servers and an Access Network, with links to the WAN and to Internet Access.]
[2] If security software also controls inter-process interactions on a host, then the atomic entity is the process, and the host-level boundary is considered to be a hierarchically superior segment.
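The segmentation items above, carried through as a small policy model. This is an added worked example and not code from the Software-defined Protection blueprint: it treats each workstation as an atomic segment whose on-host control refuses traffic from peer workstations, derives the Access Network segment of a workstation from its security profile, and checks every flow that crosses a segment boundary (towards the data center, or towards the WAN/Internet through the site perimeter) against an explicit allow-list with default drop. All host names, addresses, profiles, rules and sample flows are constructed for illustration.

```python
"""Segment-boundary checks for the Access Network pattern (added example).

Not code from the blueprint. Hosts, profiles, addresses, rules and flows are
constructed; the decision logic models the segmentation items in the text.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SITE_NETS = [ip_network("10.0.0.0/8")]  # constructed: the site's own address space


@dataclass(frozen=True)
class Host:
    name: str
    addr: str
    profile: str   # user security profile, or "server"
    segment: str   # segment the host is enforced behind


def workstation(name: str, addr: str, profile: str) -> Host:
    """Grouping step: a workstation lands in the Access Network segment of its profile."""
    return Host(name, addr, profile, f"access-{profile}")


HOSTS = [  # constructed inventory
    workstation("ws-fin-01", "10.10.1.10", "finance"),
    workstation("ws-fin-02", "10.10.1.11", "finance"),
    workstation("ws-hr-01", "10.10.2.10", "hr"),
    workstation("ws-adm-01", "10.10.9.10", "admin"),
    Host("erp-app", "10.20.1.5", "server", "dc-erp"),
    Host("hr-app", "10.20.2.5", "server", "dc-hr"),
    Host("jump-01", "10.20.9.5", "server", "dc-mgmt"),
]
BY_ADDR = {h.addr: h for h in HOSTS}

# Boundary allow-list: (source segment, destination segment, dst port, protocol).
# "external" is everything beyond the site perimeter. Anything not listed is dropped.
RULES = {
    ("access-finance", "dc-erp", 443, "tcp"),
    ("access-hr", "dc-hr", 443, "tcp"),
    ("access-admin", "dc-mgmt", 22, "tcp"),
    ("access-finance", "external", 443, "tcp"),
    ("access-hr", "external", 443, "tcp"),
    ("access-admin", "external", 443, "tcp"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def segment_of(addr: str) -> str:
    """Resolve an address to the segment it belongs to."""
    if addr in BY_ADDR:
        return BY_ADDR[addr].segment
    if any(ip_address(addr) in net for net in SITE_NETS):
        return "unknown-internal"  # on-site address that is not inventoried
    return "external"              # beyond the site perimeter (WAN/Internet)


def is_access(segment: str) -> bool:
    return segment.startswith("access-")


def decide(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for one flow. Verdicts: ALLOW, DROP, SKIP."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg in ("unknown-internal", "external"):
        return "DROP", f"source {flow.src} is not an inventoried host"
    if dst_seg == "unknown-internal":
        return "DROP", f"destination {flow.dst} is on site but not inventoried"
    if src_seg == dst_seg:
        if is_access(src_seg):
            # Atomic host segment: the on-host control refuses peer traffic,
            # since workstations do not interact directly with each other.
            return "DROP", f"{src_seg}: workstation-to-workstation traffic refused on host"
        return "SKIP", f"{src_seg}: no Access Network boundary crossed"
    if not (is_access(src_seg) or is_access(dst_seg)):
        return "SKIP", "data-center internal flow (see data center pattern)"
    key = (src_seg, dst_seg, flow.dport, flow.proto)
    point = "site perimeter" if dst_seg == "external" else f"{dst_seg} boundary"
    if key in RULES:
        return "ALLOW", f"{point}: {src_seg} -> {dst_seg}:{flow.dport}/{flow.proto}"
    return "DROP", f"{point}: no rule for {src_seg} -> {dst_seg}:{flow.dport}/{flow.proto}"


SAMPLE_FLOWS = [  # constructed
    Flow("10.10.1.10", "10.20.1.5", 443, "tcp"),    # finance -> ERP app
    Flow("10.10.1.10", "10.20.2.5", 443, "tcp"),    # finance -> HR app
    Flow("10.10.1.10", "10.10.1.11", 445, "tcp"),   # peer workstation, same segment
    Flow("10.10.1.10", "10.10.2.10", 445, "tcp"),   # finance -> HR workstation
    Flow("10.10.9.10", "10.20.9.5", 22, "tcp"),     # admin -> jump host
    Flow("10.10.1.10", "203.0.113.7", 443, "tcp"),  # finance -> Internet HTTPS
    Flow("10.10.1.10", "203.0.113.7", 22, "tcp"),   # finance -> Internet SSH
    Flow("10.20.1.5", "10.20.2.5", 5432, "tcp"),    # server -> server
    Flow("10.10.1.10", "10.99.0.1", 80, "tcp"),     # on-site, not inventoried
]


def audit(flows: list[Flow]) -> list[tuple[Flow, str, str]]:
    return [(f, *decide(f)) for f in flows]


if __name__ == "__main__":
    for f, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {f.src}->{f.dst}:{f.dport}/{f.proto}  {reason}")
```

Two points of the design are worth noting. The workstation-to-workstation check fires before any boundary rule is consulted, which is the on-host (atomic segment) control from the first item; a flow between two Access Network segments, such as finance to HR, is instead dropped at the destination segment boundary because no rule permits it. Destinations outside the site address space are attributed to the "external" segment, so the same allow-list expresses what the site perimeter enforces towards the WAN and Internet.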