====== 4.1 Security Architecture ======

Overview of [[.:business:sicherheit:start|PQ security components]].

===== System Overview =====

<code>
              Internet / Intranet
                       |
                [Firewall :443]
                       |
+--------------------------------------------------+
|                   PROXY (:443)                   |
|   - TLS 1.3 Termination                          |
|   - Client Certificate Verification              |
|   - Routing Decision                             |
+--------------------------------------------------+
           |                           |
      [Named Pipe]                [TCP :8443]
           |                           |
+---------------------+     +---------------------+
|    Data Gateway     |     |         IIS         |
|   (API Endpoint)    |     |  (other services)   |
+---------------------+     +---------------------+
</code>

===== Components =====

^ Component ^ Function ^ Documentation ^
| Proxy | TLS termination, routing | [[.:administrator:sicherheit:proxy-konfiguration|Proxy Configuration]] |
| Named Pipe | Secure local communication | [[.:administrator:sicherheit:named-pipes|Named Pipes]] |
| Gateway | API processing | [[.:administrator:konfiguration:start|Configuration]] |
| IIS | Fallback for other requests | [[.:administrator:sicherheit:iis-umleitung|IIS Redirection]] |
| Trust Server | Certificate validation | [[.:administrator:sicherheit:trust-server|Trust Server]] |

===== Zero Trust Principles =====

  * Never trust implicitly
  * Always verify
  * Minimal privileges
  * Segmentation

===== Regulatory Background =====

  * [[.:business:sicherheit:eu-regulierung|EU NIS2 and DORA]]
  * [[.:business:sicherheit:nist-standards|NIST FIPS 203/204/205]]
  * [[.:business:sicherheit:kritische-infrastruktur|Critical Infrastructure Requirements]]
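The proxy's two responsibilities from the system overview, TLS 1.3 termination with mandatory client certificates and the fail-closed routing decision between the Named Pipe (Data Gateway) and TCP :8443 (IIS), as an added illustration in Python that is not part of the PQ product or its documentation. The pipe name is a placeholder and the rule that API requests are recognised by the path prefix ''/api/'' is an assumption; the real routing criteria are in the proxy configuration.

```python
import ssl
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# Backend targets from the system overview. The pipe name is a placeholder;
# the real name comes from the proxy configuration.
GATEWAY_PIPE = r"\\.\pipe\PQ-DATA-GATEWAY-PLACEHOLDER"
IIS_TCP: Tuple[str, int] = ("127.0.0.1", 8443)
API_PREFIX = "/api/"   # assumption: API (gateway) requests are identified by path

@dataclass
class ClientRequest:
    path: str
    client_cert_verified: bool          # outcome of the proxy's certificate check
    cert_subject: Optional[str] = None  # only meaningful when verified

@dataclass
class RoutingDecision:
    action: str                         # "pipe", "tcp" or "deny"
    target: Union[str, Tuple[str, int], None]
    reason: str

def make_server_context() -> ssl.SSLContext:
    """Server-side TLS context matching the stated proxy policy:
    TLS 1.3 only, and a client certificate is required to complete the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.verify_mode = ssl.CERT_REQUIRED   # no or unverifiable client cert -> handshake fails
    # ctx.load_verify_locations("trust-ca.pem")  # CA material as provided by the Trust Server
    return ctx

def tls_policy_ok(ctx: ssl.SSLContext) -> bool:
    """Check that a context enforces the two hardening settings above."""
    return (ctx.minimum_version == ssl.TLSVersion.TLSv1_3
            and ctx.verify_mode == ssl.CERT_REQUIRED)

def route(req: ClientRequest) -> RoutingDecision:
    """Routing decision after TLS termination. Zero Trust: nothing is trusted
    implicitly, so a request without a verified client certificate is denied
    before any backend is chosen (fail closed)."""
    if not req.client_cert_verified:
        return RoutingDecision("deny", None, "client certificate not verified")
    if req.path.startswith(API_PREFIX):
        return RoutingDecision("pipe", GATEWAY_PIPE, "API endpoint -> Data Gateway")
    return RoutingDecision("tcp", IIS_TCP, "fallback -> IIS on :8443")
```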