Security architecture review as part of your vulnerability assessments

Posted by: Andrew Jefferies

Tagged in: security, assessment, architecture

I get a lot of customers who are looking for vulnerability assessments of specific systems or specific applications. Rarely do people ask for assessments of their overall system architecture. Most assume that since they have a firewall they are covered. Unfortunately, it usually isn't as easy as that.

First of all, what makes a good security architecture? I believe that it needs to take into account, at least, these things:

  • Appropriate use of security zones
  • Segregation of components
  • The technologies in use
  • Monitoring requirements
  • Available infrastructure components
  • Use requirements
  • Communication
  • Ease of securing each zone
  • Performance
  • Availability
  • Manageability

Of course there are a large number of other considerations involved that aren't security related, but this gives us a starting point. I'll focus on a couple of these for this discussion. 

One of the easiest ways to determine an appropriate layout of your architecture is to do a security zone analysis. Take each type of information that is involved in your systems and then categorize and group them based on their security requirements. An easy example of this is the military use of designations such as secret and top secret to define what information can be housed in the same zone. In this case, each designation would require its own zone. 

The other thing to take into account when determining which systems will be in a particular zone is the communications requirements. Some things that should be considered here are:

  • Minimizing the number of ports that are required to communicate through the firewall.
  • Minimizing the use of insecure protocols between zones wherever possible.
  • What are the potential attack vectors on your system?
  • How will the system be managed?

In addition to these considerations, there are industry best practices for architecture, such as defence-in-depth (Good NSA Defence-in-Depth primer), that will help you determine the appropriate strategy.

When you are procuring vulnerability assessment services, you should give serious consideration to having your overall architecture assessed. Usually this assessment task is quick and cheap, but it can be very helpful in evaluating your security posture and pointing out potential issues.
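The zone analysis and the cross-zone communication checks described above can be run over a simple inventory. This is an added example, not code from the original post; the system names, classifications, flows and the list of protocols treated as insecure are all constructed assumptions.

```python
from collections import defaultdict

# Constructed inventory: system -> classification of the data it holds.
SYSTEMS = {
    "web-frontend": "public",
    "app-server": "internal",
    "admin-jump": "internal",
    "hr-db": "confidential",
    "payroll-db": "confidential",
}
# Constructed flows: (source, destination, protocol, port).
FLOWS = [
    ("web-frontend", "app-server", "https", 8443),
    ("app-server", "hr-db", "postgres-tls", 5432),
    ("app-server", "payroll-db", "postgres-tls", 5432),
    ("admin-jump", "hr-db", "telnet", 23),
    ("admin-jump", "app-server", "ssh", 22),
    ("hr-db", "payroll-db", "ftp", 21),
    ("backup-agent", "hr-db", "rsync", 873),  # source missing from inventory
]
# Assumption: these cleartext protocols count as insecure for this review.
INSECURE = {"telnet", "ftp", "http"}

def build_zones(systems):
    """Group systems into one zone per data classification."""
    zones = defaultdict(set)
    for name, classification in systems.items():
        zones[classification].add(name)
    return dict(zones)

def review_flows(systems, flows, insecure=INSECURE):
    """Return (firewall ports per zone pair, insecure cross-zone flows, unclassified flows)."""
    ports, findings, unclassified = defaultdict(set), [], []
    for src, dst, proto, port in flows:
        if src not in systems or dst not in systems:
            unclassified.append((src, dst))  # cannot be zoned until classified
            continue
        pair = (systems[src], systems[dst])
        if pair[0] == pair[1]:
            continue  # stays inside one zone, never crosses the firewall
        ports[pair].add(port)
        if proto in insecure:
            findings.append((src, dst, proto))
    return dict(ports), findings, unclassified

if __name__ == "__main__":
    print(build_zones(SYSTEMS))
    for result in review_flows(SYSTEMS, FLOWS):
        print(result)
```

The port sets per zone pair are the firewall openings to minimize, and a flow that touches a system absent from the inventory is reported rather than silently skipped, since it cannot be placed in a zone until its data is classified.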

 
