Skip to content

Chapter 31: Network Security Architecture

Overview

Network security architecture defines how data flows safely through an organization — from the internet perimeter through internal segments to critical assets. The traditional castle-and-moat perimeter model has been supplanted by Zero Trust Architecture (ZTA), where no implicit trust exists based on network location. This chapter covers modern network segmentation, Zero Trust principles, next-generation firewalls, secure access service edge (SASE), intrusion detection and prevention, DNS security, and network traffic analysis for threat detection.

Learning Objectives

By the end of this chapter, students SHALL be able to:

  1. Design Zero Trust network architectures based on NIST SP 800-207 principles
  2. Configure and manage next-generation firewalls for micro-segmentation
  3. Implement secure remote access using ZTNA/VPN with strong authentication
  4. Deploy network-based threat detection using IDS/IPS and NTA
  5. Harden DNS infrastructure against DNS hijacking, poisoning, and tunneling
  6. Design SASE architecture for distributed enterprise networks

Prerequisites

  • Strong networking fundamentals (TCP/IP, routing, VLANs, firewalls)
  • Basic understanding of BGP and SD-WAN concepts
  • Chapter 20 (Cloud Security) for cloud network security context

Why This Matters

The Colonial Pipeline ransomware attack was facilitated by a VPN account without MFA — a single credential compromise shut down 45% of East Coast fuel supply. The SolarWinds attack spread through trusted internal network connections because east-west traffic was largely unmonitored. Modern attackers exploit implicit network trust to move laterally after initial access. Zero Trust — verifying every connection, at every point, regardless of network location — is the fundamental architectural response to these threats.

31.1 Zero Trust Architecture

31.1.1 Zero Trust Principles (NIST SP 800-207)

graph TB
    subgraph "Traditional Network Security"
        T1[Trust inside\nthe perimeter]
        T2[Perimeter\nFirewall]
        T3[Implicit trust\nfor internal traffic]
    end

    subgraph "Zero Trust Architecture"
        Z1[Never Trust\nAlways Verify]
        Z2[Verify Explicitly\nIdentity + Device + Context]
        Z3[Least Privilege\nMinimum access]
        Z4[Assume Breach\nLimit blast radius]
    end

    subgraph "ZTA Components"
        PE[Policy Engine\nAccess Decisions]
        PA[Policy Administrator\nSession Management]
        PEP[Policy Enforcement Point\nGateway / Proxy]
    end

    PE --> PA --> PEP

    style Z1 fill:#e63946,color:#fff
    style Z4 fill:#780000,color:#fff
    style PE fill:#1d3557,color:#fff

31.1.2 Zero Trust Design Pillars

Pillar Traditional Zero Trust
Identity Username + password MFA + identity risk score + device health
Device Domain-joined = trusted Every device must meet compliance policy continuously
Network Inside = trusted All traffic encrypted and inspected regardless of location
Application IP-based access Application-level micro-segmentation; per-app authorization
Data Perimeter-protected Data classification + DLP + encryption everywhere
Visibility Perimeter logs Complete telemetry from all resources and sessions

31.1.3 NIST ZTA Reference Architecture

NIST SP 800-207 ZTA Implementation:

Resource Plane (what you're protecting):
├── Enterprise assets: servers, services, applications
├── Subject: users and devices requesting access

Control Plane (access decisions):
├── Policy Engine (PE): Brain — grant/deny/revoke access
├── Policy Administrator (PA): Communicates policies to PEP
├── Data sources: IdP, PKI, SIEM, CMDB, threat intel

Data Plane (traffic enforcement):
└── Policy Enforcement Point (PEP): Gateway that enforces decisions

Decision Flow:
Subject (user + device) → PEP → PA → PE → Access decision
PE checks: identity, device posture, behavioral analytics, threat intel
PE returns: Allow / Deny / Allow with conditions (MFA step-up)
PEP enforces decision; session monitored continuously

