Where in edge network designs should internal proxy servers be placed?

If proxy servers are mandated in your design because of policy requirements, they can most easily be placed in your internal campus network or off a dedicated public server segment if you value treating them as a semitrusted resource. Both options are discussed in Chapter 7.

How should connections from the edge be made back to the campus network?

It depends on the number of connections. In the case of the small network, there is only one connection point, so it is easy to connect it directly to the campus. A high-end network might have an Internet, e-commerce, extranet, and remote access edge. With this many technologies, it can be appropriate to aggregate the connectivity at an edge distribution layer. This is discussed more in Chapter 14, "Campus Security Design."

How do the NIDS systems report data back to the management network?

Most NIDS appliances have two interfaces. One sniffs for attack traffic and has no IP address til the other connects to the management network where all alarms are sent and command and control information is received. These second interface connections are not seen in the diagrams in this chapter but connect back to your management network.

Are there any security issues resulting from having a redundant infrastructure in which each path through the edge is equally preferred by the campus?

The main issues center around the handling of asymmetric traffic when you have stateful security devices such as firewalls or NIDS. Chapter 6 covers this issue in detail.

Based on your understanding of this chapter, which edge design is currently closest to your own network?

Which design most mirrors how you intuitively think your network should be designed?

Looking at the design most similar to the design you envision for your own network, find at least one place where you disagree with the layout or function of the design. How and why would you do it differently?