Designing a Secure Network Architecture and Performing Risk Assessment

Many organizations operate with flat networks or poorly structured segmentation, which increases the risk of lateral movement once an attacker gains access. This project was designed to address that problem by building a more secure and structured network model.

The objective was to design a network for a fictional company that supports business operations while also reducing risk through proper segmentation, controlled access, and visibility into traffic between systems.

Instead of focusing only on diagram creation, this project also includes risk assessment, control justification, and explanation of how each decision improves the overall security posture.

I approached this project by thinking through how an organization’s systems should be separated based on function and risk. This led to designing multiple network segments rather than placing everything on a single network.

The architecture includes internal systems, external-facing services, and protected zones, all separated using VLANs and controlled communication paths. Firewall rules are used to restrict traffic between these segments based on necessity.

Each design decision was made with a specific goal: reduce attack surface, limit unnecessary access, and make it more difficult for an attacker to move freely within the network.

The network is divided into multiple segments, including internal user systems, servers, and a demilitarized zone (DMZ) for externally-facing services. This separation helps control how traffic flows between systems and reduces exposure.

The DMZ is designed to host public-facing services while isolating them from critical internal systems. If a service in the DMZ is compromised, segmentation helps prevent direct access to sensitive internal resources.

Firewall rules enforce strict communication paths between segments, allowing only necessary traffic while blocking unnecessary or risky connections. This reduces the ability for unauthorized movement across the network.

This design follows core security principles such as least privilege, segmentation, and controlled access, all of which contribute to a stronger and more resilient network.

A key part of this project was identifying potential risks within the network and evaluating how they could impact the organization. This included risks such as unauthorized access, lateral movement, exposed services, and misconfigured permissions.

Each identified risk was analyzed and paired with recommended controls. These controls included segmentation, firewall rules, restricted access, and improved monitoring.

The goal was not just to list risks, but to understand how they connect to real systems and how design decisions can reduce their impact.

This project demonstrates the ability to think beyond individual systems and understand how an entire network should be structured to reduce risk. It shows how design decisions affect security outcomes.

It also highlights the importance of planning and architecture in cybersecurity. Many security issues originate from poor design, and this project focuses on addressing those issues at the foundation level.

Combined with hands-on lab work, this project shows both sides of security: building secure systems and detecting issues within them.