• Did you know that 79% of organizations have not documented their network architecture in a diagram?
• Did you know that only 7% of organizations practise deleting expired firewall rules?
• Are you aware that very few organizations incorporate security into the network from the design stage?
• Did you know that 45% of organizations do not segregate the network based on the criticality of the data?
• Did you know that 76% of enterprises aren't aware of how many third parties connect to their network, or how and when?
• Did you know that only 15% of organizations test for business resilience?

Network Architecture Review

Advisors at Defenseroot Consulting assess an organization’s overall network design from a security perspective, including DMZ placement, network segmentation, external presence and hardening techniques. Our design reviews follow a Zero Trust approach and can also be measured against the requirements of an internal business policy on network design. Existing network diagrams and documentation are reviewed, and network engineers, administrators and network architects are interviewed to confirm that the documentation matches what is actually deployed.

In this type of assessment we review your network security posture, including but not limited to the following:

We check that the network design complies with the relevant and applicable standards and regulations (e.g. RBI guidelines, PCI DSS, data privacy requirements), and that it uses a consistent naming standard for the various components in the network.

We check that firewall rules are built on a default-deny stance, and that traffic is filtered by both IP address and port rather than by port alone. We also review the routing table and verify that the path actually taken is the intended, optimal one, including routes learned through dynamic routing.

We review whether the network is divided into sub-networks based on criticality, and whether traffic between those sub-networks is controlled by a network filtering device (e.g. a firewall, or a core switch with an FWSM). We check that the wired and wireless networks are segregated by a firewall, and that public-facing systems are placed in separate DMZs according to the criticality and function of each system.
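The firewall and segmentation checks above can be partly automated once the rule base has been exported. The script below is an added example, not Defenseroot's own tooling: the rule syntax ("action source destination port"), the segment map with its criticality ratings, and both sample rule sets are constructed for illustration. It flags a rule base that does not end in an explicit deny, allow rules that filter by address only (all ports open), any-to-any permits, and flows from a less critical segment into a more critical one that is not meant to be public-facing.

```python
"""Audit a firewall rule list for default-deny stance, port filtering and
cross-segment exposure. Added example: the rule syntax, the segment map and
the sample rule sets are constructed for illustration, not taken from any
vendor or from Defenseroot's own tooling."""
import ipaddress
from dataclasses import dataclass

# Hypothetical segment map: network -> (name, criticality 1-3, public-facing)
SEGMENTS = {
    ipaddress.ip_network("10.10.0.0/16"): ("guest-wifi", 1, False),
    ipaddress.ip_network("10.20.0.0/16"): ("user-lan", 2, False),
    ipaddress.ip_network("10.30.0.0/24"): ("dmz", 2, True),
    ipaddress.ip_network("10.40.0.0/24"): ("card-data", 3, False),
}


@dataclass
class Rule:
    action: str  # "allow" or "deny"
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"
    port: str    # destination port number or "any"


def parse_rules(text):
    """Parse lines of the form 'action src dst port'; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, dst, port = line.split()
        rules.append(Rule(action.lower(), src, dst, port))
    return rules


def segment_of(cidr):
    """Map a rule address to (name, criticality, public); 'any' is external."""
    if cidr == "any":
        return ("any", 0, False)
    net = ipaddress.ip_network(cidr, strict=False)
    for seg, info in SEGMENTS.items():
        if net.subnet_of(seg):
            return info
    return ("unknown", 0, False)


def is_default_deny(rule):
    return (rule.action == "deny" and rule.src == "any"
            and rule.dst == "any" and rule.port == "any")


def audit(rules):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    if not rules or not is_default_deny(rules[-1]):
        findings.append("ruleset does not end with an explicit deny any any any")
    for i, r in enumerate(rules, 1):
        if r.action != "allow":
            continue
        if r.src == "any" and r.dst == "any":
            findings.append(f"rule {i}: allows any -> any (port {r.port})")
        elif r.port == "any":
            findings.append(f"rule {i}: filters by address only, all ports open "
                            f"{r.src} -> {r.dst}")
        sname, scrit, _ = segment_of(r.src)
        dname, dcrit, dpublic = segment_of(r.dst)
        # A flow from a less critical segment into a more critical one needs
        # justification, unless the destination is meant to be public-facing.
        if scrit < dcrit and not dpublic:
            findings.append(f"rule {i}: {sname} -> {dname} reaches into a more "
                            f"critical segment (port {r.port})")
    return findings


# Constructed sample rule sets (not from any real environment)
WEAK_RULES = """
allow any            10.30.0.5/32   443   # internet -> DMZ web server
allow 10.10.0.0/16   10.40.0.0/24   any   # guest wifi -> card-data, all ports
allow 10.30.0.5/32   10.40.0.10/32  5432  # DMZ web -> card-data DB
allow any            any            any   # catch-all permit, no final deny
"""

HARDENED_RULES = """
allow any            10.30.0.5/32   443   # internet -> DMZ web server
allow 10.20.0.0/16   10.30.0.5/32   443   # user LAN -> DMZ web server
deny  any            any            any   # explicit default deny
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"== {name} ==")
        for f in audit(parse_rules(text)) or ["no findings"]:
            print(" ", f)
```

Running it reports five findings for the weak rule set (no closing deny, the any-to-any permit, the all-ports guest-to-card-data rule, and two flows reaching into the card-data segment) and none for the hardened one. The DMZ-to-database rule is reported on purpose: such flows are often legitimate, but each one should be justified and documented rather than assumed.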

We check that all entry and exit points are protected by appropriate filtering (firewalls, UTM appliances or screening routers) and that every entry and exit point is clearly identified in the network design. We also verify the security requirements for each entry and exit point, such as encryption, VPN and access control filtering.

We check that IDS/IPS sensors are placed where they can detect penetration attempts (e.g. before or after the firewalls, or at all entry and exit points of the network). A sensor outside the firewall sees every attempt, while one inside shows what the firewall actually let through, so the two placements answer different questions. We discuss with the network administrators and architects whether critical and sensitive systems are covered by IDS/IPS.

The network diagram is used to identify all third-party connections. We verify that each connection is restricted, through firewall configuration, to only the parts of the network it needs, and that an appropriate level of encryption (e.g. a VPN) is in place.

We review whether centralised authentication (TACACS+ or RADIUS) is in place for network and security devices. We also review whether external connections are removed promptly once they are no longer required.

We check that an NTP server is available and that all devices synchronise their clocks to it, so that log timestamps can be correlated across devices.

We check that events from all devices are logged and forwarded to a central syslog server, and that log reviews are actually carried out. We also check whether log correlation tooling (e.g. a SIEM) is available and used effectively.

We check that the fall-back measures specified in the design exist and have been tested to confirm they work correctly, and that there is a programme of testing to keep them working. Such testing should simulate live operational conditions as far as possible (e.g. similar volumes of traffic). We also confirm that all critical network devices can be reached via more than one path.

We ask for an explanation of how remote users are authenticated and check that all remote connections are logged. We confirm not only that remote access logs are reviewed, but also that user access reviews are carried out regularly.

We check whether the network address ranges are contiguous and support a hierarchical approach to the network, and whether the private address ranges in use make it easy to diagnose network problems.
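The addressing check above is mechanical enough to script. The following is an added example, not Defenseroot's own tooling, using Python's standard ipaddress module: it takes a hypothetical address plan (site summary block to list of subnets), reports site blocks that overlap, subnets that fall outside their site block and subnets that overlap each other, and shows whether a set of site blocks collapses into a single aggregate route, which is what a hierarchical plan makes possible.

```python
"""Check that an IP address plan is hierarchical: site blocks do not overlap,
every subnet sits inside its site block, and site blocks summarize into a
single aggregate route. Added example with a constructed address plan; not
Defenseroot's own tooling."""
import ipaddress


def check_address_plan(plan):
    """plan: {site_block_cidr: [subnet_cidr, ...]}; returns a list of findings."""
    findings = []
    sites = {ipaddress.ip_network(block): [ipaddress.ip_network(s) for s in subs]
             for block, subs in plan.items()}
    blocks = list(sites)
    # Site blocks must be disjoint; otherwise a route for one site swallows another.
    for i, a in enumerate(blocks):
        for b in blocks[i + 1:]:
            if a.overlaps(b):
                findings.append(f"site blocks {a} and {b} overlap")
    for block, subs in sites.items():
        for s in subs:
            if not s.subnet_of(block):
                findings.append(f"{s} lies outside its site block {block}")
        for i, a in enumerate(subs):
            for b in subs[i + 1:]:
                if a.overlaps(b):
                    findings.append(f"{a} and {b} overlap within {block}")
    return findings


def summary_routes(cidrs):
    """Collapse blocks into the fewest covering prefixes. A single prefix means
    the whole set can be advertised or filtered as one aggregate."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


# Constructed sample plan with two deliberate mistakes
PLAN = {
    "10.0.0.0/16": ["10.0.1.0/24", "10.0.2.0/24"],
    "10.1.0.0/16": ["10.1.1.0/24", "10.2.5.0/24"],   # second subnet is outside the block
    "10.1.128.0/17": ["10.1.200.0/24"],              # overlaps the 10.1.0.0/16 site block
}

if __name__ == "__main__":
    for f in check_address_plan(PLAN) or ["no findings"]:
        print(f)
    # Four consecutive /16s on a /14 boundary summarize to one route...
    print(summary_routes(["10.0.0.0/16", "10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"]))
    # ...but 10.1/16 and 10.2/16 do not, because they straddle a /15 boundary.
    print(summary_routes(["10.1.0.0/16", "10.2.0.0/16"]))
```

The summarization check is the useful one when reviewing routing and firewall rule counts: a plan whose site blocks sit on power-of-two boundaries needs one route and one rule per site, while a plan allocated ad hoc needs several.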