Next Generation Network Design

September 16, 2014

In my previous blog post, I discussed the basic level of network segmentation. Segmentation creates separate compartments between different areas of the business, but compartments alone do not make the ship unsinkable, as the Titanic showed. Diving deeper into network segmentation, past virtual local area network (VLAN) segmentation, simply having compartments between different parts of the network is not enough. There has to be a seal that only allows authorized traffic between the compartments.

In the basic segmentation example there was a router routing traffic between segments. A router can apply access control lists and filters that allow or block traffic between segments, but these are not enough in today’s environment because basic port filtering allows too much. Even stateful inspection is not enough today, because it still allows unauthorized and malicious traffic to traverse known and allowed protocols like Hypertext Transfer Protocol (HTTP). In today’s environment, where most applications no longer use dedicated ports and instead use HTTP as their transport, something more is required.

Many of the firewalls currently on the market support identification of apps running over different protocols. Collectively these firewalls are called next generation firewalls (NGFWs). One example is how one of these NGFWs identifies Facebook traffic over HTTP. This isn’t just basic Facebook traffic, but games, chat and file sharing that Facebook offers to its users. Perhaps more important are the applications that are trying to be evasive and avoid detection, bypassing organizational policies, attempting to hide command and control traffic, or in the worst case, leaking information like credit card numbers to the outside.
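To make the difference between port filtering and application identification concrete, here is an added example that is not part of the original post and is not any vendor's NGFW code. It evaluates the same constructed flows between a "users" segment and a "dmz" segment twice: once against a Layer 4 access list keyed on protocol and port, and once against a hypothetical application-aware policy that first classifies the flow by parsing the HTTP request and matching the Host header against a small, made-up signature table. Segment names, hostnames, signatures and request bytes are all constructed for the example; a real NGFW classifies with far richer signatures (protocol decoders, TLS server name, heuristics), but the contrast in verdicts is the point.

```python
"""Port-based ACL versus application-aware policy between two segments.

Added example, not from the original post or any firewall product. All
segments, hostnames, signatures and request bytes are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_segment: str
    dst_segment: str
    proto: str
    dst_port: int
    payload: bytes  # first bytes of the client request (constructed)


# --- Layer 4 view: what a traditional router ACL sees ----------------------
# Constructed rules: (src segment, dst segment, proto, dst port) is allowed.
PORT_ACL = {
    ("users", "dmz", "tcp", 80),
    ("users", "dmz", "tcp", 443),
}


def port_acl_permits(flow: Flow) -> bool:
    """Stateful/port filtering: anything on an allowed port gets through."""
    return (flow.src_segment, flow.dst_segment, flow.proto, flow.dst_port) in PORT_ACL


# --- Layer 7 view: identify the application carried over HTTP --------------
def parse_http_request(payload: bytes):
    """Return (method, path, headers) for an HTTP/1.x request, else None."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


# Hypothetical signature table: host suffix -> application name.
APP_SIGNATURES = {
    "intranet.example.internal": "intranet-web",
    "facebook.com": "facebook-base",
    "apps.facebook.com": "facebook-apps",  # games/chat distinguished from base
}


def identify_app(flow: Flow) -> str:
    """Classify a flow by application; the longest matching host suffix wins."""
    req = parse_http_request(flow.payload)
    if req is None:
        return "non-http"  # something else is riding the allowed port
    _, _, headers = req
    host = headers.get("host", "").split(":")[0].lower()
    best = None
    for sig_host, app in APP_SIGNATURES.items():
        if host == sig_host or host.endswith("." + sig_host):
            if best is None or len(sig_host) > len(best[0]):
                best = (sig_host, app)
    return best[1] if best else "unknown-http"


# Constructed application policy: per segment pair, the allowed applications.
APP_POLICY = {
    ("users", "dmz"): {"intranet-web"},
}


def app_policy_permits(flow: Flow) -> bool:
    """Port check still applies; the application check is layered on top."""
    if not port_acl_permits(flow):
        return False
    allowed = APP_POLICY.get((flow.src_segment, flow.dst_segment), set())
    return identify_app(flow) in allowed


def http_get(host: str, path: str = "/") -> bytes:
    """Build a minimal constructed HTTP/1.1 request."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: x\r\n\r\n".encode()


# Constructed sample flows: all but "ssh" use the router-permitted port 80.
SAMPLE_FLOWS = {
    "intranet": Flow("users", "dmz", "tcp", 80, http_get("intranet.example.internal", "/portal")),
    "facebook_games": Flow("users", "dmz", "tcp", 80, http_get("apps.facebook.com", "/game")),
    "opaque_on_80": Flow("users", "dmz", "tcp", 80, b"\x17\x03\x01\x00\x2a" + b"\x00" * 8),
    "ssh": Flow("users", "dmz", "tcp", 22, b"SSH-2.0-OpenSSH\r\n"),
}


def evaluate(flows):
    """Return {name: (identified app, port-ACL verdict, app-policy verdict)}."""
    return {name: (identify_app(f), port_acl_permits(f), app_policy_permits(f))
            for name, f in flows.items()}


if __name__ == "__main__":
    for name, (app, l4, l7) in evaluate(SAMPLE_FLOWS).items():
        print(f"{name:15} app={app:14} port-acl={'allow' if l4 else 'deny':5} "
              f"app-policy={'allow' if l7 else 'deny'}")
```

Running it shows the gap the post describes: the port ACL permits the Facebook game traffic and the opaque non-HTTP bytes on port 80 exactly as readily as the intranet traffic, while the application-aware policy permits only the intranet application and denies the rest, including anything on an allowed port that does not parse as the expected protocol.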

In the past, replacing a router with a firewall has not been feasible for most organizations because the cost of the firewall was far higher. NGFWs – with purpose-built hardware that scales from small offices to large datacenters – and the cloud make it possible to replace a router or Layer 3 (L3) switch with a firewall. In smaller or branch offices, it might actually cost less to use the same device for Internet traffic and internal segmentation. Network design is evolving to include the use of NGFWs to identify traffic between segments. This is the next generation of network design: security incorporated as a central element in the network, not as an afterthought.

When a next generation firewall is inserted on the internal network as the gateway between segments, the visibility it provides creates a “wow” factor. Suddenly, traffic is classified by application, risk, bandwidth consumption and, in most cases, user. For most organizations, increased visibility alone is enough of a return on investment, as it is now possible to determine the traffic paths in an easy, visual manner. However, there is more to be gained from the next generation firewall; the next step in this process is determining why traffic is traversing the network, which will be the topic of my next post.
