Skip to content
TechnoGuru — Think Technology, Think TechnoGuru

05 / 09

Case file

04 · IT & Networking

Network Security.

Segmentation. Visibility. Recoverable backups.

Next-generation firewalls, segmentation, NAC, EDR, SIEM and backup — Fortinet, Palo Alto, Sophos, Check Point — designed to how breaches actually unfold, not how vendors describe them.

Network Security — representative visual (illustrative scene, not a project photograph)
Security posture: detection-only versus recovery-ready
Security posture: detection-only versus recovery-ready
AspectDetection-only stackRecovery-ready approach
Design assumptionKeep attackers outAssume a breach and plan recovery
BackupsOnline, rarely testedImmutable, offline, regularly rehearsed
ContainmentFlat networkSegmentation limits lateral movement

Educational comparison — not about any specific installer.

/ The discipline, in detail

How we approach network security.

Most network-security stacks fail not at detection but at recovery. We design with the assumption that the bad day will arrive and the question will be how quickly the organisation is back online. Segmentation that contains lateral movement, EDR on every endpoint that matters, immutable backups stored offline, and a runbook that names the human who picks up the phone at three in the morning. The firewall is necessary but not sufficient.

For an owner, the decision that matters is not which firewall but who is accountable on the worst day, and how fast the organisation is back. We scope the posture around real recovery-time tolerance — what must return within the hour, what can wait until morning, and who holds the offline backup and the runbook. Segmentation and endpoint detection limit how far an intrusion travels; immutable, regularly tested backups decide whether a bad day is an incident or a closure. We design to the compliance regime the sector actually answers to, and we rehearse the recovery rather than assume it.

On record

Every network security engagement is documented end-to-end — design, programming, commissioning, calibration — and handed over with the files our successors would need if we were never to return.

/ Segmentation

Boundaries by design

The same three-tier topology, read as a security document — where VLAN boundaries, firewall policy and management planes are drawn.

Three-tier network topologyA generic enterprise network topology showing a redundant core pair, a distribution layer of stacked switches, and an access layer fanning out to Wi-Fi access points, IP cameras, IP phones and POE-powered building-services endpoints. Brand-neutral pattern — actual project topologies vary with scale and brief.Network topology · three-tier referenceCoreRouting · L3 fabric · failoverDistributionStacked L3 · VLAN aggregation · QoSAccessPoE++ · edge · last-hopCoreRedundant pairDistribution AStacked switchesDistribution BStacked switchesAccess · Floor 1PoE++ · 1 GbEAccess · Floor 2PoE++ · 1 GbEAccess · Floor 3PoE++ · 1 GbEAccess · OutdoorHardened · SFP+EndpointsWi-Fi 6 / 6E / 7 APsIP cameras + NVRIP phones + UCCBMS / fire / accessBuilding servicesPattern only — actual VLAN structure, uplink count and security boundaries are project-specific.
Indicative three-tier enterprise topology — actual deployments vary by site, scale and security policy.

Diagrammatic view — a system planning illustration for design discussion, not a project drawing or live interface.

/ Sister services

The rest of it.

A serious brief usually crosses two or three of these. Read across the discipline — we deliver them as one contract.

/ Plan it right

Network Security — getting the brief right.

Common mistakes to avoid

  • Treating the firewall as the whole answer while the network stays flat — one compromised device should not be able to reach everything.
  • No written recovery objective — which systems must return within the hour and which can wait — so the design defends everything equally and nothing adequately.
  • Backups that are online, on the same network and never restore-tested — discovered on exactly the day they were bought for.
  • Leaving cameras, BMS controllers and access panels on the corporate network without segmentation — ELV devices are the least-patched things in the building.
  • No named owner for the incident runbook, so detection exists but the response at three in the morning is improvised.

What to share before a quotation

  • A picture of the current network — topology, firewall, switching and remote access as they stand.
  • The systems and data that matter most, and how long the organisation can tolerate losing each.
  • The compliance regime the sector answers to, if any.
  • The backup arrangement today — what is backed up, where it lives, and when a restore was last tested.
  • Who runs IT day to day — in-house team, external support, or a mix.

/ Frequently asked

Network Security — what buyers ask first.

MDR or SIEM in-house?

Under 500 employees, managed detection-and-response (MDR) is the right call — the talent cost of running a 24/7 SOC in-house rarely makes sense at that size. Above 500 employees, hybrid MDR-plus-internal-SOC begins to pay back.

What's the right firewall for a typical SMB?

FortiGate, Palo Alto Networks PA-series, or Cisco. For small branch sites, a cloud-managed Cisco appliance is excellent (simple, low ops overhead). For headquarters, FortiGate offers the best price-performance with strong threat intelligence. Palo Alto is the premium tier with the deepest application-aware controls.

What does zero-trust architecture mean in practice?

Every request is authenticated regardless of network location — there is no 'inside the firewall' implicitly trusted zone. Practical implementation: identity-driven access (single sign-on with MFA), device-posture checks before network admission, and micro-segmentation that contains lateral movement. We design to zero-trust principles for any new deployment in 2026.

How do we approach endpoint protection?

EDR or XDR (CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint) on every endpoint that matters. Anti-virus alone is no longer sufficient; behaviour-based detection catches modern malware that signature-based scanners miss. We deploy and integrate with the SIEM for centralised visibility.

What about backup and ransomware recovery?

Immutable, offline-capable backups stored on infrastructure that cannot be modified by a compromised primary network. Veeam, Rubrik or Cohesity to a Wasabi or backblaze cold-storage tier with documented recovery testing. The most important security investment many organisations have not yet made.

How often should we run penetration testing?

Annually at minimum; semi-annually for regulated and high-value organisations. We coordinate with independent penetration-test firms (we don't audit our own work) and the findings flow into a remediation plan with documented closure dates. This is part of the AMC programme for premium clients.

Which firewall brands does TechnoGuru work with?

We work with Fortinet, Sophos and Cisco firewalls, matched to the branch or headquarters role rather than fixed in advance. A small branch site and a headquarters call for different sizing and management models, so the platform follows the deployment. Final make and model are selected after the survey, endpoint count, bandwidth and security policy are reviewed.

How is a firewall sized for a site?

Sizing follows the throughput the site actually needs with inspection enabled, the concurrent-session and user counts, the internet links to be terminated, and the headroom for growth — not the headline number on a datasheet. We size against a survey of the endpoints, bandwidth and the security features to be run. We do not promise a specific inspected-throughput or capacity figure before the design is validated for the site.

How do you separate guest, staff and building-system traffic?

Segmentation is enforced through VLAN policy on the firewall and switching so guest, staff, voice, CCTV and building-system traffic stay isolated, with guest traffic on a captive portal and no path to internal systems. The policy is designed around the realistic access pattern and the client's security requirement rather than a generic template. It is agreed in writing and validated on site, and no security outcome is promised in the abstract.

· Begin

Begin a
network security
brief.

Tell us about the building, the timeline, and what success looks like a year after handover. We will reply within two working days with a written response, not a sales pitch.