What This Three-Part Assignment Actually Involves

Assignment at a Glance

You are designing a secure corporate network infrastructure across three deliverables: (1) an initial network diagram in Visio or an open-source alternative, (2) a 6–10 page technical paper documenting device selection, configurations, IP addressing, security features, and planning/testing considerations, and (3) a final updated diagram that incorporates vendor details, IP addresses, and four specific security enforcement requirements. All three parts must be cited with specific, credible sources.

Before you open Visio, understand the scope. There are 14 distinct device types to place, configure, and document. The paper is not a narrative essay — it is a technical specification document, and your marker is looking for precision. Vague statements like “the firewall provides security” will not earn marks. Specific statements like “the Cisco ASA 5506-X uses stateful packet inspection to allow outbound HTTP/HTTPS while blocking all uninitiated inbound connections from the untrusted zone” will.

The good news: once you understand the logical architecture — the zones, the traffic flows, and the security rationale — the device placement, configuration, and IP addressing fall into place fairly naturally. Start with the architecture. Let the devices follow from it. If you need expert help getting any part of this assignment done, Smart Academic Writing’s computer science specialists work on exactly this type of infrastructure design assignment.

Part 1: Initial Diagram

Visio or draw.io network topology showing all 14 device types placed logically within the corporate network.

Part 2: 6–10 Page Paper

Vendor, model, IP, OS, five security features, admin controls, and configuration impact for every device — plus planning and testing elements.

Part 3: Final Diagram

Updated diagram with vendor/model/IP annotations and four specific enforcement rules about VPN, segmentation, and vulnerability scanning.

≥4 Credible Sources

Academic or technical sources — NIST publications, Cisco documentation, peer-reviewed security papers — cited at least once each.


Part 1: Building the Network Diagram

The diagram is not decorative. It is an argument — a visual claim about where each device belongs and why. Before you place a single icon, decide on your network zones. A well-structured corporate network diagram for this assignment will have three to four distinct zones, and every device the assignment lists maps logically to one of them.

Which Tool to Use

Microsoft Visio works. If you do not have access to it, draw.io (diagrams.net) is free, runs in the browser, and has dedicated network shape libraries that include all the device types you need. Export as PNG or SVG and embed in your paper. Lucidchart also has a free tier with network templates. Do not use PowerPoint — it lacks the proper network shape sets and will look like it.

The Zone Framework

Think in terms of trust levels. Devices on the public internet are untrusted. Devices inside your network are trusted. Devices that need to be reachable from both — your web server, FTP server, VPN server — sit in a demilitarized zone (DMZ), which is semi-trusted. This three-zone model (Internet → DMZ → Internal Network) is the foundation of nearly every secure corporate network design. Add an internal segmentation layer for your server zone and your departmental VLANs, and you have your architecture.

Network Zones and Where Each Device Belongs

This is the section most students get wrong. They place devices randomly rather than according to security logic. Here is the correct placement rationale for all 14 required device types — not a prescription to copy, but a framework for building your own justified design.

1. Internet-Facing Layer (Untrusted / Edge)

Edge router, edge firewall — the outermost protection boundary

The edge router is the first device in your network that touches the internet. It handles routing between your ISP and your network and typically performs basic access control list (ACL) filtering. Behind it sits the edge firewall — the primary defense against inbound threats. The edge firewall performs stateful packet inspection, NAT, and enforces the policy that separates the untrusted internet from your DMZ and internal network. In your diagram, both devices should be clearly placed between the “Internet” cloud and the DMZ. The edge router connects to the internet cloud; the edge firewall connects to the edge router on one side and the DMZ on the other. Do not skip this separation — placing the edge firewall directly at the internet connection without the edge router misses the routing layer that handles ISP handoff.

2. DMZ (Demilitarized Zone)

Web server, FTP server, VPN server — publicly accessible but isolated from internal network

The DMZ is the network segment that hosts services that must be reachable from the internet but should not have direct access to the internal corporate network. Your web server, FTP server, and VPN server all live here. The key design principle: a device in the DMZ compromised by an attacker should not give that attacker lateral access to internal resources. The edge firewall controls traffic between Internet → DMZ, and a second internal firewall controls traffic between DMZ → Internal Network. This creates a “two-firewall DMZ” architecture, which is the industry standard and the design you should implement in your diagram. The VPN server is in the DMZ specifically because it terminates VPN connections from external users before passing authenticated traffic through the internal firewall to the corporate network — as the assignment explicitly requires.

3. Internal Server Zone

Authentication server, anti-virus server, vulnerability scanner, IDS, web proxy

Behind the internal firewall, your server zone hosts the infrastructure devices that support internal operations. The authentication server (e.g., Microsoft Active Directory / RADIUS) handles user identity. The anti-virus server pushes signature updates to clients and aggregates scan results. The vulnerability scanner (e.g., Nessus / Tenable) needs network access to all subnets to perform its daily scans. The IDS sits inline or in monitoring mode — typically connected to a SPAN port on the core switch so it can inspect traffic across all internal segments; in either placement it only detects and alerts, since a device that also drops traffic is an IPS. The web proxy handles outbound web traffic from internal users, filtering content and caching responses. These devices need to reach user workstations, so they sit in a server subnet with firewall rules permitting specific traffic flows rather than broad access.

4. Core Infrastructure Layer

Core router, distribution router, switch — the internal routing and switching fabric

The core router provides high-speed routing between internal subnets and connects the internal network to the DMZ through the internal firewall. The distribution router aggregates connections from the access layer (departmental switches) and applies inter-VLAN routing, QoS policies, and access control. The switch (or multiple switches) at the access layer connects end-user workstations and departmental devices. For the Part 3 segmentation requirement — where Engineering and Finance cannot communicate — the distribution router is where you implement the ACL or firewall rule that blocks inter-departmental traffic. Each department (Engineering, Finance/Accounting, IT) should be on a separate VLAN with its own subnet, connected through the distribution router.

Diagram Layout Tips for draw.io

Use draw.io’s built-in network shape libraries (the “+ More Shapes” button at the bottom of the shape panel, under Networking, or the search bar for “router,” “firewall,” “server”). Structure your diagram top-to-bottom with the internet cloud at the top, edge devices below it, DMZ in the middle, and internal network at the bottom. Use labeled boxes or swim-lane backgrounds to visually define each zone. Add brief annotation labels to each device connection explaining what traffic is permitted. For Part 3, use color-coded VLANs to show the departmental segmentation visually.


Part 2: Structuring the 6–10 Page Configuration Paper

The paper has two main bodies of content: device documentation and planning/testing elements. Do not try to write these as a continuous narrative. Use clear headings for each device and each planning element — this makes the paper easier to write, easier to read, and easier for your marker to verify that all required elements are present.

A clean structure for the paper looks like this: an introduction stating the network’s purpose and architecture overview, a device documentation section (one subsection per device), a planning and testing section covering each of the 13 required elements, and a references section. With 14+ devices and 13 planning elements to cover in 6–10 pages, you are working at roughly 200–250 words per device and 80–120 words per planning element. That is not much. Be precise. Cut everything that does not directly address a required element.

If the writing volume and technical depth of this paper feel unmanageable alongside your other coursework, the technical writing specialists at Smart Academic Writing handle exactly this type of paper — from device selection through full configuration documentation.

How to Document Each Device: The Required Elements

For every device in your network, the assignment requires vendor/make, model, IP address, OS identification, five security features, administrative controls, and an explanation of each configuration’s impact on overall network security. Here is how to approach that for each category of device.

Firewalls (Edge Firewall + Internal Firewall)

The primary enforcement points of your security architecture

For vendor and model, Cisco is the most commonly documented choice for academic assignments — the Cisco ASA 5506-X for the edge firewall and the Cisco ASA 5505 for the internal firewall are well-documented in vendor documentation and widely cited in network security literature (note that the ASA 5505 is an end-of-life platform, so whichever model you choose, reconcile it with the vendor-support element of your planning section). Alternatively, Fortinet’s FortiGate series (e.g., FortiGate 60F) or Palo Alto Networks’ PA-220 are strong choices with extensive configuration documentation available.

When documenting the five security features, go beyond generic statements. For a Cisco ASA, your five security features might be: (1) stateful packet inspection, (2) application-aware firewall (Layer 7 inspection), (3) intrusion prevention integrated with Cisco Firepower, (4) site-to-site and remote-access VPN support, and (5) identity-based access control via Cisco ISE integration. For administrative controls, cover role-based access to the management interface, management plane separation, SNMP monitoring, syslog integration, and scheduled configuration backups. Each of these should be tied back to its impact on overall network security — not just listed in isolation.

Web Server, FTP Server, VPN Server

DMZ-hosted services with controlled external accessibility

For the web server, a common academic choice is an Apache HTTP Server running on Ubuntu Server 22.04 LTS, or Microsoft IIS on Windows Server 2022. For the FTP server, vsftpd (Very Secure FTP Daemon) on Linux is a well-documented, security-focused option that is straightforward to configure. For the VPN server, Cisco ASA 5506-X with AnyConnect is the standard enterprise choice; OpenVPN on Linux is a well-documented open-source alternative. Assign each server an IP in your DMZ subnet. The web server configuration should cover TLS 1.3 enforcement, HTTP-to-HTTPS redirection, disabling unused modules, access logging, and OS hardening. The VPN server configuration needs to explicitly address the Part 3 requirement — that all VPN connections terminate at the VPN server in the DMZ before passing authenticated traffic through the internal firewall.

Authentication Server

Identity and access management for the corporate network

The most commonly used and best-documented choice here is Microsoft Active Directory Domain Services on Windows Server 2022. For RADIUS authentication (required for VPN and network device access), you can run Network Policy Server (NPS) as a RADIUS server on the same Windows Server instance, or use a dedicated appliance like Cisco ISE. Five security features to document: Kerberos authentication, LDAP over SSL (LDAPS), Group Policy Objects for workstation configuration enforcement, account lockout policies after failed login attempts, and Multi-Factor Authentication via Azure AD integration or similar. The administrative controls section should cover the principle of least privilege for service accounts, separation of administrator and user accounts, privileged access workstations for AD administration, and audit logging of all authentication events.

Anti-Virus Server, IDS, Vulnerability Scanner

Threat detection and continuous monitoring layer

For the anti-virus server (which includes both server-based and client-based components as noted in the assignment), Symantec Endpoint Protection Manager or McAfee ePolicy Orchestrator (ePO) are well-documented enterprise options. The client component is installed on each workstation; the server component manages signature updates and policy enforcement centrally. The IDS should be Snort (open-source, extremely well-documented, backed by Cisco) or a commercial option like Cisco Secure IDS. Position the IDS sensor at the SPAN port of your core switch for maximum internal visibility. For the vulnerability scanner, Tenable Nessus Professional is the industry-standard choice and has comprehensive documentation. Document how Nessus is scheduled for daily scans with credentialed access to all subnets — this directly addresses the Part 3 requirement for daily workstation scanning.

Web Proxy, Routers, Switch

Traffic control, routing infrastructure, and internal connectivity

For the web proxy, Squid Proxy running on Linux is the most widely used open-source option, with extensive academic and technical documentation. The proxy enforces content filtering, caches frequently accessed content, and logs all outbound web requests. For routers, Cisco is the standard choice: Cisco 4321 ISR for the edge router and core router, Cisco Catalyst 3750 (a Layer 3 switch that performs the inter-VLAN routing) for the distribution layer. Assign IP addresses to each router interface: the edge router has one interface facing the internet (public IP) and one facing the edge firewall, which in turn fronts the DMZ; the core router connects the DMZ to the internal network via the internal firewall; the distribution router aggregates the departmental VLANs. For the switch, a Cisco Catalyst 2960-X running in managed mode with VLAN configuration is the natural complement to the Cisco router stack. Document port security, VLAN segmentation, and STP configuration as key security features.


Building a Coherent IP Addressing Scheme for the Entire Network

Every device needs a specific IP address in the paper and in the Part 3 diagram. Use RFC 1918 private addressing for all internal devices. Here is a clean scheme you can adapt.

| Zone / Segment | Subnet | Example Devices and IPs |
| --- | --- | --- |
| Edge / External | 203.0.113.0/30 (documentation IP per RFC 5737) | Edge Router WAN: 203.0.113.1 / Edge Router LAN: 10.0.0.1 |
| DMZ | 10.0.1.0/24 | Web Server: 10.0.1.10 / FTP Server: 10.0.1.11 / VPN Server: 10.0.1.12 / Edge Firewall DMZ: 10.0.1.1 |
| Server Zone (Internal) | 10.0.2.0/24 | Auth Server: 10.0.2.10 / AV Server: 10.0.2.11 / Vuln Scanner: 10.0.2.12 / IDS: 10.0.2.13 / Web Proxy: 10.0.2.14 / Internal FW: 10.0.2.1 |
| Core Routing | 10.0.0.0/30 (transit links) | Core Router: 10.0.0.2 / Distribution Router: 10.0.0.5 |
| IT Department (VLAN 10) | 10.0.10.0/24 | IT Desktops: 10.0.10.100–10.0.10.150 / IT Laptops: 10.0.10.200–10.0.10.220 |
| Engineering (VLAN 20) | 10.0.20.0/24 | Engineering Workstations: 10.0.20.100–10.0.20.200 |
| Finance & Accounting (VLAN 30) | 10.0.30.0/24 | Finance Workstations: 10.0.30.100–10.0.30.200 |
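As an added check that is not part of the original guide, the following Python script encodes the table above and verifies it the way a marker would: each address falls inside its row’s subnet and is a usable host, no address is assigned twice, no two subnets overlap, internal segments use RFC 1918 space and the WAN link uses an RFC 5737 documentation range. It assumes the edge router’s LAN address sits on the 10.0.0.0/30 transit link, which the table lists in the edge row without naming that subnet.

```python
"""Consistency checks for the addressing scheme in the table above.

Added example, not part of the original guide. The edge router's LAN address
is placed on the 10.0.0.0/30 transit link (an assumption: the table lists it
under the edge row without naming that subnet).
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC5737 = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]

# (segment, subnet, faces the internet?, {device: "ip" or ("first ip", "last ip")})
ADDRESS_PLAN = [
    ("Edge / External", "203.0.113.0/30", True, {
        "Edge Router WAN": "203.0.113.1"}),
    ("Core Routing", "10.0.0.0/30", False, {
        "Edge Router LAN": "10.0.0.1", "Core Router": "10.0.0.2",
        "Distribution Router": "10.0.0.5"}),
    ("DMZ", "10.0.1.0/24", False, {
        "Edge Firewall DMZ": "10.0.1.1", "Web Server": "10.0.1.10",
        "FTP Server": "10.0.1.11", "VPN Server": "10.0.1.12"}),
    ("Server Zone", "10.0.2.0/24", False, {
        "Internal FW": "10.0.2.1", "Auth Server": "10.0.2.10",
        "AV Server": "10.0.2.11", "Vuln Scanner": "10.0.2.12",
        "IDS": "10.0.2.13", "Web Proxy": "10.0.2.14"}),
    ("IT (VLAN 10)", "10.0.10.0/24", False, {
        "IT Desktops": ("10.0.10.100", "10.0.10.150"),
        "IT Laptops": ("10.0.10.200", "10.0.10.220")}),
    ("Engineering (VLAN 20)", "10.0.20.0/24", False, {
        "Engineering Workstations": ("10.0.20.100", "10.0.20.200")}),
    ("Finance (VLAN 30)", "10.0.30.0/24", False, {
        "Finance Workstations": ("10.0.30.100", "10.0.30.200")}),
]


def _within(net, ranges):
    """True if net is contained in any of the given address ranges."""
    return any(net.subnet_of(r) for r in ranges)


def check_plan(plan=ADDRESS_PLAN):
    """Return human-readable findings; an empty list means the plan is consistent."""
    findings = []
    seen_nets = []   # (segment, network) already processed, for overlap checks
    owner = {}       # int(address) -> device, for duplicate detection
    for segment, cidr, external, assignments in plan:
        net = ipaddress.ip_network(cidr)
        # 1. Address space: RFC 5737 documentation space outside, RFC 1918 inside.
        if external and not _within(net, RFC5737):
            findings.append(f"{segment}: {cidr} is not an RFC 5737 documentation range")
        if not external and not _within(net, RFC1918):
            findings.append(f"{segment}: {cidr} is not RFC 1918 private space")
        # 2. No two segments may share address space.
        for other_segment, other in seen_nets:
            if net.overlaps(other):
                findings.append(f"{segment}: {cidr} overlaps {other_segment} ({other})")
        seen_nets.append((segment, net))
        # 3. Every device address (or both ends of a range) is a usable host here.
        for device, value in assignments.items():
            first, last = (value, value) if isinstance(value, str) else value
            lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
            if lo > hi:
                findings.append(f"{device}: range {first}-{last} is reversed")
                continue
            for addr in sorted({lo, hi}):
                if addr not in net:
                    findings.append(f"{device}: {addr} is outside {segment} subnet {cidr}")
                elif addr in (net.network_address, net.broadcast_address):
                    findings.append(f"{device}: {addr} is the network or broadcast address of {cidr}")
            # 4. No address is handed to two devices anywhere in the plan.
            for n in range(int(lo), int(hi) + 1):
                if owner.setdefault(n, device) != device:
                    findings.append(f"{device}: {ipaddress.ip_address(n)} already assigned to {owner[n]}")
    return findings


if __name__ == "__main__":
    for finding in check_plan() or ["no findings: addressing plan is consistent"]:
        print(finding)
```

Run against the table as given, it reports one finding: the distribution router’s 10.0.0.5 lies outside 10.0.0.0/30 (it belongs to the neighbouring 10.0.0.4/30), exactly the kind of slip a marker will spot and the check exists to catch.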

Using Documentation IP Addresses in Academic Work

For the public-facing IP on your edge router, use addresses from IANA’s designated documentation ranges rather than inventing arbitrary public IPs. 203.0.113.0/24 (TEST-NET-3 per RFC 5737) is specifically reserved for documentation and examples, which makes it the correct choice for academic assignments. Using real public IP addresses that belong to actual organizations in your diagram is technically incorrect and may appear sloppy to a marker who notices it. Cite RFC 5737 as your source for this choice — it demonstrates that you understand IP address management conventions.


How to Document Five Security Features and Administrative Controls Per Device

This is the highest-volume requirement in Part 2 and the area where students most often lose marks by being generic. Your marker has read a hundred papers where “the firewall protects the network” is listed as a security feature. That earns nothing. Here is how to write device security documentation that actually scores.

What a Strong Security Feature Entry Looks Like

Cisco ASA 5506-X — Edge Firewall

Generic (earns no credit): “The firewall blocks unauthorized traffic.”

Specific and credible (earns credit):

Security Feature 1: Stateful Packet Inspection (SPI)
The ASA 5506-X maintains a connection state table that tracks the state of all active TCP/UDP sessions. Inbound packets are only permitted if they correspond to an established outbound session or match an explicitly permitted access control entry. All other inbound traffic is dropped by default. This prevents TCP session hijacking, port-scanning-based reconnaissance, and unsolicited inbound connections from reaching the DMZ or internal network. Inspection is configured through class maps and inspect policy maps in the ASA’s Modular Policy Framework and applied as a global or per-interface service policy (Cisco, 2023).

Security Feature 2: Network Address Translation (NAT)
The ASA performs dynamic PAT on outbound traffic, translating internal RFC 1918 addresses to the single public-facing IP on the outside interface. This conceals the internal addressing scheme from external observers, preventing reconnaissance of internal subnet structure. Static NAT entries are configured for the DMZ servers (web, FTP, VPN) to allow controlled inbound access to specific services.

Continue this pattern for all five features. Each entry should name the feature, explain how it is configured in this specific device, and state its direct impact on network security.

For administrative controls, document the management-plane configuration separately from the data-plane security features. Administrative controls for most devices should cover: who can access the management interface and how (role-based access, SSH only, no Telnet), how authentication for administrative access is handled (local accounts vs. RADIUS/TACACS+), how configuration changes are logged and monitored, how software/firmware updates are managed, and what backup and recovery procedures exist for the device configuration.


Addressing the 13 Planning and Testing Elements

The second major body of the paper requires you to address 13 specific planning and testing considerations. Each one needs a paragraph or two — not a textbook definition, but a specific statement of how it applies to your corporate network design. Here is a brief orientation for each element so you know what to actually write.

| Element | What to Address in Your Paper | Key Consideration |
| --- | --- | --- |
| Organizational requirements | Define the assumed organizational context — size, industry, regulatory environment (e.g., PCI-DSS if Finance is involved) | Regulatory compliance shapes every security control — name applicable regulations |
| Budget | Acknowledge that vendor and model choices reflect budget constraints; discuss TCO of hardware vs. cloud-based alternatives | Academic assignments need a budget rationale, not a real budget number |
| Modularity for security and testing | Explain how your VLAN segmentation allows changes to one segment without impacting others; how devices can be tested in isolation | Segmentation is the key word — connect it to your actual VLAN design |
| Naming conventions | Define a device naming scheme that encodes location, role, and sequence — e.g., FW-DMZ-01, RTR-CORE-01, SW-DEPT-IT-01 | Naming conventions that reveal zone and function simplify troubleshooting and audit trails |
| Network speed and data capacity | Specify interface speeds for each segment — 1 Gbps access layer, 10 Gbps core uplinks — and justify based on workload assumptions | Bottlenecks at the distribution or core layer affect the entire network’s availability |
| Vendor support | Discuss the support lifecycle for chosen vendors (Cisco SmartNet, Microsoft Premier Support) and the risk of EOL hardware | Unsupported hardware is a direct security risk — unpatched vulnerabilities cannot be fixed without vendor support |
| Risk and redundancy | Identify single points of failure in your design and propose redundancy (dual firewalls in HA mode, redundant core switches) | Your vulnerability scanner’s daily scan schedule is a risk event that should not degrade production performance — schedule off-peak |
| Uptime requirements | Define expected uptime (99.9% = 8.76 hours downtime/year) and map it to redundancy, UPS, and failover configuration | Finance department systems often have stricter uptime SLAs — note this in relation to the Finance VLAN design |
| Continuous data monitoring | Explain how the IDS, web proxy logs, firewall logs, and vulnerability scanner outputs feed into a centralized SIEM or log management system | The IDS alone is not enough — you need a monitoring architecture that aggregates events across all devices |
| Load balancing | Discuss load balancing for the web server (if serving external users) and the VPN server (if handling multiple concurrent sessions) | The VPN server is a likely bottleneck if all remote users connect simultaneously — address this explicitly |
| Testing for latency | Explain how tools like ping, traceroute, and iPerf can identify latency at each network hop; set acceptable latency thresholds by segment | VPN adds encryption overhead and latency — document expected VPN throughput impact |
| Bandwidth and throughput | Distinguish between bandwidth (maximum capacity) and throughput (actual utilization); describe how SNMP-based monitoring tracks both | Web proxy caching reduces bandwidth consumption — document the expected cache hit rate as a bandwidth optimization |
| Specific software and tools | Name the specific tools used for each function — Nessus for vulnerability scanning, Wireshark for packet capture, SolarWinds for SNMP monitoring, Splunk for SIEM | Every tool name should link back to a device or function you have already documented — no orphan tool references |

According to NIST Special Publication 800-41 Revision 1, firewalls should be deployed as part of a layered security architecture — not as standalone protection. Every element of your network design should demonstrate that you understand defense-in-depth.

— NIST SP 800-41 Rev. 1, Guidelines on Firewalls and Firewall Policy (Scarfone & Hoffman, 2009), available at nvlpubs.nist.gov

Part 3: Creating the Final Annotated Diagram

Part 3 builds directly on Part 1. You are updating your initial diagram to include: vendor names, model numbers, and IP addresses on every device; at least 11 of the 14 required device types; and four specific enforcement requirements that must be visually represented and verifiable in the diagram.

Do not start from scratch. Take your Part 1 diagram, add the vendor/model/IP annotations in callout boxes or tooltip labels beside each device icon, and update it to reflect the four requirements. The annotations make the diagram denser and harder to read if done carelessly — use consistent label formatting and consider a legend box in the corner of the diagram that clarifies the annotation format.

A clean annotation format for each device: [Device Name] | [Vendor Model] | [IP Address]
Example: Edge Firewall | Cisco ASA 5506-X | 10.0.1.1

Meeting the Four Specific Security Requirements in the Final Diagram

These four requirements are the hardest part of Part 3 to get right, because they require both a design decision and a visual representation in the diagram. Here is exactly what each requirement means and how to show it.

R1

VPN sessions are only allowed to access IT department desktops — by IT employees only

This is an access control rule, not a topology change. It should be implemented at the internal firewall or the distribution router as an ACL: traffic arriving from the VPN server (10.0.1.12) is only permitted to reach 10.0.10.0/24 (IT VLAN). All VPN traffic destined for Engineering (10.0.20.0/24) or Finance (10.0.30.0/24) is blocked. The authentication requirement (“by IT employees only”) is enforced at the VPN server via RADIUS authentication against the Active Directory group “IT Department.” In your diagram, show this with a labeled arrow from the VPN Server to the IT Department VLAN, with a red X or blocked arrow toward Engineering and Finance. Add a note: “VPN → IT VLAN only. ACL on Distribution Router blocks VPN subnet from VLAN 20 and VLAN 30.”

R2

All VPN connections from the Internet terminate at the VPN server

This is a topology requirement already addressed by placing the VPN server in the DMZ. The key is showing it clearly in the diagram. Draw the VPN connection path: Internet cloud → Edge Router → Edge Firewall → DMZ → VPN Server. Then show a separate authenticated path from VPN Server → Internal Firewall → IT VLAN. The internet cloud should have no direct path to the internal network — all paths pass through the edge firewall and then the VPN server. Add a diagram label: “All external VPN sessions terminate at VPN Server (10.0.1.12). No direct external access to internal subnets.” This makes the enforcement requirement visually unambiguous.

R3

Engineering and Finance/Accounting cannot communicate

This is inter-VLAN communication blocking. Engineering is on VLAN 20 (10.0.20.0/24) and Finance is on VLAN 30 (10.0.30.0/24). The distribution router routes between VLANs — and you need an ACL on the distribution router that denies traffic from 10.0.20.0/24 to 10.0.30.0/24 and vice versa. In your diagram, show the two VLANs connected to the distribution router, with a labeled blocking symbol between them. Add a note: “Inter-VLAN ACL on Distribution Router: deny 10.0.20.0/24 ↔ 10.0.30.0/24.” If you use VLAN color-coding in your diagram, use distinct colors for Engineering and Finance and no connecting line between them.

R4

Vulnerability scans occur daily, with all desktops scanned at least once per day

This is a scanning coverage and scheduling requirement. The Nessus vulnerability scanner (10.0.2.12) needs to reach all departmental VLANs — 10.0.10.0/24, 10.0.20.0/24, and 10.0.30.0/24. Show scan paths in your diagram from the Vulnerability Scanner to each departmental VLAN with a labeled arrow: “Daily credentialed scan, 02:00–04:00 UTC.” The firewall rules must permit Nessus to initiate connections to workstations on these subnets — document this firewall rule in Part 2. In Part 3, the diagram note should specify both the schedule and the credential approach: “Credentialed Nessus scan of all VLAN 10/20/30 hosts — scheduled 02:00 daily.” This directly addresses the “at least once per day” requirement.
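To check R1, R3 and R4 before they go into the diagram, here is an added Python model (not the assignment’s or Cisco’s own configuration) of the distribution-router ACL evaluated first-match with an implicit deny, as a Cisco IOS extended ACL is, together with a shadowed-rule check that catches the ordering mistakes the diagram labels alone cannot show. The addresses are the ones from the addressing table; the closing catch-all permit for other internal traffic is an assumption, as is treating the VPN server’s own address as the source of VPN traffic.

```python
"""First-match ACL model for requirements R1, R3 and R4 on the distribution router.

Added example, not the assignment's or any vendor's configuration. Rules are
evaluated the way a Cisco IOS extended ACL is (first match wins, implicit
deny at the end). Addresses come from the addressing table above; the final
catch-all permit for other internal traffic is an assumption.
"""
import ipaddress

# (action, source, destination, note). Order is significant.
DIST_ROUTER_ACL = [
    ("permit", "10.0.1.12/32", "10.0.10.0/24", "R1: VPN server -> IT VLAN"),
    ("deny",   "10.0.1.12/32", "10.0.20.0/24", "R1: VPN server blocked from Engineering"),
    ("deny",   "10.0.1.12/32", "10.0.30.0/24", "R1: VPN server blocked from Finance"),
    ("permit", "10.0.2.12/32", "10.0.10.0/24", "R4: Nessus scanner -> IT VLAN"),
    ("permit", "10.0.2.12/32", "10.0.20.0/24", "R4: Nessus scanner -> Engineering"),
    ("permit", "10.0.2.12/32", "10.0.30.0/24", "R4: Nessus scanner -> Finance"),
    ("deny",   "10.0.20.0/24", "10.0.30.0/24", "R3: Engineering -> Finance"),
    ("deny",   "10.0.30.0/24", "10.0.20.0/24", "R3: Finance -> Engineering"),
    ("permit", "10.0.0.0/8",   "10.0.0.0/8",   "assumption: remaining internal traffic"),
]

# What the requirements demand of sample flows: (source host, destination host, action).
REQUIRED_FLOWS = [
    ("10.0.1.12",   "10.0.10.101", "permit"),  # R1: VPN reaches an IT desktop
    ("10.0.1.12",   "10.0.20.150", "deny"),    # R1: VPN cannot reach Engineering
    ("10.0.1.12",   "10.0.30.150", "deny"),    # R1: VPN cannot reach Finance
    ("10.0.20.120", "10.0.30.120", "deny"),    # R3: blocked in both directions
    ("10.0.30.120", "10.0.20.120", "deny"),
    ("10.0.2.12",   "10.0.10.101", "permit"),  # R4: scanner reaches every VLAN
    ("10.0.2.12",   "10.0.20.150", "permit"),
    ("10.0.2.12",   "10.0.30.150", "permit"),
    ("10.0.20.120", "10.0.2.14",   "permit"),  # Engineering still reaches the web proxy
]


def evaluate(acl, src, dst):
    """Return (action, note) of the first rule matching src -> dst, else the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, note in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action, note
    return "deny", "implicit deny at end of ACL"


def verify(acl, flows=REQUIRED_FLOWS):
    """List every required flow whose actual outcome differs from the expected one."""
    violations = []
    for src, dst, expected in flows:
        action, note = evaluate(acl, src, dst)
        if action != expected:
            violations.append(f"{src} -> {dst}: expected {expected}, got {action} via '{note}'")
    return violations


def shadowed_rules(acl):
    """Indices of rules that can never match because an earlier rule already covers them."""
    nets = [(ipaddress.ip_network(s), ipaddress.ip_network(d)) for _, s, d, _ in acl]
    shadowed = []
    for j, (src_j, dst_j) in enumerate(nets):
        if any(src_j.subnet_of(src_i) and dst_j.subnet_of(dst_i) for src_i, dst_i in nets[:j]):
            shadowed.append(j)
    return shadowed


if __name__ == "__main__":
    print("violations:", verify(DIST_ROUTER_ACL) or "none")
    print("shadowed rule indices:", shadowed_rules(DIST_ROUTER_ACL) or "none")
    # Moving the catch-all to the top is the classic mistake: every later rule is
    # shadowed and all four deny requirements fail.
    misordered = [DIST_ROUTER_ACL[-1]] + DIST_ROUTER_ACL[:-1]
    print("misordered violations:", len(verify(misordered)),
          "shadowed:", shadowed_rules(misordered))
```

The ACL is stateless, so the DMZ-to-server-zone flows (the VPN server’s RADIUS request to the authentication server, for instance) belong to the internal firewall rules and are not modelled here. If the VPN server hands clients addresses from a pool, the R1 rules should name that pool rather than 10.0.1.12.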

Four-Fifths Calculation for Part 3

The assignment requires four-fifths of the listed devices. The list has 14 device types: web server, FTP server, VPN server, authentication server, anti-virus server, edge firewall, firewall, vulnerability scanner, IDS, web proxy, edge router, core router, switch, distribution router. Four-fifths of 14 = 11.2, so you need at least 11 device types in your Part 3 diagram. If you include all 14 (which you should, since they are all already in your Part 1 diagram), you exceed the minimum. The three you could technically omit are the FTP server, the distribution router, or the web proxy — but omitting any of them weakens the diagram’s completeness and the paper’s device documentation. Include all 14.


Finding Four or More Credible Sources for This Assignment

The assignment requires at least four specific and credible academic sources, each cited at least once within the paper. Generic IT blogs or Wikipedia will not meet this standard. Here is where to look and what to look for.

1. NIST Special Publications

Free, peer-reviewed, government-authored — the gold standard for network security citations

The National Institute of Standards and Technology publishes Special Publications (SP) that are directly applicable to this assignment. SP 800-41 Rev. 1 (Guidelines on Firewalls and Firewall Policy) covers firewall placement, DMZ design, and policy configuration — cite this for your firewall documentation. SP 800-94 (Guide to Intrusion Detection and Prevention Systems) covers IDS placement and configuration — cite this for your IDS documentation. SP 800-123 (Guide to General Server Security) covers server hardening — cite this for your web server and authentication server configurations. All NIST SPs are free to download at csrc.nist.gov. These are the highest-credibility sources available for this type of assignment and eliminate any concern about source quality.

2. Vendor Technical Documentation

Cisco, Fortinet, and Tenable publish detailed configuration guides that qualify as credible technical sources

Official vendor documentation is a credible source for configuration specifications. Cisco’s ASA Configuration Guide (available at cisco.com/c/en/us/support) documents every configuration parameter for the ASA series firewalls and is directly applicable when you document your edge firewall configuration. Tenable’s documentation for Nessus Professional (docs.tenable.com) covers scan scheduling, credentialed scanning configuration, and coverage requirements — use this to support your vulnerability scanner documentation and the Part 3 daily scan requirement. When citing vendor documentation, include the specific guide title, the vendor, and the access date or publication year. These count as credible technical sources even if they are not peer-reviewed academic journals.

3. Peer-Reviewed Academic Sources

IEEE Xplore and the ACM Digital Library for network security architecture papers

For peer-reviewed academic citations, search IEEE Xplore (ieeexplore.ieee.org) for terms like “network security architecture,” “DMZ design enterprise network,” or “intrusion detection system placement.” The IEEE/ACM literature on network topology, VLAN segmentation, and defense-in-depth architectures is extensive. Strayer University library also provides access to ProQuest, EBSCO, and other databases through the library portal linked in the assignment instructions — use these to find peer-reviewed articles on specific topics like VPN security, vulnerability scanning methodology, or firewall rule management. A good target is two NIST SPs, one Cisco or vendor guide, and one peer-reviewed journal article — that gets you four minimum with a credibility spread.

Sources to Avoid

  • General IT news sites (TechRepublic, ZDNet, Bleeping Computer) — informative but not credible academic sources
  • Wikipedia — never acceptable as a citation in a technical paper at this level
  • Anonymous blog posts or forum threads — even Stack Overflow, despite its usefulness, does not qualify as a credible source for citations
  • Vendor marketing materials — distinguish between a Cisco white paper authored by engineers (acceptable) and a Cisco product brochure (not acceptable)
  • Sources older than 10 years for rapidly changing fields like network security — a 2012 source on firewall configuration may no longer reflect current best practices and may predate significant CVEs in the devices discussed

Mistakes That Cost Marks on This Assignment

What Weakens the Submission

  • Placing the web server inside the internal network instead of the DMZ
  • Using the same IP address twice or using public IPs for internal devices
  • Listing security features without explaining how they are configured or what they protect against
  • Omitting the operating system identification for each device
  • Treating the IDS as a firewall — documenting it as blocking traffic when IDS only detects, not blocks (that is an IPS function)
  • Failing to show both the client and server components of the anti-virus deployment
  • Using generic sources like Wikipedia or IT news blogs instead of NIST or IEEE
  • Part 3 diagram that does not visually represent the four enforcement requirements
  • Planning and testing section that reads as a glossary rather than as design decisions applied to your network

What Strengthens the Submission

  • Two-firewall DMZ architecture with edge firewall and internal firewall clearly separate
  • Consistent IP addressing scheme across diagram and paper with no overlapping subnets
  • Security features that name specific technical mechanisms (stateful inspection, LDAPS, credentialed scanning) rather than generic terms
  • Administrative controls documented separately from data-plane security features
  • NIST SP citations for firewall, IDS, and server configuration documentation
  • Part 3 diagram with labeled ACL descriptions showing the four enforcement rules
  • Naming convention section that defines a scheme and applies it consistently to all devices in the diagram
  • Vulnerability scanner configuration that explicitly addresses the daily scan and desktop coverage requirement
  • All four Part 3 requirements traceable in the diagram — annotated, not just implied


FAQs: Secure Network Infrastructure Design Assignment

What diagramming tool should I use for the network infrastructure diagram?
Microsoft Visio is the stated tool, but the assignment explicitly permits open-source alternatives. draw.io (diagrams.net) is free, runs in the browser without installation, and has dedicated network shape libraries covering all 14 required device types. Lucidchart is another strong option with a free tier. Export your diagram as a PNG or high-resolution PDF and embed it in your paper. Do not use PowerPoint or generic drawing tools — they lack the network-specific shape sets that make the diagram look professional and communicate topology clearly.
What IP addressing scheme should I use?
Use RFC 1918 private address ranges internally: 10.0.0.0/8 is the most flexible for a corporate network. Assign a dedicated /24 subnet to each zone — DMZ, server zone, and each departmental VLAN. For the edge router’s public-facing interface, use an address from 203.0.113.0/24 (RFC 5737 documentation range) rather than a real public IP that belongs to another organization. Document every device’s IP in both the paper and the diagram — the assignment requires this in both parts. Keep a running IP address table as you build the design so you do not accidentally assign the same address twice.
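The running IP address table recommended above can be kept and checked in code rather than by hand. The block below is an added example, not part of the original page or of any assignment material: it carves one /24 per zone out of 10.0.0.0/8 with Python's standard ipaddress module, records each device's address, rejects duplicates, network and broadcast addresses, and outside-interface addresses that fall outside the RFC 5737 documentation range, and confirms that no two zone subnets overlap. The zone names, device names and host numbers are constructed assumptions.

```python
import ipaddress
from typing import Dict, Optional

# Constructed zone list for the assignment's network (the names are assumptions).
ZONES = ["DMZ", "SERVERS", "VLAN_IT", "VLAN_ENG", "VLAN_FIN", "MGMT"]

# RFC 5737 documentation range, used for the edge router's outside interface
# instead of a real public address that belongs to another organisation.
PUBLIC_DOC_RANGE = ipaddress.ip_network("203.0.113.0/24")


def allocate_zone_subnets(base: str = "10.0.0.0/8", zones=ZONES) -> Dict[str, ipaddress.IPv4Network]:
    """Carve one /24 per zone out of the RFC 1918 10/8 block.

    10.0.0.0/24 is skipped and kept for transit links (an assumption). Consecutive
    /24s taken from one parent block cannot overlap, which is what the marker checks.
    """
    base_net = ipaddress.ip_network(base)
    if not base_net.is_private:
        raise ValueError(f"{base} is not an RFC 1918 private range")
    gen = base_net.subnets(new_prefix=24)
    next(gen)                                  # reserve 10.0.0.0/24
    return {zone: next(gen) for zone in zones}


class AddressPlan:
    """Running IP address table: every entry is validated before it is recorded."""

    def __init__(self, zone_subnets: Dict[str, ipaddress.IPv4Network]):
        self.zones = zone_subnets
        self.devices: Dict[str, ipaddress.IPv4Address] = {}   # device name -> address
        self._used = set()

    def assign(self, device: str, zone: str, host: int) -> ipaddress.IPv4Address:
        """Give a device the host-th address of its zone's /24 (1..254)."""
        net = self.zones[zone]
        addr = net.network_address + host
        if addr not in net or addr in (net.network_address, net.broadcast_address):
            raise ValueError(f"{addr} is not a usable host address in {net}")
        return self._record(device, addr)

    def assign_public(self, device: str, address: str) -> ipaddress.IPv4Address:
        """Outside-interface addresses must come from the documentation range only."""
        addr = ipaddress.ip_address(address)
        if addr not in PUBLIC_DOC_RANGE:
            raise ValueError(f"{addr} is outside the RFC 5737 range {PUBLIC_DOC_RANGE}")
        return self._record(device, addr)

    def _record(self, device: str, addr: ipaddress.IPv4Address) -> ipaddress.IPv4Address:
        if addr in self._used:
            raise ValueError(f"{addr} is already assigned to another device")
        if device in self.devices:
            raise ValueError(f"{device} already has an address in the table")
        self._used.add(addr)
        self.devices[device] = addr
        return addr

    def zone_of(self, device: str) -> Optional[str]:
        """Zone a device sits in, or None for the documentation-range outside interface."""
        addr = self.devices[device]
        for zone, net in self.zones.items():
            if addr in net:
                return zone
        return None

    def validate(self) -> bool:
        """Final checks: zone subnets do not overlap; every address is in a zone or RFC 5737."""
        nets = list(self.zones.values())
        for i, a in enumerate(nets):
            for b in nets[i + 1:]:
                if a.overlaps(b):
                    raise ValueError(f"zone subnets {a} and {b} overlap")
        for device, addr in self.devices.items():
            if addr not in PUBLIC_DOC_RANGE and self.zone_of(device) is None:
                raise ValueError(f"{device} ({addr}) is outside every defined zone")
        return True


def try_assign(plan: AddressPlan, device: str, zone: str, host: int) -> bool:
    """True if the table accepts the entry, False if the plan's checks reject it."""
    try:
        plan.assign(device, zone, host)
        return True
    except ValueError:
        return False


def build_example_plan() -> AddressPlan:
    """Constructed sample table for part of the device set (host numbers are assumptions)."""
    plan = AddressPlan(allocate_zone_subnets())
    plan.assign_public("edge-rtr-outside", "203.0.113.10")
    plan.assign("edge-fw-dmz", "DMZ", 1)
    plan.assign("web-srv", "DMZ", 10)
    plan.assign("vpn-srv", "DMZ", 20)
    plan.assign("int-fw-inside", "SERVERS", 1)
    plan.assign("ldap-srv", "SERVERS", 10)
    plan.assign("nessus-scanner", "MGMT", 10)
    plan.assign("ids-sensor", "MGMT", 11)
    plan.assign("it-workstation-01", "VLAN_IT", 101)
    plan.validate()
    return plan
```

Printing `build_example_plan().devices` gives the device-to-address table that goes into both the paper and the diagram; because a second `assign` of an address already in the table raises, the "same IP used twice" mistake cannot reach the submission.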
How do I show the four Part 3 requirements in the diagram?
Each requirement should be visually represented with labeled arrows or annotations rather than implied by the topology alone. For VPN access restrictions: show a labeled arrow from the VPN server to the IT VLAN only, with a blocked line to Engineering and Finance VLANs. For VPN termination: show the VPN connection path ending at the VPN server, not passing directly into the internal network. For Engineering/Finance blocking: show both VLANs at the distribution router with an ACL annotation between them. For daily vulnerability scans: show labeled scan paths from the Nessus scanner to all departmental VLANs with a schedule note. A diagram that relies on the reader inferring these rules from the topology will not receive full credit.
Where do I place the IDS in the network?
The IDS should be connected to a SPAN port (also called a mirror port) on the core switch. A SPAN port copies all traffic passing through the switch to a designated monitoring port, giving the IDS full visibility into internal traffic without being inline in the traffic path. This is a passive deployment — the IDS observes and generates alerts but does not block traffic (that is an IPS function). In your diagram, show the IDS connected to the core switch with a dashed line labeled “SPAN/Mirror Port” to distinguish the monitoring connection from the data path. In the paper, explicitly note that Snort (or your chosen IDS) is in passive mode for detection-only operation, distinguishing it clearly from an intrusion prevention system.
What credible sources should I cite for this assignment?
The best sources for this assignment are NIST Special Publications — specifically SP 800-41 (firewalls), SP 800-94 (IDS/IPS), and SP 800-123 (server security). These are free, authoritative, and directly relevant to the devices you are documenting. Supplement with official Cisco configuration documentation for any Cisco devices you choose, Tenable documentation for Nessus, and at least one peer-reviewed journal article from IEEE Xplore or ACM Digital Library on network security architecture. Avoid IT news blogs, Wikipedia, and vendor marketing materials.
What is the difference between the edge firewall and the internal firewall in the design?
The edge firewall sits between the internet (via the edge router) and the DMZ. It enforces the policy that separates the untrusted internet from your semi-trusted DMZ, permits inbound traffic only to DMZ services on specific ports (80 and 443 for web, 21 for FTP or 22 for SFTP, 443/1194 for VPN), and performs NAT for outbound traffic. The internal firewall sits between the DMZ and the internal corporate network. It enforces the policy that even a compromised DMZ server cannot reach internal resources uninvited. Only specific traffic flows are permitted inbound from the DMZ — for example, the VPN server is allowed to forward authenticated tunnel traffic to the IT VLAN, but nothing in the DMZ can initiate connections to the Finance or Engineering VLANs. This two-firewall architecture is the standard for a secure DMZ design and is supported by NIST SP 800-41.
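The edge/internal firewall split described above and the four Part 3 enforcement rules from the earlier answer can be written down as first-match ACLs and checked against sample connections before they are drawn. The block below is an added example, not code from the original page or from any vendor: it models the edge firewall, the internal firewall and the distribution-router ACL as rule lists, works out which of them a connection crosses from its source and destination zones, requires every device on the path to permit it, and keeps a minimal connection table so that only replies to permitted connections pass (the stateful behaviour the page attributes to the edge firewall). Zone subnets, the web server, VPN server and scanner addresses, and the sample flows are all constructed assumptions, matching the address plan assumed elsewhere on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed zone subnets; assumed to match the address plan used in the paper.
ZONES = {
    "DMZ": ipaddress.ip_network("10.0.1.0/24"),
    "SERVERS": ipaddress.ip_network("10.0.2.0/24"),
    "VLAN_IT": ipaddress.ip_network("10.0.3.0/24"),
    "VLAN_ENG": ipaddress.ip_network("10.0.4.0/24"),
    "VLAN_FIN": ipaddress.ip_network("10.0.5.0/24"),
    "MGMT": ipaddress.ip_network("10.0.6.0/24"),
}
INTERNAL = {"SERVERS", "VLAN_IT", "VLAN_ENG", "VLAN_FIN", "MGMT"}      # behind the internal firewall
WEB_SERVER, VPN_SERVER, SCANNER = "10.0.1.10", "10.0.1.20", "10.0.6.10"  # assumed host addresses


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"          # anything outside the defined zones is untrusted


@dataclass
class Rule:
    """One ACL entry. A None field means 'any'; src/dst may be a zone name or one host."""
    name: str
    action: str                         # "permit" or "deny"
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None         # "tcp" or "udp"
    dports: Optional[Set[int]] = None

    def matches(self, s_ip: str, d_ip: str, proto: str, dport: int) -> bool:
        def side(spec, ip):
            return spec is None or spec == ip or spec == zone_of(ip)
        return (side(self.src, s_ip) and side(self.dst, d_ip)
                and (self.proto is None or self.proto == proto)
                and (self.dports is None or dport in self.dports))


# Edge firewall: internet <-> DMZ. Inbound only to published DMZ services; outbound web allowed.
EDGE_FW = [
    Rule("web-in", "permit", "INTERNET", WEB_SERVER, "tcp", {80, 443}),
    Rule("vpn-in", "permit", "INTERNET", VPN_SERVER, None, {443, 1194}),
    Rule("web-out", "permit", None, "INTERNET", "tcp", {80, 443}),
    Rule("default", "deny"),            # every other uninitiated inbound connection is dropped
]
# Internal firewall: DMZ <-> internal. Only the VPN server may initiate inward, and only to IT.
INTERNAL_FW = [
    Rule("vpn-to-it", "permit", VPN_SERVER, "VLAN_IT"),
    Rule("web-out", "permit", None, "INTERNET", "tcp", {80, 443}),
    Rule("dmz-default", "deny"),
]
# Distribution router ACL: Engineering and Finance separated; the scanner reaches every VLAN.
DIST_ACL = [
    Rule("scanner", "permit", SCANNER, None),
    Rule("eng-fin", "deny", "VLAN_ENG", "VLAN_FIN"),
    Rule("fin-eng", "deny", "VLAN_FIN", "VLAN_ENG"),
    Rule("inside", "permit"),
]


def enforcement_points(src_zone: str, dst_zone: str) -> List[Tuple[str, List[Rule]]]:
    """Devices a new connection crosses, in path order, given its source and destination zones."""
    points = []
    if "INTERNET" in (src_zone, dst_zone):
        points.append(("edge-fw", EDGE_FW))
    if (src_zone in INTERNAL) != (dst_zone in INTERNAL):   # crosses the DMZ/internal boundary
        points.append(("internal-fw", INTERNAL_FW))
    if src_zone in INTERNAL or dst_zone in INTERNAL:
        points.append(("dist-router", DIST_ACL))
    return points


class Policy:
    """Whole-network policy check with a minimal stateful connection table."""

    def __init__(self):
        self.state: Set[Tuple[str, str, str, int]] = set()

    def evaluate(self, s_ip: str, d_ip: str, proto: str, dport: int) -> Tuple[str, str, str]:
        """Return (verdict, device, rule) for a new connection; every device on the path must permit it."""
        for device, rules in enforcement_points(zone_of(s_ip), zone_of(d_ip)):
            for rule in rules:
                if rule.matches(s_ip, d_ip, proto, dport):
                    verdict, name = rule.action, rule.name
                    break
            else:
                verdict, name = "deny", "implicit-deny"
            if verdict == "deny":
                return ("deny", device, name)
        self.state.add((s_ip, d_ip, proto, dport))       # remember the permitted connection
        return ("permit", "all", "-")

    def reply_allowed(self, s_ip: str, d_ip: str, proto: str, sport: int) -> bool:
        """Stateful inspection: return traffic passes only if it belongs to a permitted connection."""
        return (d_ip, s_ip, proto, sport) in self.state
```

Each denied flow names the device and the rule that stopped it (for example `("deny", "dist-router", "eng-fin")` for an Engineering-to-Finance attempt), which is exactly the label the Part 3 diagram needs next to the corresponding arrow; a permitted flow is only recorded in the state table once every device on its path has accepted it.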
Can Smart Academic Writing help with this assignment?
Yes. Smart Academic Writing has specialists in computer science, network security, and technical writing who handle assignments exactly like this one — including the Visio/draw.io diagram creation, the full 6–10 page device configuration and planning paper, and the final annotated diagram meeting all four enforcement requirements. You can access computer science assignment help, cybersecurity assignment help, and technical writing services through the platform. If you are at Strayer University specifically, Strayer University assignment support is also available with writers familiar with Strayer’s formatting and citation requirements.

Where to Focus Your Time Across All Three Parts

The diagram in Part 1 is the foundation. Get the zone architecture right — two firewalls, DMZ in the middle, segmented internal VLANs — and everything else in the assignment flows from it. A logically sound Part 1 diagram means your Part 2 device documentation and Part 3 enforcement rules have a coherent structure to anchor them.

Part 2 is where most of the marks live, because it is where the assignment tests whether you actually understand the devices and not just their names. Do not rush the security features and administrative controls section. Five specific, technically accurate, cited security features per device takes time to write — but it is the difference between a passing grade and a strong one. Use NIST SPs as your citation backbone and vendor documentation to fill in the configuration specifics.

Part 3 is faster than it looks once Part 1 exists. Annotate the diagram, add the vendor/model/IP labels, and make the four enforcement requirements visually explicit. The diagram annotations should be clear enough that a reader who has not read your Part 2 paper can still understand what each enforcement rule does and where it is implemented.

If any of these three parts — the diagram, the paper, or the final annotated design — are beyond your current time or knowledge bandwidth, the technical specialists at Smart Academic Writing are available. You can access cybersecurity assignment help, computer science assignment support, technical writing services, and research paper writing — all with the documentation specificity and credible sourcing this assignment requires.