What is the castle-and-moat network security model?

'Castle-and-moat' refers to a network security model in which everyone inside the network is trusted by default.

Learning Objectives

After reading this article you will be able to:

  • Define 'castle-and-moat' in a network security context
  • Describe how castle-and-moat networks manage access and defend the network perimeter
  • Contrast castle-and-moat with Zero Trust security

Related Content


Want to keep learning?

Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!

Refer to Cloudflare's Privacy Policy to learn how we collect and process your personal data.

Copy article link

What is the castle-and-moat network model?

"Castle-and-moat" is a network security model in which no one outside the network is able to access data on the inside, but everyone inside the network can. Imagine an organization's network as a castle and the network perimeter as a moat. Once the drawbridge is lowered and someone crosses it, they have free rein inside the castle grounds. Similarly, once a user connects to a network in this model, they are able to access all the applications and data within that network.

Organizations that use this model dedicate a lot of resources to defending their network perimeter, just as a castle might place the most guards near the drawbridge. They deploy firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), and other security products that block most external attacks — but are not as effective at stopping internal attacks, insider threats, and data breaches.

"Castle-and-moat" is not necessarily a deliberately chosen strategy. The term came into use to contrast traditional network architecture with Zero Trust architecture.

What are the problems with the castle-and-moat approach?

Today, the castle-and-moat approach is becoming outdated. For most companies, data is spread across multiple cloud vendors, rather than remaining behind an on-premise network perimeter. To further the analogy: it does not make sense to put all one's resources into defending the castle if the queen and her court are scattered around the countryside.

Some organizations today continue to keep their data in on-premise networks, and others route all Internet-bound traffic through the central corporate network in order to control access to cloud vendors. But these uses of the castle-and-moat model still have inherent security flaws.

The biggest security flaw is that if an attacker gains access to the network — if they cross the "moat" — they can also access any data and systems within. They can breach the network by stealing user credentials, exploiting a security vulnerability, introducing a malware infection, or carrying out a social engineering attack, among other methods. Firewalls and other intrusion prevention tools may stop some of these attacks, but if one gets through, the cost is high.

How does the castle-and-moat model differ from Zero Trust security?

Zero Trust security is a philosophy for how and when users are allowed to access systems and data. Unlike the castle-and-moat model, Zero Trust security assumes that security risks are present both inside and outside the network. Nothing inside the network is trusted by default — hence the name "Zero Trust."

Zero Trust security requires strict verification for every user and device on the network before granting them access to data and applications.

How is access control managed in a castle-and-moat model?

One way organizations control access when using the castle-and-moat model is virtual private networks, or VPNs. VPNs set up an encrypted connection between connected users — often working remotely — and a VPN server. For certain levels of access, a user has to connect to at least one VPN. Once connected, they can access the resources they need.

Since different users within the same company often require different access privileges, IT teams set up multiple VPNs. Each VPN can be thought of as its own "castle," providing a different level of access.

There are a few drawbacks to such an approach:

  • Vulnerability to attack: A VPN acts as a single point of failure for the applications and data it protects. It only takes one compromised account or device for an attacker to cross the proverbial moat and gain access to VPN-protected data.
  • Slower performance: VPNs encrypt all traffic, which can add a slight amount of latency to the network, depending on the type of encryption used (compare IPsec vs. SSL). For remote employees, a VPN routes all traffic through the VPN server, which could be far away from the employee, slowing network traffic down further.
  • Scalability: If VPN usage exceeds the VPN server's capacity to handle traffic, the server has to be upgraded — a labor-intensive process.
  • Maintenance: VPNs require a lot of time and resources to maintain. IT teams must install the right VPN client on every remote employee's computer, ensure employees are keeping that software up to date, and upgrade or replace VPN hardware regularly.

How does access control work in a Zero Trust architecture?

There are a few basic principles that underlie a Zero Trust architecture:

These principles are broken down further in What is a Zero Trust network?

Moving from castle-and-moat to Zero Trust: 'SASE'

Aware of the shortcomings of the castle-and-moat model, many organizations are adopting a Zero Trust architecture. While initially such a move was fairly complex, today many vendors offer streamlined Zero Trust solutions that can be turned on quickly. Cloudflare Zero Trust is one such network security solution.

But rather than adopting a separate access management solution, many organizations want Zero Trust security built into the network, not just layered on top of it. Gartner, a global research and advisory firm, has termed this trend "secure access service edge" (SASE). Cloudflare One is an example of a network with Zero Trust security built in.