Video-Demo-Tour

Ask us


I agree to the terms of the Privacy policy
I agree with the provisions on data protection. I agree that Protelion will process the personal data provided by me electronically for the processing of my request and contact me, according to my explicit request, for the processing of my request. I can revoke my consent at any time with effect for the future.

Your request was sent successfully.
We’ll answer you as soon as possible.

OK

Home

/
 ... / 

Resources

/
 ... / 

Blog

/
 ... / 
Secure Network Architecture

Secure Network Architecture

12.08.2024

Until recently, network architecture design has only been thought in terms of connectivity and resource and equipment management.

Today, design scope goes beyond this basic concept, with a particular emphasis on protecting organizations’ assets, as the number network threats, both internal and external to the organizations, keeps increasing.

In this context, physical networks should be implemented correctly in order to enable reliable and secure processing of the data to be transported, and for that purpose, a robust and thoroughly structured design should be prepared.

A thoroughly structured network architecture combines design innovation to handle commercial and technological challenges, efficient management, and regular changes in its functional patterns. It also allows organizations to maintain borderless networks that can be connected at any time without having to add devices, providing a reliable, secure and seamless connection.

Network Hierarchy

Building a borderless switched network requires compliance with solid design principles that provide maximum availability, flexibility, security and easy management, without compromising its scalability over time.

Generally, fundamental rules of switched network design are based on following principles:

  • Hierarchy: simplifies comprehension of function of every device on every network layer, simplifies implementation, operation and management, while reducing error areas on every layer.
  • Modularity: enables network extension and adding integrated services, seamlessly and as necessary.
  • Recoverability: complies with users’ expectations of permanent network availability.
  • Flexibility: enables smart distribution of traffic load using all network resources.

These principles are not independent, they are complementary, so that for a good design of a switched network, they combine interconnectability, security and mobility. In this context, layer design models represent a well-structured hierarchical framework.

There are three fundamental layers in network design: access, balancing and core. Each layer can be considered a structured and defined module, with its specific roles and functions in the network.

Modularity in hierarchical network design provides stability and flexibiliyt that are sufficient for providing services and enabling growth and changes that can be implemented over time.

Access Layer

Access layer is the internal perimeter of a network where traffic enters the network or leaves it. In general, primary function of communication devices of this layer (mostly switches) is providing network access to the user. Moreover, they provide connection to the equipment of the balancing layer.

Balancing Layer

Balancing layer works between access and core layers, and routing, security and service quality technologies are implemented there. Its most important functions are:

  • Connecting to other networks
  • Providing smart routing functions to access the rest of the network
  • Balancing network connections to quarantee high availability for end users
  • Providing different services to specific types of applications within the network perimeter

Central Core Layer

Core layer is the center of the network and it works as an “aggregator” for other inftrastructure elements, connecting them to the rest of the network (Internet). Its primary purpose is providing failure isolation and high-speed backbone connectivity.

Sometimes, if no high network scalability is present, core and balancing layers should not necessarily be separated. In smaller locations where there are fewer users that access the network, or in locations that only consist of one building, it's not necessary to separate these layers. In this case, as an alternative design for these two layers, a “Contracted Core network design” is recommended.

Form Factors

In business networks, different types of communication devices are used (including switches and routers), depending on proper implementation of requirements to each network layer. Here are some common business considerations to take into account when choosing equipment:

  • Costs: this economic aspect defines network design to be implemented and directly affects number and speed of necessary devices, management dunctions that they provide, and their ability to provide extension over time.
  • Port density: defines the number of connections that a communication device allows.
  • Connection speed: network connection speed is one of the fundamental features for end users, and that's why it is thoroughly considered at the design stage.
  • Buffer size: data packet capacity of a communication device necessary for handling access congestions, for example, for application servers or other network areas.
  • Scalability: generally, the number of users in the network grows over time, so a communication device should provide extension ability.
  • Power supply: today, a common way of power supply is power over Ethernet alongside with usual power supply, which is used in network design as a redundancy power source.

Secure Networks

Secure network design should be focused on compliance with data security standards for all its parts, where such features as availability, integrity and privacy are important for its implementation.

Availability

To guarantee service availability, it's necessary to make sure that following infrastructure devices used in network design and operation provide uninterrupted function: UPS, power banks, Internet connections, servers etc., and other devices, such as switches, routers and firewalls, should provide uninterrupted processes.

As for switches, they should be configured as clusters or mirror systems to guarantee connection redundancy. Routers should establish alternative routes with other network segments and provide reconnection mechanisms in case of a data channel failure.

As for firewalls, it's possible to opt for high availability systems, configuring them in clusters in active/passive or active/active modes. For intrusion detection/ prevention systems (IDS/IPS), it's important to configure them correctly to avoid blocking important applications or services because of false positive alerts.

On top of that, services that require failover functionality should be provided with it, and services that depend on public DNS should be able to resolve other DNS in case of a channel failure.

Logging systems should run continuously, as well as alert configurations for tracking important incidents. In the same way, management and access to equipment configurations should be constantly available in different ways and only for administrators of that equipment.

Integrity

Tor provide inftrastructure integrity, regular equipment check is required in order to verify that its configuration is not altered, it is intact and optimal conditions are provided.

Strengthening network protocols, in particular for switching equipment (such as switches, routers) protects it against changes made by improper configuration or possible intruders.

Network infrastructure documentation and equipment configuration files should be kept securely and up-to-date, so that it can be correctly restored in case of any incident, and protected against unauthorized access.

Another equally important aspect is creating data security workplace culture in the organization.

Privacy

In this part, it should be guaranteed that only authorized staff can access systems and equipment. Two important aspects are considered: physical and logical.

Physical aspect implies access control devices on premises where systems are located: presence, temperature and smoke sensors, necessary alarms etc. that are important when the organization has an adequate physical security policy.

Logical aspect implies authentication procedures, proper use of robust access passwords, system and equipment update to the newest and most stable versions, as well as use of secure protocols and encryption of connections.

It’s also important to establish efficient security policies for network usage focused on user management, roles and access privileges, in order to achieve adequate infrastructure performance.

In general, secure network design and implementation should be carried out thoroughly, with consideration to all components, their configuration at each level, and expertise of staff that generally and particularly interacts with infrastructure.

Arquitectura de Redes Seguras

Blog

Wireless Connection Security - WiFi
25.11.2024
In the technology world, the term WiFi (an acronym for Wireless Fidelity) is synonymous with wireless access in general, although it is a specific trademark owned by the WiFi Alliance, a group dedicated to certifying that WiFi products comply with the 802.11 set of wireless standards of the IEEE (Institute of Electrical and Electronics Engineers), a worldwide association of engineers dedicated to standardization and development in technical areas.
Cybersecurity Common Nouns: A guide for learning the basics (Part 1)
18.11.2024
Cybersecurity is a vast and complex field, but certain terms and concepts stand at the core throughout all aspects. These “common nouns” in cybersecurity are essential elements that professionals and enthusiasts alike should understand to better navigate and safeguard against digital threats.
Why Secure Mobile Communication is Crucial for Critical Infrastructure and Defense Sectors
15.10.2024
In today's hyper-connected world, secure mobile communication is not a luxury but a necessity, especially for high-risk industries like critical infrastructure and defense. These sectors handle sensitive, classified, and mission-critical information that, if compromised, could result in catastrophic consequences.