{"id":30613,"date":"2018-08-15T14:08:33","date_gmt":"2018-08-15T14:08:33","guid":{"rendered":"https:\/\/www.techopedia.com\/tutorials\/how-to-build-network-architecture-that-facilitates-better-it-security\/"},"modified":"2022-03-22T15:42:46","modified_gmt":"2022-03-22T15:42:46","slug":"how-to-build-network-architecture-that-facilitates-better-it-security","status":"publish","type":"tutorials","link":"https:\/\/www.techopedia.com\/6\/33455\/networks\/how-to-build-network-architecture-that-facilities-better-it-security","title":{"rendered":"How to Build Network Architecture That Facilitates Better IT Security"},"content":{"rendered":"

Security is No Longer About the Perimeter

Years ago, cybersecurity practices emulated those of the medieval lord who relied on a fortified castle wall to protect his inner kingdom. Castle defenses were designed around securing an impermeable wall, while attackers relied on their ability to break through that perimeter wall, after which their soldiers would flood in through the breach. In similar fashion, enterprises have relied on a robust firewall appliance that established a perimeter to protect the network from outside attacks, countering the efforts of external attackers who diligently probed the perimeter for exposed or neglected ports.

It is a different world today, however. Just as military defense strategy has evolved to combat advanced offensive tactics driven by technological innovation, today’s enterprise can no longer rely on single-focus solutions to protect itself from all threats. Modern military defensive strategy no longer commits most of its resources to the front line, because attack mechanisms are now so mobile. Just as the French failed to stop the German Blitzkrieg, the antiquated model of perimeter security can no longer protect the expansive, fluid enterprises of today: once attackers are past the perimeter, they can move through the network unchecked and cause mayhem at will. Instead, military strategists rely on what is referred to as defense in depth, where reserves are positioned behind the front lines in layers, allowing those forces to counterstrike and combat any enemy attackers that manage to breach the line.

Cybersecurity strategists now incorporate this philosophy of multiple defensive layers to combat emerging threats. Hackers continue to advance their attack methodologies and take advantage of users and their devices in the mobile, digitally connected world that we live in today. IT security professionals need to think about network architecture in a way that incorporates multi-layer defensive strategies, creating a systematic approach in which each defense covers for the failings of other components. To combat the endless list of zero-day exploits, destructive malware strains and financially motivated attacks, enterprises must incorporate multiple defense strategies to close off attack avenues that could otherwise serve as open highways into the heart of the data center. When these tools are implemented as part of a comprehensive strategy, the whole is greater than the sum of its parts. The idea is to incorporate information security at every level of your physical network and software landscape, a strategy recommended by the National Security Agency (NSA).

The role of internal IT today begins and ends with cybersecurity. In the following sections of this tutorial, we will look at the required security components that make up a typical multi-layer security model today and how they should be a natural part of your enterprise architecture. While the firewall appliance is still a paramount centerpiece of an enterprise security architecture, the subsequent components are equally necessary and serve a vital role in ensuring the security of users, devices, data and infrastructure.

Firewall Methodologies

Whether you are creating the architecture for a small business office of fewer than ten people or a global conglomerate composed of hundreds of thousands of employees, it all starts with the establishment of a perimeter, which means some type of firewall. At the very least, a firewall appliance establishes a demarcation point between your internal LAN and the external WAN. It then serves as the traffic cop that either allows or discards traffic flows that attempt to pass between the internal and external zones. Many organizations have additional zones as well. One common example is the DMZ, which hosts internet-facing resources such as web hosting, FTP or email servers. The DMZ is a less restrictive zone than the LAN, as anonymous external users must access these servers. While the firewall would reject HTTP/HTTPS traffic originating from outside the network into the LAN, it would allow authorized web traffic into the DMZ. This obviously opens up the enterprise to potential vulnerabilities, which is why the firewall restricts traffic between the DMZ and the LAN in order to contain malicious traffic within the DMZ and prevent it from reaching more valuable assets and resources.

An organization may have restricted zones housing business-critical systems and large repositories of sensitive information. Restricted zones usually include databases holding HR, financial or intellectual property data. These zones are far more restrictive in order to protect against any threats that could damage an organization’s competitive advantage or reputation. Controls should be in place not only to handle internet-facing traffic but also to secure authorized access from internal assets.

Firewalls have evolved over the years and now utilize a number of methodologies to examine network traffic and discern the intent of traffic flows. The main types are as follows: