Network Security Architecture: Defense in Depth, Segmentation, DMZ, NAC, SIEM และ Incident Response
Network Security Architecture designs several layers of protection to defend a network. Defense in Depth applies security controls at multiple levels; Segmentation divides the network into smaller parts so that a compromise cannot spread freely; a DMZ isolates public-facing servers; NAC controls what is allowed to join the network; SIEM collects and analyzes security events; and Incident Response prepares the organization to act when a breach happens.
A good security architecture must "assume breach": no matter how strong the defenses, an attacker will eventually get in. The real question is how much damage they can do once inside. Segmentation limits lateral movement, SIEM detects quickly, and Incident Response reacts quickly, shrinking the impact from "the whole network is compromised" to "one segment is compromised". The average breach cost is $4.45M (IBM 2023); proper architecture can reduce that by 50%+.
Defense in Depth Layers
| Layer | Controls | Purpose |
|---|---|---|
| Physical | Access control, cameras, locks, biometrics | Prevent physical access to network equipment |
| Perimeter | Firewall (NGFW), IPS, DDoS protection, WAF | Filter traffic entering/leaving the network |
| Network | Segmentation, VLANs, ACLs, micro-segmentation | Limit lateral movement within the network |
| Host | EDR, antivirus, host firewall, patching, hardening | Protect individual servers and endpoints |
| Application | Input validation, WAF, API security, code review | Protect applications from exploits |
| Data | Encryption (at rest + in transit), DLP, access controls | Protect data even if other layers fail |
| User | MFA, security awareness, least privilege, PAM | Reduce human error and credential compromise |
Network Segmentation
| Method | How | Granularity |
|---|---|---|
| VLANs | Layer 2 separation: different broadcast domains | Coarse: per department/function (HR, Finance, IT) |
| Firewall Zones | Firewall between segments: inspect and filter inter-zone traffic | Medium: control traffic between VLANs/zones |
| VRF (Virtual Routing) | Separate routing tables on the same router: traffic isolation at L3 | Medium: per tenant/function routing isolation |
| Micro-Segmentation | Per-workload firewall (VMware NSX, Illumio, Cisco ACI) | Fine: every VM/container has its own security policy |
| Zero Trust | Verify every access request regardless of network location | Finest: per-request authentication and authorization |
DMZ Design
| Feature | Details |
|---|---|
| Purpose | Buffer zone between untrusted (internet) and trusted (internal) networks |
| What Goes In DMZ | Web servers, mail relays, DNS servers, reverse proxies, VPN concentrators |
| Single Firewall | One firewall with 3 interfaces (outside, DMZ, inside): simpler but a single point of failure |
| Dual Firewall | Two firewalls: internet → FW1 → DMZ → FW2 → internal; more secure (different vendors) |
| Rules | Internet → DMZ: allow specific ports (80, 443); DMZ → Internal: minimal (specific DB ports); Internal → DMZ: controlled |
| Best Practice | No direct internet → internal traffic, ever; always through a DMZ proxy/relay |
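The rule set in the table is easy to state and easy to break over time, typically by an "any" source rule that quietly reaches an internal host. The following added example (not part of the original page) audits a firewall policy against those three designed flows; the zone address ranges, the port 5432 standing in for "specific DB ports", and the sample rules are all constructed for the example.

```python
from ipaddress import ip_network
from typing import NamedTuple

# Zone ranges are constructed for this example (documentation and private address space).
DMZ_NET, INTERNAL_NET = ip_network("192.0.2.0/24"), ip_network("10.0.0.0/8")

# Designed inter-zone flows from the DMZ table; 5432 stands in for "specific DB ports" and
# 22/443 for "controlled" internal-to-DMZ management (both constructed choices).
EXPECTED = {("internet", "dmz"): {80, 443}, ("dmz", "internal"): {5432}, ("internal", "dmz"): {22, 443}}

class Rule(NamedTuple):
    src: str          # source CIDR as written in the firewall policy
    dst: str          # destination CIDR
    ports: frozenset  # destination TCP ports the rule permits
    action: str       # "allow" or "deny"

def zone_of(cidr: str) -> str:
    """Anything outside the DMZ/internal ranges is internet, so a 0.0.0.0/0 'any' is internet."""
    net = ip_network(cidr)
    if net.subnet_of(DMZ_NET):
        return "dmz"
    if net.subnet_of(INTERNAL_NET):
        return "internal"
    return "internet"

def audit(rules):
    """Return findings for allow rules that contradict the DMZ design; deny rules are ignored."""
    findings = []
    for r in rules:
        flow = (zone_of(r.src), zone_of(r.dst))
        if r.action != "allow" or flow[0] == flow[1]:
            continue  # intra-zone traffic is a segmentation question, not a DMZ one
        if flow == ("internet", "internal"):
            findings.append(f"CRITICAL {r.src}->{r.dst}: direct internet-to-internal allow")
        elif flow not in EXPECTED:
            findings.append(f"HIGH {r.src}->{r.dst}: {flow[0]}->{flow[1]} is not a designed flow")
        elif r.ports - EXPECTED[flow]:
            findings.append(f"MEDIUM {r.src}->{r.dst}: ports {sorted(r.ports - EXPECTED[flow])} exceed design")
    return findings

# Constructed policy: a correct web rule, a DB rule that also opens RDP, a leftover any-to-internal rule.
SAMPLE_RULES = [
    Rule("0.0.0.0/0", "192.0.2.10/32", frozenset({80, 443}), "allow"),
    Rule("192.0.2.10/32", "10.1.1.5/32", frozenset({5432, 3389}), "allow"),
    Rule("0.0.0.0/0", "10.1.1.5/32", frozenset({3389}), "allow"),
    Rule("0.0.0.0/0", "10.0.0.0/8", frozenset(), "deny"),
]
```

Running `audit(SAMPLE_RULES)` flags the RDP port on the DB rule as MEDIUM and the any-to-internal rule as CRITICAL, while the web rule passes.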
NAC (Network Access Control)
| Feature | Details |
|---|---|
| Purpose | Control who/what can access the network: authenticate before granting access |
| 802.1X | Port-based authentication: supplicant (client) → authenticator (switch/AP) → auth server (RADIUS) |
| Posture Check | Verify device health: OS patched, AV updated, disk encrypted, compliant |
| Remediation | Non-compliant device → quarantine VLAN → patch/update → re-assess → allow |
| Guest Access | Unknown devices → guest VLAN with limited access (internet only, no internal) |
| BYOD | Personal devices → limited-access VLAN, device profiling, certificate-based auth |
| Vendors | Cisco ISE, Aruba ClearPass, FortiNAC, Portnox |
SIEM (Security Information and Event Management)
| Function | Description |
|---|---|
| Log Collection | Collect logs from: firewalls, switches, servers, endpoints, applications, cloud |
| Normalization | Convert different log formats into a common schema → enable correlation |
| Correlation | Match events across sources: failed login + port scan + lateral movement = attack chain |
| Alerting | Generate alerts based on rules, thresholds, anomalies → prioritize by severity |
| Investigation | Search and analyze historical data → threat hunting, forensics |
| Compliance | Retain logs for regulatory requirements (PCI-DSS, HIPAA, SOX): 1-7 years |
| Vendors | Splunk, Microsoft Sentinel, Elastic SIEM, IBM QRadar, Wazuh (open-source) |
Incident Response
| Phase | Action |
|---|---|
| 1. Preparation | IR plan, team roles, communication plan, tools ready, tabletop exercises |
| 2. Identification | Detect the incident: SIEM alerts, user reports, threat intelligence, anomaly detection |
| 3. Containment | Short-term: isolate affected systems (VLAN change, block IP); Long-term: patch, rebuild |
| 4. Eradication | Remove the threat: malware cleanup, close the vulnerability, reset credentials, patch systems |
| 5. Recovery | Restore systems: from backup, rebuild, verify clean, monitor closely |
| 6. Lessons Learned | Post-incident review: what happened, how it was detected, what to improve, update the IR plan |
Closing thoughts: Security Architecture = Layers + Detection + Response
- Defense in Depth: physical → perimeter → network → host → application → data → user (7 layers)
- Segmentation: VLANs (coarse) → firewall zones → VRF → micro-segmentation → zero trust (finest)
- DMZ: buffer zone, dual firewall recommended, no direct internet-to-internal, specific port rules
- NAC: 802.1X authentication, posture check, quarantine non-compliant devices, guest/BYOD VLANs
- SIEM: collect → normalize → correlate → alert → investigate → comply (Splunk, Sentinel, Elastic, Wazuh)
- Incident Response: prepare → identify → contain → eradicate → recover → lessons learned
- Key: assume breach. Segmentation limits damage, SIEM detects fast, IR responds fast → reduce impact 50%+