.. include:: global.rst

********************************************************
Chapter 4: Network Design Considerations
********************************************************

Overview
========

Chapter 4 explains how secure network designs are built using layered security principles and risk-based planning. The chapter focuses on creating resilient networks that can withstand modern threats by eliminating weaknesses and reducing single points of failure.

Core Security Principles
========================

Defense in Depth
----------------

Defense in depth means layering multiple security controls throughout a network instead of relying on a single protection mechanism.

Examples:

- Firewalls
- Intrusion Detection/Prevention Systems (IDS/IPS)
- Endpoint protection
- Encryption
- Network segmentation

Purpose:

- Reduces vulnerabilities
- Prevents a single failure from compromising the entire system
- Slows attackers and limits damage

Redundancy
----------

Redundancy ensures that backup systems or components are available if a primary system fails.

Goal:

- Maintain availability
- Eliminate single points of failure
- Improve reliability and uptime

Endpoint Security
-----------------

Endpoints (devices like laptops, servers, and mobile devices) must be hardened and secured to prevent exploitation.

Methods:

- Patch management
- Antivirus/anti-malware
- Configuration hardening
- Access controls

Network Protection Technologies
================================

IDS (Intrusion Detection System)
--------------------------------

- Monitors network traffic
- Detects suspicious or malicious activity
- Alerts administrators
- Does NOT actively block traffic

IPS (Intrusion Prevention System)
---------------------------------

- Monitors network traffic
- Detects threats
- Actively blocks or prevents malicious traffic

Key Difference: IDS detects; IPS detects AND prevents.

Encryption
----------

Encryption protects data by converting it into unreadable ciphertext.

Used to:

- Secure communication pathways
- Protect sensitive data in transit
- Prevent unauthorized access

IP Addressing Concepts
======================

Static IP Addressing
--------------------

- Manually assigned
- Does not change
- Often used for servers and network devices

Dynamic IP Addressing
---------------------

- Automatically assigned (typically via DHCP)
- Can change over time
- Common for user devices

IPv6 Basics
-----------

- Newer version of IP addressing
- Larger address space than IPv4
- Designed to solve address exhaustion
- Supports improved efficiency and security

Risk Management in Network Design
==================================

Risk Assessment
---------------

Risk assessments help identify:

- Threats
- Vulnerabilities
- Potential impact
- Likelihood of occurrence

Why It Matters:

- Guides selection of security controls
- Ensures resources are used effectively
- Aligns security measures with organizational priorities

What to Focus On
================

- Understand defense in depth and why multiple layers are critical.
- Be able to identify single points of failure in a network design.
- Know the difference between IDS and IPS.
- Understand why encryption protects communication pathways.
- Recognize how risk management drives security decisions.
- Understand static vs dynamic IP addressing.
- Know the purpose and advantages of IPv6.

Summary
=======

Secure network design relies on layered defenses, redundancy, endpoint protection, secure communications, and informed risk management decisions. Combining these elements creates networks that are resilient, reliable, and better protected against modern cyber threats.
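
As an added example (not part of the original chapter notes), the Python below shows one way to identify single points of failure as described under Redundancy and in What to Focus On: it fails each device in turn and checks whether two endpoints can still reach each other. The topologies and device names are constructed for illustration.

```python
from collections import deque

# Constructed topology (hypothetical names): redundant firewalls and
# distribution switches, but only one core switch.
LINKS = [
    ("internet", "fw-1"), ("internet", "fw-2"),
    ("fw-1", "core-sw"), ("fw-2", "core-sw"),
    ("core-sw", "dist-a"), ("core-sw", "dist-b"),
    ("dist-a", "db-server"), ("dist-b", "db-server"),
]
# Same design with a second core switch added (also constructed).
REDUNDANT_LINKS = LINKS + [
    ("fw-1", "core-sw-2"), ("fw-2", "core-sw-2"),
    ("core-sw-2", "dist-a"), ("core-sw-2", "dist-b"),
]

def build_graph(links):
    """Turn a list of physical links into an undirected adjacency map."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def reachable(graph, src, dst, failed=None):
    """Breadth-first search from src to dst, skipping the failed device."""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in graph.get(node, ()):
            if nxt != failed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False

def single_points_of_failure(links, src, dst):
    """Devices whose failure alone cuts every path between src and dst."""
    graph = build_graph(links)
    if not reachable(graph, src, dst):
        raise ValueError(f"{src} cannot reach {dst} even with no failures")
    return sorted(n for n in graph
                  if n not in (src, dst) and not reachable(graph, src, dst, n))

if __name__ == "__main__":
    print(single_points_of_failure(LINKS, "internet", "db-server"))
    print(single_points_of_failure(REDUNDANT_LINKS, "internet", "db-server"))
```

The check covers device failures only; a link that is itself the sole connection between two devices would need the same test applied per link.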