Network Security Architecture Best Practices



Designing a secure network involves taking many factors into consideration. This article looks at network security architecture best practices so that organisations can identify methods of securing their infrastructure appropriately. There are numerous requirements that must be understood initially, and any network security architect will first understand the business processes and requirements before implementing any technical controls. The final aims of the organisation are to identify the topology of the network, including where the hosts will be placed, their access requirements, the selection of technologies and the configuration of these components. These are network security architecture best practices that every organisation should follow as part of a wider risk management approach. So, let's begin by looking at network security architecture issues before continuing to look at network security architecture best practices.

It is important to note that no two network designs are alike and there are multiple approaches to securing networks through appropriate design decisions. With a plethora of technologies available in the modern world, it is up to the organisation to decide which technology to implement to secure their network. However, the most important thing to take away from this article is to identify risks to the network and implement controls, whether technical or non-technical, in response to those risks. Implementing technical controls for the sake of it will result in a potential waste of time, money and resources, while still not mitigating the actual risk.

This article will examine network security architecture best practices to secure local area networks. This includes analysing common network topologies which make up the physical and logical design, the configuration of components on the network and securing the boundary points on the network appropriately. This holistic approach ensures that each aspect of the network is analysed, from routing through the network to the individual components on it.


As stated above, before designing a network the designer must understand both the business or organisation and the threats to it. For example, a small business with a minimal number of external connections will face significantly fewer threats than a high profile, large organisation with multiple connections. This is down to a number of factors, such as the value of the data on the network itself – attackers are much more likely to commit extensive effort to hack into a business where they can gain millions of valuable customer records than into a small corner shop's network where they will only have access to stock level data. The organisation must take a realistic viewpoint of the threats to its network – is it susceptible to attention from serious or organised crime groups? Is it only a small, local business and therefore less likely to be attacked? These are questions that the organisation should ask itself.

External connections are also a big factor in determining threat, as they allow organisations to determine realistic attack paths. For example, an organisation with multiple connections in and out of the network from the Internet, partner networks and remote workers is far more exposed to attack than an air-gapped network with no connections to the Internet, simply because attackers have more ways to reach it. The organisation should identify all data flows in and out of the network, analyse its profile and assets and determine what kind of threats it needs to protect itself from.

As an example, the organisation may need to secure itself from Internet based attackers – this includes protecting all its internal assets as well as public facing web and mail servers. Once the organisation has identified its assets (what it needs to protect) and threats (who it is protecting from), it can begin to look at network security architecture best practices as well as wider policy, procedural and personnel controls. It is at this point that the organisation should put together a security policy that reflects these details as well as the overall goals and ambitions of the organisation.

Network Topology

The first step in network security architecture best practices is to determine the network topology to utilise. The organisation must determine where its users will sit, what they will need access to, how it will segregate accesses, what technologies to use to enforce this and how it will achieve the goals laid out in its security policies. The topology will consist of both the physical and logical layout of the network – for example, where users will physically sit and how we will logically provide them access to everything required. While the physical and logical layouts may be similar, technologies such as virtual private networks (VPNs) and virtual local area networks (VLANs) mean that users can be grouped by access requirements and controlled appropriately. The organisation should identify how users will be grouped based on trust and access requirements – which users will need access to which resources? Which users can we deem as trusted and less trusted? What files and data should be restricted only to those with privileged access, and why? These are all initial questions that should be answered before proceeding.

The first, and most important, consideration companies need to make is how to appropriately segregate the network. Segregating the network means splitting the network into security zones, or zones of trust. A well designed network will provide these security domains for different user levels of trust. A typical example of this is a de-militarised zone (DMZ), where publicly accessible components are placed so that they do not have to sit inside a completely trusted zone. A DMZ is typically contained between two firewalls, one facing external networks such as the Internet and one facing the highly protected internal network. Organisations would typically put publicly accessible functions in here, such as web servers or mail servers, so that, if one is compromised, the attacker is not then able to access all sensitive company assets such as databases and applications. The same principle may apply inside the internal network, where the organisation may only allow certain employees access to a subset of resources; the rest may be protected by access control lists or other logical controls. This practice of segregating the network will not only save the company time, costs and resources but allow better organisation and ease of management. The topology shown below illustrates typical network security architecture best practice: a DMZ housed between two firewalls containing a publicly accessible web server, with the internal network housing databases and valued assets in a higher security domain.


[Figure: network security architecture diagram]

This basic architecture shows the publicly accessible web server residing between two locked down firewalls, with valued assets such as databases residing in the internal network

Management VLAN

Virtual Local Area Networks (VLANs) allow the organisation to logically achieve separation between users on the network. By grouping users together via VLANs, the organisation can apply their security policies in a group fashion, maintaining access control lists and locking down users. It might be appropriate to create a management VLAN, where privileged users such as system and network admins may reside. They should have access to services to manage the network which may consist of authentication servers. This VLAN should be separated from the rest of the network via firewalls and access control lists, as this will be an area highly targeted by attackers as it essentially contains the keys to the kingdom.

Management traffic should be kept off the production network to reduce the risk of interception in transit. It is network security architecture best practice to protect management traffic through encryption in transit, or ideally in a completely segregated environment. Access to the management VLAN should be kept to a minimum and should be regularly reviewed. Once you have secured a management VLAN as well as production VLANs, the topology of your network will start to come together.

Device Lock Down

Once you have determined how the network will be laid out physically and logically, you can then start to identify the types of technologies needed for the environment. While this will vary depending on business requirements and the technologies available, a common theme is that whatever technology is chosen should be locked down to the bare minimum services required, on a least privilege basis. So, for example, a firewall used to segregate security zones or logical VLANs should have a minimum rule set that only allows access to certain services, as identified by the business. Under no circumstances should an organisation allow a default-allow stance in which a firewall rule permits any-to-any traffic. The organisation must identify what services are required, allow these and block all other connections.

Similarly, devices residing on the network should be locked down to the bare minimum required services to reduce the attack surface of the machine. Devices with unnecessary services exposed are prone to a host of vulnerabilities and notoriously difficult to manage. The same applies to user privileges: the organisation must continue to review user privileges to ensure that each user only has access to what is required.
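To make the DMZ topology, the management VLAN and the default-deny firewall stance described above concrete, here is an added example (not code from the original article) that models the zones as address ranges, evaluates flows against an explicit allow list with a default deny, and lints the rule set for any-to-any rules and for non-management zones reaching the management VLAN. All addresses, rules and flows are constructed assumptions.

```python
# Zone model of the article's two-firewall DMZ design (constructed assumptions).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
ZONES = {
    "internet": ip_network("0.0.0.0/0"),     # catch-all, untrusted
    "dmz": ip_network("192.0.2.0/24"),       # public web server
    "internal": ip_network("10.10.0.0/16"),  # databases and applications
    "mgmt": ip_network("10.99.0.0/24"),      # management VLAN
}

@dataclass(frozen=True)
class Rule:
    src_zone: str    # zone name or "any"
    dst_zone: str
    port: int        # 0 matches any port
    action: str      # "allow" or "deny"

# Explicit allow list; any flow not matched here falls to the default deny.
RULES = [
    Rule("internet", "dmz", 443, "allow"),   # public HTTPS to the web server
    Rule("dmz", "internal", 5432, "allow"),  # web server to its database only
    Rule("mgmt", "internal", 22, "allow"),   # admins manage internal hosts
    Rule("mgmt", "dmz", 22, "allow"),        # admins manage the web server
]

def zone_of(ip: str) -> str:
    """Most specific zone containing ip; the Internet zone is the catch-all."""
    addr, best = ip_address(ip), "internet"
    for name, net in ZONES.items():
        if addr in net and net.prefixlen > ZONES[best].prefixlen:
            best = name
    return best

def evaluate(src_ip: str, dst_ip: str, port: int) -> str:
    """First matching rule wins; an unmatched flow is denied (default deny)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in RULES:
        if r.src_zone in ("any", src) and r.dst_zone in ("any", dst) and r.port in (0, port):
            return r.action
    return "deny"

def lint(rules) -> list:
    """Flag allow rules that break the article's lock-down guidance."""
    bad = []
    for r in (x for x in rules if x.action == "allow"):
        if r.src_zone == "any" and r.dst_zone == "any":
            bad.append(f"any-to-any allow rule: {r}")
        if r.dst_zone == "mgmt" and r.src_zone != "mgmt":
            bad.append(f"management VLAN reachable from {r.src_zone}: {r}")
    return bad
```

With this rule set an Internet client reaches the DMZ web server on 443 but cannot reach the internal database directly, and only the management VLAN can open SSH to either zone.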


This article has given a high level view of network security architecture best practices. With an ever increasing number of technologies available for organisations to choose from, the organisation must ensure that standard approaches are maintained – for example, identifying risks to the organisation and establishing security policies first, and then segregating the network by business processes and requirements. The organisation can then build on these requirements and constraints to establish the network. Technical controls can then be put in place to restrict traffic flows based on levels of trust. The organisation should always try to implement a defence in depth approach via a tiered architecture to ensure that attackers must jump through many hoops before gaining access to the organisation's data and valued assets.

About Lee Hazell

Lee Hazell is a cyber security consultant with a keen interest in anything tech or security related.