31.2 Network Segmentation

31.2.1 Segmentation Architecture

graph TB
    subgraph "DMZ"
        WEB[Web Servers\n443/80]
        EMAIL[Email Gateway\n25/587]
        DNS_EXT[External DNS]
    end

    subgraph "Internal Network — Segmented"
        CORP[Corporate LAN\nUser Workstations]
        SERVER[Server Segment\nInternal Apps]
        DB[Database Segment\n1433/5432/3306]
        IT[IT Management\nActive Directory, PKI]
        PRIV[Privileged Access\nJump Servers, PAWs]
        OT[OT/ICS\nAir-Gapped or DMZ-separated]
    end

    subgraph "Cloud Tenant"
        VNET[Azure VNet / AWS VPC]
    end

    INTERNET --> FW_EXT[External Firewall\nNGFW]
    FW_EXT --> DMZ
    DMZ --> FW_INT[Internal Firewall\nNGFW]
    FW_INT --> CORP
    FW_INT --> SERVER
    SERVER --> FW_DB[Micro-seg Firewall]
    FW_DB --> DB
    CORP <-..-> VPN_GW[ZTNA Gateway]
    VPN_GW <-..-> VNET

    style DB fill:#e63946,color:#fff
    style PRIV fill:#780000,color:#fff
    style OT fill:#f4a261,color:#000

31.2.2 Micro-Segmentation

Micro-segmentation extends traditional VLAN segmentation to per-workload policies:

# NSX-T / VMware micro-segmentation policy example
# Allow only specific traffic between application tiers

DFW Rule Set: 3-Tier App - Production
  Rules:
    - Name: Web-to-App
      Source: Security Group "Web Tier"
      Destination: Security Group "App Tier"
      Service: HTTP (8080), HTTPS (8443)
      Action: Allow
      Direction: Inbound to App Tier

    - Name: App-to-DB
      Source: Security Group "App Tier"
      Destination: Security Group "DB Tier"
      Service: PostgreSQL (5432)
      Action: Allow

    - Name: Default Deny All
      Source: Any
      Destination: Any
      Service: Any
      Action: Deny
      Log: True  # Log all denied traffic for security analysis

31.3 Next-Generation Firewalls

31.3.1 NGFW Capabilities

Feature Traditional FW NGFW
Filtering IP/port/protocol Application identity, user identity, content
SSL inspection No Yes (TLS termination + inspection)
IPS Separate device Integrated inline
URL filtering No Yes (75+ categories)
DNS security No Integrated
Cloud management No Yes (Panorama, Panorama Cloud, Strata)
Threat intelligence No Integrated (WildFire, Cortex XSOAR)
User identity No Integrated (AD, LDAP, SAML)

31.3.2 Palo Alto Networks Policy Best Practices

NGFW POLICY DESIGN PRINCIPLES:

1. Application-based rules (not port-based)
   WRONG: Allow TCP/80 from any to any
   RIGHT: Allow "web-browsing" and "ssl" from Users to Internet

2. User-based policy
   Allow "finance-team" to access "banking-sites" application
   Block "guest-wifi" from internal resources

3. SSL/TLS inspection
   Decrypt outbound HTTPS for inspection (with proper cert trust)
   Exclude: financial sites (banking), healthcare (HIPAA concerns)

4. Default deny posture
   Last rule: Block All from Any to Any with logging enabled
   Log all blocked traffic to SIEM

5. Threat prevention profiles
   Attach threat prevention profile to all allow rules
   Anti-Spyware: Block critical/high, alert on medium
   Vulnerability Protection: Block critical/high
   Antivirus: Block on all alert threshold
   Wildfire: Block on malicious

6. Application groups
   Create custom application groups for:
   - Approved collaboration: Teams, Zoom, Slack
   - Development: GitHub, GitLab, npm
   - Marketing: approved social media

