Network Architecture: A Guide for Modern IT Professionals
Network architecture defines how an organization’s information resources communicate internally and externally. An organization’s actual network architecture, however, often evolves through a mix of top-down design and bottom-up decision-making. As a result, the architecture that emerges often hinders the IT and security teams that must operate it.
Our guide to network architecture will help you understand the issues companies face as they design networks to handle modern complexity. We will review common types of network architectures, the pressure placed on these architectures in today’s IT environment, and discuss the architecture decisions that matter in modern network design.
Network architectures set the overarching structure for the way data flows to, from, and between resources. In this context, a “resource” could be something like a file server, a customer relationship management system, or a user device. Designing a network architecture requires the consideration of various aspects, including:
- Logical networks - Logical networks are established by a set of policies that define which resources may connect with each other, how they connect, and any conditions for that access. Access to manufacturing systems, for instance, may be limited to managed devices on managed networks, while mail servers may be accessed by VPN-connected user devices.
- Physical networks - Distinct from the logical structure is the hardware that transports data within company boundaries and interfaces to the internet. This structure guides decisions such as when to segment local area networks and when wireless LANs are appropriate.
- Performance, reliability, and efficiency standards - These standards help IT professionals design cost-effective networks that support business objectives. Clear guidance on latency and bandwidth requirements, for example, lets them address chokepoints such as VPN gateways early in the network design process.
- Security and access control standards - Network architectures balance the accessibility users need with the need to secure proprietary and customer information. To help strike this balance, a network architecture could require that all access control investments support role-based access.
Historically, these aspects of network architecture were inextricably linked. That is less true today thanks to trends such as virtualization, software-as-a-service, and remote access.
- Virtualization - With the rise of virtualization, dedicated hardware appliances like routers and firewalls are no longer necessary. Physical networking equipment can now be replaced with software on virtual appliances and servers in the cloud that deliver the same functionality. A company’s physical network must address a virtualized network architecture’s unique requirements.
- Software-as-a-Service - Companies are turning away from monolithic applications and on-premises licensed client software to use subscription-based cloud services. This decision, however, impacts the degree of integration between a company’s users, private networks, and the internet.
- Remote access - Mobile computing has weakened the idea that employee productivity depends on being in the office. Yet expanding remote access requires changes to networks and security systems.
Organizations have many different types of networks to choose from. It can be useful to loosely group them as private or internet-based networks.
You have the most control over private networks such as your on-premises LANs and how you link networks at other facilities. For example, your network architecture could guide evaluations of the trade-offs among a telco’s managed WAN services, a vendor’s VPN technology, and emerging Secure Access Service Edge (SASE) solutions.
However, private networks have a cost. You generally have to manage them yourself. Over time, they become more expensive and difficult to manage. And without constant vigilance, your network could fall prey to cyberattacks.
Internet-based services are transforming the way business works. Cloud services can be more capable and performant than traditional software. Better yet, the vendor assumes responsibility for maintaining the underlying computing and networking systems.
Administrative overhead, however, may offset some of those savings. Unless cloud services integrate with your security stack, for instance, you will be managing parallel access control systems.
A new direction in network architecture design is undoing the legacy of trust. Typical corporate networks assume that certain users and devices directly connected to those networks are more trustworthy than others. This is why common technologies such as VPNs, which serve as entry points into those networks, have become vectors for cyberattacks. Traditional architectures mitigate these weaknesses through micro-segmentation, defense-in-depth, and other expensive measures.
Zero trust network access (ZTNA) is a more modern approach to network architecture. Rather than defending a trusted network, ZTNA protects each resource individually. No matter who the user is, what device they use, or their method of connection, every attempt to access any resource requires authentication and authorization.
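The contrast drawn above between network-based trust and ZTNA's per-resource authorization, together with the logical-network policy examples earlier in this guide (manufacturing systems limited to managed devices on managed networks, mail reachable from VPN-connected user devices), as an added Python example. This is illustrative code written for this page, not Twingate's software; the resource names, role names, network labels and the two sample requests are assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed model (not Twingate's code): an access request carries the identity,
# its roles, the device posture and the network the request arrives from.
@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    device_managed: bool
    network: str          # assumed labels: "office-lan", "vpn" or "internet"
    authenticated: bool   # outcome of the identity provider's check

@dataclass(frozen=True)
class ResourceRule:
    roles: frozenset                                   # any of these roles may connect
    require_managed_device: bool = False
    allowed_networks: frozenset = frozenset({"office-lan", "vpn", "internet"})

# Per-resource policies. Resource names are hypothetical; the conditions mirror the
# guide's examples (manufacturing: managed devices on the managed network only;
# mail: reachable from VPN-connected user devices as well as the office LAN).
POLICIES = {
    "manufacturing-plc": ResourceRule(
        roles=frozenset({"ops"}),
        require_managed_device=True,
        allowed_networks=frozenset({"office-lan"}),
    ),
    "mail": ResourceRule(
        roles=frozenset({"employee", "contractor"}),
        allowed_networks=frozenset({"office-lan", "vpn"}),
    ),
    "crm": ResourceRule(roles=frozenset({"sales"})),
}

def network_trust_decision(req: Request, resource: str) -> bool:
    """Legacy model: whatever reached the private network (LAN or VPN) is trusted,
    so the resource being requested is never consulted."""
    return req.network in {"office-lan", "vpn"}

def zero_trust_decision(req: Request, resource: str) -> tuple[bool, str]:
    """ZTNA model: every request is authenticated, then authorized against the
    policy of the specific resource; anything not explicitly allowed is denied."""
    if not req.authenticated:
        return False, "deny: not authenticated"
    rule = POLICIES.get(resource)
    if rule is None:
        return False, "deny: no policy for resource (default deny)"
    if not (req.roles & rule.roles):
        return False, "deny: role not permitted for resource"
    if rule.require_managed_device and not req.device_managed:
        return False, "deny: managed device required"
    if req.network not in rule.allowed_networks:
        return False, f"deny: connection from {req.network} not permitted"
    return True, "allow"

def compare(req: Request, resource: str) -> dict:
    """Run both models on one request so the difference is visible side by side."""
    allowed, reason = zero_trust_decision(req, resource)
    return {
        "network_trust": network_trust_decision(req, resource),
        "zero_trust": allowed,
        "reason": reason,
    }

# Constructed scenario: a contractor's unmanaged laptop connected through the VPN.
CONTRACTOR_ON_VPN = Request(
    user="alice.contractor", roles=frozenset({"contractor"}),
    device_managed=False, network="vpn", authenticated=True,
)
# Constructed scenario: an operations engineer on a managed workstation in the office.
OPS_IN_OFFICE = Request(
    user="bob.ops", roles=frozenset({"ops", "employee"}),
    device_managed=True, network="office-lan", authenticated=True,
)

if __name__ == "__main__":
    for who, req in (("contractor on VPN", CONTRACTOR_ON_VPN), ("ops in office", OPS_IN_OFFICE)):
        for resource in POLICIES:
            print(f"{who} -> {resource}: {compare(req, resource)}")
```

The point the example makes is the one the text makes: under the network-trust model the contractor's VPN session reaches the manufacturing controller simply because the VPN delivered it to the private network, whereas the per-resource check denies it on role and device posture before the connection exists. Adding a resource without a policy entry is also denied by default, which is the behaviour to verify first when testing any ZTNA deployment.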
Nobody will ever develop the perfect network architecture, and architectural needs change as organizations and technology evolve. Your organization’s context will determine your optimal network design. Some of the factors you must consider include:
- Business stage - Unlike startups, established businesses cannot take clean-sheet approaches. Network architectures must factor in legacy systems and business processes.
- User base - The number of users, the mix of employees and contractors, and the degree of remote working profoundly affect network architecture.
- Regulations - Defense contractors and banks have stringent requirements for data security. Less regulated industries must still consider GDPR and other data protection rules.
Increasingly, traditional network architectures are cracking under the strain imposed by trends such as work-from-home, bring-your-own-device, and cybercrime.
- Work-from-home - Pundits speculated that remote working would eventually become the norm. Then the pandemic made work-from-home an overnight reality. Networks designed for office working nearly broke when everyone went home. For too many companies, staying in business meant compromising performance and security.
- Bring-your-own-device (BYOD) - This was another slow-burning trend that exploded in 2020. Employees had to use their home computers and networks to get their jobs done (or just felt that it was more convenient). Most companies are still dealing with the performance, productivity, and security issues BYOD systems create.
- Cybercrime - The tools criminals use to penetrate networks are simultaneously more sophisticated and easier to use. Syndicates rent ransomware-as-a-service and malware-as-a-service. Advanced actors invest in zero-day vulnerabilities. At the same time, employees remain vulnerable to social engineering attacks.
These trends, combined with the complexity of modern networking technologies, are making it more difficult to manage networks and keep those networks secure.
Any evaluation of your network architecture must consider where the business is heading. The decisions you make will either hinder or accelerate that progress.
- Blended workforce - Will the number of employees expand or contract and what role will on-demand freelancers and contractors play?
- Hybrid workforce - Was work-from-home a temporary fix during a crisis or will it be the way a part of your business operates from now on?
- Cloud versus private - Can you replace on-premises systems with cloud solutions? Or does the control you have over private networks matter more?
- Managed devices and services - How far can you take BYOD policies? Can you entrust third-party cloud solutions with business-critical applications? Or do you need the control and security that comes with owning and managing things internally?
- Resource invisibility - Twingate draws a secure software-defined perimeter (SDP) around each resource to hide it from public networks. Unlike VPN or RDP, the Twingate connector does not use publicly visible inbound ports that cybercriminals could discover.
- Resource compatibility - Twingate can protect any resource located on-premises or in the cloud. As a result, you can apply consistent access control policies to office workers and remote workers, managed devices and user devices, automated processes and services, LAN connections and internet connections.
- Direct tunnels - Once authenticated and authorized, an encrypted tunnel connects the user’s device and the resource. This connection is not impaired by the backhaul and latency bottlenecks inherent in legacy VPN systems. At the same time, split-tunneling routes non-work traffic to the internet to reduce the burden on your networks.
- Software implementation - Deploying Twingate does not require additional hardware investments, works on top of your existing network infrastructure, and integrates with your existing security stack.
Over the past decade, the IT ecosystem’s diversity has exploded. Business resources exist along a spectrum of legacy, on-premises systems, and innovative cloud services. Connections come from myriad managed and user-provided devices. Users may be employees or on-demand workers who access resources from just about anywhere.
Despite this diversity, your network architecture does not need to be complex, expensive, or difficult to manage. The old ways of managing communications between resources relied too much on physical networks and assumptions of trust.
Twingate’s combination of SDP and ZTNA is a modern approach to securing information resources. We help you migrate from legacy access control solutions to Twingate’s simpler, more performant solution and make it easier to apply role-based access control policies to improve resource security.
Contact us to learn more about how easy and cost effective implementing a modern zero trust solution can be.