5.1 Network Architecture, OSI/TCP/IP, and Secure Design

Key Takeaways

  • Network architecture is a business risk decision because availability, confidentiality, and operational recovery depend on how traffic is placed, routed, filtered, and monitored.
  • OSI and TCP/IP models are decision aids for fault isolation and control placement, not just memorization charts.
  • Secure design uses defense in depth across physical, data link, network, transport, session, application, identity, monitoring, and governance layers.
  • Resilient architectures reduce single points of failure with redundant paths, controlled routing, capacity headroom, and tested failover procedures.
  • A CISSP-level answer explains why a network control fits the asset value, threat model, compliance obligation, and business tolerance for interruption.

Last updated: May 2026

Architecture before devices

A secure network is not a shopping list of routers, firewalls, and switches. It is a design that moves business traffic in predictable ways, protects valuable data, keeps critical services available, and gives operations enough visibility to detect failure or attack. CISSP judgment starts with business context: which services generate revenue, which data creates regulatory exposure, which partners need access, and how long the organization can tolerate degraded communications.

The OSI and TCP/IP models help translate that context into control placement. Physical controls protect rooms, racks, circuits, and cabling. Data link controls govern switching, VLAN tagging, media access, and local broadcast behavior. Network controls address IP routing, packet filtering, path selection, and address management. Transport controls handle ports, sessions, reliability, and encryption endpoints. Application controls deal with protocol behavior, input validation, authentication handoffs, and business logic.

A layered model also helps during incidents. If users cannot reach a payment system, the problem could be DNS, route convergence, firewall policy, TLS negotiation, certificate expiration, application load, or identity provider failure. A disciplined team works layer by layer and avoids changing several controls at once. That discipline protects availability because troubleshooting itself can become a business risk.

Layer view   | Typical controls                                | Risk question
-------------|-------------------------------------------------|--------------------------------------------------------------------------
Physical     | Locks, cages, redundant power, diverse circuits | Can a facility or carrier issue disconnect the business?
Data link    | VLANs, port security, 802.1X, switch hardening  | Can a local device join or observe traffic it should not see?
Network      | Routing, ACLs, firewalls, anti-spoofing         | Can traffic reach only approved destinations by approved paths?
Transport    | TLS, port policy, session handling              | Are services exposed only on necessary ports with protected sessions?
Application  | WAF, API gateway, protocol validation           | Does the application enforce business rules after the packet is allowed?

Secure topology choices

Common topology patterns include flat networks, tiered networks, hub-and-spoke, mesh, spine-leaf, and hybrid cloud connectivity. Flat networks are simple but dangerous for high-value environments because one compromised endpoint can often scan or reach many systems. Tiered designs separate user, application, data, management, and security services so a failure or compromise has a smaller blast radius. Hub-and-spoke designs centralize inspection, shared services, and egress controls while allowing business units to operate separate environments.

Redundancy must be intentional. Dual links do not create resilience if both links share the same conduit, provider, power source, or routing failure domain. High availability pairs do not protect the business if change procedures update both devices with the same bad policy at the same time. Defense in depth therefore includes technical diversity, operational controls, and rollback plans. A mature design asks how a failure will be detected, who can make the failover decision, and whether the failover path has enough capacity.
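The shared-failure-domain check described above, written out as an added example (not code from the original page). It assumes a constructed inventory of two circuits with hypothetical attribute names (carrier, conduit, power, routing_domain, capacity_mbps) and tests both whether a single event can drop every path and whether the surviving capacity still covers peak load:

```python
# Constructed sample inventory (hypothetical values): two circuits from different
# carriers that nonetheless share one conduit and one power feed.
LINKS = [
    {"name": "circuit-A", "carrier": "Carrier1", "conduit": "east-riser",
     "power": "PDU-1", "routing_domain": "edge-asn-a", "capacity_mbps": 1000},
    {"name": "circuit-B", "carrier": "Carrier2", "conduit": "east-riser",
     "power": "PDU-1", "routing_domain": "edge-asn-b", "capacity_mbps": 1000},
]

# Attributes that represent a failure domain; a value common to every link means
# one event (cut conduit, PDU fault, carrier outage, routing bug) drops all of them.
FAILURE_DOMAINS = ("carrier", "conduit", "power", "routing_domain")


def shared_failure_domains(links):
    """Return {domain: value} for every domain where all links share one value."""
    shared = {}
    for domain in FAILURE_DOMAINS:
        values = {link[domain] for link in links}
        if len(values) == 1:
            shared[domain] = values.pop()
    return shared


def survives_single_link_loss(links, peak_load_mbps):
    """Capacity headroom: after losing any one link, can the rest carry peak load?"""
    total = sum(link["capacity_mbps"] for link in links)
    return all(total - link["capacity_mbps"] >= peak_load_mbps for link in links)


def assess(links, peak_load_mbps):
    """Collect human-readable findings for a resilience review."""
    findings = [f"shared {d}: {v}" for d, v in shared_failure_domains(links).items()]
    if not survives_single_link_loss(links, peak_load_mbps):
        findings.append(
            f"insufficient headroom for peak load {peak_load_mbps} Mbps after one link fails"
        )
    return findings


if __name__ == "__main__":
    for finding in assess(LINKS, 1200):
        print(finding)
```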

Addressing and routing are governance topics as much as engineering topics. Overlapping private address ranges complicate mergers, cloud migrations, partner connections, and incident containment. Poor route summarization can make networks fragile and difficult to audit. Weak egress routing allows systems to reach unsanctioned services and weakens data loss prevention. A security leader should insist on an address management process, documented route ownership, and review of routes that bypass inspection.
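An address management review of the kind described above, as an added example (not code from the original page). It uses the standard library ipaddress module on a constructed, hypothetical address plan to surface overlapping ranges, ranges used as private space that fall outside RFC 1918, and subnets a summary route does not actually cover:

```python
import ipaddress
from itertools import combinations

# Constructed sample address plan (hypothetical values): the acquired site reuses
# space that overlaps the data center, and the partner range is outside RFC 1918.
ADDRESS_PLAN = {
    "hq-users": "10.10.0.0/16",
    "dc-production": "10.20.0.0/16",
    "acquired-site": "10.20.128.0/20",
    "cloud-vpc": "172.16.0.0/12",
    "partner-vpn": "198.51.100.0/24",
}

# Constructed: subnets advertised by the data center versus its documented summary route.
DC_SUMMARY = "10.20.0.0/16"
DC_SUBNETS = ["10.20.1.0/24", "10.20.2.0/24", "10.21.5.0/24"]

RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_plan(plan):
    """Parse strictly so a typo such as 10.20.0.1/16 is rejected rather than silently masked."""
    return {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in plan.items()}


def find_overlaps(plan):
    """Name pairs whose ranges overlap; these break mergers, partner links and containment."""
    nets = parse_plan(plan)
    return sorted(
        tuple(sorted((a, b)))
        for (a, na), (b, nb) in combinations(nets.items(), 2)
        if na.overlaps(nb)
    )


def find_non_rfc1918(plan):
    """Ranges treated as internal space that are not inside any RFC 1918 block."""
    return sorted(
        name for name, net in parse_plan(plan).items()
        if not any(net.subnet_of(r) for r in RFC1918)
    )


def subnets_outside_summary(summary, subnets):
    """Subnets the summary route does not cover, so each needs its own fragile route."""
    agg = ipaddress.ip_network(summary)
    return [s for s in subnets if not ipaddress.ip_network(s).subnet_of(agg)]
```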

Secure design checklist:

  • Define business services, owners, data classifications, and recovery targets before drawing the network.
  • Identify trust boundaries such as internet edge, user access, partner access, cloud account, production, and management plane.
  • Place preventive controls close to the boundary they enforce and detective controls where they can observe meaningful traffic.
  • Remove unnecessary any-to-any paths and document approved exceptions with expiration dates.
  • Validate that monitoring, logging, time synchronization, backup access, and emergency administration still work during failover.
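The any-to-any review in the checklist, carried out as an added example (not code from the original page). It assumes a constructed, hypothetical firewall policy export in which each allow rule may carry exception metadata (ticket and expiry date) and flags wildcard permits that are either undocumented or whose approved exception has lapsed:

```python
from datetime import date

# Constructed rule export (hypothetical values). "any" marks a wildcard field.
RULES = [
    {"id": 10, "src": "any", "dst": "any", "port": "any", "action": "allow",
     "exception": None},
    {"id": 20, "src": "10.10.0.0/16", "dst": "10.20.5.10", "port": "443",
     "action": "allow", "exception": None},
    {"id": 30, "src": "10.30.0.0/24", "dst": "any", "port": "any", "action": "allow",
     "exception": {"ticket": "CHG-0001", "expires": "2026-01-31"}},
    {"id": 40, "src": "any", "dst": "10.20.5.20", "port": "22", "action": "allow",
     "exception": {"ticket": "CHG-0002", "expires": "2026-12-31"}},
]

WILDCARD_FIELDS = ("src", "dst", "port")


def is_any_to_any(rule):
    """A permit whose source, destination and port are all wildcards: the path to remove."""
    return rule["action"] == "allow" and all(rule[f] == "any" for f in WILDCARD_FIELDS)


def audit_rules(rules, today):
    """Return (rule id, finding) for wildcard permits that lack a valid, unexpired exception."""
    findings = []
    for rule in rules:
        wildcards = [f for f in WILDCARD_FIELDS if rule[f] == "any"]
        if rule["action"] != "allow" or not wildcards:
            continue
        exc = rule["exception"]
        if exc is None:
            findings.append((rule["id"], "undocumented wildcard on " + ",".join(wildcards)))
        elif date.fromisoformat(exc["expires"]) < today:
            findings.append((rule["id"], f"exception {exc['ticket']} expired {exc['expires']}"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in audit_rules(RULES, date.today()):
        print(rule_id, finding)
```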

The CISSP mindset is not to maximize restriction blindly. A hospital, manufacturer, bank, or software platform may need different latency, uptime, privacy, and inspection tradeoffs. The right architecture is the one that reduces material risk while supporting the mission. Network design succeeds when business leaders understand the remaining risk and operations teams can run the design consistently.

Architecture decision checkpoint

Before approving a topology, ask whether the design supports the most important business processes during both normal operations and failure. A design that depends on a single inspection point, one identity provider path, one DNS service, or one undocumented route can look secure in a diagram while creating unacceptable outage risk. The security leader should require evidence that critical traffic paths are known, least privilege is enforced where it matters most, and operational teams can recover without bypassing controls.

Test Your Knowledge

A security architect is reviewing a flat internal network that hosts user workstations, application servers, and database servers on the same broad subnet. Which concern best reflects CISSP-level risk reasoning?

Why are the OSI and TCP/IP models useful to a security leader beyond memorizing protocol names?

An organization buys two internet circuits from different carriers, but both enter the building through the same conduit. What risk remains?
