What are You Doing to Make it More Difficult for Hackers to Access Your Data?
— Joe Baker, Senior Network Engineer | AfidenceIT

Consider This When You Start Your Network Design

A great number of factors need to be considered when designing a secure, efficient, and scalable network. While network demands vary greatly from one organization to the next, it is important to think your network design through. Here are eleven design tips that will make your network secure, efficient, and scalable.

1. Firewall

A firewall acts as a traffic cop for the network: it allows or denies communication based on a number of parameters. Most people see a firewall as a perimeter-only device, but that isn't the only way to use one. If your company has the capability, it is a good idea to put a firewall in front of any important information. Securing a database that holds credit card information, or placing the HR and finance departments behind a firewall, are both good ways to protect a company's intellectual property and other sensitive data.

2. VLAN

A VLAN (Virtual Local Area Network) is the logical separation of network devices that share the same physical infrastructure. VLANs are a good idea for many reasons. Paired with a proper subnetting scheme, careful VLAN assignment can reduce network overhead, improve security, and ease administration. One good use of a VLAN is to put device management on its own network, which gives you much tighter control over which users can reach your network devices.

3. Subnet

A subnet is another way to separate a network logically. Subnets commonly correspond to physical locations, but they don't have to when designed properly alongside VLANs. Properly subnetting a network eases administration and reduces network overhead. A coherent subnet scheme makes sites, departments, and special secure areas easy to identify as separate subnets, and following a clear assignment convention lets an administrator tell at a glance what a subnet is and what it is assigned to. Depending on the size of your company and your security requirements, it is a good idea to put the HR and finance departments on separate networks so you have better control over the machines holding sensitive data.

Subnetting isn't only for security. Used with a proper VLAN design, it reduces network overhead across your organization by confining traffic to the areas that need it. When planned around future growth, a proper subnet scheme also gives you enormous room to scale.
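The kind of addressing convention described above, as an added example that is not part of the original article: each site gets a /16, each department or secure area a /24 inside it, and a lookup tells an administrator what any address belongs to from the convention alone. The site names, departments, zones and the 10.0.0.0/8 base are constructed for illustration.

```python
# Added example (not from the article): a hierarchical IPv4 plan that encodes
# site, department and security zone in the address, plus a lookup that tells
# an administrator what any address belongs to. Sites, departments, zones and
# the 10.0.0.0/8 base are constructed for illustration.
import ipaddress

BASE = ipaddress.ip_network("10.0.0.0/8")

# Each site owns a /16 (second octet = site), which also gives the core one
# summary route per site.
SITES = {"HQ": 1, "Branch-East": 2, "Branch-West": 3}

# Within a site each department/VLAN gets a /24 (third octet = department).
# HR and Finance are separate subnets so they can sit behind a firewall with a
# stricter policy than the general user VLANs.
DEPARTMENTS = {
    "Mgmt": (0, "secure"),          # device management network
    "Users": (10, "general"),
    "Voice": (20, "general"),       # VoIP, prioritised by QoS
    "HR": (100, "secure"),
    "Finance": (101, "secure"),
    "Guest-WiFi": (200, "internet-only"),
}


def build_plan():
    """Return {(site, dept): IPv4Network}, failing loudly on any overlap."""
    plan = {}
    for site, s in SITES.items():
        for dept, (d, _zone) in DEPARTMENTS.items():
            net = ipaddress.ip_network(f"10.{s}.{d}.0/24")
            assert net.subnet_of(BASE)
            for other in plan.values():
                assert not net.overlaps(other), f"{net} overlaps {other}"
            plan[(site, dept)] = net
    return plan


def classify(addr, plan=None):
    """Map an address to (site, department, zone) using the convention alone."""
    ip = ipaddress.ip_address(addr)
    for (site, dept), net in (plan or build_plan()).items():
        if ip in net:
            return site, dept, DEPARTMENTS[dept][1]
    return None


if __name__ == "__main__":
    for a in ("10.1.100.25", "10.3.20.7", "10.2.0.1", "192.168.1.1"):
        print(a, "->", classify(a))
```

The overlap assertion in build_plan is the check worth keeping when the plan grows: a new site or department that collides with an existing subnet fails at planning time rather than on the wire.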

4. DMZ

A DMZ (demilitarized zone) is a segment of the network that users can reach from the Internet. It lets external users reach a service such as a website or an email server without touching the internal network. A DMZ adds security by taking the systems that external parties need to reach and segmenting them off on their own. The public can reach the DMZ's resources but cannot reach your internal network, where you have implemented a stricter security policy.

5. Quality of Service

Quality of Service, shortened to QoS, goes along with a proper subnetting and VLAN design. This feature of routers and switches gives one VLAN priority over another. Priority matters when designing a VoIP (Voice over IP) network: if your voice network sees latency above 150ms, you may experience dropped calls and other in-call anomalies. QoS makes sure that when the network is heavily utilized, voice traffic receives priority over data. After all, it doesn't matter if a webpage takes another half second to load, but a phone call can't tolerate that delay.

6. Hierarchical Design

Designing your network in tiers lets you scale the hardware requirements, build in redundancy, and keep the network operating at optimal speed. Cisco recommends a three-tier design consisting of core, distribution, and access layers. Fundamentally, the quickest route to any destination is a direct path; the hierarchical design scales this principle to enterprise size, letting data traverse the network by the shortest path possible while still providing efficiency. The most expensive and feature-rich switches belong in the core and distribution layers, while less expensive switches can be used at the access layer, where end users connect to the network.

7. Spanning Tree

Spanning tree is a loop-avoidance protocol that lets a network have multiple connections between points without forming forwarding loops. When designing a hierarchical network, you need to take control of the spanning tree settings on your switches. The defaults will work, but they will most likely not be the most effective or efficient choice. Best practice is to place the root of your spanning tree in the core layer of the network.

If your network isn't clearly tiered, the root switch should at least be the one closest to the Internet or the servers, whichever carries the most traffic.
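Why the defaults are rarely what you want, as an added example that is not from the article: spanning tree elects as root the switch with the lowest bridge ID (priority, then MAC address), so with every switch at the default priority the root lands on whichever switch happens to have the lowest MAC, often an old access switch. The switch names, layers and MAC addresses below are constructed.

```python
# Added example (not from the article): root election with default settings
# versus a deliberately configured core. A bridge ID is (priority, MAC) and the
# lowest wins. Switch names, layers and MACs are constructed sample data.

DEFAULT_PRIORITY = 32768  # the IEEE 802.1D default on most switches

# (name, layer, MAC). The old access switch happens to have the lowest MAC.
SWITCHES = [
    ("core-1", "core", "00:1b:0c:aa:00:01"),
    ("dist-1", "distribution", "00:1b:0c:bb:00:01"),
    ("access-7", "access", "00:00:0c:11:22:33"),
]


def bridge_id(priority, mac):
    """Comparable bridge ID: priority first, MAC as the tiebreaker."""
    return (priority, int(mac.replace(":", ""), 16))


def elect_root(switches, priorities=None):
    """Return the name of the switch with the lowest bridge ID."""
    priorities = priorities or {}
    best = min(
        switches,
        key=lambda s: bridge_id(priorities.get(s[0], DEFAULT_PRIORITY), s[2]),
    )
    return best[0]


def core_priorities(switches, core_priority=4096):
    """Design intent: lower the core switch priority so the root lands in the
    core regardless of which switch has the lowest MAC."""
    return {name: core_priority for name, layer, _ in switches if layer == "core"}


def root_in_core(switches, priorities=None):
    """Audit check: does the elected root actually sit in the core layer?"""
    root = elect_root(switches, priorities)
    return any(name == root and layer == "core" for name, layer, _ in switches)


if __name__ == "__main__":
    print("defaults  :", elect_root(SWITCHES), root_in_core(SWITCHES))
    tuned = core_priorities(SWITCHES)
    print("configured:", elect_root(SWITCHES, tuned), root_in_core(SWITCHES, tuned))
```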

8. Port Channel

A port channel is also known as EtherChannel, NIC teaming, or link aggregation. It bundles multiple physical links into a single logical link, which does two things for you. First, it increases the speed of the link between two devices: channel two 1Gbps ports together and you effectively have one 2Gbps connection. Second, it provides redundancy, because the channel doesn't require every configured port to be active. If a port fails or a cable goes bad, the connection doesn't drop; you simply run at a lower speed. That is a degraded state, but the link is still up and operational.

9. Wireless

Today, wireless access is very popular because it avoids costly cabling. However, it is inherently very insecure. Modern wireless has become more secure, but broadcasting your data through the air in every direction still carries major security concerns. The most secure way to deploy wireless is to give wireless users Internet-only access. Employees then use a VPN to connect back into the office when on wireless, so any sensitive information travels through an encrypted tunnel.

And remember that you are still responsible for the activity on your network. It is vital to set up web filters and firewalls so that your network isn't being used for nefarious activities.

10. Port Security

Most small and medium business switches have a feature called port security, which allows only a particular computer, or a defined set of computers, to use a given port on the switch. If the switch notices a violation, it can disable the port, cutting off network access. While this feature is typically implemented only in high-security environments, it is still worth considering. It isn't always feasible for small businesses or organizations with shared workspace.
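The behaviour described above, as an added example that is not from the article: a small model of port security that allows a fixed number of MAC addresses per port and disables the port on a violation, run over constructed frames from a normal desk and a shared hot desk to show why shared workspace trips it. Port names, MAC addresses and the frame sequence are constructed.

```python
# Added example (not from the article): a model of switch port security with a
# per-port maximum number of learned MAC addresses; an unknown MAC beyond the
# limit is a violation that shuts the port. All sample data is constructed.

class PortSecurity:
    def __init__(self, max_addresses=1):
        self.max = max_addresses
        self.allowed = {}        # port -> set of permitted MACs (learned)
        self.shutdown = set()    # ports that have been disabled
        self.violations = []     # (port, offending MAC), for the log

    def frame(self, port, src_mac):
        """Return True if the frame is forwarded, False if it is dropped."""
        if port in self.shutdown:
            return False
        allowed = self.allowed.setdefault(port, set())
        if src_mac in allowed:
            return True
        if len(allowed) < self.max:
            allowed.add(src_mac)   # first device(s) seen claim the slots
            return True
        # Violation: an unknown MAC beyond the limit disables the port.
        self.violations.append((port, src_mac))
        self.shutdown.add(port)
        return False


# Constructed traffic: one normal desk (Gi1/0/1), one shared desk (Gi1/0/2).
FRAMES = [
    ("Gi1/0/1", "aa:aa:aa:00:00:01"),
    ("Gi1/0/1", "aa:aa:aa:00:00:01"),
    ("Gi1/0/2", "bb:bb:bb:00:00:01"),
    ("Gi1/0/2", "bb:bb:bb:00:00:02"),  # second laptop on the shared desk
    ("Gi1/0/2", "bb:bb:bb:00:00:01"),  # original laptop is now locked out too
]


def run(frames, max_addresses=1):
    """Replay frames; return (forwarded flags, disabled ports, violations)."""
    ps = PortSecurity(max_addresses)
    results = [ps.frame(port, mac) for port, mac in frames]
    return results, sorted(ps.shutdown), ps.violations


if __name__ == "__main__":
    print(run(FRAMES))      # the shared desk trips a violation
    print(run(FRAMES, 2))   # a limit sized for the shared desk does not
```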

11. Physical Security

Physical security doesn't fall within the logical network design, but if you are fortunate enough to help design a workspace or office layout, it is very important. Companies need to set up physical security for all network hardware and mobile devices, and only employees who need to access the hardware should be able to. Proximity cards, keyed locks, fingerprint readers, PIN pads, and retina scanners are all examples of physical security technologies. The level of security and the money available to secure the network will vary greatly, but this is an area that needs attention.

Physical access to a device can give an intruder sensitive information about encryption schemes, network layout, IP addressing, and even usernames and passwords, all of which make a more advanced attack on your network much easier at a later date.


Designing a network that works well for your company can be challenging. However, by following best practices and planning around security and efficiency, the design can fall into place almost effortlessly. Implementing any of these suggestions will add another layer of security to your network.

What are you doing to make it more difficult for hackers to access your data?
