Defence in depth is the foundational strategy of network security architecture. It requires deploying multiple, overlapping layers of security controls so that if one layer fails, others continue to protect the network. No single control is expected to be perfect — the strength lies in the combination.
Defence in depth is borrowed from military strategy where multiple defensive lines slow and attrit an advancing enemy. In network security, each layer adds friction for the attacker:
```
             Attacker
                │
                ▼
┌─────────────────────────────────┐
│ Layer 1: Perimeter              │ ← Firewall, IPS, DDoS mitigation
│ ┌─────────────────────────────┐ │
│ │ Layer 2: Network            │ │ ← Segmentation, VLANs, ACLs
│ │ ┌─────────────────────────┐ │ │
│ │ │ Layer 3: Host           │ │ │ ← Endpoint protection, hardening
│ │ │ ┌─────────────────────┐ │ │ │
│ │ │ │ Layer 4: App        │ │ │ │ ← WAF, input validation, patching
│ │ │ │ ┌─────────────────┐ │ │ │ │
│ │ │ │ │ Layer 5         │ │ │ │ │ ← Encryption, DLP, access control
│ │ │ │ │ DATA            │ │ │ │ │
│ │ │ │ └─────────────────┘ │ │ │ │
│ │ │ └─────────────────────┘ │ │ │
│ │ └─────────────────────────┘ │ │
│ └─────────────────────────────┘ │
└─────────────────────────────────┘
```

| Layer | Description | Controls |
|---|---|---|
| Physical | Physical access to buildings, rooms, and hardware | Locks, CCTV, badges, mantraps |
| Perimeter | The boundary between the external world and the network | Firewalls, IPS, DDoS protection, proxies |
| Network | Internal network structure and segmentation | VLANs, ACLs, micro-segmentation, NDR |
| Host | Individual servers, workstations, and devices | Antivirus, EDR, host firewalls, hardening |
| Application | Software running on the network | WAFs, secure coding, patching, input validation |
| Data | The information that the network exists to protect | Encryption, DLP, access controls, classification |
| Human | The people who use and manage the network | Security awareness training, phishing simulations, policies |
Relying on a single control creates a single point of failure:
| Scenario | Single Control | What Goes Wrong |
|---|---|---|
| Firewall only | Perimeter firewall | Attacker bypasses via phishing — no internal controls |
| Antivirus only | Endpoint AV | Zero-day malware evades signatures — no network detection |
| VPN only | Encrypted tunnel | Compromised credentials grant full access — no segmentation |
| Encryption only | Data encryption | Insider with decryption keys exfiltrates data — no DLP |
```
  Layer 1     Layer 2     Layer 3     Layer 4
┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐
│         │ │    O    │ │         │ │         │
│    O    │ │         │ │         │ │    O    │
│         │ │         │ │    O    │ │         │
│         │ │    O    │ │         │ │         │
└─────────┘ └─────────┘ └─────────┘ └─────────┘
```

Each layer has holes (vulnerabilities) — but the holes rarely align across all layers. An attacker must find a path through ALL layers simultaneously.
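The single-point-of-failure table and the Swiss cheese diagram above can both be expressed as a small model. The example below is added here and is not part of the lesson: each control is given a constructed, illustrative probability of stopping each attack vector, and a vector a control does not list at all is a hole in that layer. An attacker only gets through when a path exists through every selected layer, so the model reports which vectors remain fully uncovered (aligned holes), which vector an attacker would pick, and how the breach probability changes as layers are stacked. The `common_cause` parameter is an assumption added to capture the caveat practitioners care about most: layers are not truly independent (a shared misconfiguration, a single vendor outage, or stolen admin credentials can defeat several at once), and treating them as independent overstates the benefit.

```python
from math import prod

# Constructed example data: attack vectors and, per control, the probability that
# the control stops an attempt via that vector. A vector missing from a control's
# map is a hole (the control does not address it at all). All numbers are
# illustrative assumptions, not measured effectiveness figures.
ATTACK_VECTORS = ("direct_exploit", "phishing", "malware",
                  "credential_theft", "exfiltration")

CONTROLS = {
    "perimeter_firewall": {"direct_exploit": 0.9},
    "endpoint_edr":       {"malware": 0.8, "phishing": 0.3},
    "segmentation":       {"credential_theft": 0.6, "direct_exploit": 0.5},
    "dlp_encryption":     {"exfiltration": 0.7},
    "awareness_training": {"phishing": 0.5},
}

FULL_STACK = tuple(CONTROLS)           # all layers deployed
FIREWALL_ONLY = ("perimeter_firewall",) # the "Firewall only" scenario


def success_probability(vector, controls, common_cause=0.0):
    """P(an attempt via `vector` passes every selected layer).

    Layers are treated as independent, which is optimistic. `common_cause`
    (an assumption of this model) is the probability that all layers fail
    together, e.g. a shared misconfiguration or a compromised admin account.
    """
    independent = prod(1.0 - CONTROLS[name].get(vector, 0.0) for name in controls)
    return common_cause + (1.0 - common_cause) * independent


def holes(controls):
    """Vectors that no selected layer addresses: the holes line up end to end."""
    return [v for v in ATTACK_VECTORS
            if all(v not in CONTROLS[name] for name in controls)]


def weakest_vector(controls, common_cause=0.0):
    """The vector a rational attacker picks: highest probability of success."""
    return max(ATTACK_VECTORS,
               key=lambda v: success_probability(v, controls, common_cause))


def assess(controls, common_cause=0.0):
    """Summarise a control set the way the scenario table does."""
    weakest = weakest_vector(controls, common_cause)
    return {
        "layers": len(controls),
        "uncovered_vectors": holes(controls),
        "weakest_vector": weakest,
        "breach_probability": round(
            success_probability(weakest, controls, common_cause), 4),
    }


if __name__ == "__main__":
    for label, stack in (("Firewall only", FIREWALL_ONLY), ("Full stack", FULL_STACK)):
        print(label, assess(stack))
    # With a shared failure mode, stacking layers helps far less:
    print("Full stack, 20% common-cause failure", assess(FULL_STACK, common_cause=0.2))
```

Running the script shows the firewall-only stack with four completely uncovered vectors and a certain breach via phishing, while the full stack leaves no uncovered vector and its worst case drops to a 0.4 chance via credential theft. Raising `common_cause` shows why "more layers" is not the whole answer: controls that fail together (same vendor, same admin credentials, same change window) behave like one layer, which is the argument for diversity between layers, not just their number.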