Security & Risks
Chapter 6 — Security architecture layers, physical security, electrical safety, risk evaluation, and emergency plans
6.1 Security Architecture
The boundary security architecture is organized into five defense layers, each with distinct goals, threat surfaces, and control strategies. This layered model ensures that no single control failure results in a complete security breach, and that each layer provides both independent protection and supporting context for the layers above and below it. The threat landscape diagram below illustrates the eight primary attack vectors that the boundary security system must address.
Figure 6.1: Cybersecurity Threat Landscape — Eight primary attack vectors (DDoS, APT, ransomware, insider threat, data exfiltration, zero-day, supply chain, phishing) targeting the protected enterprise network, with defense layers: DDoS scrubbing, NGFW/IPS, ZTNA/WAF, and SIEM/SOAR
| Layer | Name | Primary Goal | Key Threat Surface | Primary Controls |
|---|---|---|---|---|
| Layer 1 | Physical / OOB | Prevent physical tampering; restrict admin paths | Data center access, console ports, hardware | Locked racks, access control, CCTV, OOB network |
| Layer 2 | Network Segmentation | Contain lateral movement between zones | Inter-zone routing, VLAN misconfigurations | VRF/VPC, DMZ tiers, default deny inter-zone |
| Layer 3 | Enforcement | Block unauthorized traffic and exploits | Internet-exposed services, remote access, partner links | NGFW, WAF, ZTNA, strong authentication, deny-by-default |
| Layer 4 | Detection | Identify threats that bypass enforcement | Encrypted traffic, DNS, management planes, cloud endpoints | NDR/IDS, SIEM correlation, threat intelligence |
| Layer 5 | Response | Contain and remediate confirmed incidents | Compromised accounts, lateral movement, data exfiltration | SOAR playbooks, emergency controls, forensics readiness |
6.2 Physical Security
Physical security protects boundary devices from theft, sabotage, and unauthorized access. Because boundary devices control all network traffic, physical access to these devices is equivalent to administrative access to the entire network. Physical security controls must be implemented, documented, and periodically tested as rigorously as logical security controls.
- Locked racks with access logs: All boundary device racks must be locked with electronic locks that log every access event with timestamp and identity. Access rights must be reviewed quarterly and revoked immediately upon role change.
- CCTV coverage with retention: Camera coverage must include all rack rows, entry/exit points, and cable management areas. Footage must be retained for a minimum of 90 days and reviewed after any physical security incident.
- Tamper seals on edge devices: Serialized tamper-evident seals must be applied to all boundary device chassis screws and port covers. Seal numbers must be logged and verified during each maintenance visit.
- Port blockers on unused ports: All unused physical ports (Ethernet, USB, console) must be blocked with keyed port blockers to prevent unauthorized device connection.
- Environmental alarms integrated to NOC/SOC: Temperature, humidity, and smoke sensors must be integrated to the NOC/SOC alerting system with defined response procedures for each alarm type.
Physical Security Acceptance Criteria
- Verify access rights list against current authorized personnel roster.
- Test door forced-open alarm: confirm alert reaches NOC within 30 seconds.
- Validate CCTV angle coverage: confirm no blind spots in rack rows.
- Inspect tamper seals: confirm all seals are intact and serial numbers match log.
6.3 Electrical Safety
Electrical safety protects boundary devices from power-related failures including overvoltage, overcurrent, short circuits, ground faults, and overtemperature conditions. Power failures are among the most common causes of boundary device outages, and many power-related failures are preventable through proper design and periodic testing.
| Risk | Control Measure | Acceptance Test |
|---|---|---|
| Power failure / outage | Dual PSU to dual PDUs; UPS-backed circuits on separate breakers | UPS transfer test: verify < 10ms transfer time |
| Overvoltage / surge | Surge protection devices (SPDs) at entry points; proper grounding | SPD inspection; ground resistance test ≤ 4 ohms |
| Overcurrent / overload | Breaker utilization ≤ 80%; cable gauge compliance per load | Breaker mapping; verify utilization under full load |
| Overtemperature | Periodic IR thermography on all power connections and breakers | Thermal scan baseline; compare at 6-month intervals |
| Ground fault | Copper grounding bar with labeled bonds to all racks | Ground resistance measurements per rack |
6.4 Network Communication Security
Network communication security encompasses the controls applied to all traffic flowing through and between boundary devices. These controls address access control, isolation, encryption, hardening, update management, logging, and alerting. The following table documents common misconfigurations and their remediation actions, which represent the most frequent sources of security incidents in boundary security deployments.
| Control Category | Key Measures | Common Misconfiguration | Remediation |
|---|---|---|---|
| Access Control | Identity-based and app-based rules; deny unknown traffic | Any-any rules in firewall policy | Enforce policy linting + rule expiry dates |
| Isolation | VRF/VPC, DMZ tiers, management plane separation | Management UI exposed on production interface | Move management to OOB + IP allowlist + MFA |
| Encryption | IPsec for site-to-site links; TLS 1.2+ for admin and logging | Admin access over unencrypted HTTP/Telnet | Disable HTTP/Telnet; enforce HTTPS/SSH only |
| Hardening | Disable unused services; restrict management; secure SNMP v3; rotate credentials | Cloud security group "0.0.0.0/0" on admin ports | Continuous posture scanning + auto-remediation |
| Updates | Staged firmware and signature updates with tested rollback procedure | Signatures not updated; firmware months behind | Automated signature updates; quarterly firmware review |
| DNS Egress | Enforce resolver policy; block outbound 53/853 except approved resolvers | Missing DNS egress control; DNS tunneling possible | Block outbound DNS except to approved resolvers; enable DNS security |
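The misconfigurations in the table above (any-any rules, missing rule expiry, cloud security groups open on admin ports, cleartext admin protocols, uncontrolled DNS egress) are all mechanically checkable, which is what "policy linting" and "continuous posture scanning" mean in practice. The linter below is an added example, not part of the original document or any vendor tool; the rule schema, the admin port list, the approved-resolver addresses and the sample policy are constructed assumptions for illustration.

```python
"""Policy linter for boundary firewall and cloud security-group rules.

Added example, not from the original document. The rule schema, admin
port list, approved-resolver set and sample policy are constructed
assumptions; adapt them to the real policy export format in use.
"""
from datetime import date

ADMIN_PORTS = {22, 3389, 8443}                   # assumed management ports
CLEARTEXT_ADMIN_PORTS = {23, 80}                 # Telnet and HTTP
DNS_PORTS = {53, 853}                            # DNS and DNS-over-TLS
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}  # assumed internal resolvers
ANY_VALUES = {"any", "0.0.0.0/0", "::/0"}

# Constructed sample policy. "ports" is a list of ints or the string "any".
SAMPLE_RULES = [
    {"id": "R1", "direction": "in",  "src": "any",          "dst": "any",
     "ports": "any",     "action": "allow", "expires": None},
    {"id": "R2", "direction": "in",  "src": "0.0.0.0/0",    "dst": "10.0.5.10",
     "ports": [22],      "action": "allow", "expires": "2030-01-01"},
    {"id": "R3", "direction": "in",  "src": "10.20.0.0/16", "dst": "10.0.5.11",
     "ports": [23, 80],  "action": "allow", "expires": "2023-06-30"},
    {"id": "R4", "direction": "out", "src": "10.0.0.0/8",   "dst": "any",
     "ports": [53, 853], "action": "allow", "expires": "2030-01-01"},
    {"id": "R5", "direction": "out", "src": "10.0.0.0/8",   "dst": "10.0.0.53",
     "ports": [53],      "action": "allow", "expires": "2030-01-01"},
    {"id": "R6", "direction": "in",  "src": "any",          "dst": "any",
     "ports": "any",     "action": "deny",  "expires": None},
]


def _is_any(value):
    return str(value).lower() in ANY_VALUES


def lint_rules(rules, today=None):
    """Return (rule_id, check, detail) findings for every allow rule."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for r in rules:
        if r.get("action") != "allow":
            continue                      # only permissive rules widen exposure
        rid = r["id"]
        src_any, dst_any = _is_any(r["src"]), _is_any(r["dst"])
        ports = r.get("ports", "any")
        ports_any = _is_any(ports)
        port_set = set() if ports_any else set(ports)

        # Rule expiry: every allow rule needs an owner-reviewed end date.
        expires = r.get("expires")
        if not expires:
            findings.append((rid, "NO_EXPIRY", "allow rule has no expiry date"))
        elif date.fromisoformat(expires) < today:
            findings.append((rid, "EXPIRED", f"expired {expires}, still active"))

        # Any-any: report once; the remaining checks are moot until it is removed.
        if src_any and dst_any and ports_any:
            findings.append((rid, "ANY_ANY", "permits all traffic; replace with explicit rules"))
            continue

        # Admin ports reachable from the whole Internet (the 0.0.0.0/0 case).
        if src_any and (ports_any or port_set & ADMIN_PORTS):
            findings.append((rid, "SG_ADMIN_OPEN", f"admin ports reachable from {r['src']}"))

        # Unencrypted management protocols permitted.
        if port_set & CLEARTEXT_ADMIN_PORTS:
            findings.append((rid, "CLEARTEXT_ADMIN", "Telnet/HTTP permitted; require SSH/HTTPS"))

        # Outbound DNS to anything other than the approved resolvers.
        if (r.get("direction") == "out" and (ports_any or port_set & DNS_PORTS)
                and r["dst"] not in APPROVED_RESOLVERS):
            findings.append((rid, "DNS_EGRESS", f"DNS to {r['dst']} bypasses approved resolvers"))
    return findings


def lint_sample():
    """Lint the constructed policy against a fixed reference date."""
    return lint_rules(SAMPLE_RULES, today="2025-01-01")


if __name__ == "__main__":
    for rid, check, detail in lint_sample():
        print(f"{rid:4} {check:16} {detail}")
```

Run against the sample policy, the linter reports R1 as any-any with no expiry, R2 as an admin port open to 0.0.0.0/0, R3 as an expired rule that still permits Telnet and HTTP, and R4 as uncontrolled DNS egress; R5 (DNS only to an approved resolver) and the deny rule R6 produce no findings. Wiring the same checks into the CI step that validates policy changes, and into a scheduled posture scan of exported cloud security groups, is how the "remediation" column is kept true over time rather than at one audit.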
6.5 Risk Identification & Evaluation
The risk register below documents the six primary risk categories for boundary security deployments, with likelihood and impact scores on a 1–5 scale. Risk level is calculated as the product of likelihood and impact, with scores above 12 classified as Critical, 8–12 as High, 4–8 as Medium, and below 4 as Low. All High and Critical risks require documented controls and quarterly review.
| Risk Category | Example | Likelihood (1–5) | Impact (1–5) | Risk Level | Recommended Control |
|---|---|---|---|---|---|
| Technical | Asymmetric routing bypass | 3 | 4 | High (12) | Design routing symmetry + regular path tests |
| Operational | Unauthorized rule change | 2 | 5 | High (10) | Separation of duties + approvals + audit trail |
| Environmental | Power instability | 3 | 4 | High (12) | UPS + dual feed + continuous monitoring |
| Legal/Compliance | Log retention insufficient | 2 | 5 | High (10) | Retention tiers + immutable storage + audit |
| Supply Chain | Firmware backdoor risk | 2 | 5 | High (10) | SBOM + firmware signing + vendor vetting |
| Security | Credential compromise | 4 | 5 | Critical (20) | MFA + PAM + behavioral detection + response |
6.6 Risk Response & Emergency Plans
Emergency Plan 1: Internet Egress Compromise Containment
Monitor: Alert on anomalous firewall rule changes; detect outbound traffic spikes; correlate threat intelligence hits against firewall logs.
Respond: Apply emergency blocklist via SOAR; disable compromised accounts; isolate affected network segments pending investigation.
Recover: Restore configurations from verified backup; rotate all credentials and certificates; conduct post-incident review within 72 hours.
Drill: Quarterly tabletop exercise + annual live simulation with measured RTO.
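The Monitor step of Emergency Plan 1 names three detections: anomalous firewall rule changes, outbound traffic spikes, and threat-intelligence matches against firewall logs. The script below is an added example of that detection logic run over a handful of log lines; it is not part of the original plan or of any SIEM product. The log format, the maintenance window, the authorized-change user list, the indicator addresses (all from RFC 5737 documentation ranges) and the spike threshold are constructed assumptions.

```python
"""Monitoring checks for Emergency Plan 1 (egress compromise).

Added example, not from the original document. Log format, maintenance
window, authorized users, indicator list and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

THREAT_INTEL = {"203.0.113.45", "198.51.100.7"}        # constructed indicators
AUTHORIZED_CHANGE_USERS = {"netops-jdoe", "netops-asmith"}  # assumed change approvers
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed log extract: CONFIG lines from the firewall audit trail and
# flow lines for outbound sessions, both in "<ts> <kind> key=value ..." form.
SAMPLE_LOG = """\
2025-01-10T02:15:00Z CONFIG user=netops-jdoe op=modify rule=R-0042 ticket=CHG-1234
2025-01-10T14:00:10Z flow src=10.0.5.10 dst=192.0.2.10 dport=443 bytes=12000 action=allow
2025-01-10T14:05:20Z flow src=10.0.5.11 dst=192.0.2.10 dport=443 bytes=15000 action=allow
2025-01-10T14:10:05Z flow src=10.0.5.10 dst=192.0.2.10 dport=443 bytes=11000 action=allow
2025-01-10T14:12:40Z flow src=10.0.5.12 dst=198.51.100.7 dport=443 bytes=600 action=deny
2025-01-10T14:14:02Z CONFIG user=svc-backup op=add rule=R-0999 ticket=-
2025-01-10T14:15:30Z flow src=10.0.5.12 dst=203.0.113.45 dport=443 bytes=900000 action=allow
2025-01-10T14:20:15Z flow src=10.0.5.11 dst=192.0.2.10 dport=443 bytes=13000 action=allow
"""


def parse_log(text):
    """Turn each line into a dict with a timezone-aware 'ts' and a 'kind'."""
    events = []
    for line in text.splitlines():
        ts, kind, rest = line.split(" ", 2)
        fields = dict(KV_RE.findall(rest))
        fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        fields["kind"] = kind
        events.append(fields)
    return events


def in_maintenance_window(hour):
    return hour >= 22 or hour < 6          # assumed 22:00-06:00 UTC window


def detect_rule_change_anomalies(events):
    """Flag rule changes by unapproved users, without a ticket, or off-window."""
    findings = []
    for e in events:
        if e["kind"] != "CONFIG":
            continue
        reasons = []
        if e.get("user") not in AUTHORIZED_CHANGE_USERS:
            reasons.append("unauthorized user")
        if e.get("ticket", "-") == "-":
            reasons.append("no change ticket")
        if not in_maintenance_window(e["ts"].hour):
            reasons.append("outside maintenance window")
        if reasons:
            findings.append(("RULE_CHANGE", e["rule"], "; ".join(reasons)))
    return findings


def detect_egress_spikes(events, bucket_seconds=300, baseline_buckets=3, factor=3.0):
    """Sum allowed outbound bytes per bucket; flag buckets above factor x baseline."""
    buckets = defaultdict(int)
    for e in events:
        if e["kind"] == "flow" and e.get("action") == "allow":
            buckets[int(e["ts"].timestamp()) // bucket_seconds] += int(e["bytes"])
    keys = sorted(buckets)
    if len(keys) <= baseline_buckets:
        return []                          # not enough history for a baseline
    baseline = sum(buckets[k] for k in keys[:baseline_buckets]) / baseline_buckets
    findings = []
    for k in keys[baseline_buckets:]:
        if buckets[k] > factor * baseline:
            start = datetime.fromtimestamp(k * bucket_seconds, tz=timezone.utc)
            findings.append(("EGRESS_SPIKE", start.isoformat(),
                             f"{buckets[k]} bytes vs baseline {baseline:.0f}"))
    return findings


def correlate_threat_intel(events):
    """Report every flow, allowed or denied, whose destination is an indicator."""
    return [("THREAT_INTEL_HIT", e["dst"],
             f"{e['src']} -> {e['dst']}:{e['dport']} ({e['action']})")
            for e in events if e["kind"] == "flow" and e["dst"] in THREAT_INTEL]


def run_monitor(log_text=SAMPLE_LOG):
    events = parse_log(log_text)
    return (detect_rule_change_anomalies(events)
            + detect_egress_spikes(events)
            + correlate_threat_intel(events))


if __name__ == "__main__":
    for kind, subject, detail in run_monitor():
        print(f"{kind:17} {subject:26} {detail}")
```

On the sample extract the three detectors agree on one story: an unticketed rule added by a service account outside the maintenance window, followed within two minutes by a 900 KB outbound burst to a listed indicator, with an earlier denied attempt to a second indicator. Denied hits are kept in the output deliberately, since a blocked connection to a known-bad address is the early signal that justifies the Respond step before any data leaves.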
Emergency Plan 2: DDoS Availability Incident
Respond: Enable upstream scrubbing via NOC runbook; restrict public endpoints to essential services only; communicate status to stakeholders per incident communication plan.
Recover: Staged rollback of scrubbing once attack subsides; validate capacity and latency; update runbook with lessons learned.
Emergency Plan 3: Cloud Exposure Misconfiguration
Respond: Auto-close public ports via CSPM remediation; rotate exposed API keys and credentials; verify that access logs capture any exploitation attempts.
Recover: Apply drift fix via IaC; strengthen CI checks to prevent recurrence; audit all cloud access for the affected period.