31.4 Secure Remote Access

31.4.1 Traditional VPN vs. ZTNA

Dimension Traditional VPN ZTNA
Trust model Trusted once connected Zero trust — verify per connection
Access scope Full network access Application-specific access only
MFA enforcement Optional Mandatory
Device posture Not checked Continuously evaluated
Lateral movement Easy Nearly impossible
Performance Hair-pins through VPN Direct-to-cloud or app-optimized
Examples Cisco AnyConnect, OpenVPN Zscaler ZPA, Cloudflare Access, BeyondCorp

31.4.2 ZTNA Implementation (Cloudflare Access)

# Cloudflare Zero Trust Access Policy
Application: Internal HR Portal
  Domain: hr.internal.example.com → tunneled to 10.0.1.50:443

  Access Policy:
    Name: HR Staff + IT Access
    Action: Allow

    Include (all must match):
      - Identity Provider: AzureAD
      - Group: HR-Department OR IT-Team
      - Device Posture:
          OS Version: Windows >= 10.0.19041
          Disk Encryption: Required
          Anti-Malware: Required (CrowdStrike running)
      - Country: United States

    Authentication:
      - SAML SSO via Azure AD
      - MFA: Conditional on risk score

    Session Duration: 8 hours (re-auth required after)
    Audit logging: All access logged to SIEM

31.5 Intrusion Detection and Prevention

31.5.1 IDS/IPS Placement

Optimal IDS/IPS placement:

1. External (perimeter): Between internet and DMZ
   - Detects inbound attack patterns, scanning, known exploits
   - High volume; tune carefully to avoid alert fatigue

2. Internal (east-west): Between network segments
   - Detects lateral movement, C2, data exfiltration
   - Most valuable for detecting advanced attackers

3. Critical asset protection: In front of database / financial servers
   - Highly tuned ruleset for specific asset type
   - Minimal false positives required

IPS Mode (inline — can block):
   - Perimeter: Appropriate — block known malicious patterns
   - Internal: Caution — false positive blocks can cause outages

IDS Mode (out-of-band — monitor only):
   - Always safe — no impact on traffic
   - Alert then investigate

31.5.2 Suricata Configuration

# Suricata — open source IDS/IPS
# /etc/suricata/suricata.yaml key settings

af-packet:
  - interface: eth0
    cluster-id: 99
    cluster-type: cluster_flow

outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: /var/log/suricata/eve.json
      types:
        - alert:
            payload: yes
            payload-printable: yes
            metadata: yes
            http-body: yes
        - http
        - dns
        - tls:
            extended: yes
        - files:
            force-magic: yes

rule-files:
  - /etc/suricata/rules/emerging-all.rules  # ET Open rules
  - /etc/suricata/rules/local.rules          # Custom rules

# Detection rule example — detect Cobalt Strike beacon
alert http $HOME_NET any -> $EXTERNAL_NET any (
  msg:"ET MALWARE CobaltStrike Beacon Pattern";
  flow:established,to_server;
  content:"Content-Type|3a 20|";
  content:"application/octet-stream";
  content:"Accept-Encoding|3a 20|identity";
  content:!"Referer|3a 20|";
  classtype:trojan-activity;
  sid:2034999;
  rev:1;
)

31.6 DNS Security

DNS is both the most important protocol on the internet and one of the most abused by threat actors.

31.6.1 DNS Attack Types

Attack Description Defense
DNS Tunneling Encode data in DNS queries/responses for C2 DNS analytics, length/entropy monitoring
DNS Hijacking Redirect queries to malicious resolver DNSSEC, resolver monitoring
DNS Cache Poisoning Inject false records into resolver cache DNSSEC validation, randomize ports
DGA C2 Malware uses randomly generated domains Threat intel feeds, ML-based DGA detection
Lookalike Domains Typosquatting in DNS Brand monitoring, DMARC, typosquat alerts
Fast Flux Rapidly rotate IPs for C2 Reputation-based DNS filtering

31.6.2 Protective DNS

# Cloudflare Gateway / Umbrella / Quad9 DNS filtering
# Change resolver to protective DNS:
# Cloudflare: 1.1.1.2 (malware blocking) / 1.1.1.3 (malware + adult)
# Quad9: 9.9.9.9 (threat intelligence blocking)
# Cisco Umbrella: Deploy as forwarder on internal resolvers

