=================================================
Network Security Architecture Redesign
=================================================

Overview
--------

This project focuses on analyzing and improving the network architecture for a fictional organization, *Regional Insurance Group*. The goal of the project was to evaluate the organization's original network design and implement a more secure and scalable architecture using modern network security principles.

The redesign introduces network segmentation, layered firewall protection, a demilitarized zone (DMZ), and centralized authentication. These improvements follow established cybersecurity practices such as defense-in-depth, least privilege access, and secure network design.

The project demonstrates practical application of networking concepts including IP addressing, subnetting, VLAN configuration, firewall placement, and authentication infrastructure.

Objectives
----------

The primary objectives of the project were:

- Analyze the weaknesses of the existing network infrastructure
- Implement logical network separation between departments
- Improve perimeter and internal security through firewall placement
- Introduce a DMZ for public-facing services
- Implement centralized authentication for internal resources
- Document the updated network architecture and security improvements

Original Network Architecture
-----------------------------

The original network infrastructure supported internal operations and customer access through a simple architecture protected by a single perimeter firewall. While functional, the design lacked internal segmentation and relied on minimal security controls between network resources.

Key characteristics of the original network included:

- Single border firewall protecting the entire network
- Public-facing Linux/Apache web server
- Windows-based application servers hosting customer management systems
- Database servers storing sensitive customer records
- File and print servers supporting internal operations
- Approximately 50 employee workstations
- Limited network segmentation and internal access controls

The following diagram shows the original network configuration.

Original Documentation
----------------------

The initial documentation described the existing network configuration, hardware components, and system interconnections. This documentation served as the baseline for identifying architectural weaknesses and security risks in the original design.

Redesigned Network Architecture
-------------------------------

The redesigned network introduces several improvements to strengthen security and improve manageability. The architecture now includes logical network segmentation using VLANs, multiple firewall layers, and a properly implemented DMZ.

Major design improvements include:

Department Segmentation
^^^^^^^^^^^^^^^^^^^^^^^

The Accounting and Sales departments are separated using VLANs to isolate network traffic and reduce the risk of lateral movement within the network.

Example VLAN structure:

- VLAN 10 – Accounting Network
- VLAN 20 – Sales Network
- VLAN 30 – Server Infrastructure
- VLAN 40 – Authentication Services
- VLAN 50 – DMZ Network

Firewall Architecture
^^^^^^^^^^^^^^^^^^^^^

A layered firewall strategy was implemented to provide defense-in-depth protection.

- Perimeter firewall protecting the network from internet-based threats
- Internal segmentation firewall controlling traffic between the DMZ and internal networks
- Host-based firewalls enabled on servers and workstations

DMZ Implementation
^^^^^^^^^^^^^^^^^^

A demilitarized zone (DMZ) was created to isolate publicly accessible services from internal network resources. The customer portal web server was placed within this DMZ to prevent direct exposure of internal systems.

Network Authentication
^^^^^^^^^^^^^^^^^^^^^^

Centralized authentication was implemented using directory services. Dedicated authentication servers provide identity management, enforce access control policies, and support secure user login across the organization.

Updated Network Diagram
-----------------------

The updated network diagram illustrates the redesigned architecture, including VLAN segmentation, firewall placement, authentication services, and the DMZ.

Final Design Report
-------------------

The final design report provides detailed explanations of the network improvements, including the technical rationale behind segmentation, firewall placement, DMZ architecture, and authentication mechanisms.

Skills Demonstrated
-------------------

This project demonstrates several practical cybersecurity and networking skills:

- Network architecture analysis
- Secure network design
- VLAN segmentation and subnet planning
- Firewall strategy and placement
- DMZ implementation
- Authentication and access control design
- Technical documentation and reporting

Conclusion
----------

The redesigned network architecture significantly improves the security and organization of the Regional Insurance Group infrastructure. By introducing segmentation, layered firewalls, a DMZ, and centralized authentication, the network now follows industry best practices for protecting sensitive data and maintaining secure operations.
This project highlights the importance of thoughtful network design and demonstrates how security principles can be applied to strengthen enterprise infrastructure.
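As an added example that is not part of the project's own deliverables, the following Python model encodes the VLAN segmentation and internal firewall policy described above as data, evaluates flows against it with an implicit default deny, and checks that the paths the redesign is meant to block (DMZ into the workstation VLANs, Sales into Accounting, internet straight to the database tier) are actually denied. The subnets and service ports are assumptions made for the example; the report gives VLAN numbers only.

```python
import ipaddress
from typing import NamedTuple
# Constructed address plan: the redesign names VLANs 10-50 but gives no prefixes.
ZONES = {
    "accounting": ipaddress.ip_network("10.10.10.0/24"),  # VLAN 10
    "sales":      ipaddress.ip_network("10.10.20.0/24"),  # VLAN 20
    "servers":    ipaddress.ip_network("10.10.30.0/24"),  # VLAN 30
    "auth":       ipaddress.ip_network("10.10.40.0/24"),  # VLAN 40
    "dmz":        ipaddress.ip_network("10.10.50.0/24"),  # VLAN 50
}

class Rule(NamedTuple):
    src: str      # zone name, or "internet" for addresses outside ZONES
    dst: str
    dport: int    # destination TCP port
    action: str   # "allow" or "deny"

# Segmentation firewall policy: first match wins, implicit deny at the end.
# Service ports are assumed for the example, not taken from the design report.
POLICY = [
    Rule("internet",   "dmz",     443,  "allow"),  # public customer portal
    Rule("dmz",        "servers", 1433, "allow"),  # portal to customer DB only
    Rule("accounting", "auth",    636,  "allow"),  # LDAPS to directory services
    Rule("sales",      "auth",    636,  "allow"),
    Rule("accounting", "servers", 445,  "allow"),  # file and print shares
    Rule("sales",      "servers", 445,  "allow"),
]

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def evaluate(src_ip: str, dst_ip: str, dport: int) -> str:
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if (rule.src, rule.dst, rule.dport) == (src, dst, dport):
            return rule.action
    return "deny"  # nothing matched: the implicit default-deny applies

def segmentation_violations() -> list:
    checks = [  # flows the redesign is meant to block; any "allow" is a policy bug
        ("10.10.50.10", "10.10.10.25", 445),   # DMZ host reaching into Accounting
        ("10.10.20.7", "10.10.10.25", 445),    # Sales to Accounting lateral move
        ("198.51.100.9", "10.10.30.5", 1433),  # internet straight to the database
        ("10.10.50.10", "10.10.40.5", 636),    # DMZ host querying the directory
    ]
    return [c for c in checks if evaluate(*c) == "allow"]
```

Adding a new rule to `POLICY` and re-running `segmentation_violations()` shows whether the change quietly reopens one of the paths the segmentation was designed to close.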