Corporate Internet module: Contains ingress router, switches, NAS, firewall, DMZ servers with HIDS, NIDS on DMZ and campus approach paths, and egress router. Design alternatives are to add a stateful firewall at ingress, place a NIDS in front of the existing firewall, eliminate the egress firewall (at egress to the campus), and add content inspection/URL filtering capability.
WAN module: Contains ingress router for frame relay/ATM leased circuits; passes traffic directly into the campus. Alternatives are to add a firewall or use encryption.
Campus module: Contains Layer 3 switch with NIDS, Layer 2 switches, users, corporate servers with HIDS, and management server with HIDS. Design alternatives are to eliminate Layer 2 switches (Layer 3 switch supports all traffic), eliminate Layer 3 switch and add a router for filtering and segmentation, and replace the NIDS appliance with a blade on the Layer 3 switch to handle more throughput.