Building an information security architecture step by step

Achieving cybersecurity readiness requires a solid information security architecture. Expert Peter Sullivan explains the core building blocks that enterprises need to build one.

Editor's note: This is part of a series on achieving cybersecurity readiness. Part one of this series looked at the concept of cybersecurity readiness and proposed seven elements or objectives as fundamentals for achieving that state. Part two of this series examines the first element on that list: building a cybersecurity plan. This article focuses on the technology aspects of information security architecture. The information security elements of process and people, which arguably are important parts of an information security architecture, are covered in the six other cybersecurity readiness objectives.

In part one of this series, information security architecture was described as a strong network security architecture that allows for secure local, wide-area and remote communication. It is a necessary component for controlling and understanding how the network is operating, and it enables network monitoring.

Architecture, in simple terms, is the way in which the component parts of a thing are arranged and organized. If the thing in question is a networked information system, then the goal is to organize and operate that system in a manner that allows for control of the system and detection of unexpected, unwanted and malicious activity.

Secure gateway

If the traffic that flows into, out of and through an information network cannot be seen, it cannot be effectively monitored. In order to be able to monitor traffic that enters and leaves a computer network, that traffic needs to pass through a known and monitored gateway environment. Large enterprises may not have a good handle on how many internet access points are in use. Case in point: The U.S. Federal Executive Branch identified over 8,000 connections to the internet among its various agencies -- most of which were not monitored by any network or security operations center or any security devices, and represented a major vulnerability for the U.S. government. The ideal situation is to have a single gateway to concentrate and monitor traffic.

The secure internet gateway should provide the following services:

• Firewall to provide stateful packet inspection and access control;

• Intrusion detection system (IDS)/intrusion prevention service (IPS);

• Application proxy service for the following protocols -- HTTP/HTTPS, SMTP, FTP and others;

• Spam filtering;

• Antivirus and malware filtering; and

• Network traffic analysis.


If recommending the use of a firewall sounds outdated and overly obvious, remember this: The Sony PlayStation Network and the Sony Online Entertainment gaming services were breached in 2011, losing the personal data of over 100 million users. Those networks were not protected by firewalls.

From an information security architecture perspective, a firewall may be viewed as a device that implements security policy, particularly access policy. The presupposition is that an access control policy for the perimeter -- if that is where the firewall is placed -- has been defined and documented. Without a defined access control policy that serves as guidance for firewall configuration, the firewall implementation may not provide the level of security service that the organization requires.

Intrusion detection and prevention

An IDS or IPS is a critical function in a secure gateway architecture. A typical IDS/IPS in a gateway is network-based and relies upon a signature database for detecting potential intrusions or violations of policy, such as the use of unauthorized protocols. The signature database in an IDS is similar in concept to the signature database used in a virus detection system: The IDS is not going to provide an alert for an intrusion signature that is not in its database, and the signature database needs to be updated regularly, just as with a virus detection system.

Proxy everything

All application protocols that traverse the gateway must go through a full bidirectional proxy service so that they may be effectively monitored. Start with email (SMTP, IMAP, POP) and web (HTTP, HTTPS) protocols and the majority of network traffic will likely be covered. A bandwidth analysis will identify other application protocols, such as FTP and SSH, that may be in use. Sending these protocols through a full bidirectional proxy service will also provide visibility and the ability to monitor what information and files are entering and leaving the network. These proxy services include:

  • Email proxy

Email proxy appliances can filter out spam, conduct virus scans and control email attachments and HTML links. Active content and mobile code can also be filtered by a proxy service. Email may also be content scanned as a kind of a data loss prevention service.

  • Web proxy

A web proxy service should provide bidirectional filtering for both HTTP and HTTPS protocols based on URL and/or IP address, including filtering for links to URLs, IP addresses and active code that may be embedded in webpages. Content and keyword filtering should also be employed as part of a web proxy service. Access to external web-based email -- a favorite route for exfiltration of intellectual property -- can be monitored or blocked.

Antivirus, antimalware and spam blocking

If not provided elsewhere, as part of a proxy server for instance, then virus and malware scanning and spam blocking must be provided within the secure gateway. While it is possible to perform virus scanning and spam blocking on individual hosts and desktop computers, identifying these threats as close to the border as possible before they enter the trusted network is a best practice.

Network traffic analysis

Computer network traffic analysis is based upon collecting and analyzing IP flows to determine the characteristics of the network communication that is taking place. Cisco's NetFlow or the Internet Engineering Task Force's IPFIX protocol is used for analyzing IP flows.

IP flow information is extremely useful for understanding network behavior:

• Source address allows the understanding of who is originating the traffic;

• Destination address tells who is receiving the traffic;

• Ports characterize the application utilizing the traffic;

• Class of service examines the priority of the traffic;

• The device interface tells how traffic is being utilized by the network device;

• Tallied packets and bytes show the amount of traffic between any point on the network;

• Operating system identification or identifying rogue operating systems;

• Identifying network traffic from common applications;

• Identifying network traffic from unwanted applications; and

• Monitoring bandwidth utilization and identifying unexpected or excessive bandwidth utilization.

Using this information, it is possible to baseline normal network behavior and then identify unexpected or unwanted behavior, including malicious behavior. For instance, if a user begins to transfer large amounts of data via email to a location outside of the enterprise, it would be possible to detect that behavior with network traffic analysis.
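The baselining described above can be sketched over exported flow records. This is an added example, not part of the original article: the flow tuple layout, the internal address range, the mail ports and the threshold rule (mean plus three standard deviations, with a minimum floor) are all assumptions, and the flow data is constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the enterprise address space
MAIL_PORTS = {25, 465, 587}          # SMTP relay and submission ports

# Constructed flow records: (day, src, dst, dst_port, bytes)
FLOWS = (
    [(d, "10.0.1.15", "203.0.113.25", 587, 200_000 + 10_000 * d) for d in range(1, 6)]
    + [(d, "10.0.1.22", "203.0.113.25", 587, 300_000 + 5_000 * d) for d in range(1, 7)]
    + [
        (6, "10.0.1.15", "198.51.100.7", 587, 750_000_000),  # large outbound mail
        (6, "10.0.1.22", "10.0.9.9", 25, 900_000_000),       # internal relay: ignored
        (6, "10.0.1.30", "198.51.100.7", 443, 500_000_000),  # not mail: ignored
    ]
)

def outbound_mail_bytes(flows):
    """Sum bytes per source and day for mail flows that leave the internal network."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, dst, port, nbytes in flows:
        leaving = ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL
        if leaving and port in MAIL_PORTS:
            totals[src][day] += nbytes
    return totals

def find_anomalies(flows, baseline_days, check_day, k=3.0, floor=1_000_000):
    """Flag sources whose outbound mail volume on check_day exceeds their baseline.

    The threshold is mean + k * stddev of the baseline days, but never below
    `floor` bytes, so hosts with tiny, steady volumes do not alert on noise.
    """
    alerts = []
    for src, per_day in outbound_mail_bytes(flows).items():
        history = [per_day.get(d, 0) for d in baseline_days]
        threshold = max(mean(history) + k * pstdev(history), floor)
        observed = per_day.get(check_day, 0)
        if observed > threshold:
            alerts.append((src, observed, round(threshold)))
    return sorted(alerts)

if __name__ == "__main__":
    for src, observed, threshold in find_anomalies(FLOWS, range(1, 6), 6):
        print(f"{src}: {observed} bytes of outbound mail, threshold {threshold}")
```

A host with no mail history gets a baseline of zero, so only the floor applies to it; in practice the baseline window and floor would be tuned per environment.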

Stay tuned for the next article in this series, which will discuss risk management as a cybersecurity readiness objective.

This was last published in October 2016