When designing a network for an organization, what are the key considerations that should be factored into the design? Why do you recommend those considerations? Also consider how you would address the inevitable situation of scarce resources; how would you prioritize?
Reader Interactions
Comments
Leave a Reply
You must be logged in to post a comment.
The first thing in designing a network is to first assess how many devices are estimated to be connected to the network. These devices include servers, PCs (desktops and laptops), cell phones, printers, storage, routers, and switches. From there, the network should be segmented into different device types that have different needs from the network. For example, servers, storage, and printers are devices that will always stay online in a network to be accessed by all other machines. These devices should be placed on a higher priority switch or router to always have the most stable and fastest connection. I recommend these considerations to have the most organized topology possible, especially to ease the upgrades, removals, or additions of hardware, such as adding a new desktop. Hopefully, if there is a plan from the beginning, an organization can slightly future-proof resources and get slightly more than they need, and if it gets to a point where more network connections are needed, that can be assessed at a later date.
I know we’ve always been told to look at our tech topology and understanding what the needs are for the business, but there are some basic things that can be decided upon – or at least recommended before coming to the stakeholders. Part of that initial meeting is not only to assess the business needs in terms of ongoing technological support and building a secure network around it but there’s also the piece where you come in with the base set of recommendations to start. Location of servers, cold/hot sites, network redundancy, etc. Would you agree?
When designing a network for an organization, what are the key considerations that should be factored into the design? Why do you recommend those considerations? Also consider how you would address the inevitable situation of scarce resources; how would you prioritize?
I would recommend the following key considerations:
1. Connect with your business stakeholders and define the goals of the organization. Consider balancing security with the desire for easy access to data. Understand how risk averse and the risk appetite/tolerance the organization has.
2. I would suggest to consider connectivity and security. Where are the access points, what kind (remote or onsite) Consider security risks with the mobilization of access points, data storage, data types and device types (hardware/software)
3. Based on your initial risk assessment/stakeholder meeting you should now consider redundancy and back up requirements. Critical applications/data should be housed in identical servers with fail-safes in case one goes down. Consider extra switches, routers, spare laptops, etc.
4. Be selective in your hardware/software technologies. Standardization of hardware keeps maintenance costs low. If you are designing from scratch, then you have full control from the start but if you are redesigning, then obtain a full inventory of systems, software and peripherals.
5. Network design should include a DRP that provisions for power outage backup, recovery procedures for servers and network outages, data backup method and location, etc. Consider a variety of scenarios that may trigger the DRP.
6. Finally, I would consider scalability in your design. Your current workforce/business landscape + some percentage of estimated annual growth. This is strategy and should be decided upon with your primary stakeholders.
Having a finite amount of resources requires you to prioritize your resources to add the most value with the least expense (not necessarily $$). The key here is to have a good working relationship with your business stakeholders and let them have a say in what their most important needs are vs those nice to haves. Having a good understanding of what would impact the business and add the most value is critical and the best way is to communicate with your stakeholders frequently. As an IT Network Architect you can make recommendations on security and design based on the “technology” but aligning the IT to the business needs is going to be the bread and butter of the design.
Hi Vanessa, great job on summarizing key considerations in the design process! I agree with your takeaways as well, the main consideration would always be the stakeholders. They’re the ones signing off on the design, responsible for protecting the organization’s security, and most importantly, paying for the work. They have the clearest idea of what their expectations are, the responsibilities this architecture addresses, and maintaining compliance in their design.
Hi Vanessa,
I like your 6th point on the post, Scalability is a very important aspect in building resilient architectures especially when there are overloads, you would not want your system to break down.
When designing the network for organizations, some key considerations would be the stakeholders’ perspective, the business needs of the organizations, inventory of resources, and the environment currently hosting the network.
The key consideration when designing anything for an organization is the stakeholders’ input, they will be the ones signing off on the design, communicating what their business needs are, what compliance frameworks the architecture should be built around, their risk appetite, and what they can afford to spend. Throughout the design process, the security architects should maintain communications with the key stakeholders every step of the way.
The security architecture is built around the devices connected to the network so another key consideration is to take inventory of what is being connected: firewalls, devices, data centers, backups facilities, routers, switches, etc. After taking inventory and communicating with the stakeholders what they have and what they want to add, we can factor it into our design. We also need to assess the environments our connections are hosted in and if concerns arise, either add countermeasures or move it depending on our stakeholder’s needs.
For situations where resources may be scarce, we will have to bring the situation back to the stakeholders. They will have to account for what their priorities are, what is absolutely necessary, what can be omitted from the design, and even what risk can be accepted. To allocate resources effectively, we must consider what can either bring the most value to the organization or can cause the most damage if not addressed in the architecture.
Great post!
Inventory is paramount. Having a listing of your technological landscape and how technology is influenced by your business can help a network engineer make sound decision when it comes to supporting applications. Knowing this information not only allows the architecture to be designed but also what controls (technological) need to be in place to harden the system overall. From software to hardware, having a comprehensive list of the technologies, physical mechanisms and the data types they support is crucial in the design of a network.
Vanessa
Hi Mei,
I agree that it begins and ends with the stakeholder. IT Security management needs to convey the importance of their security recommendations. Stakeholders need to be shown convincing proof and understand the horror show that a breach is. They must not limit the budget for solutions. There has to be a solid balance between business and security.