# DNSSEC validation
# Enable on internal resolvers:
# Unbound configuration:
cat >> /etc/unbound/unbound.conf << EOF
server:
    module-config: "validator iterator"
    auto-trust-anchor-file: "/etc/unbound/trusted-key.key"
    val-log-level: 2
EOF

# Log all DNS queries for threat hunting
# Bind9 query log:
logging {
    channel query_log {
        file "/var/log/named/query.log" versions 5 size 20m;
        print-time yes;
        print-category yes;
        severity info;
    };
    category queries { query_log; };
};

31.7 SASE Architecture

Secure Access Service Edge (SASE) converges wide-area networking and security into a cloud-delivered service.

graph TB
    subgraph "Traditional WAN + Security Stack"
        HQ[HQ] --> MPLS[MPLS\nExpensive Private WAN]
        MPLS --> DC[Data Center\nFirewall, Proxy, IPS]
        BRANCH[Branch] --> MPLS
        REMOTE[Remote User] --> VPN[VPN]
        VPN --> DC
    end

    subgraph "SASE Architecture"
        HQ2[HQ] --> SASE[SASE Cloud\nZscaler / Netskope / Cloudflare One]
        BRANCH2[Branch] --> SASE
        REMOTE2[Remote User] --> SASE
        CLOUD[SaaS/IaaS] --> SASE

        SASE --> FW2[FWaaS]
        SASE --> SWG[Secure Web Gateway]
        SASE --> CASB2[CASB]
        SASE --> ZTNA2[ZTNA]
        SASE --> SD[SD-WAN]
    end

    style SASE fill:#1d3557,color:#fff

31.7.1 SASE Components

Component Function
SD-WAN Dynamic path selection for branch connectivity
FWaaS (Firewall as a Service) Cloud-delivered NGFW for all locations
SWG (Secure Web Gateway) URL filtering, SSL inspection, DLP
CASB (Cloud Access Security Broker) SaaS visibility, DLP, anomaly detection
ZTNA Zero-trust application access
ZTDNS (DNS Security) Protective DNS filtering

31.8 Benchmark Controls

Control ID Title Requirement
Nexus SecOps-NS-01 Network Segmentation Tiered segmentation; DMZ, servers, users, privileged access separated
Nexus SecOps-NS-02 Zero Trust Remote Access ZTNA or VPN with MFA + device posture checking for remote access
Nexus SecOps-NS-03 East-West Monitoring IDS/IPS coverage of internal network segments
Nexus SecOps-NS-04 DNS Security Protective DNS resolver; DNS query logging; DNSSEC where applicable
Nexus SecOps-NS-05 NGFW Deployment NGFW with threat prevention at all external boundaries
Nexus SecOps-NS-06 Network Traffic Analysis NTA solution capturing east-west traffic; 90-day retention

Exam Prep & Certifications

Relevant Certifications

The topics in this chapter align with the following certifications:

  • CCNP Security — Domains: Network Security Architecture, Firewalls, IDS/IPS
  • GIAC GCIH — Domains: Incident Handling, Network Defense, Intrusion Detection

View full Certifications Roadmap →

Key Terms

NGFW (Next-Generation Firewall) — A firewall that includes traditional packet filtering plus application identification, user identity awareness, SSL inspection, and integrated IPS.

SASE (Secure Access Service Edge) — A cloud-delivered security architecture converging SD-WAN with comprehensive security services (SWG, CASB, ZTNA, FWaaS) into a single platform.

Zero Trust Architecture (ZTA) — A security model based on the principle of "never trust, always verify" — requiring explicit verification of identity, device posture, and context for every access request.

ZTNA (Zero Trust Network Access) — Technology that provides application-specific, identity-verified remote access without placing users on the corporate network — replacing traditional VPN.

Micro-segmentation — Granular network segmentation at the workload or application level using software-defined policies, rather than relying solely on VLANs and physical network boundaries.