Cybersecurity

Network Security Architecture: Defense-in-Depth Strategy

Cesar Adames

Design robust network security architecture using defense-in-depth principles, zero trust networking, and modern security controls to protect critical assets.

#network-security #zero-trust #network-segmentation #firewall #defense-in-depth

Network breaches cost organizations $4.24M on average, with 85% involving network security failures. Properly architected network security reduces breach risk by 70% and contains incidents within hours instead of months.

Defense-in-Depth Layers

Perimeter Security

Internet Edge Protection:

  • Next-generation firewalls (NGFW)
  • Intrusion Prevention Systems (IPS)
  • DDoS protection
  • Web Application Firewall (WAF)
  • DNS filtering

DMZ Architecture:

Internet → External Firewall → DMZ → Internal Firewall → Internal Network

DMZ hosts:
- Web servers
- Email gateways
- VPN concentrators
- Reverse proxies
- Public-facing services

Firewall Rules:

Default deny all traffic
Allow only necessary services:
- HTTP/HTTPS (80, 443) to web servers
- SMTP (25) to mail servers
- SSH (22) from management IPs only
- VPN (443, 1194) from anywhere

Log all denied traffic
Review rules quarterly

Network Segmentation

Segmentation Strategy:

By Function:

  • Corporate network (users, workstations)
  • Production environment (servers)
  • Development/test environment
  • Guest/contractor network
  • OT/ICS networks

By Security Level:

  • Public (internet-facing)
  • Internal (corporate resources)
  • Restricted (sensitive systems)
  • Highly restricted (critical infrastructure)

Micro-Segmentation:

Traditional: Network zones (10.1.0.0/16)
Micro: Workload-level policies

Example:
- Web tier → Only talks to app tier
- App tier → Only talks to DB tier
- DB tier → No outbound internet
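The default-deny rule set above and the three-tier micro-segmentation example can be checked with a small policy evaluator. This is an added example, not code from the article; the zone addresses, ports and the denied-flow log format are assumptions.

```python
import ipaddress

# Constructed zone map for the page's three-tier example (addresses are assumed).
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "web": ipaddress.ip_network("10.0.1.0/24"),
    "app": ipaddress.ip_network("10.0.2.0/24"),
    "db": ipaddress.ip_network("10.0.3.0/24"),
}

# Explicit allow list of (source zone, destination zone, destination port).
# Anything not listed is denied: this is the default-deny posture.
ALLOW = {
    ("internet", "web", 443),
    ("web", "app", 8080),
    ("app", "db", 5432),
}

denied_log = []   # every denied flow is recorded, as the rules section requires

def zone_of(ip: str) -> str:
    """Most specific zone containing the address; 0.0.0.0/0 catches everything else."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best

def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Return True if the flow is permitted; otherwise log it and return False."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    allowed = (src_zone, dst_zone, dst_port) in ALLOW
    if not allowed:
        denied_log.append({"src": src_ip, "dst": dst_ip, "port": dst_port,
                           "path": f"{src_zone}->{dst_zone}"})
    return allowed

def check_matrix() -> dict:
    """Exercise the expected flows plus two that the tier model must reject."""
    return {
        "internet->web:443": evaluate("203.0.113.5", "10.0.1.10", 443),
        "web->app:8080": evaluate("10.0.1.10", "10.0.2.10", 8080),
        "app->db:5432": evaluate("10.0.2.10", "10.0.3.10", 5432),
        "web->db:5432": evaluate("10.0.1.10", "10.0.3.10", 5432),        # skips a tier
        "db->internet:443": evaluate("10.0.3.10", "198.51.100.7", 443),  # no DB egress
    }
```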

VLAN Design:

VLAN 10: Management (10.0.10.0/24)
VLAN 20: Servers (10.0.20.0/24)
VLAN 30: Workstations (10.0.30.0/24)
VLAN 40: Guest WiFi (10.0.40.0/24)
VLAN 50: IoT devices (10.0.50.0/24)

Inter-VLAN routing through firewall
ACLs control traffic between VLANs

Zero Trust Network Access (ZTNA)

Core Principles:

  1. Never trust, always verify
  2. Assume breach
  3. Verify explicitly
  4. Least privilege access
  5. Microsegmentation

Implementation:

Identity-Based Access:

Access decision based on:
- User identity (who)
- Device posture (what)
- Location (where)
- Time (when)
- Context (why)

Not based on:
- Network location
- IP address
- Being "inside" the network

Continuous Verification:

  • Re-authenticate periodically
  • Monitor session behavior
  • Detect anomalies
  • Revoke access dynamically
  • Log all access
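A policy engine that applies the who/what/where/when checks above, plus the periodic re-authentication from the continuous-verification list, can be sketched as follows. This is an added example, not the article's code; the policy table, the eight-hour re-authentication interval and the request fields are assumptions. Note that no source IP or "inside the network" flag is consulted anywhere.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class AccessRequest:
    user: str
    groups: set
    device_managed: bool        # enrolled in device management
    device_patched: bool        # posture check result
    country: str
    requested_at: datetime
    mfa_at: Optional[datetime]  # last strong authentication, None if never
    app: str

# Constructed policy table: required group, permitted countries, permitted hours.
POLICY = {
    "payroll": {"group": "finance", "countries": {"US", "CA"}, "hours": (7, 19)},
    "wiki": {"group": "staff", "countries": None, "hours": None},
}
REAUTH_INTERVAL = timedelta(hours=8)   # continuous verification: periodic re-auth

def decide(req: AccessRequest) -> str:
    """Return 'allow', 'step-up' or 'deny: <reason>' for one access request."""
    pol = POLICY.get(req.app)
    if pol is None:
        return "deny: unknown application"       # default deny
    if pol["group"] not in req.groups:
        return "deny: user not entitled"         # who
    if not (req.device_managed and req.device_patched):
        return "deny: device posture"            # what
    if pol["countries"] and req.country not in pol["countries"]:
        return "deny: location"                  # where
    if pol["hours"] and not (pol["hours"][0] <= req.requested_at.hour < pol["hours"][1]):
        return "deny: outside permitted hours"   # when
    if req.mfa_at is None or req.requested_at - req.mfa_at > REAUTH_INTERVAL:
        return "step-up"                         # re-authenticate, then retry
    return "allow"

def samples() -> dict:
    now = datetime(2024, 3, 5, 10, 0)
    base = dict(user="alice", groups={"staff", "finance"}, device_managed=True,
                device_patched=True, country="US", requested_at=now,
                mfa_at=now - timedelta(hours=1))
    return {
        "ok": decide(AccessRequest(**base, app="payroll")),
        "stale_mfa": decide(AccessRequest(**{**base, "mfa_at": now - timedelta(hours=9)}, app="payroll")),
        "unpatched": decide(AccessRequest(**{**base, "device_patched": False}, app="payroll")),
        "abroad": decide(AccessRequest(**{**base, "country": "BR"}, app="payroll")),
        "abroad_wiki": decide(AccessRequest(**{**base, "country": "BR"}, app="wiki")),
    }
```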

Software-Defined Perimeter (SDP):

Traditional VPN: Network-level access
SDP: Application-level access

User → Identity Provider → Policy Engine → Application Gateway → Application

Benefits:
- No exposed infrastructure
- Application-specific access
- Dynamic policy enforcement
- Better user experience

Security Controls

Firewall Technologies

Stateful Inspection:

  • Track connection state
  • Allow return traffic
  • Session table management
  • Basic packet filtering

Application Awareness:

Deep packet inspection:
- Identify applications (not just ports)
- Block risky applications
- Control by category
- User-based policies

Example:
Block Facebook games
Allow Facebook messaging
Control by user group

Intrusion Prevention:

  • Signature-based detection
  • Anomaly detection
  • Protocol validation
  • Threat intelligence integration
  • Automated blocking

SSL Inspection:

Decrypt → Inspect → Re-encrypt

Considerations:
- Performance impact
- Privacy concerns
- Certificate management
- Exclude sensitive sites
- Compliance requirements

Intrusion Detection/Prevention

IDS vs IPS:

IDS (Detection):
- Monitor only
- Alert on threats
- Out-of-band
- No traffic impact
- Analysis/forensics

IPS (Prevention):
- Inline blocking
- Stop threats
- In-band
- Can impact traffic
- Active protection

Detection Methods:

Signature-Based:

  • Known attack patterns
  • Low false positives
  • Misses new threats
  • Regular updates required

Anomaly-Based:

  • Baseline behavior
  • Detect zero-days
  • Higher false positives
  • Learning period needed

Policy-Based:

  • Violation of rules
  • Custom policies
  • Business-specific
  • Clear expectations

Network Access Control (NAC)

Pre-Admission:

Device connects → NAC authenticates
Check:
- User credentials
- Device compliance
- Security posture
- Authorization level

Then:
- Grant/deny access
- Assign VLAN
- Apply policies
- Monitor activity

802.1X Authentication:

Supplicant (device) → Authenticator (switch) → Authentication Server (RADIUS)

Certificate-based or username/password
VLAN assignment
Dynamic ACLs
Guest access

Posture Assessment:

  • Antivirus status
  • OS patch level
  • Firewall enabled
  • Encryption status
  • Authorized software only

Secure Remote Access

VPN Technologies

SSL VPN:

  • Browser-based access
  • No client required
  • Application-level access
  • NAT-friendly
  • Easier deployment

IPsec VPN:

  • Network-layer encryption
  • Site-to-site connectivity
  • Full network access
  • Better performance
  • More complex setup

VPN Best Practices:

- Multi-factor authentication
- Split tunneling policy
- Session timeouts
- Geo-blocking
- Device compliance checks
- Logging and monitoring

Secure Access Service Edge (SASE)

SASE Components:

Network Services:
- SD-WAN
- WAN optimization
- CDN

Security Services:
- Cloud firewall
- CASB
- ZTNA
- SWG (Secure Web Gateway)

Benefits:

  • Cloud-delivered security
  • Consistent policies
  • Better performance
  • Scalability
  • Reduced complexity

Wireless Security

WiFi Security Standards

WPA3 (Current standard):

  • 192-bit encryption
  • Forward secrecy
  • Protected management frames
  • Easy Connect (IoT)
  • Enhanced open (public WiFi)

Enterprise WiFi:

SSID Segmentation:
- Corporate (WPA3-Enterprise, 802.1X)
- Guest (WPA3, isolated)
- IoT (Separate VLAN, restricted)
- Management (Hidden, certificate-based)

Wireless Security Controls:

  • Rogue AP detection
  • Wireless IDS/IPS
  • Client isolation
  • Rate limiting
  • MAC filtering (supplementary)

Network Monitoring

Traffic Analysis

NetFlow/sFlow:

Monitor:
- Top talkers (bandwidth)
- Unusual patterns
- Protocol distribution
- Geo-location
- Time-based trends

Packet Capture:

  • Full packet analysis
  • Forensic investigation
  • Performance troubleshooting
  • Security incidents
  • Compliance requirements

Tools:

  • Wireshark (packet analysis)
  • Zeek (network security monitor)
  • Suricata (IDS/IPS)
  • PRTG (network monitoring)
  • SolarWinds (flow analysis)

Anomaly Detection

Baseline Establishment:

  • Normal traffic patterns
  • Typical bandwidth usage
  • Standard protocols
  • Expected connections
  • Business hours activity

Anomaly Indicators:

  • Unusual traffic volumes
  • New protocols
  • Odd time-of-day activity
  • Unexpected geo-locations
  • Port scanning
  • Data exfiltration patterns
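The baseline-versus-indicator logic above, run over constructed flow records, shows how three of the listed indicators (port scanning, an exfiltration pattern, a protocol outside the baseline) fall out of simple aggregation. This is an added example, not the article's code; the flow tuple layout, thresholds, baseline port set and business hours are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records: (src, dst, dst_port, bytes_out, hour_of_day)
FLOWS = [
    ("10.0.30.15", "10.0.20.5", 443, 12_000, 10),
    ("10.0.30.15", "10.0.20.5", 443, 9_500, 11),
    ("10.0.30.22", "10.0.20.5", 22, 1_200, 14),
    ("10.0.30.40", "10.0.20.7", 80, 800, 9),
    # port scan: one source touching many ports on one host at 03:00
    *[("10.0.30.99", "10.0.20.5", p, 60, 3) for p in range(20, 60)],
    # exfiltration pattern: large transfer to an external host at 02:00
    ("10.0.20.7", "198.51.100.77", 443, 850_000_000, 2),
    # protocol outside the baseline: plaintext FTP from a workstation
    ("10.0.30.40", "10.0.20.7", 21, 2_000, 10),
]

INTERNAL = ipaddress.ip_network("10.0.0.0/8")
BASELINE_PORTS = {22, 53, 80, 443}     # learned during the baseline period (assumed)
BUSINESS_HOURS = range(7, 20)
SCAN_PORT_THRESHOLD = 25               # distinct ports per (src, dst) pair
EXFIL_BYTES_THRESHOLD = 100_000_000    # bytes to a single external host

def detect(flows) -> list:
    """Return (kind, src, dst, detail) findings for the indicators listed above."""
    findings = []
    ports_seen = defaultdict(set)
    for src, dst, dport, _, _ in flows:
        ports_seen[(src, dst)].add(dport)
    # Port scanning: many distinct destination ports from one source to one host.
    scanning = {pair for pair, ports in ports_seen.items() if len(ports) >= SCAN_PORT_THRESHOLD}
    for pair in sorted(scanning):
        findings.append(("port_scan", *pair, len(ports_seen[pair])))
    for src, dst, dport, nbytes, hour in flows:
        # Exfiltration pattern: large outbound volume to an external host off-hours.
        external = ipaddress.ip_address(dst) not in INTERNAL
        if external and nbytes > EXFIL_BYTES_THRESHOLD and hour not in BUSINESS_HOURS:
            findings.append(("exfil_pattern", src, dst, nbytes))
        # New protocol: a port never seen in the baseline (scan noise already reported).
        if dport not in BASELINE_PORTS and (src, dst) not in scanning:
            findings.append(("new_protocol", src, dst, dport))
    return findings
```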

Cloud Network Security

AWS Network Security

VPC Design:

Public Subnets:
- Internet gateway
- NAT gateway
- Load balancers
- Bastion hosts

Private Subnets:
- Application servers
- Databases
- Internal services
- No internet access

Security Groups:

Stateful firewall:
- Allow rules only (no explicit deny)
- Implicit deny of everything not allowed
- Instance-level
- Return traffic for accepted connections allowed automatically

Network ACLs:

Stateless firewall:
- Subnet-level
- Allow and deny rules
- Evaluated in rule-number order, lowest first; first match wins
- Return traffic must be explicitly allowed (including ephemeral ports)
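The security-group versus network-ACL contrast above can be made concrete with a small simulation: ordered first-match evaluation with an implicit deny for the ACL, and connection tracking for the security group. This is an added example, not the article's or AWS's code; the rule numbers, addresses and the ephemeral-port range are assumptions, and the security group's outbound rules are omitted because the point is that tracked return traffic does not depend on them.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int       # NACL rules are evaluated lowest number first; first match wins
    action: str       # "allow" or "deny"
    port_lo: int
    port_hi: int
    cidr: str

def nacl_evaluate(rules, port: int, peer_ip: str) -> str:
    """Stateless NACL: each direction evaluated on its own, implicit deny at the end."""
    peer = ipaddress.ip_address(peer_ip)
    for r in sorted(rules, key=lambda r: r.number):
        if r.port_lo <= port <= r.port_hi and peer in ipaddress.ip_network(r.cidr):
            return r.action
    return "deny"   # the catch-all "*" rule

class SecurityGroup:
    """Stateful: allow rules only; return traffic for an accepted connection is implicit."""
    def __init__(self, inbound_ports):
        self.inbound_ports = set(inbound_ports)
        self.tracked = set()
    def inbound(self, port: int, peer_ip: str, peer_port: int) -> str:
        if port in self.inbound_ports:
            self.tracked.add((peer_ip, peer_port, port))   # remember the connection
            return "allow"
        return "deny"
    def outbound(self, src_port: int, peer_ip: str, peer_port: int) -> str:
        return "allow" if (peer_ip, peer_port, src_port) in self.tracked else "deny"

# Constructed subnet ACL: a deny for one source must carry a LOWER number than the
# general HTTPS allow, or it never matches. Outbound must also permit the client's
# ephemeral port, otherwise the server's replies never leave the subnet.
INBOUND = [Rule(100, "deny", 443, 443, "198.51.100.0/24"),
           Rule(200, "allow", 443, 443, "0.0.0.0/0")]
OUTBOUND_BROKEN = [Rule(100, "allow", 443, 443, "0.0.0.0/0")]           # forgets ephemeral ports
OUTBOUND_FIXED = OUTBOUND_BROKEN + [Rule(110, "allow", 1024, 65535, "0.0.0.0/0")]

def compare(client_ip="203.0.113.9", client_port=51000) -> dict:
    sg = SecurityGroup(inbound_ports={443})
    return {
        "nacl_in": nacl_evaluate(INBOUND, 443, client_ip),
        "nacl_in_blocked": nacl_evaluate(INBOUND, 443, "198.51.100.20"),
        "nacl_reply_broken": nacl_evaluate(OUTBOUND_BROKEN, client_port, client_ip),
        "nacl_reply_fixed": nacl_evaluate(OUTBOUND_FIXED, client_port, client_ip),
        "sg_in": sg.inbound(443, client_ip, client_port),
        "sg_reply": sg.outbound(443, client_ip, client_port),
    }
```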

Azure Network Security

Network Security Groups (NSG):

  • Subnet or NIC level
  • Inbound/outbound rules
  • Service tags
  • Application security groups

Azure Firewall:

  • Centralized protection
  • Threat intelligence
  • Application FQDN filtering
  • DNAT for inbound
  • High availability

Cloud Security Best Practices

Principle of Least Privilege:

  • Minimal network access
  • Just-in-time access
  • Role-based rules
  • Regular reviews

Encryption in Transit:

  • TLS 1.2+ only
  • Certificate management
  • Perfect forward secrecy
  • Strong cipher suites

Architecture Patterns

Hub-and-Spoke

Central Hub (Security Services):
- Firewall
- IDS/IPS
- VPN concentrator
- Internet gateway

Spokes (Business Units):
- Development
- Production
- DR site
- Partner network

All traffic flows through hub

Mesh Network

Multiple interconnections:
- Direct peer connections
- Redundant paths
- High availability
- Distributed control
- Scalability

Hybrid Architecture

On-Premises ↔ Cloud
- Site-to-site VPN
- Direct Connect/ExpressRoute
- Consistent security policies
- Unified management
- Hybrid identity

Implementation Roadmap

Phase 1: Assessment (Month 1):

  • Document current state
  • Identify gaps
  • Risk assessment
  • Prioritize improvements
  • Create design

Phase 2: Quick Wins (Month 2):

  • Firewall rule cleanup
  • Enable logging
  • Patch vulnerabilities
  • Implement monitoring
  • Basic segmentation

Phase 3: Segmentation (Months 3-4):

  • Design VLANs
  • Implement ACLs
  • Test traffic flows
  • Update documentation
  • User communication

Phase 4: Advanced Controls (Months 5-6):

  • Deploy IPS
  • Implement NAC
  • SSL inspection
  • Zero trust pilots
  • Automation

Best Practices

Design Principles:

  • Defense-in-depth
  • Least privilege
  • Fail secure
  • Simplicity
  • Documented architecture

Operational Excellence:

  • Change management
  • Regular reviews
  • Incident response plans
  • Disaster recovery
  • Continuous improvement

Compliance:

  • Industry standards (PCI, HIPAA)
  • Data residency
  • Privacy regulations
  • Audit trails
  • Documentation

Conclusion

Network security architecture requires layered defenses, proper segmentation, and continuous monitoring. Modern approaches incorporate zero trust principles while maintaining practical usability.

Success requires balancing security with business needs, planning for scale, and adapting to evolving threats. Regular assessment and improvement ensure continued effectiveness.

Next Steps:

  1. Document current network architecture
  2. Perform security assessment
  3. Design segmentation strategy
  4. Implement priority controls
  5. Monitor and iterate
