Every other security page assumes you can keep it out. This one assumes you could not — because for somebody, eventually, that is what happens. The design question becomes narrower and much more useful: when one machine is taken, does the company lose that machine or lose everything? Production, office and backup separated into zones; a backup path that cannot be walked from an office PC, with an offline copy behind it; gateway and endpoint detection reporting to one place; logs that survive long enough to reconstruct the timeline.
Not hypotheticals — this is the order in which a bad week actually unfolds:
Two questions decide the size of the invoice — how far can it move, and can it reach your backups. The architecture answers both structurally, not with hope:
Architecture drawn by AtlasCommTech following carrier-grade network-security design practice. Diagram labels are kept in English for engineering clarity.
How this differs from our Enterprise Internet Edge Security solution — read this first. That page is about keeping things out: the firewall at your gateway, zones facing the internet, intrusion prevention, flood control. It is a real layer and it stops a great deal of what is thrown at you every day. This page starts one step later, from a less comfortable assumption: it got in. Somebody clicked, or a password was reused, or a contractor's laptop arrived already infected. Prevention is a probability, not a guarantee, and a design that only prevents has no answer for the day the probability lands. So the questions here are different ones — how far can it move once it is inside, can it reach the machine holding your backups, how many days before anyone notices, and can you rebuild without negotiating with a criminal. Most companies need both pages. Neither one covers the other, and we will not imply otherwise.
Why us: our founder spent 13 years inside the Huawei partner ecosystem delivering carrier networks, where isolation between planes is not a feature request — it is the reason a fault in one place does not become an outage everywhere. That is the same reflex a segmentation design needs, applied to a factory or an office instead of a backbone.
The solution is sized to your requirements and budget first — the same architecture can be delivered on several vendors' product lines. We help you choose by supply availability in your destination country, budget and your team's operating habits.
Six controls, all of them answering one question: after the click, what is still standing?
Segmentation is sized by what you must keep separate, not by user count — here is how the tiers differ:
| Scale tier | Typical organisation | What the design includes |
|---|---|---|
| Small business | Single office · clinic · workshop · small trading company | The minimum that actually changes the outcome, and no theatre on top: office and backup separated at the existing gateway, backup targets unreachable from any desk, one offline copy with a written rotation, endpoint protection on every machine, and logs kept somewhere other than the server being backed up. Small does not mean unprotected — it means fewer zones, honestly drawn. |
| Mid-size company | Factory · hotel group · hospital department · distributor | Full three-zone design with a segmentation gateway between production and office, backup zone reachable one-way from the backup system only, gateway inspection with sandboxing, endpoint agents feeding one console, retained logs on a dedicated store, and a written recovery procedure that has been tested rather than filed. |
| Multi-site | Plant group · chain · multi-campus institution | Segmentation per site plus containment between sites — so a compromised branch does not become a corporate event. Central detection and log platform, a backup design with one copy off-site and one offline, per-site recovery targets agreed in writing, and a policy structure that survives the person who wrote it leaving. |
The solution is built from these product categories — the brand is chosen with you at design stage. Exact models depend on your zone count, throughput between zones, retention rules and destination country — so we spec models after your requirements list, not before.
| Role | What it does |
|---|---|
| Segmentation gateways / next-gen firewalls | Sit between zones and enforce default-deny with a short, readable rule set. Sized by the traffic that legitimately crosses zones — which is usually far less than people assume, and that is what makes the tier affordable. |
| Core & access switches with segmentation capability | Carry the zones and enforce the separation at the physical and VLAN layer. The drawing is only real if the switch configuration matches it — that is where segmentation projects usually quietly fail. |
| Gateway inspection & sandboxing | Detonates unknown attachments and files in isolation before they reach a desktop, and blocks callbacks to known command-and-control destinations. Catches a great deal; catches neither everything nor the insider. |
| Endpoint agents (detection & response) | The layer that sees what the network cannot: process behaviour, mass encryption, credential theft. Necessary, not sufficient — it runs on the machine the attacker is trying to own, and we say so. |
| Backup infrastructure & offline media | The isolated repository, plus removable media or tape for the copy that lives off the network. Frequently the least glamorous line in the budget and always the one that decides whether you rebuild or negotiate. |
| Log & detection platform | Collects from gateways, switches and endpoints, keeps the record for your retention period, and gives the timeline someone will need at 3 a.m. Kept off the systems it is watching — a log store inside the blast radius is not a log store. |
Send us your requirements list — what must stay separate, what your recovery target is, how long logs must live, how many sites — and the model list follows. That order keeps the design honest.
An engineer replies with a zone drawing, a backup and log design and the equipment-category list — including the parts you should buy from someone else. Send us your requirements list; the model list follows.