On-Premises Office Network Security Appliances

A walkthrough of the security appliances found in a typical corporate office, ordered from the outermost to innermost layer.

```text
[Internet]
    ↓
[① Firewall]                     ← External/internal boundary, L3/L4 filtering
    ↓
[② IDS/IPS]                      ← Intrusion detection/prevention
    ↓
[③ VPN Gateway]                  ← Encrypted tunnel for remote access
    ↓
[④ WAF]                          ← Web Application Firewall (L7)
    ↓
[⑤ NAC]                          ← Network Access Control (endpoint authentication)
    ↓
[Internal Network / Servers]
```

① Firewall

| Item | Description |
|---|---|
| Role | Filter inbound/outbound traffic, allow/deny by IP/port |
| Position | Boundary between internet and internal network |
| Examples | Fortinet FortiGate, Palo Alto, Cisco ASA, Juniper SRX |
| Cloud equivalent | Security Group + NACL |

Next-generation firewalls (NGFW) inspect up to L7, including application identification, user identification, and SSL decryption.

② IDS/IPS (Intrusion Detection/Prevention System)

| Item | Description |
|---|---|
| IDS | Intrusion detection: alerts on anomalous traffic (monitoring) |
| IPS | Intrusion prevention: automatically blocks anomalous traffic (inline) |
| Examples | Snort, Suricata (open source), Palo Alto Threat Prevention |
| Cloud equivalent | AWS GuardDuty (detection), AWS WAF + Shield (blocking) |

An IDS works from a mirrored copy of the traffic (SPAN port or TAP), so it can only observe and alert; an IPS sits inline in the traffic path and can drop packets. Modern NGFWs increasingly integrate IPS functionality.

③ VPN Gateway

| Item | Description |
|---|---|
| Role | Encrypted tunnel access from external networks into the internal network |
| Types | Site-to-Site (office ↔ cloud), Client VPN (remote → office) |
| Examples | OpenVPN, WireGuard, Cisco AnyConnect, FortiClient |
| Cloud equivalent | AWS Site-to-Site VPN, AWS Client VPN, Tailscale |

④ WAF (Web Application Firewall)

| Item | Description |
|---|---|
| Role | Inspect HTTP requests; block L7 attacks such as SQLi, XSS, CSRF |
| Position | In front of web servers |
| Examples | ModSecurity (open source), F5 BIG-IP, Imperva |
| Cloud equivalent | AWS WAF, CloudFront + WAF, Istio EnvoyFilter WAF |

⑤ NAC (Network Access Control)

| Item | Description |
|---|---|
| Role | Authenticate and verify endpoints before granting network access (antivirus, OS patch status, etc.) |
| Examples | Cisco ISE, Genian NAC, ForeScout |
| Cloud equivalent | IAM Identity Center (SSO), conditional access policies |

On-Prem vs Cloud Security Comparison

| Function | On-Prem Appliance | AWS Cloud |
|---|---|---|
| Network firewall | FortiGate, Palo Alto | Security Group + NACL |
| IDS/IPS | Snort, Suricata | GuardDuty + Shield |
| VPN | OpenVPN, WireGuard | Site-to-Site VPN, Client VPN |
| WAF | ModSecurity, F5 | AWS WAF |
| NAC | Cisco ISE, Genian | IAM Identity Center |
| DDoS protection | Dedicated appliance (Arbor etc.) | Shield Standard/Advanced |
| SSL certificates | Manual purchase/renewal | ACM (free, auto-renewal) |
| Logging/audit | SIEM (Splunk, ELK) | CloudTrail + CloudWatch |
| Access control | LDAP/AD + RADIUS | IAM + SSO |

On-Premises → Cloud Connectivity Options

1. Site-to-Site VPN

Connect the office firewall to an AWS VPC via an IPSec tunnel.

```text
[Office]                                [AWS]
FortiGate ─── IPSec tunnel ──── AWS VPN Gateway
  10.10.0.0/16                          10.0.0.0/16
    ↓                                      ↓
Internal servers/PCs                   EKS, RDS, etc.
```

| Item | Description |
|---|---|
| Bandwidth | Up to 1.25 Gbps per tunnel |
| Encryption | IPSec (IKEv2) |
| Cost | ~$36/month per VPN connection |
| Redundancy | 2 tunnels (Active/Standby) |
| Best for | Small to mid-size, fast setup |

2. AWS Direct Connect

A dedicated physical connection into AWS; more stable and faster than a VPN over the public internet.

```text
[Office] ── Dedicated line ── [Direct Connect Location] ── [AWS VPC]
```

| Item | Description |
|---|---|
| Bandwidth | 1 Gbps to 100 Gbps |
| Latency | Lower and more consistent than VPN |
| Cost | Port fee + data transfer fee (expensive) |
| Best for | Large-scale, latency-sensitive or stability-critical workloads |

3. Client VPN (Individual Access)

Used by developers who connect to AWS VPC resources from home or other remote locations.

```text
[Developer PC] ── OpenVPN/WireGuard ── [AWS Client VPN Endpoint] ── [VPC internal]
```

In the PlayBall project, Tailscale/WireGuard was used to connect to the home server (Dev cluster).

Hybrid Architecture Security Checklist

Network

  • Site-to-Site VPN or Direct Connect configured
  • VPN tunnel redundancy (Active/Standby)
  • Routing tables configured between office and AWS
  • Office firewall permits tunnel traffic only to and from the AWS VPC CIDR ranges
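One way to check the last item above against an exported rule set, as an added example that is not part of the original page. The policy layout is a hypothetical vendor-neutral one (constructed here; adapt the loader to your appliance's export), and the office and AWS CIDRs are the ones from the Site-to-Site diagram; it checks both directions of the tunnel.

```python
"""Audit firewall policies on the AWS tunnel interface for CIDR scoping.

Added example, not from the original page. Policies use a constructed,
vendor-neutral dict layout (hypothetical); real appliances export their own
formats, so replace SAMPLE_POLICIES with a loader for yours.
"""
import ipaddress

OFFICE_CIDR = ipaddress.ip_network("10.10.0.0/16")  # office LAN, from the page's diagram
AWS_VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")   # AWS VPC, from the page's diagram
TUNNEL_IFACE = "vpn-aws"                              # assumed name of the IPsec tunnel interface

# Constructed sample policies, in evaluation order.
SAMPLE_POLICIES = [
    {"name": "lan-to-aws-rds",        "src_iface": "internal", "dst_iface": "vpn-aws",  "src": "10.10.0.0/16",    "dst": "10.0.0.0/16",   "action": "accept"},
    {"name": "lan-to-any-over-vpn",   "src_iface": "internal", "dst_iface": "vpn-aws",  "src": "10.10.0.0/16",    "dst": "0.0.0.0/0",     "action": "accept"},
    {"name": "partner-net-to-aws",    "src_iface": "internal", "dst_iface": "vpn-aws",  "src": "192.168.50.0/24", "dst": "10.0.0.0/16",   "action": "accept"},
    {"name": "aws-mgmt-to-lan",       "src_iface": "vpn-aws",  "dst_iface": "internal", "src": "10.0.5.0/24",     "dst": "10.10.20.0/24", "action": "accept"},
    {"name": "aws-any-to-lan",        "src_iface": "vpn-aws",  "dst_iface": "internal", "src": "0.0.0.0/0",       "dst": "10.10.0.0/16",  "action": "accept"},
    {"name": "lan-to-internet",       "src_iface": "internal", "dst_iface": "wan1",     "src": "10.10.0.0/16",    "dst": "0.0.0.0/0",     "action": "accept"},
    {"name": "vpn-deny-rest",         "src_iface": "vpn-aws",  "dst_iface": "internal", "src": "0.0.0.0/0",       "dst": "0.0.0.0/0",     "action": "deny"},
]


def audit_tunnel_policies(policies, tunnel_iface=TUNNEL_IFACE,
                          office=OFFICE_CIDR, aws=AWS_VPC_CIDR):
    """Return (policy name, reason) for every accept rule that crosses the
    tunnel interface and is not confined to office <-> AWS VPC address space.
    Deny rules and rules on other interfaces are ignored."""
    findings = []
    for p in policies:
        if p["action"] != "accept":
            continue
        if p["dst_iface"] == tunnel_iface:        # office -> AWS direction
            want_src, want_dst = office, aws
        elif p["src_iface"] == tunnel_iface:      # AWS -> office direction
            want_src, want_dst = aws, office
        else:
            continue                              # not a tunnel policy
        src = ipaddress.ip_network(p["src"], strict=False)
        dst = ipaddress.ip_network(p["dst"], strict=False)
        if not src.subnet_of(want_src):           # e.g. 0.0.0.0/0 or a partner range
            findings.append((p["name"], f"source {src} is outside {want_src}"))
        if not dst.subnet_of(want_dst):
            findings.append((p["name"], f"destination {dst} is not limited to {want_dst}"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_tunnel_policies(SAMPLE_POLICIES):
        print(f"FINDING {name}: {reason}")
```

Run it against your own export before and after tightening the rule set; an empty result means every accept rule on the tunnel is confined to the two CIDRs.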

Access Control

  • AWS IAM Identity Center (SSO) configured
  • Office AD/LDAP integrated with SSO
  • MFA enforced
  • Per-environment permission separation (DevOps/Developer/ReadOnly)

Monitoring

  • VPN connection status monitoring (CloudWatch)
  • Office firewall logs forwarded to SIEM
  • AWS CloudTrail audit logging enabled
  • GuardDuty threat detection enabled

Data Protection

  • Encryption in transit (VPN/TLS)
  • Encryption at rest (EBS/RDS/S3 encryption)
  • Credential management (Secrets Manager, no static keys)