Chapter 4: Network Design Considerations

Overview

Chapter 4 explains how secure network designs are built using layered security principles and risk-based planning. The chapter focuses on creating resilient networks that can withstand modern threats by eliminating weaknesses and reducing single points of failure.

Core Security Principles

Defense in Depth

Defense in depth means layering multiple security controls throughout a network instead of relying on a single protection mechanism.

Examples: - Firewalls - Intrusion Detection/Prevention Systems (IDS/IPS) - Endpoint protection - Encryption - Network segmentation

Purpose: - Reduces vulnerabilities - Prevents a single failure from compromising the entire system - Slows attackers and limits damage

Redundancy

Redundancy ensures that backup systems or components are available if a primary system fails.

Goal: - Maintain availability - Eliminate single points of failure - Improve reliability and uptime

Endpoint Security

Endpoints (devices like laptops, servers, and mobile devices) must be hardened and secured to prevent exploitation.

Methods: - Patch management - Antivirus/anti-malware - Configuration hardening - Access controls

Network Protection Technologies

IDS (Intrusion Detection System)

  • Monitors network traffic

  • Detects suspicious or malicious activity

  • Alerts administrators

  • Does NOT actively block traffic

IPS (Intrusion Prevention System)

  • Monitors network traffic

  • Detects threats

  • Actively blocks or prevents malicious traffic

Key Difference: IDS detects; IPS detects AND prevents.

Encryption

Encryption protects data by converting it into unreadable ciphertext.

Used to: - Secure communication pathways - Protect sensitive data in transit - Prevent unauthorized access

IP Addressing Concepts

Static IP Addressing

  • Manually assigned

  • Does not change

  • Often used for servers and network devices

Dynamic IP Addressing

  • Automatically assigned (typically via DHCP)

  • Can change over time

  • Common for user devices

IPv6 Basics

  • Newer version of IP addressing

  • Larger address space than IPv4

  • Designed to solve address exhaustion

  • Supports improved efficiency and security

Risk Management in Network Design

Risk Assessment

Risk assessments help identify: - Threats - Vulnerabilities - Potential impact - Likelihood of occurrence

Why It Matters: - Guides selection of security controls - Ensures resources are used effectively - Aligns security measures with organizational priorities

What to Focus On

  • Understand defense in depth and why multiple layers are critical.

  • Be able to identify single points of failure in a network design.

  • Know the difference between IDS and IPS.

  • Understand why encryption protects communication pathways.

  • Recognize how risk management drives security decisions.

  • Understand static vs dynamic IP addressing.

  • Know the purpose and advantages of IPv6.

Summary

Secure network design relies on layered defenses, redundancy, endpoint protection, secure communications, and informed risk management decisions. Combining these elements creates networks that are resilient, reliable, and better protected against modern cyber threats.