How to design a secure network?

How do you design a secure network?

  • How does one go about designing a secure network? Specifically, what are some of the key mechanisms that are important to employ to adequately secure your network? e.g. VPNs, DMZs

  • Answer:

    Lock down workstation configurations to minimal programs, disable usb ports, host a private intranet for critical functions and use proxy servers to screen the internet, require authentication via multiple methods for every user, carefully control admin rights and require cybersecurity certifications to issue them, and use fiber optic cabling with tamper detection. These are implementations of 's answer.

Peter Scheyer at Quora

Other answers

In today's cyber landscape of advanced malware and adversaries, focusing only on specific mechanisms or technologies is a recipe for failure. Moreover, organizations breed a false sense of security when the IT team equates "security" with purchases of the latest intrusion detection systems or firewalls, but lack any real security by failing to design it into their systems, networks, and people. Perimeter security is a relic of the past. It's needed to maintain a very basic level of security (analogy: border & immigration), but does little to address many of the advanced attacks (analogy: special forces) now easily studied or purchased on the black market (e.g. zero-day exploits).

That being said, designing security into your networks and systems should follow two basic principles:

1) Separation of Duties: Just as it is applied in business and accounting to minimize risk, systems and network devices should have different roles in order to avoid creating a single point of failure. This principle encourages modularity to allow agile recovery in the case of one component or more being lost or compromised. Especially useful in disaster recovery management. A practical application is network segmentation. Wikipedia: http://en.wikipedia.org/wiki/Separation_of_duties

2) Principle of Least Privilege: Users and applications should be only allowed to access the bare minimum systems and networks they need in order to function. Therefore, if an adversary successfully compromised a user/application, she would only have access to services used by that specific user/application. A simple example is how a data entry clerk should not have Administrator Privileges to the DBMS server even though he is feeding the database with input. Wikipedia: http://en.wikipedia.org/wiki/Principle_of_least_privilege

There's a whole lot of security issues to talk about, e.g. secure programming, patch management, penetration testing, etc. But generally speaking, these two principles can help you get started in designing your network with the proper security mindset. I won't promote the implementation of these principles by a specific technology/brand because: a) I don't work for, nor am I certified to give recommendations from, a particular vendor; b) it is unwise to design security into a network/system solely based on specific products offered on the market.

Jonathan Marpaung
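The two principles in the answer above (segmentation as a form of separation of duties, and least privilege for users and applications) are easiest to reason about when the policy is written down and checked mechanically. The following is an added example, not code from any answer on this page: it models a default-deny zone policy for a constructed three-tier network, answers "is this flow allowed?", audits the rule set for wildcard grants that violate least privilege, and checks a role's database grants against what its task actually needs (the clerk-versus-DBA example from the answer). All zone names, ports, roles and rules are assumptions constructed for illustration.

```python
"""Zone segmentation policy plus a least-privilege audit.

Added example; the zones, ports, roles and rules are constructed, not
taken from any real network or from the answers on the page.
"""
from __future__ import annotations
from dataclasses import dataclass

ANY = "*"  # wildcard; every use of it is reported by the audit below


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: str  # TCP port as a string, or ANY
    purpose: str


# Default-deny: a flow is dropped unless a rule explicitly allows it.
# Constructed rule set: workstations reach the web only via a proxy, the
# public web tier talks only to the app tier, and only the app tier
# talks to the database.
RULES = [
    Rule("workstations", "proxy", "3128", "screened web access via proxy"),
    Rule("proxy", "internet", "443", "proxy egress"),
    Rule("internet", "dmz-web", "443", "public web front end"),
    Rule("dmz-web", "app", "8443", "web tier to application tier"),
    Rule("app", "db", "5432", "application tier to database"),
    # Deliberately over-broad management rule; the audit should flag it.
    Rule("mgmt", ANY, "22", "jump host administration"),
]


def is_allowed(src_zone: str, dst_zone: str, dst_port: str,
               rules: list[Rule] = RULES) -> bool:
    """Return True only if some rule matches the flow (default deny)."""
    for r in rules:
        if (r.src_zone in (src_zone, ANY)
                and r.dst_zone in (dst_zone, ANY)
                and r.dst_port in (dst_port, ANY)):
            return True
    return False


def audit_least_privilege(rules: list[Rule] = RULES) -> list[str]:
    """List rules whose source, destination or port is a wildcard.

    A wildcard grants more than any single purpose needs, which is the
    kind of excess the principle of least privilege tells us to remove.
    """
    findings = []
    for r in rules:
        fields = (("source", r.src_zone),
                  ("destination", r.dst_zone),
                  ("port", r.dst_port))
        wild = [name for name, value in fields if value == ANY]
        if wild:
            findings.append(f"{r.purpose}: wildcard {', '.join(wild)}")
    return findings


# Constructed database role grants and the privileges each task needs.
ROLE_GRANTS = {
    "data_entry_clerk": {"INSERT"},
    "reporting": {"SELECT"},
    "dba": {"SELECT", "INSERT", "UPDATE", "DELETE", "DROP", "GRANT"},
}
TASK_NEEDS = {
    "data entry": {"INSERT"},
    "reporting": {"SELECT"},
}


def excess_privileges(role: str, task: str) -> set[str]:
    """Privileges the role holds beyond what its task requires.

    An empty set means the role is at least-privilege for that task.
    """
    return ROLE_GRANTS[role] - TASK_NEEDS[task]


if __name__ == "__main__":
    print("app -> db:5432 allowed:", is_allowed("app", "db", "5432"))
    print("workstations -> db:5432 allowed:",
          is_allowed("workstations", "db", "5432"))
    for finding in audit_least_privilege():
        print("audit:", finding)
    print("clerk excess for data entry:",
          excess_privileges("data_entry_clerk", "data entry"))
    print("dba excess if used for data entry:",
          sorted(excess_privileges("dba", "data entry")))
```

The point of keeping the rule set as data is that the same file can be fed to a firewall generator and to the audit, so a segmentation bypass (workstations talking to the database directly) or an over-broad grant is caught when the policy changes rather than after an incident.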

Great question. I agree with Jonathan's point. If you're interested in this topic, I strongly encourage you to look up a Zero Trust model. Have a look at this blog post: http://spyders.ca/reduce-risk-by-adopting-a-zero-trust-modelapproach-to-security/ . I also recommend watching the video from John Kindervag, Principal Analyst at Forrester Research. He defines the "Zero Trust" network architecture, the three key concepts, and the architecture elements that make up a Zero Trust network. Good luck.

Ahmad Abdalla
