Security Is Pervasive
Overview
Security is truly pervasive in today’s networks. It is present in each place in the network, in each product architecture, and horizontally interlocked across an end-to-end enterprise. Today’s converged networks carry much business-critical information (voice, video, and data), making security a foundational design requirement, not an afterthought. A successful network design must facilitate the integration of security requirements by following the top-down approach: starting from business goals, to compliance with the organization’s security policy, to detailed design and integration of network technologies and components.
Security Policy
To secure any system or network, there must be predefined goals and specifications to ensure outcomes are measurable and meet the organization’s standards. This is what is commonly known as a security policy.
A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide. It should also specify the mechanisms through which these requirements can be met and audited for compliance.
A good understanding of the organization’s security policy and its standards is a crucial prerequisite before starting any network design or optimizing an existing design. For example, a network architect may suggest redesigning an existing 1G dark fiber to a virtual leased line (VLL) solution (L2VPN based). However, if the security policy dictates that any traffic traversing a network not owned by the organization must be encrypted, the designer must add IPsec or MACsec to the proposed solution to ensure compliance.
Security and Network Infrastructure Integration
The integration of network infrastructure and network security can be seen as a double-edged sword. On the one hand, security offers privacy, control, and stability. On the other hand, if both are designed in isolation (a siloed approach), the following issues arise when they are integrated:
- Complex integration
- Traffic drop
- Reduced performance
- Redesign or major design changes
- Design failure
For example, as shown in Figure 1, a network infrastructure designed for Internet edge access using EIGRP internally and eBGP externally may later require a pair of firewalls in routed mode to be introduced, along with remote-access VPN termination on those firewalls (Figure 2). If the firewalls support only static routing, this seemingly simple change requires a full review of the entire design, including IGP, BGP, inbound and outbound traffic flows, asymmetrical routing policies, and NAT configuration. Therefore, it is important to adopt a holistic approach to promote an optimal, integrated, and secure network design.
Security Domains and Zones
To simplify the overall security design in a more controlled manner, a structured modular approach should be used by splitting the network into multiple domains. This approach introduces chokepoints between domains to enforce structured control. Each domain is assigned a level of trust based on security requirements, and various mechanisms such as packet filtering with iACLs or specialized security appliances (firewalls, IPS) are positioned at each chokepoint.
Within each security domain, subdomains (zones) can be defined with their own specific security policies. For example, inside a data center, web servers can be placed in their own zone, database servers in another, and so on, as illustrated in Figure 3.
The core block is typically not placed in its own domain to offload additional processing from the network core, such as security policies. However, some design requirements may require the core to be treated as a separate security domain.
Security devices are placed at chokepoints, but the types and roles vary based on the domain or zone being protected. For example, a firewall at the network management zone boundary fulfills packet filtering and inspection requirements for OAM traffic, while at a public DMZ, multiple specialized security nodes such as a web application firewall, data loss prevention, and IPS may be deployed.
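The zone model above can be expressed as an explicit inter-zone policy evaluated at each chokepoint. The following Python is an added illustration, not code from the chapter or from any vendor: zone names, trust levels and rules are constructed for the example. It applies first-match evaluation with an implicit deny, and includes a small audit that flags any permit letting a less-trusted zone reach a more-trusted zone on every port, which is the kind of sanity check a designer would run before deploying the chokepoint filters.

```python
"""Zone-based chokepoint policy model (added illustration, not from the chapter).

Each security domain or zone carries an assumed trust level. Traffic that
crosses a chokepoint is matched against an explicit allow list in first-match
order; anything unmatched is dropped (implicit deny). Zone names, trust
levels and rules below are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed trust levels: a higher number means a more trusted zone.
ZONE_TRUST = {"internet": 0, "dmz-web": 30, "dc-app": 60, "dc-db": 80, "mgmt": 100}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]   # None means any destination port
    action: str            # "permit" or "deny"


# Constructed chokepoint rules: web tier is reachable from the Internet on 443,
# app tier only from the web tier, database tier only from the app tier, and
# SSH into the data center only from the management zone.
RULES: List[Rule] = [
    Rule("internet", "dmz-web", "tcp", 443, "permit"),
    Rule("dmz-web", "dc-app", "tcp", 8443, "permit"),
    Rule("dc-app", "dc-db", "tcp", 5432, "permit"),
    Rule("mgmt", "dc-app", "tcp", 22, "permit"),
    Rule("mgmt", "dc-db", "tcp", 22, "permit"),
]


def evaluate(src_zone: str, dst_zone: str, proto: str, dport: int,
             rules: List[Rule] = RULES) -> str:
    """First-match evaluation of a flow crossing a chokepoint; implicit deny."""
    if src_zone == dst_zone:
        return "permit"  # intra-zone traffic never crosses a chokepoint
    for r in rules:
        if (r.src_zone, r.dst_zone, r.proto) == (src_zone, dst_zone, proto) \
                and r.dport in (None, dport):
            return r.action
    return "deny"


def audit_rules(rules: List[Rule] = RULES) -> List[str]:
    """Flag any-port permits that let a lower-trust zone initiate into a higher-trust zone."""
    findings = []
    for r in rules:
        if (r.action == "permit" and r.dport is None
                and ZONE_TRUST[r.src_zone] < ZONE_TRUST[r.dst_zone]):
            findings.append(f"{r.src_zone}->{r.dst_zone}/{r.proto}: any-port permit into higher-trust zone")
    return findings


if __name__ == "__main__":
    for flow in [("internet", "dmz-web", "tcp", 443),
                 ("internet", "dc-db", "tcp", 5432),
                 ("dmz-web", "dc-db", "tcp", 5432)]:
        print(flow, "->", evaluate(*flow))
    print("audit findings:", audit_rules())
```

The web zone cannot reach the database zone directly because no rule exists for that pair; the traffic is dropped at the chokepoint rather than silently allowed, which is the behaviour the chokepoint design is meant to enforce.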
Zero Trust Architecture
Zero Trust Architecture (ZTA), or Zero Trust Networking, is a paradigm shift for security. It moves away from the perimeter firewall model and toward a perimeterless architecture focused on denying all access until explicitly allowed.
The pillars of Zero Trust Architecture are:
- The network is always assumed to be hostile.
- External and internal threats exist at all times and in all places.
- Every device, app, user, and network flow is authenticated and authorized.
- Automation systems are what allow a Zero Trust network to be built and operated.
- Policies must be dynamic and calculated from as many sources of data as possible.
- All activity is logged.
Zero Trust Architecture Concepts
All resources (users, devices, infrastructure, applications, services) are authenticated and all access is authorized by a real-time policy engine. Contextual data on these resources is collected and, based on the correlation of that data and the trust level, the associated risk is evaluated. Access can change dynamically based on this evaluation, as shown in Figure 4 and Figure 5.
The following factors together determine the authorization for access for a specific user and device:
- Static factors: Items that can be preemptively used to base access and authorization on. The most common are credentials, but can also include confidence level, device trust, network, physical location, biometrics, and device orientation.
- Dynamic factors: Sources of data analyzed at the time of access to change the level of access and authorization (the trust score). The most common is threat intelligence, but can also include geo velocity, GPS coordinates, and real-time data analytics.
- Entitled to access: Users have various roles and, based on those roles, are entitled to specific access. A financial user needs different access than a human resource user. This also applies to devices; printers have a different entitlement level than IoT devices.
- Trust score: A combination of static and dynamic factors used to continually provide identity assurance. The trust score is compared against the risk value of the asset being accessed to determine the level of access granted.
- Risk score: Resources such as assets, applications, and networks have risk score thresholds that must be exceeded for access to be permitted. The security plan categorization determines the asset level of risk.
- Authorization for access: For a resource to be authorized for access to another resource, the trust score and entitlement level are combined. A high trust score alone is not sufficient; the user or device must also have the correct entitlement.
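The decision logic described in these factors can be made concrete. The following Python is an added illustration, not code from the chapter or from any vendor product: static and dynamic factors combine into a trust score, each resource carries a risk-score threshold, and authorization requires both the threshold to be met and the requester to hold an entitlement. Factor names, weights, penalties, roles and thresholds are all assumed values chosen for the example.

```python
"""Zero Trust authorization decision modelled after the chapter's concepts.

Added illustration, not code from the chapter. Static factors and dynamic
factors combine into a trust score; each resource carries a risk-score
threshold that the trust score must reach; authorization additionally
requires the requester to hold an entitlement for the resource. Factor names,
weights, penalties, roles and thresholds are assumed values for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple
import logging

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("zt-policy-engine")

# Assumed weights: contribution of each static factor to the trust score (0-100).
STATIC_WEIGHTS: Dict[str, int] = {
    "credentials_valid": 30,
    "mfa_passed": 20,
    "device_trusted": 20,
    "on_corporate_network": 10,
}
# Assumed penalties: dynamic factors are evaluated at access time and lower trust.
DYNAMIC_PENALTIES: Dict[str, int] = {
    "threat_intel_hit": 50,    # requester seen in a threat-intelligence feed
    "impossible_travel": 40,   # geo-velocity anomaly between two logins
    "anomalous_behavior": 25,  # real-time analytics flag
}


@dataclass(frozen=True)
class Resource:
    name: str
    risk_threshold: int              # minimum trust score the asset's risk level demands
    entitled_roles: FrozenSet[str]   # roles entitled to this resource


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    roles: FrozenSet[str]
    static: Dict[str, bool]          # static factor -> observed value
    dynamic: Dict[str, bool]         # dynamic factor -> observed value


def trust_score(static: Dict[str, bool], dynamic: Dict[str, bool]) -> int:
    """Combine static and dynamic factors into a 0-100 trust score."""
    score = sum(w for f, w in STATIC_WEIGHTS.items() if static.get(f, False))
    score -= sum(p for f, p in DYNAMIC_PENALTIES.items() if dynamic.get(f, False))
    return max(0, min(100, score))


def authorize(req: AccessRequest, res: Resource) -> Tuple[bool, str]:
    """Policy decision: default deny; both trust and entitlement are required.

    Every decision is logged, matching the 'all activity is logged' pillar.
    """
    score = trust_score(req.static, req.dynamic)
    entitled = bool(req.roles & res.entitled_roles)
    if not entitled:
        decision, reason = False, "no entitlement for resource"
    elif score < res.risk_threshold:
        decision, reason = False, f"trust {score} below risk threshold {res.risk_threshold}"
    else:
        decision, reason = True, f"trust {score} meets risk threshold {res.risk_threshold}"
    log.info("subject=%s resource=%s trust=%d entitled=%s decision=%s reason=%s",
             req.subject, res.name, score, entitled,
             "permit" if decision else "deny", reason)
    return decision, reason


def demo() -> Dict[str, bool]:
    """Three constructed requests against a constructed payroll application."""
    payroll = Resource("payroll-app", risk_threshold=70, entitled_roles=frozenset({"hr"}))
    good_static = {"credentials_valid": True, "mfa_passed": True,
                   "device_trusted": True, "on_corporate_network": True}
    hr_clean = AccessRequest("alice", frozenset({"hr"}), good_static, {})
    hr_flagged = AccessRequest("alice", frozenset({"hr"}), good_static,
                               {"threat_intel_hit": True})
    finance_clean = AccessRequest("bob", frozenset({"finance"}), good_static, {})
    return {
        "hr_clean": authorize(hr_clean, payroll)[0],           # permit: trust 80, entitled
        "hr_flagged": authorize(hr_flagged, payroll)[0],       # deny: trust drops to 30
        "finance_clean": authorize(finance_clean, payroll)[0], # deny: high trust, no entitlement
    }


if __name__ == "__main__":
    print(demo())
```

The third request is the one worth noting: the finance user has the same high trust score as the HR user, yet is denied because authorization combines trust with entitlement rather than relying on either alone.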
Zero Trust Capabilities
The following capabilities within Zero Trust are important from a network design perspective. Vendor-specific solutions can provide multiple capabilities simultaneously.
- Inventory: Single point of truth for all resources (users, devices, workloads, and applications) across the entire enterprise. Also known as a policy information point (PIP).
- Policy engine: Location where policy is implemented, rules are matched, and associated access (authorization) is pushed to policy enforcement points. Also known as a policy administration point (PAP) and policy decision point (PDP).
- Trust engine: Dynamically evaluates overall trust by continuously analyzing the state of devices, users, workloads, and applications. Utilizes a trust score built from static and dynamic factors. Also known as a policy information point (PIP).
- Endpoint device: Any device an end user can leverage to access the enterprise network, including business-owned assets and personally owned devices (BYOD). In some implementations, also called a policy enforcement point (PEP).
- Infrastructure devices: Networking devices within the enterprise such as switches, routers, and firewalls. Also called policy enforcement points (PEPs).
- Policy enforcement points (PEPs): Locations where trust and policy are enforced.
- Feedback loop: Continuous information sharing to allow for dynamic changes to policy based on constant analysis of new information via AI/ML, Big Data, and data lakes.
Figure 6 shows the Zero Trust Architecture components and Figure 7 shows a theoretical Zero Trust Architecture example.
Zero Trust Migration Steps
An organization can migrate from its current security model to a Zero Trust Architecture model in three high-level steps:
- Establishing trust
  - Multiple factors of user identity
  - Device context and identity
  - Device posture and health
  - Location
  - Relevant attributes and context
  - Development, deployment
- Providing trust-based access
  - Networks
  - Applications
  - Resources
  - Users and things
- Continuous verification of trust
  - Original tenets used to establish trust are still true
  - Traffic is not threat traffic
  - Behavior for any risky, anomalous, or malicious actions
  - If compromised, then the trust is broken
Review Questions
1. Which of the following are examples of static factors in regard to a Zero Trust Architecture? (Choose all that apply.)
a. Credentials
b. Threat intelligence
c. Real-time data analytics
d. Network
e. GPS coordinates
f. Biometrics
a, d, and f. Static factors are items that we know and can preemptively base access and authorization on. The most common of these factors are credentials, but could also include the level of confidence, device trust, network, physical location, biometrics, and device orientation. Threat intelligence, real-time data analytics, and GPS coordinates are all dynamic factors, meaning sources of data that can be analyzed at the time of access to change what level of access and authorization is being provided.
2. Which of the following are examples of dynamic factors in regard to a Zero Trust Architecture? (Choose all that apply.)
a. Credentials
b. Threat intelligence
c. Real-time data analytics
d. Network
e. GPS coordinates
f. Biometrics
b, c, and e. Threat intelligence, real-time data analytics, and GPS coordinates are all dynamic factors, meaning sources of data that can be analyzed at the time of access to change what level of access and authorization is being provided. Static factors are items that we know and can preemptively base access and authorization on. The most common of these are credentials, but could also include the level of confidence, device trust, network, physical location, biometrics, and device orientation.
3. Which of the following make up the trust score in regard to a Zero Trust Architecture? (Choose two.)
a. Risk score
b. Static factors
c. Entitled to access
d. Dynamic factors
b and d. A trust score is created by a combination of static and dynamic factors, and is used to continually provide identity assurance. Risk score refers to the thresholds that resources have which must be exceeded for access to be permitted. Entitled to access means users have various roles and, based on those roles, are entitled to specific access, which is a separate concept from the trust score itself.
4. Which of the following make up the authorization for access in regard to a Zero Trust Architecture? (Choose two.)
a. Entitlement
b. Static factors
c. Dynamic factors
d. Trust score
a and d. For a resource such as a user or device to access another resource, the authorization for access is determined by combining the entitlement level and the trust score. Although static and dynamic factors contribute to the trust score, they do not directly comprise the authorization for access.
5. Which of the following is where policy is implemented, rules are matched, and associated access is pushed?
a. Trust engine
b. Endpoint device
c. Inventory
d. Policy engine
d. A policy engine is the location where policy is implemented, rules are matched, and associated access (authorization) is pushed to the policy enforcement points. This is also known as a policy administration point (PAP) and a policy decision point (PDP). A trust engine dynamically evaluates overall trust by continuously analyzing the state of devices, users, workloads, and applications. An endpoint device is any device an end user can leverage to access the enterprise network. Inventory is a single point of truth for all resources.
6. Which of the following evaluates overall trust by continuously analyzing the state of devices, users, workloads, and applications?
a. Trust engine
b. Endpoint device
c. Inventory
d. Policy engine
a. A trust engine dynamically evaluates overall trust by continuously analyzing the state of devices, users, workloads, and applications. It utilizes a trust score built from static and dynamic factors, and is also known as a policy information point (PIP). A policy engine is where policy is implemented and rules are matched. An endpoint device is any device an end user can leverage to access the enterprise network. Inventory is a single point of truth for all resources.
Security CIA Triad
Confidentiality, integrity, and availability, collectively known as the CIA triad, are considered the fundamentals of information security. These elements help construct secure systems that protect information and resources from unauthorized access, modification, inspection, or destruction. Network designers must be aware of these elements and how each impacts the network design.
| CIA Triad Element | Characteristic | Mechanisms to Achieve |
|---|---|---|
| Confidentiality | Protect against unauthorized access to information to maintain the desired level of secrecy of transmitted information across the internal network or public Internet. | Cryptography, encryption, user ID and password (two-factor authentication), or security tokens. Cryptography modifies data into a format that can be understood only by the authorized entity. |
| Integrity | Maintain accurate information end to end by ensuring that no alteration is performed by any unauthorized entity. | Cryptography, data checksum. Cryptography enables the receiving entity to verify whether there was any alteration to the original, such as hashing. |
| Availability | Ensure that access to services and systems is always available and information is accessible by authorized users when required. In modern networks, availability is also measured by quality; malicious traffic may increase latency, degrading VoIP quality even when the network is technically up. | Systems designed with high availability at different levels (network, storage, compute, application) and that protect against attacks such as DoS. |
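The integrity row of the table lists both a data checksum and cryptographic hashing as mechanisms; the difference between them matters for the "unauthorized entity" wording. The following Python is an added illustration, not code from the chapter: it compares an unkeyed CRC-32 checksum with a keyed HMAC-SHA256 tag on a constructed message. Both detect accidental corruption, but only the keyed hash lets the receiver verify that no unauthorized party altered the data, because recomputing the tag requires the shared key. The key and messages are constructed for the example.

```python
"""Integrity mechanisms from the CIA triad table, as an added illustration.

Not code from the chapter. Compares an unkeyed checksum (CRC-32) with a keyed
hash (HMAC-SHA256). Both catch accidental corruption; only the keyed hash
lets the receiver verify that no unauthorized entity altered the data, since
recomputing it requires the shared key. Key and messages are constructed.
"""
import hashlib
import hmac
import zlib


def checksum_tag(message: bytes) -> int:
    """Unkeyed integrity tag: CRC-32 of the message."""
    return zlib.crc32(message)


def checksum_verify(message: bytes, tag: int) -> bool:
    return zlib.crc32(message) == tag


def mac_tag(key: bytes, message: bytes) -> bytes:
    """Keyed integrity tag: HMAC-SHA256 over the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(mac_tag(key, message), tag)


def integrity_demo() -> dict:
    key = b"constructed-example-shared-key"   # constructed; in practice derived from a key exchange
    original = b"transfer 100 to account 42"  # constructed message as sent
    altered = b"transfer 900 to account 42"   # same message after an unauthorized change
    return {
        # Accidental corruption: both schemes notice the message no longer matches its tag.
        "checksum_detects_change": not checksum_verify(altered, checksum_tag(original)),
        "mac_detects_change": not mac_verify(key, altered, mac_tag(key, original)),
        # Unauthorized alteration: a party that changes the data can recompute an
        # unkeyed checksum, so the receiver cannot tell. A keyed tag cannot be
        # recomputed without the key, so a tag made with the wrong key is rejected.
        "checksum_accepts_recomputed": checksum_verify(altered, checksum_tag(altered)),
        "mac_rejects_without_key": not mac_verify(key, altered, mac_tag(b"not-the-key", altered)),
    }


if __name__ == "__main__":
    for name, outcome in integrity_demo().items():
        print(f"{name}: {outcome}")
```

In design terms, a plain checksum is an availability and reliability control against link errors; the integrity property the table describes needs a keyed or signed mechanism, which is what IPsec and MACsec provide on the wire.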
Review Questions
7. Which of the following are the correct elements of the CIA triad? (Choose three.)
a. Compliance, integrity, availability
b. Confidentiality, integrity, and availability
c. Confidentiality, information, and availability
d. Confidentiality, integrity, and assurance
b. The CIA triad includes confidentiality, integrity, and availability. Confidentiality protects against unauthorized access to information. Integrity maintains accurate information end to end by ensuring that no alteration is performed by any unauthorized entity. Availability ensures that access to services and systems is always available and information is accessible by authorized users when required. Compliance is a distractor answer.
8. Which of the following maintains accurate information end to end and is a key element of the CIA triad?
a. Compliance
b. Availability
c. Integrity
d. Confidentiality
c. Integrity maintains accurate information end to end by ensuring that no alteration is performed by any unauthorized entity. Compliance is a distractor answer. Availability ensures that access to services and systems is always available and information is accessible by authorized users when required. Confidentiality protects against unauthorized access to information to maintain the desired level of secrecy of the transmitted information.
Regulatory Compliance
A network designer should be able to take any compliance standard and design a solution that fits into each of the specific constraints the standard governs. This section provides a quick overview of the most common compliance standards: HIPAA and PCI DSS (U.S.) and GDPR (EU), as well as a brief discussion of data sovereignty.
HIPAA
The U.S. Health Information Portability and Accountability Act (HIPAA) was enacted in 1996 and is enforced by the Office of Civil Rights. HIPAA has three key rules:
- The Privacy Rule: Protects the privacy of individually identifiable health information, or protected health information (PHI).
- The Security Rule: Sets national standards for the security of electronic health information.
- The Patient Safety Rule: Protects identifiable information being used to analyze patient safety events and improve safety.
HIPAA applies when designing networks for hospitals, doctors’ offices, clinics, insurance agencies, and service providers that work closely with covered entities.
PCI DSS
Payment Card Industry Data Security Standard (PCI DSS) compliance is mandated by credit card companies to help ensure the security of credit card transactions. It is developed and managed by the PCI Security Standards Council. Within PCI DSS there are 12 requirements:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Protect all systems against malware and regularly update anti-virus software programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need to know.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel.
PCI DSS applies to all entities that store, process, and transmit cardholder data, including fast food restaurants, retail stores, online storefronts, and any business with a point of sale or online ordering system.
GDPR
The General Data Protection Regulation (GDPR) is a European Union regulation for data protection that sets guidelines for the collection and processing of personal information from individuals. It applies not only to firms based in the EU, but to any organization providing a product or service to residents of the EU. The regulation pertains to the full data life cycle, including gathering, storage, usage, and retention.
Types of privacy data GDPR protects include:
- Basic identity information such as name, address, and ID numbers
- Web data such as location, IP address, cookie data, and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Specific criteria for companies required to comply:
- A presence in an EU country
- No presence in the EU but processes personal data of EU residents
Data Sovereignty
Data sovereignty is the requirement that information is subject to the regulations of the location from where it was collected and processed. It requires that information collected and processed in a country must remain within the boundaries of that country and be safeguarded according to the laws of that country. This is most commonly seen when businesses send data to other countries where their servers or data centers physically reside, and when migrating to cloud providers.
Review Questions
9. Which of the following compliance standards would a retail clothing franchise that leverages point of sale systems for payment be required to follow?
a. HIPAA
b. PCI DSS
c. Policy Enforcement Points
d. Policy Engine
b. The Payment Card Industry Data Security Standard (PCI DSS) is a compliance standard focused on ensuring the security of credit card transactions. It specifies the technical and operational standards that businesses must follow to secure and protect credit card data provided by cardholders and transmitted through card processing transactions. HIPAA is focused on protecting health and patient information. Policy enforcement points are the locations where trust and policy are enforced. A policy engine is where policy is implemented and rules are matched.
10. Which of the following compliance standards would a hospital that stores and transmits patient records be required to follow?
a. HIPAA
b. PCI DSS
c. Policy Enforcement Points
d. Policy Engine
a. The Health Information Portability and Accountability Act (HIPAA) is a compliance standard focused on protecting health and patient information. PCI DSS is a compliance standard focused on ensuring the security of credit card transactions. Policy enforcement points are the locations where trust and policy are enforced. A policy engine is where policy is implemented, rules are matched, and associated access is pushed to the policy enforcement points.
Summary
Security is truly pervasive today. It is in each place in the network, in each product architecture, and horizontally interlocked across an end-to-end enterprise. From a network design perspective, security is one of those areas that has a number of constraints we have to comply with when making our design decisions. This can be as simple as determining whether we have to use encryption (IPsec or MACsec) over transport circuits or as complicated as developing and implementing a full Zero Trust Architecture in the enterprise network.
Zero Trust Architecture is a critical shift in how network security is both thought of and implemented in today’s networks. Trust score, entitlement level, and authorization of access are some of the key concepts that dictate what a user or device can access within a Zero Trust Architecture. Zero Trust builds on the CIA triad of confidentiality, integrity, and availability, which are considered the fundamentals of information security.
The final topic covered in this chapter was regulatory compliance standards. HIPAA, PCI DSS, and GDPR were covered as quick overviews to give a general idea of how a network designer should understand a given standard and apply that understanding when making design decisions. These are just three examples of a growing landscape of security standards that impact the overall design and architecture of modern enterprise networks.