Security Architecture Anti-Patterns and Design Mistakes
Common design mistakes to avoid in your security architecture. A guide for network designers, technical architects and security architects responsible for designing secure systems within organisations.
1. Security Anti-Patterns
Common design mistakes to avoid in your security architecture
A guide for network designers, technical architects and security architects responsible for designing secure systems within organisations.
by Francesco Faenzi
2. Agenda
1 Introduction - Common patterns to avoid in system designs and why they're problematic.
2 Anti-pattern 1 - 'Browse-up' for administration: when administration is performed from less trusted devices.
3 Anti-pattern 2 - Management bypass: when layered defences can be short-cut via the management plane.
4 Anti-pattern 3 - Back-to-back firewalls: implementing the same controls with two firewalls in series.
5 Anti-pattern 4 - Building an 'on-prem' solution in the cloud: replicating traditional infrastructure in cloud environments.
6 Anti-pattern 5 - Uncontrolled third party access: allowing unfettered remote access without constraints or monitoring.
7 Anti-pattern 6 - The un-patchable system: when systems cannot be patched due to 24/7 operational requirements.
3. Security Anti-patterns
Common mistakes to avoid in security architecture
A practical guide for network designers, technical architects, and security architects responsible for designing secure systems within organizations.
We will explore the most common patterns to avoid and why they can compromise the security of your systems.
4. Anti-pattern 1: 'Browse-up' for Administration
The Problem
Administration performed from devices less trusted than the system being administered.
Why It's Bad
Compromised credentials or session hijacking can give attackers control of your system.
Better Approach: 'Browse-down'
Use trusted devices for administration. Perform riskier activities in separate processing contexts.
5. Anti-pattern 2: Management Bypass
1 The Problem
Layered defences in the network data plane can be short-cut via the management plane.
2 How to Identify
Management interfaces from different layers connected to a single switch, with no corresponding layered controls between them.
3 Better Approach
Build similar layered defences into management planes as you have in data planes.
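The "how to identify" step above can be checked against an inventory rather than only by eye. The following is an added example (not from the slides or the author) that models each device with a data-plane zone and the management segment its management interface sits on, flags any segment shared by devices from more than one zone, and shows the "better approach" of mirroring the data-plane zoning into the management plane. The inventory, the zone names and the segment naming are constructed assumptions.

```python
from collections import defaultdict

# Constructed inventory (an assumption for this example, not from the slides):
# each device sits in a data-plane zone and has a management interface attached
# to some management segment (VLAN or switch). Zones are listed from least to
# most trusted, matching the order of the layered data-plane defences.
ZONE_ORDER = ["dmz", "app", "db"]

INVENTORY = [
    {"name": "web-01", "zone": "dmz", "mgmt_segment": "mgmt-shared"},
    {"name": "web-02", "zone": "dmz", "mgmt_segment": "mgmt-shared"},
    {"name": "app-01", "zone": "app", "mgmt_segment": "mgmt-shared"},
    {"name": "db-01",  "zone": "db",  "mgmt_segment": "mgmt-shared"},
    {"name": "db-02",  "zone": "db",  "mgmt_segment": "mgmt-db"},
]


def zones_per_segment(inventory):
    """Map each management segment to the set of data-plane zones whose
    devices have a management interface on it."""
    zones = defaultdict(set)
    for dev in inventory:
        zones[dev["mgmt_segment"]].add(dev["zone"])
    return zones


def find_management_bypasses(inventory, zone_order=ZONE_ORDER):
    """Report management segments shared by devices from more than one
    data-plane zone. Each finding lists the zones that share the segment and
    how many data-plane layers that segment short-cuts (the distance between
    the least and most trusted zone present on it)."""
    findings = {}
    for segment, zones in zones_per_segment(inventory).items():
        if len(zones) < 2:
            continue
        ranks = [zone_order.index(z) for z in zones]
        findings[segment] = {
            "zones": sorted(zones, key=zone_order.index),
            "layers_bypassed": max(ranks) - min(ranks),
        }
    return findings


def mirrored_management_segments(inventory):
    """The 'better approach': one management segment per data-plane zone, so
    the management plane carries the same layering as the data plane. Returns
    a copy of the inventory with mgmt_segment rewritten to 'mgmt-<zone>'."""
    return [dict(dev, mgmt_segment=f"mgmt-{dev['zone']}") for dev in inventory]


if __name__ == "__main__":
    for seg, f in find_management_bypasses(INVENTORY).items():
        print(f"{seg}: zones {f['zones']} share one management segment, "
              f"short-cutting {f['layers_bypassed']} data-plane layer(s)")
    fixed = mirrored_management_segments(INVENTORY)
    print("after mirroring the zoning:", find_management_bypasses(fixed))
```

On the constructed inventory the shared segment is reported with all three zones and two layers bypassed; after mirroring, no segment spans more than one zone. In practice the inventory would come from a CMDB or switch port descriptions, and a segment shared between adjacent zones is still a finding, just a smaller one.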
6. Anti-pattern 3: Back-to-back Firewalls
The Problem
Same controls implemented by two firewalls in series, often from different manufacturers.
Why It's Bad
Adds cost, complexity, and maintenance overheads for little benefit.
Better Approach
One well-maintained, well-configured firewall is better than two poorly maintained ones.
Exception
A contract enforcement point between two entities connecting to each other.
7. Anti-pattern 4: 'On-prem' Solution in the Cloud
The Problem
Building the same solution in the cloud that you would have built on-premises.
How to Identify
Database engines, file stores, and security appliances installed on compute instances.
Better Approach
Use higher-order functions and Platform-as-a-Service offerings to reduce infrastructure management.
8. Anti-pattern 5: Uncontrolled Third Party Access
The Problem
Third parties have unfettered remote access without constraints or monitoring.
How to Identify
Look for 'umbilical cords' out of network diagrams to third parties.
Better Approach
Choose third parties carefully, constrain access with least privilege, and maintain audit trails.
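The "umbilical cords" can also be found in the rule base: every rule whose source is a third-party object is one. The following added example (not from the slides or the author) reviews a simplified, constructed rule set and reports each third-party rule that is missing one of the constraints the slide calls for: a scoped destination, a scoped port list, audit logging, and an expiry or review date that has not passed. The rule fields, object names and dates are assumptions made for the example.

```python
from datetime import date

# Constructed data (assumptions for this example, not from the slides): the
# network objects that represent third-party connections, and a simplified
# rule set in which each third-party rule is one 'umbilical cord' inward.
THIRD_PARTY_SOURCES = {"vendor-a-vpn", "msp-b-net"}

RULES = [
    {"id": "r1", "src": "vendor-a-vpn", "dst": "any", "ports": "any",
     "log": False, "expires": None},
    {"id": "r2", "src": "msp-b-net", "dst": "jump-01", "ports": [22],
     "log": True, "expires": date(2026, 1, 31)},
    {"id": "r3", "src": "msp-b-net", "dst": "db-01", "ports": [5432],
     "log": True, "expires": date(2024, 12, 31)},
    {"id": "r4", "src": "corp-lan", "dst": "any", "ports": "any",
     "log": False, "expires": None},
]


def third_party_entry_points(rules, third_parties):
    """Map each third party to the rule ids that admit it: the list of
    'umbilical cords' that should appear on the network diagram."""
    cords = {}
    for rule in rules:
        if rule["src"] in third_parties:
            cords.setdefault(rule["src"], []).append(rule["id"])
    return cords


def review_third_party_rules(rules, third_parties, today):
    """Return [(rule_id, [issues...])] for every third-party rule that lacks a
    least-privilege constraint or an audit trail. Internal sources are out of
    scope for this check (r4 is deliberately broad but is not a third party)."""
    findings = []
    for rule in rules:
        if rule["src"] not in third_parties:
            continue
        issues = []
        if rule["dst"] == "any":
            issues.append("destination unconstrained")
        if rule["ports"] == "any":
            issues.append("ports unconstrained")
        if not rule["log"]:
            issues.append("no audit logging")
        if rule["expires"] is None:
            issues.append("no expiry or review date")
        elif rule["expires"] < today:
            issues.append("expired but still active")
        if issues:
            findings.append((rule["id"], issues))
    return findings


if __name__ == "__main__":
    print("entry points:", third_party_entry_points(RULES, THIRD_PARTY_SOURCES))
    for rule_id, issues in review_third_party_rules(RULES, THIRD_PARTY_SOURCES,
                                                    date(2025, 6, 1)):
        print(f"{rule_id}: " + "; ".join(issues))
```

Run against an export of the real rule base, the same loop gives a per-vendor list of access paths and the gaps in each; the "choose third parties carefully" step is the one part of the slide that no script can do.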
9. Anti-pattern 6: The Un-patchable System
1 Design for Maintenance
Patch in phases without disrupting operations.
2 Redundancy
Systems remain operational during maintenance.
3 Representative Test Systems
Build confidence in the patching process.
4 Regular Patching Schedule
Apply updates little and often.
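The four points above combine into one planning problem: given the redundancy each service actually has, split the estate into patch waves so that every group keeps its minimum number of members in service, patch the representative test hosts first, and refuse to plan around a group that has no spare capacity at all (that group is the un-patchable system, and the fix is redundancy, not a clever schedule). The following added example (not from the slides or the author) does that for a constructed estate; the group names, host names and minimums are assumptions.

```python
# Constructed estate (assumptions for this example, not from the slides):
# hosts grouped by redundancy set, and the minimum number of members each set
# must keep in service while the others are being patched.
GROUPS = {
    "web": ["web-01", "web-02", "web-03"],
    "db":  ["db-01", "db-02"],
}
MIN_IN_SERVICE = {"web": 2, "db": 1}


def plan_rolling_patch(groups, min_in_service, canaries=()):
    """Split hosts into patch waves so that in every wave each redundancy
    group keeps at least its minimum number of members in service.
    Canary (representative test) hosts form a wave of their own first.
    A group whose size equals its minimum has no spare capacity and cannot
    be patched without an outage; that is reported, not silently skipped."""
    unpatchable = [g for g, hosts in groups.items()
                   if len(hosts) - min_in_service[g] < 1]
    if unpatchable:
        raise ValueError(f"no spare capacity in groups: {unpatchable}")
    waves = [list(canaries)] if canaries else []
    remaining = {g: [h for h in hosts if h not in canaries]
                 for g, hosts in groups.items()}
    while any(remaining.values()):
        wave = []
        for g, hosts in remaining.items():
            spare = len(groups[g]) - min_in_service[g]   # hosts patchable at once
            wave.extend(hosts[:spare])
            remaining[g] = hosts[spare:]
        waves.append(wave)
    return waves


def keeps_redundancy(waves, groups, min_in_service):
    """Independent check of a plan: for each wave, count how many members of
    each group are out of service and compare with the minimum that must
    stay up. Also guards the canary wave, which the planner does not size."""
    for wave in waves:
        for g, hosts in groups.items():
            down = sum(1 for h in hosts if h in wave)
            if len(hosts) - down < min_in_service[g]:
                return False
    return True


if __name__ == "__main__":
    plan = plan_rolling_patch(GROUPS, MIN_IN_SERVICE, canaries=("web-01",))
    for i, wave in enumerate(plan, 1):
        print(f"wave {i}: {wave}")
    print("redundancy kept:", keeps_redundancy(plan, GROUPS, MIN_IN_SERVICE))
    try:
        plan_rolling_patch({"sole": ["legacy-01"]}, {"sole": 1})
    except ValueError as e:
        print("cannot plan:", e)
```

The waves come out short (one host per group in this estate), which is what "little and often" looks like in practice: many small, reversible changes rather than one large outage window. The planner only sizes the rolling waves, so the check function is the thing to trust if canaries are chosen from a group with no headroom.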
10. Security Anti-Patterns: Key Takeaways
Avoid these common pitfalls to improve your security posture.
1 Layered Defences
Implement security in layers. Don't rely on a single control.
2 Regular Maintenance
Patch systems frequently. Design for maintainability.
3 Least Privilege
Limit access for both humans and third-party systems.
Editor's Notes
#4 The main problem with this anti-pattern is that administration is performed from devices that are less trusted than the system being administered.
This carries the risk that access credentials may be compromised or the session hijacked, allowing attackers to take control of the system.
The best solution is the so-called "browse-down": use trusted devices for administration and carry out the riskier activities in separate processing contexts.