When designing a network for an organization, what are the key considerations that should be factored into the design? Why do you recommend those considerations? Also consider how you would address the inevitable situation of scarce resources; how would you prioritize?
The first few questions when setting up your Organizations network to ask is how large is the Organization? Is this a small organization? Is this large or a rapidly growing company that will be large in due time? How many devices will you have on your network? Some devices on the network could be VOIP phones, Desktops, Laptops, Servers, Printers / fax machines, etc. Once You know how large the organization is and the number of devices, it is important to prioritize which systems are considered essential. With that you can determine the most crucial devices you need on your network and prioritize them to other devices for resources. For example, the companies email servers and application servers over a printer or an interns desktop.
Hey Eugene,
Pretty much echoed my own thoughts. A network infrastructure is only as effective as how many devices are connected to it. Not only how many devices, but also the types of devices, as some devices need a higher priority for the network than other devices, such as servers.
Excellent points!
Another thing to consider is resources and their availability to support the infrastructure you need resources to implement and support. Another point that comes to mind is availability. Size, as you stated is a huge deal, but also what is the business’ requirement for availability of the network. Considering things like backups and redundancy. These are also key items to consider.
Vanessa
Hi Gino,
So many considerations when designing a network. So many devices in a large organization. I use to work on the helpdesk of a large law firm. I was involved in moving the firm to a new location and you don’t realize how much hardware there is on 7 floors until you have to move it all.
After meeting with stakeholders to approve the design and the $$$, I will set out to build the network using my recommendations considering best practices and a defense-in-depth approach.
I will start by building out the network infrastructure with the Main and multiple Intermediate Distribution Frames. I will add Cisco routers, Cisco switches and Palo Alto NGFW’s (WAF\trusted zones\IPS). The team will deal with the endpoints (desktops, servers, etc.) later in the build.
Cisco Secure Endpoint (formerly AMP) will provide endpoint detection and response. The SolarWinds Orion (yeah, I know) platform will be used to monitor the network and simplify IT administration. I will integrate a Zero Trust architecture using the three principles: verify explicitly (Cisco ISE), least privileged access (IAM), and assume breach. Another layer of defense is Cisco Umbrella for DNS-layer security. FireEye will be utilized for zero-day vulnerabilities and Advanced Persistent Threats (APT’s). I will deploy a secure DMZ for Internet-facing components as well as a honeypot, a DLP solution, IDS\IPS.
I will deploy a robust backup process and a solution such as Veeam, to protect the organization from failures, loss of data, and Ransomware. Data will be encrypted in motion and at rest. Redundant power supplies, Uninterruptible Power Supplies (UPS), and generators will be utilized to mitigate downtime\BC\DR. Once the network is up and being tested, I will integrate a SIEM like LogRhythm or Splunk for log aggregation and enhance it with context and prioritization of events. SIEM’s can quickly search across an organization’s massive amount of data to answer any question, identify security events, and troubleshoot operational issues. These are my recommendations. There are many ways to go but I think this will get us well on our way…
In order to combat scarce resources, I will use elasticity (cloud and\or onsite virtualization), component redundancy and high availability. Virtualization improves scalability while resulting in the use of fewer servers, less energy consumption, and less costs and maintenance.
https://logrhythm.com/products/nextgen-siem-platform/
https://www.solarwinds.com/orion-platform
https://www.cisco.com/c/en/us/products/security/identity-services-engine/index.html
https://www.cisco.com/c/en/us/products/security/identity-services-engine/what-is-identity-access-management.html
https://www.paloaltonetworks.com/
https://umbrella.cisco.com/blog/what-is-dns-layer-security
I agree with you Vincent,
The important step to get out of the way in the beginning is to have a “meeting with stakeholders to approve the design” as you have mentioned.
My first task would be to get a full buy-in on this project from management because without their commitment, the project is bound to face some resistance which would make it hard and slower to implement
My next step would be to meet with all other stakeholders to discuss the need for the system and what its expected to do or achieve. This is because from the go, we want to involve all parties so that we can come with a solutions that meets both the business, operational and security needs
On the technical front, i would then come up with a logical network diagram to visualize or put context on the security architecture. This is important because it determines how the network structure is going to be designed and implemented. For instance, placement of WAFs, Routers, Switches, DMZ, access points, DBs etc
I would then select a model to which to design the project, most preferably for me would be deploying the agile model with devops. so that there is input from all parties as the system is being built to completion.
Lastly, a long the whole process and steps, security and compliance input will be considered till completion plus continuous monitoring.
I think I already answered some of these, including this week, but I am not seeing my post.
I would first reach out to the stakeholders to gain insight into needs and concerns, to understand critical and vulnerable systems, and to build support for the project. It is vital to discuss these topics with stakeholders to fully grasp needs and goals before actually designing/building anything out.
I would compile a list of all devices that would be connected to the network, including technical detail (model, OS, technical needs) on each device. I would make note of any technical vulnerabilities associated with specific devices.
Armed with this information, I would build out the logical network diagram in a way that best fits the business and security needs of the organization.
In the event of scarce resources, I would consider laws, regulations, and the information that I gathered from stakeholders to prioritize the most vital information and systems. I would also research alternatives such as cloud hosting/storage. I would take this information to top management to discuss the next steps before making any decisions on my own.