Security Architecture 29% 1.1 Ensure An Appropriate, Secure Network Architecture For A New or Existing Network

The document discusses key components and considerations for ensuring a secure network architecture. It outlines various services and security measures like load balancers, firewalls, IDS/IPS, and segmentation techniques. It also addresses modern aspects such as cloud, remote work, and software-defined networking.

Uploaded by ranamzeeshan

Security Architecture 29%

1.1 Ensure an appropriate, secure network architecture for a new or existing network.
Services
- Load balancer
- Intrusion detection system (IDS)/network intrusion detection system (NIDS)/wireless intrusion detection system (WIDS)
- Intrusion prevention system (IPS)/network intrusion prevention system (NIPS)/wireless intrusion prevention system (WIPS)
- Web application firewall (WAF)
- Network access control (NAC)
- Virtual private network (VPN)
- Domain Name System Security Extensions (DNSSEC)
- Firewall/unified threat management (UTM)/next-generation firewall (NGFW)
- Network address translation (NAT) gateway
- Internet gateway
- Forward/transparent proxy
- Reverse proxy
- Distributed denial-of-service (DDoS) protection
- Routers
- Mail security
- Application programming interface (API) gateway/Extensible Markup Language (XML) gateway
- Traffic mirroring
  - Switched port analyzer (SPAN) ports
  - Port mirroring
  - Virtual private cloud (VPC)
  - Network tap
- Sensors
  - Security information and event management (SIEM)
  - File integrity monitoring (FIM)
  - Simple Network Management Protocol (SNMP) traps
  - NetFlow
  - Data loss prevention (DLP)
  - Antivirus

Segmentation
- Microsegmentation
- Local area network (LAN)/virtual local area network (VLAN)
- Jump box
- Screened subnet
- Data zones
- Staging environments
- Guest environments
- VPC/virtual network (VNET)
- Availability zone
- NAC lists
- Policies/security groups
- Regions
- Access control lists (ACLs)
- Peer-to-peer
- Air gap

Deperimeterization/zero trust
- Cloud
- Remote work
- Mobile
- Outsourcing and contracting
- Wireless/radio frequency (RF) networks

Merging of networks from various organizations
- Peering
- Cloud to on premises
- Data sensitivity levels
- Mergers and acquisitions
- Cross-domain
- Federation
- Directory services

Software-defined networking (SDN)
- Open SDN
- Hybrid SDN
- SDN overlay

1. Load Balancer: A load balancer is a critical component in network architecture that helps distribute network traffic evenly
across multiple servers. It ensures optimal performance and reliability of the network by directing traffic away from
overloaded servers and preventing server failures.

2. Intrusion Detection and Prevention Systems (IDS/IPS): IDS and IPS are security measures that monitor network traffic
for suspicious activities or potential threats. IDS detects and alerts on suspicious activities, while IPS takes automated
actions to prevent intrusions when threats are detected.

3. Web Application Firewall (WAF): A WAF is a security device or application that filters, monitors, and blocks HTTP traffic to
protect web applications from various online threats, including SQL injection, cross-site scripting, and more.

4. Firewall/Unified Threat Management (UTM)/Next-Generation Firewall (NGFW): Firewalls, UTM, and NGFW are essential
security components that control and manage incoming and outgoing network traffic based on predefined security rules.
They act as a barrier between a trusted internal network and untrusted external networks.

5. Virtual Private Network (VPN): A VPN establishes a secure and encrypted connection over a public network (usually the
internet), allowing remote users or offices to securely access a private network. It enhances security and privacy.

6. Domain Name System Security Extensions (DNSSEC): DNSSEC is a set of security extensions to the Domain Name
System (DNS) protocol, providing authentication and integrity verification for DNS responses, thus preventing DNS spoofing.

7. Network Address Translation (NAT) Gateway: A NAT gateway modifies the network address information within packet headers,
allowing devices with private IP addresses to communicate with devices on public networks. It is crucial for conserving IP
addresses.

8. Internet Gateway: An internet gateway connects a local network to the internet, serving as a point of entry and exit for
network traffic between the local network and the wider internet.

9. Reverse Proxy: A reverse proxy server sits in front of web servers and handles requests from clients. It enhances security
by acting as an intermediary between users and web servers.

10. Distributed Denial-of-Service (DDoS) Protection: DDoS protection mechanisms safeguard against distributed denial-of-
service attacks by identifying and mitigating abnormal traffic patterns to ensure network availability.

11. Routers: Routers are fundamental network devices that direct data packets between different computer networks, facilitating
efficient data transmission.

12. Mail Security: Mail security measures protect email communication from spam, malware, phishing attempts, and other
email-based threats.

13. Application Programming Interface (API) Gateway: An API gateway manages and controls traffic to and from APIs,
ensuring security, scalability, and efficient use of resources.

14. Traffic Mirroring: Traffic mirroring involves duplicating network traffic for monitoring or analysis purposes. Techniques like
SPAN ports, port mirroring, and network taps achieve this.

15. Sensors: Sensors are monitoring devices that gather data from the network to detect and respond to security incidents,
including SIEM, FIM, SNMP traps, NetFlow, antivirus, and more.

16. Data Loss Prevention (DLP): DLP systems prevent unauthorized access, sharing, or leakage of sensitive data, ensuring
compliance and data security.

17. Segmentation: Segmentation involves dividing a network into smaller segments to enhance security and control traffic flow,
limiting the potential impact of security breaches.

18. Microsegmentation: Microsegmentation takes segmentation further by dividing network segments into smaller, more
precise sections, allowing for granular control and security.

19. Local Area Network (LAN)/Virtual Local Area Network (VLAN): LANs and VLANs organize devices within a network to
enhance performance, management, and security by logically grouping devices.

20. Jump Box: A jump box is a secure intermediary computer used to access and manage devices within a secure network,
adding an extra layer of security.

21. Cloud, Remote Work, Mobile: These aspects address network security and architecture concerns related to cloud
environments, remote work setups, and mobile devices, which are essential in today's distributed work environments.

22. Software-Defined Networking (SDN): SDN separates the control plane from the data plane, allowing centralized network
management, increased flexibility, and efficient resource use.

23. Deperimeterization/Zero Trust: Deperimeterization and Zero Trust are security models that emphasize no trust by default,
treating both internal and external networks as untrusted to enhance security.

24. Peering, Cloud to On-Premises, Data Sensitivity Levels, Mergers and Acquisitions: These aspects address various
networking considerations related to interconnectivity, data handling, and security in different scenarios, such as
collaborations, data migration, and organizational changes.

25. Directory Services: Directory services manage and organize network resources, users, and devices, enabling secure and
efficient access control and authentication.

26. Wireless/Radio Frequency (RF) Networks: This area covers managing wireless networks and addressing RF-related
challenges and security measures to ensure reliable wireless communication.

27. Cross-Domain, Federation: These aspects address network architecture considerations when integrating or federating
different domains or organizations, ensuring seamless and secure communication.

28. Hybrid SDN, SDN Overlay: These variations of SDN technology are used to manage and optimize network
architectures, providing flexibility and scalability to network infrastructures.
