System Components
Chapter 1 — Boundary architecture, component inventory, and responsibility matrix
1.1 System Architecture
The boundary security system architecture defines the complete set of components, their interconnections, data flows, and control flows required to enforce perimeter protection across all boundary types. The architecture is organized around a central enforcement core — the NGFW HA pair — which connects to upstream internet-facing components, downstream internal zones, and lateral management and detection systems. This layered design ensures that no traffic can bypass enforcement, and that all security events are captured and correlated.
The architecture distinguishes three critical planes: the data plane (traffic forwarding and enforcement), the control plane (routing, policy distribution, and SOAR-driven enforcement actions), and the management/admin plane (OOB access, configuration, and audit). Strict separation of these planes is essential to prevent management exposure from compromising enforcement integrity, and to ensure that administrative access remains available even during data-plane incidents.
Key data and control flows include: north-south traffic traversing Internet → DDoS scrubbing → edge routers → NGFW → DMZ/WAF → internal services; east-west traffic controlled by inter-VRF firewalling or distributed firewall policies in cloud environments; control plane flows from SIEM/SOAR consuming logs and pushing enforcement actions such as temporary deny rules and threat intel feeds; and admin plane flows through OOB networks, jump hosts, RBAC, and MFA.
Figure 1.1: Component-Level Boundary Architecture — Data flows, control flows, and deployment boundaries across all boundary types
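The SIEM/SOAR control-plane flow described above (alerts in, temporary deny rules out) as an added example, not code from the original document. It models the two failure modes the responsibility matrix names for SOAR: enforcement without an approval gate and rules that never expire. The firewall API is an in-memory stub, and the protected ranges, severity threshold and one-hour TTL are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed values: a fixed clock for reproducibility and a one-hour rule TTL.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
ONE_HOUR = timedelta(hours=1)
AUTO_BLOCK_SEVERITY = 90  # alerts at/above this may be blocked without a human

# Constructed protected ranges: internal space and a partner range that must
# never be auto-blocked, whatever the alert says.
PROTECTED = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]

@dataclass
class DenyRule:
    src: str
    reason: str
    approved_by: str
    expires_at: datetime

class FirewallStub:
    """Stand-in for the NGFW management API: holds rules and expires them."""
    def __init__(self) -> None:
        self.rules: list = []

    def push(self, rule: DenyRule) -> None:
        self.rules.append(rule)

    def expire(self, now: datetime) -> int:
        """Drop rules whose TTL has passed; return how many were removed."""
        before = len(self.rules)
        self.rules = [r for r in self.rules if r.expires_at > now]
        return before - len(self.rules)

def propose_block(alert: dict, fw: FirewallStub, now: datetime = NOW,
                  approver: Optional[str] = None, ttl: timedelta = ONE_HOUR):
    """Approval-gated temporary block. Returns (outcome, detail), where
    outcome is 'blocked', 'pending' (analyst approval needed) or 'rejected'."""
    src = ip_address(alert["src_ip"])
    if any(src in net for net in PROTECTED):
        return "rejected", f"{src} is in a protected range"
    if alert["severity"] < AUTO_BLOCK_SEVERITY and approver is None:
        return "pending", "below auto-block severity; analyst approval required"
    rule = DenyRule(str(src), alert["rule_name"], approver or "soar-auto", now + ttl)
    fw.push(rule)
    return "blocked", f"deny {src} until {rule.expires_at.isoformat()}"
```

A real playbook would also log every outcome back to the SIEM and open a ticket for the pending and rejected cases so the audit trail in the matrix is preserved.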
Deployment Boundaries
| Category | Components | Rationale |
|---|---|---|
| Core (Mandatory) | Edge routers, NGFW/IPS, DMZ switching, WAF/API gateway for exposed apps, centralized logging (SIEM), time sync (NTP) | Required for baseline boundary enforcement, visibility, and audit compliance |
| Optional (Recommended) | Dedicated NDR sensors, DNS security, email/web gateways, EASM, deception honeypots for DMZ | Significantly improves detection coverage and reduces blind spots |
| Supporting (Infrastructure) | UPS/power, rack/cabling, OOB management, CMDB, ticketing/change system | Ensures operational resilience and change governance |
1.2 Components and Functions
Each boundary component fulfills a specific set of responsibilities within the overall architecture. Understanding the inputs, outputs, key performance indicators, and typical mismatch risks for each component is essential for accurate sizing, integration planning, and acceptance testing. The component inventory diagram below shows the full set of boundary components and their dependency relationships.
Figure 1.2: Boundary Component Inventory — All boundary components with dependency relationships and color-coded categories
Component Responsibility Matrix
| Component | Primary Responsibility | Key Inputs | Key Outputs | Key KPIs | Typical Mismatch Risk |
|---|---|---|---|---|---|
| Edge Router (pair) | ISP/BGP, routing, basic ACL | ISP circuits, BGP routes | Forwarding, route tables | Convergence < 30s, packet loss < 0.1% | Single-homed ISP; poor route filtering |
| NGFW (HA) | L3–L7 policy, NAT, IPS, app control | Flows, identity tags, threat feeds | Allow/deny, logs, session states | TPS, CPS, SSL TPS, latency | Undersized SSL inspection → bypass or outage |
| WAF/API Gateway | HTTP protection, API auth, rate limit | HTTP/S traffic, certs | Block/allow, headers, logs | Req/s, false positive rate | No positive model; API shadow endpoints |
| DDoS Protection | Volumetric/Layer 7 mitigation | Netflow, BGP diversion | Clean traffic | Mitigation time, clean bandwidth | No runbook; diversion not tested |
| ZTNA/VPN | Remote/third-party access | IdP, device posture | Encrypted tunnel, access logs | Concurrent users, auth success rate | Split tunnel misconfig, stale certs |
| DNS Security | Block malicious domains, DNS logging | DNS queries | Response, logs | Block efficacy, latency | Bypass via hardcoded DNS |
| NDR/IDS | Detect anomalies, lateral movement | Mirror/TAP traffic | Alerts, metadata | Detection coverage, MTTA | SPAN oversubscription → packet drops |
| SIEM | Central logging, correlation, alerting | Logs from all sources | Alerts, dashboards, reports | EPS capacity, search latency | EPS cap → silent log loss |
| SOAR | Automated response orchestration | SIEM alerts, threat intel | Enforcement actions, tickets | Playbook success rate, MTTR | No approval gates → false-positive outages |
| Config/Backup Manager | Version control, backup, drift detection | Device configs | Backups, diff reports | Backup success rate, drift alerts | No backups → unrecoverable misconfig |
| Certificate Manager/PKI | TLS cert lifecycle, CA management | CSRs, renewal requests | Issued certs, expiry alerts | Cert expiry coverage, renewal lead time | Expired certs → TLS failures, bypass |
| Ticketing/ITSM | Change control, incident tracking | Change requests, incidents | Approved changes, audit trail | Change success rate, SLA compliance | No change control → unauthorized changes |
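A check for the SIEM row's "EPS cap → silent log loss" risk, added here as an example rather than taken from the document. It runs two tests over constructed per-minute event counts: whether aggregate EPS is approaching or exceeding the licensed cap, and whether any single source has gone quiet against its own baseline (the case an aggregate-only KPI misses). The cap, thresholds and source names are assumptions.

```python
from statistics import median

# Assumed values: licensed cap and thresholds for the two checks below.
EPS_CAP = 5000            # licensed events per second
WARN_UTILISATION = 0.85   # flag minutes where aggregate EPS >= 85% of cap
SILENT_RATIO = 0.10       # a source is "silent" if its latest minute is
                          # below 10% of its median over the earlier minutes

# Constructed sample: events per minute for six consecutive minutes, per
# log source. NGFW volume ramps until aggregate EPS crosses the cap, then
# its feed drops to zero in the last minute (e.g. the forwarder stalled).
SAMPLE_COUNTS = {
    "ngfw-ha":  [180_000, 200_000, 230_000, 260_000, 290_000, 0],
    "waf":      [30_000, 31_000, 29_500, 30_200, 30_800, 31_000],
    "edge-rtr": [5_000, 5_100, 4_900, 5_050, 5_000, 4_950],
    "ndr":      [12_000, 12_500, 12_200, 12_400, 12_300, 12_600],
}

def eps_per_minute(counts: dict) -> list:
    """Aggregate EPS for each minute across all sources."""
    minutes = len(next(iter(counts.values())))
    return [sum(s[i] for s in counts.values()) / 60 for i in range(minutes)]

def near_cap_minutes(counts: dict) -> list:
    """Indices of minutes where aggregate EPS reached the warning level."""
    limit = WARN_UTILISATION * EPS_CAP
    return [i for i, eps in enumerate(eps_per_minute(counts)) if eps >= limit]

def silent_sources(counts: dict) -> list:
    """Sources whose latest minute collapsed relative to their own baseline.
    This per-source view is needed because one feed going quiet barely
    moves the aggregate when other sources dominate the volume."""
    silent = []
    for name, series in counts.items():
        baseline = median(series[:-1])
        if baseline > 0 and series[-1] < SILENT_RATIO * baseline:
            silent.append(name)
    return silent

def health_report(counts: dict) -> dict:
    """Combine both checks into one structure a SOAR or ticketing step can use."""
    eps = eps_per_minute(counts)
    return {
        "silent_sources": silent_sources(counts),
        "near_cap_minutes": near_cap_minutes(counts),
        "over_cap_minutes": [i for i, e in enumerate(eps) if e > EPS_CAP],
        "peak_eps": round(max(eps), 1),
    }
```

In the sample the NGFW feed is flagged silent only in the final minute, while the cap was already exceeded two minutes earlier; both conditions should raise a ticket, since the first is a visibility gap and the second is where the platform may already have been dropping events.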