Defence in depth is the foundational strategy of network security architecture: deploy multiple, overlapping layers of security controls so that when one layer fails, the others continue to protect the network. No single control is expected to be perfect; the strength lies in the combination, and it only holds if the layers fail independently of one another rather than sharing a single weakness.
Defence in depth is borrowed from military strategy, where multiple defensive lines slow and wear down an advancing enemy. In network security, each layer adds friction for the attacker and gives the defender another chance to detect the intrusion before it reaches the data:
```mermaid
graph TD
    ATK["Attacker"] --> L1
    subgraph L1["Layer 1: Perimeter (Firewall, IPS, DDoS mitigation)"]
        subgraph L2["Layer 2: Network (Segmentation, VLANs, ACLs)"]
            subgraph L3["Layer 3: Host (Endpoint protection, hardening)"]
                subgraph L4["Layer 4: App (WAF, input validation, patching)"]
                    L5["Layer 5: Data (Encryption, DLP, access control)"]
                end
            end
        end
    end
```
| Layer | Description | Controls |
|---|---|---|
| Physical | Physical access to buildings, rooms, and hardware | Locks, CCTV, badges, mantraps |
| Perimeter | The boundary between the external world and the network | Firewalls, IPS, DDoS protection, proxies |
| Network | Internal network structure and segmentation | VLANs, ACLs, micro-segmentation, NDR |
| Host | Individual servers, workstations, and devices | Antivirus, EDR, host firewalls, hardening |
| Application | Software running on the network | WAFs, secure coding, patching, input validation |
| Data | The information that the network exists to protect | Encryption, DLP, access controls, classification |
| Human | The people who use and manage the network | Security awareness training, phishing simulations, policies |
Relying on a single control creates a single point of failure:
| Scenario | Single Control | What Goes Wrong |
|---|---|---|
| Firewall only | Perimeter firewall | Attacker bypasses via phishing — no internal controls |
| Antivirus only | Endpoint AV | Zero-day malware evades signatures — no network detection |
| VPN only | Encrypted tunnel | Compromised credentials grant full access — no segmentation |
| Encryption only | Data encryption | Insider with decryption keys exfiltrates data — no DLP |
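A small coverage-matrix model makes both tables concrete: which attacker techniques a chosen set of controls stops, which techniques are stopped by only one control, and how many controls an attacker has to defeat to walk a given attack path. This is an added example, not code from the lesson. The control-to-technique mapping, the technique names and the attack paths are constructed for illustration from the two tables above; they are assumptions, not measured data.

```python
# Added example, not part of the lesson. The mapping below is constructed
# from the layer and single-control tables; treat every entry as an assumption.

# Control -> techniques it is assumed to stop or detect on its own.
CONTROLS = {
    "perimeter_firewall": {"inbound_port_scan", "inbound_exploit"},
    "ips":                {"inbound_exploit", "known_c2_beacon"},
    "vpn":                {"traffic_interception"},
    "segmentation":       {"lateral_movement"},
    "endpoint_av":        {"known_malware"},
    "edr":                {"known_malware", "zero_day_malware", "lateral_movement"},
    "waf":                {"sql_injection", "inbound_exploit"},
    "encryption":         {"stolen_disk"},
    "dlp":                {"bulk_exfiltration"},
    "awareness_training": {"phishing"},
}
TECHNIQUES = set().union(*CONTROLS.values())


def coverage(selected):
    """Map every technique to the subset of `selected` controls that stop it."""
    cov = {t: set() for t in TECHNIQUES}
    for c in selected:
        for t in CONTROLS[c]:
            cov[t].add(c)
    return cov


def uncovered(selected):
    """Techniques no selected control stops: the gaps in the design."""
    return sorted(t for t, cs in coverage(selected).items() if not cs)


def single_points_of_failure(selected):
    """Techniques stopped by exactly one control: one bypass and nothing is left."""
    return sorted(t for t, cs in coverage(selected).items() if len(cs) == 1)


def depth(selected):
    """Fewest controls covering any technique: the weakest point of the stack."""
    return min(len(cs) for cs in coverage(selected).values())


def controls_to_defeat(selected, path):
    """An attacker must complete every step of `path`, so must defeat every
    selected control that covers any of those steps. Returns that set;
    an empty set means the path meets no friction at all."""
    cov = coverage(selected)
    return set().union(*(cov[t] for t in path))


# Attack paths for the single-control scenarios in the table (constructed).
PHISHING_PATH = ["phishing", "zero_day_malware", "lateral_movement", "bulk_exfiltration"]
CREDS_PATH = ["phishing", "lateral_movement", "bulk_exfiltration"]  # stolen VPN credentials
INSIDER_PATH = ["bulk_exfiltration"]                                # insider already holds the keys

SCENARIOS = {
    "Firewall only":   (["perimeter_firewall"], PHISHING_PATH),
    "Antivirus only":  (["endpoint_av"],        PHISHING_PATH),
    "VPN only":        (["vpn"],                CREDS_PATH),
    "Encryption only": (["encryption"],         INSIDER_PATH),
    "Full stack":      (list(CONTROLS),         PHISHING_PATH),
}


def run_scenarios():
    """Number of controls an attacker has to defeat in each scenario."""
    return {name: len(controls_to_defeat(sel, path))
            for name, (sel, path) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, n in run_scenarios().items():
        print(f"{name:16s} controls to defeat: {n}")
    full = list(CONTROLS)
    print("uncovered by full stack:   ", uncovered(full))
    print("single-control techniques: ", single_points_of_failure(full))
    print("depth of full stack:       ", depth(full))
```

Each single-control scenario scores zero: the one control never touches the path the attacker actually takes, which is exactly what the table describes. The full stack forces the phishing path through four controls (awareness training, EDR, segmentation, DLP). The model also surfaces the caveat the table does not: even the full stack covers several techniques, such as bulk exfiltration, with a single control, so its depth at the weakest point is still one, and the count only means anything if those controls fail independently rather than, say, all depending on the same identity provider.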