Information technology (IT) and enterprise networks have become the core of many organizations. Critical business functions often depend on a fully functioning IT infrastructure: no network means no ability to generate revenue. To this end, an organization's growth and evolution should be reflected in the growth and evolution of its network. Organizational changes can include new or expanded missions, new factors such as mobile workers, and growth or downsizing in response to purely external factors. Infrastructure changes that stem from these factors can include additional network components (of a type already present), new types of components, and additional subnets or Internet connections.
Secure infrastructure design can be a tricky proposition, but a methodical approach to planning will pay dividends in implementation. The first step is a thorough evaluation of the organization's current and potential business needs and assets, grouped by mission, capability, and requirements. The network design should support compartmentalization of information, and should allow room for expansion as the organization grows. Mission and security requirements can change rapidly and should be re-evaluated on a regular basis; once a month would not be too often. Personnel should keep abreast of industry developments: new technologies may be helpful in solving old problems. Finally, the two principles of risk management are a good yardstick for evaluating proposed changes to a mission-critical infrastructure.
Example of a typical Network Design for Security:
Here is a hypothetical large corporation. The mission is complex, and so is the layout of the network. Dual Internet connections provide redundancy for business continuity. Each connection has its own screening router and firewall, and the external web server is on its own appropriately filtered router interface. Behind the firewalls are the premise routers, where each workgroup is connected using its own—again, appropriately filtered—interface. This means, for example, that the chemistry group's access to the IT group's segment can be controlled in a broad fashion. Note the additional firewall between the two premise routers. This firewall controls the type of access that the upper workgroups may have to the lower workgroups' resources, and vice versa. Using a compartmented approach to the application of technology, this organization can control access to its many assets.