When designing a network for an organization, what are the key considerations that should be factored into the design? Why do you recommend those considerations? Also consider how you would address the inevitable situation of scarce resources; how would you prioritize?
Anthony Wong says
When designing a network, there are a few considerations when it comes to the network design. The first item to understand is the requirements, which include how many users will be on the network, how many employees will be using the network in the next 3-5 years, and an analysis of how many network devices would be connected to the network. All of this information will help the design and performance of the network. In terms of technologies, firewalls and data loss protection are essential for minimizing the risk of potential network attacks. To handle inevitably scarce resources, we can utilize cloud computing for on-demand self-service and rapid elasticity and scalability to increase network capacity. The cloud must be considered early on in the design as well.
Mohammed Syed says
Also, the essential requirements that need to be understood when architecting a network include scalability, redundancy, performance and security, manageability, and maintainability.
Anthony Wong says
Hi Mohammed,
I definitely agree all of these aspects are important in designing a network. Redundancy and scalability stick out to me the most because if the network fails then there must be some alternative to enable business continuity. And as the organization grows, the network needs to be expanded to handle the new capacity, which is why the cloud is a great solution. Due to its flexibility, enterprises can determine which cloud deployment model fits best for their business.
Antonio Cozza says
It seems difficult not to choose a cloud provided solution to address scalability with all of the various cloud solutions for different business functions. The three primary models essentially solve the most common resource scarcity categories, and help make delivering a given product more efficient as things like hardware/middleware/server concerns can more or less be overlooked to a degree based on a cost-cutting solution that will provide the same desired result.
Anthony Wong says
Hi Antonio,
There’s no doubting the benefits of leveraging cloud capabilities. However, the enterprise must determine which services can help meet the network requirements. For example, if PII or HIPAA data is regularly used and sent across the network, a public cloud deployment model wouldn’t be a good idea. Instead, a private cloud is more suitable, but it has higher costs than the public cloud. These discussions must happen between senior management to align the strategies.
Mitchell Dulaney says
Hi Anthony, you make a good point that networks must be designed for the way they will be used not just now but for the foreseeable future. Network engineers need to have an understanding of the different business needs of the organization and the direction the company is moving so that they can future-proof the network architecture. This will prevent unnecessary costs resulting from work having to be re-done when the company expands.
Vraj Patel says
Hello Anthony,
That is a great post. I do agree that the first step is to understand the requirements of the network. As such, if the requirements of the network are not well understood, the network being set up might not be capable of supporting the business process, which could create a risk. Even not knowing the requirements of the network ahead of time could impact the budget of implementing the network.
Kelly Sharadin says
When designing a network for an organization, key considerations include determining traffic capacity needs, understanding how data will flow through the network, and placing adequate security controls at entry and exit points. Network engineers are responsible for providing high availability, which can be achieved through implementing load balancers to help offset influxes in network traffic. In the event of incident response and disaster recovery, network resources should have redundancy to help reduce downtime by utilizing alternate and backup locations. Network segmentation is an architectural requirement that helps secure critical resources from adversaries attempting to traverse the network. Network segmentation can be achieved by installing firewalls, creating access control lists, and placing network objects in separate subnets. Each of these considerations requires network administrators to maintain visibility into the network; therefore, logs from firewalls, IDPS and servers should be recorded and centralized via a SIEM where possible.
Mitchell Dulaney says
Hi Kelly, I agree that networks need to be designed with the business’s operational data flows and typical capacity requirements in mind. If network engineers build a network purely with security considerations in mind, then the network might not be able to handle the traffic involved in the business’s actual profit-generating functions.
Vraj Patel says
Hey Kelly,
That key consideration of knowing the traffic capacity is an important requirement to know prior to designing the network. It would assist in knowing how many devices will be needed, such as how many routers, switches, firewalls, and other networking equipment. If those requirements are not well understood, then it could significantly affect the budget of implementing and maintaining the network later on.
Kyuande Johnson says
When designing a network for an organization, it is essential to have these five basic components to ensure the network has the required capabilities. Clients are computers that are utilized by “users”. These users access shared components of the network such as servers and file shares. Servers are powerful computers that provide functionality for clients. A server stores, sends, and receives data. Channels are the pathways over which information travels between the different computers (clients and servers) that comprise the network. Interface devices are hardware components that enable users to interact with network resources. The operating system is the network’s software that manages computer hardware and software resources.
Mohammed Syed says
Agree, Johnson, and access to shared resources is a significant driver of the evolution of networking. Today, we need to understand the infrastructure that supports shared resources, the services those components provide are secret, and what type of network equipment we are using in our environment.
Vraj Patel says
Hello Kyuande,
That was a great post. Furthermore, it is critical to prepare for network redundancy ahead of time, since if there is only one channel for end users to reach the server, and there are any conflicts within that path, no one will be able to access the server.
Shubham Patil says
When designing a network, some key considerations to make are: least privilege – traffic should be allowed to flow between any two points that are required to communicate to satisfy a valid organizational requirement, and nowhere else. Privacy by design – encrypting your network traffic is a good start toward protecting privacy; everything that happens on the network should be auditable, meaning that there should be a record of who is talking with whom, when, and why. This is normally done by ensuring logs are properly configured and protected against tampering or accidental loss. Defense in depth – this should always be the strategy; concentric defenses should be built around our most valuable assets. Zero trust – services and traffic on your network should all be authenticated and encrypted. When two servers are part of a system (e.g., the web server and its backend database), they should authenticate each other and have rules around what requests each is allowed to make of the other. One method for prioritizing is to understand what vulnerabilities are most likely to be targeted. Knowing the kinds of vulnerabilities attackers probe for the most can help determine which assets require prioritized patching.
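Kelly's post above (segmentation with firewalls, access control lists and separate subnets, with logs centralized in a SIEM) and Shubham's post (least privilege: traffic flows only where a valid requirement exists, nowhere else) describe the same control. The following is an added example, not code from either poster, that models it: segments are subnets, the allow-list is the only set of permitted flows, everything else is denied and logged. The subnet ranges, segment names and ports are constructed assumptions.

```python
"""Least-privilege segmentation policy checker (added example).

Each segment is a subnet. The only flows that may cross segment
boundaries are the ones on an explicit allow-list; any other flow is
denied by default and produces a log line of the kind a SIEM collects.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample segments; names and ranges are assumptions.
SEGMENTS = {
    "users": ipaddress.ip_network("10.10.0.0/24"),
    "web": ipaddress.ip_network("10.20.0.0/24"),
    "db": ipaddress.ip_network("10.30.0.0/24"),
    "mgmt": ipaddress.ip_network("10.99.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str    # source segment name
    dst: str    # destination segment name
    proto: str  # "tcp" or "udp"
    port: int   # destination port


# The allow-list is the whole policy: a flow that is not written down
# here has no valid organizational requirement and is dropped.
ALLOW = [
    Rule("users", "web", "tcp", 443),  # browsers reach the web tier only
    Rule("web", "db", "tcp", 5432),    # web tier reaches the database only
    Rule("mgmt", "web", "tcp", 22),    # admins manage the web tier
    Rule("mgmt", "db", "tcp", 22),     # admins manage the db tier
]


def segment_of(ip: str):
    """Return the name of the segment containing ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """Default-deny check: True only if the flow is on the allow-list."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False  # address space we do not know is never trusted
    return Rule(src, dst, proto.lower(), port) in ALLOW


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int):
    """Decide one flow and return (verdict, log line for the SIEM)."""
    verdict = "ALLOW" if is_allowed(src_ip, dst_ip, proto, port) else "DENY"
    log = (f"fw verdict={verdict} src={src_ip} src_seg={segment_of(src_ip)} "
           f"dst={dst_ip} dst_seg={segment_of(dst_ip)} proto={proto} dport={port}")
    return verdict, log


def render_iptables(rules):
    """Render the allow-list as iptables FORWARD rules with a default DROP.

    LOG is non-terminating, so the final rule records every flow that
    matched nothing before the chain policy drops it.
    """
    lines = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in rules:
        lines.append(
            f"iptables -A FORWARD -s {SEGMENTS[r.src]} -d {SEGMENTS[r.dst]} "
            f"-p {r.proto} --dport {r.port} -j ACCEPT"
        )
    lines.append('iptables -A FORWARD -j LOG --log-prefix "seg-deny: "')
    return lines


if __name__ == "__main__":
    for flow in [("10.10.0.5", "10.20.0.10", "tcp", 443),   # user -> web
                 ("10.10.0.5", "10.30.0.10", "tcp", 5432),  # user -> db
                 ("10.30.0.10", "10.20.0.10", "tcp", 443)]: # db -> web
        print(evaluate(*flow)[1])
    print("\n".join(render_iptables(ALLOW)))
```

The reverse direction (database initiating a connection to the web tier) is denied even though the forward flow is allowed; the conntrack rule in the rendered ruleset handles reply packets, so only intended initiators ever open a path. The deny log lines are what the SIEM would ingest to spot lateral movement attempts between segments.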
Mohammed Syed says
Before least privilege and network traffic are allowed, you should consider that the most excellent topology for a particular network depends on such things as how nodes are supposed to interact, which protocols are used, what type of applications are available, the reliability and expandability, the physical layout of the facility, cable wiring, and the technologies implemented; otherwise the topology and combinations of topology can negatively affect the network’s performance, productivity, and growth possibilities.
Kelly Sharadin says
Mohammed,
Great points about the physical considerations when designing a network. I think this is the most exhausting aspect of network design: understanding how the pieces fit together. Such as, how will the air flow through the server and data center? How will the servers on each floor of a building connect to the ground floor data center? Easy to see why many are opting for the cloud 🙂
Kelly
Shubham Patil says
Kelly,
Yeah, no wonder many organizations are opting for cloud infrastructures. But as demand is increasing and customers are speeding up to spin up their infrastructure in the cloud, the most common vulnerability that we see is security misconfigurations. Security misconfigurations are security controls that are inaccurately configured or left insecure, putting your systems and data at risk. Basically, any poorly documented configuration changes, default settings, or a technical issue across any component in your endpoints could lead to a misconfiguration.
Kelly Sharadin says
Hi Shubham,
I completely agree. M365, for example, is slowly beginning to disable common misconfigurations on behalf of customers, such as disabling legacy authentication. However, many business productivity platforms still require manual configuration to reduce security risk.
Kelly
Antonio Cozza says
It is crucial for organizations now to include privacy by design. Privacy simply cannot be an afterthought, as it will not be attributed with the same level of security and effectiveness had it been part of the original design. Without inclusion in the original design, difficulties in compliance with privacy requirements for different businesses may arise, as they are unlikely to be as effective as an architecture that considered privacy in the design phase.
Shubham Patil says
Antonio,
I agree with the points you made. It is also critical to understand where the data is collected and for what purpose. Privacy should be built into the system by default.
Mitchell Dulaney says
Hi Shubham, you make a lot of good points. I think it’s important to keep in mind that the ability to audit and inspect all network traffic all the time might conflict with the principle of privacy by design. Some network traffic may need to go uninspected, for example if an employee is communicating with a personal health provider or if they are conducting personal financial transactions, they may have a reasonable expectation that the company won’t be able to read that data (or at least the company wouldn’t choose to read it). There should be measures in place to help a company interpret network traffic and identify private communications before reading the traffic.
Mitchell Dulaney says
There are a few key considerations when designing an enterprise network. Two of the most important ones from a security perspective are the locations of information assets in the network and the data flows that occur on each segment of the network. It is critical to design a network around the potential locations of data at rest, so that the data is accessible to the degree that it needs to be for the organization’s operations, but also so that the appropriate controls are able to be implemented in front of those assets. Similar logic applies to the data flows that any segment of the network will carry: the segment must be capable of moving the appropriate data across it, but the design must include and account for the appropriate controls that should be in place. Other considerations include the volume of traffic that must be carried by each segment of the network and the endpoints that will be connected to each segment (for example, internal servers, employee workstations, external customers or suppliers, etc.). For both of these items, it is important to design the network so that impediments to the company’s business functions are minimized. I recommend these considerations be kept in mind first and foremost so that the network is designed around business operations so that the associated risks are at a level tolerable by senior management.
I would address potential scarcity of resources from a risk management perspective. The potentials for network segments to be bottlenecked, or for the business to grow in a way that the original network design is rendered outdated, should be viewed as risks and should be evaluated as part of the information security risk assessment process. That risk assessment would lead to resources being prioritized for whatever assets or data flows are most critical to business operations, and appropriate controls can be implemented. These controls could include additional investment to increase bandwidth available to and from those critical network segments, duplicating servers to enable load balancing, or contracting with a third-party cloud provider so that requests that internal network resources are unable to complete can be redirected to secured external resources hosted by the provider.
Antonio Cozza says
Nice point regarding bottlenecking in a network segment, Mitch. If this seems to be a repeat issue for an organization, the staff may consider implementing a load balancer to resolve the network congestion and ensure more stable and consistent transmissions.
Kelly Sharadin says
Hi Mitchell,
Understanding the types of data and how it will flow through the network is vital for implementing the proper security controls. A video streaming company needs to be able to handle extreme volumes of traffic and will allocate resources to support availability. Whereas a small financial firm will most likely prioritize confidentiality and integrity by implementing encryption and strong authentication controls and checkpoints via firewall access control lists.
Kelly
Mohammed Syed says
To design the network for an organization, one needs to deeply study the organization’s business type, its various services (which are distributed to the public or internal network), the importance of security, etc., because it can vary as per what services they provide and what operations they perform in the organization, which play an important role in implementing the organizational network structure.
Because as per the organization’s services we can understand what type of threat they can face, which level of security is implemented there, and what type of hardware, network, and security software is used in the network implementation. As per the requirements of the organization’s structure, we can finalize how to set up access control, anti-malware software usage, anomaly detection tools, application security tools, data prevention techniques, endpoint security, firewall setup, IDS/IPS configuration, VLAN configuration, network segmentation, VPN setup, and other security devices; their proper implementation is very important to achieve one of the best network designs.
To address the inevitable situation of scarce resources, one needs to sort the priority of network segments by which is more sensitive as per protection and organizational availability, and needs to design and implement the whole network configuration with the available hardware, software, and security appliances to achieve the best result.
Shubham Patil says
Mohammed,
Logical network segmentation is a popular way of segmenting a network. Instead of segmenting physical parts of the network such as routers and access points, logical segmentation uses concepts built into the network infrastructure for segmentation, such as creating virtual local area networks (VLANs) that may share physical hardware.
Antonio Cozza says
There are a large variety of items to consider when architecting a network for an organization, which may have significant variance depending on the type and size of the business in question. The data being sent over the network needs to be protected with appropriate measures as understood by both industry best practices as well as federal regulations and guidelines if applicable. More stringent environments should have items within the network architecture which ensure high availability so that data transmission is reliable, through the use of measures such as high availability firewall pairs for example, or redundant servers and load balancers. To ensure sensitive information is not leaving an organization, endpoint and network DLP can be implemented. For ensuring confidentiality, secure connections should be established to authenticate into the internal network, via VPNs. Resource scarcity today is most effectively addressed via cloud provided solutions, which could solve issues with resources including short staffing and security needs through a SOC as a service for example, rapid scalability for a certain type of organization via a content delivery network, etc.
Shubham Patil says
I’d also like to add that Network DLP (NDLP) data protection policies should be applied to ensure that data is safe in motion. NDLP products are normally implemented as appliances that are deployed at the perimeter of an organization’s networks. They can also be deployed at the boundaries of internal subnetworks and could be deployed as modules within a modular security appliance.
Mitchell Dulaney says
Antonio, I agree with you that cloud solutions are the best solution to resource scarcity and to make sure that resources remain available when an organization is dealing with a higher-than-average network load. This is one of the best use cases for contracting with a cloud provider.
Vraj Patel says
Hello Antonio,
That is a great post. In addition, before deploying the DLP system, it is critical to have a good strategy in place, since if it is not correctly planned, data that does not need to be blocked might get blocked, while data that should be stopped may not get blocked.
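Shubham's comment above describes NDLP inspecting data in motion at the perimeter, and Vraj's reply warns that a poorly tuned policy blocks data it should pass and passes data it should block. The following added example, not code from either poster or from any DLP product, shows the content-inspection step such an appliance performs on an outbound message: pattern matching for two sensitive data classes, with a checksum confirmation on card-number candidates so that ordinary 16-digit identifiers are not blocked, and masking of any match before it is written to a log. The sample messages are constructed.

```python
"""Network DLP content inspection for data in motion (added example).

Scans an outbound message body for US Social Security numbers and
payment card numbers. A bare regex over-blocks, so card candidates are
confirmed with the Luhn checksum before the message is blocked, and
matched values are masked before they reach any log.
"""
import re

# SSN: three groups, excluding the area/group/serial values that are
# never issued (000, 666, 9xx area; 00 group; 0000 serial).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card candidate: 13 to 19 digits with optional single space/dash separators.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so log entries do not leak the data."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def inspect(message: str) -> dict:
    """Return a verdict and the (masked) findings for one outbound message."""
    findings = []
    for m in SSN_RE.finditer(message):
        findings.append(("ssn", mask(m.group())))
    for m in CARD_RE.finditer(message):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # reject lookalikes such as order numbers
            findings.append(("card", mask(m.group())))
    verdict = "BLOCK" if findings else "ALLOW"
    return {"verdict": verdict, "findings": findings}


# Constructed sample traffic: one false-positive candidate, two true hits,
# one benign message.
SAMPLES = [
    "Invoice for order 1234567890123456 attached",     # 16 digits, fails Luhn
    "Customer card 4111 1111 1111 1111 exp 12/26",     # valid card number
    "Applicant SSN 123-45-6789 for onboarding",        # SSN
    "Meeting at 10-30 in room 4, bring 2 copies",      # nothing sensitive
]

if __name__ == "__main__":
    for text in SAMPLES:
        result = inspect(text)
        print(f"{result['verdict']:5} {result['findings']} <- {text!r}")
```

The order-number message is allowed because its digits fail the Luhn check even though the regex matched, which is the tuning Vraj describes: the pattern alone would have blocked legitimate invoices. The findings carry only masked values, so the inspection log that feeds a SIEM does not itself become a copy of the sensitive data.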
Vraj Patel says
When creating a network, there are several factors to consider. The network’s objective is the first item to consider. Determine the network’s needs for the company, such as the number of users that will need access to the network and the devices that will connect to it. The second factor to examine is the network’s security requirements, which will ensure that the data stored on the network is safe. The network’s redundancy, on the other hand, ensures that the network remains operational in the event of an incident or other disruption. This consideration will assure that the organization’s network performance needs are met, as well as a secure connection.