Efective cooperation between Ukraine and the European Union in the field of cybersecurity, particularly through the interaction of the State Service of Special Communications and Information Protection of Ukraine, the National Cybersecurity Coordination Center, and the EU Agency for Cybersecurity (ENISA), serves as a foundation for developing Ukraine-EU cyber dialogues. These eforts are specifically focused on comprehensive counteraction to cyber threats and ensuring a high level of cyber resilience and protection [ 1, 2 ]. A crucial aspect is the implementation of the EU NIS 2 Directive [ 3 ], which applies to critical infrastructure companies and systems in sectors such as energy, transport, digital infrastructure, ICT service management, environmental protection, healthcare, and space. Compliance with the DSTU ISO/IEC 27001:2023 standard (Information Security, Cybersecurity, and Privacy Protection – Information Security Management Systems – Requirements, ISO/IEC 27001:2022, IDT) introduces a structured approach to cybersecurity. This helps Ukrainian companies operating in the EU market meet the NIS 2 requirements regarding incident notification, corporate security policies, business continuity planning, responsible partnership selection, multi-factor authentication, and cybersecurity training. The progressive trends of the international cyberspace serve as a foundation for developing Ukraine-EU cyber dialogues aimed at creating a universal cybersecurity platform. This platform is designed to counter threats in the context of hybrid warfare, establish mechanisms for security implementation, and integrate cutting-edge security technologies, including new approaches to securing local corporate networks.

In the study [ 4 ], a comprehensive security system for information networks is considered as one of the levels of information technologies based on the "object–threat–protection" concept. Within the framework of comprehensive corporate network security, study [ 5 ] examines network security mechanisms and corresponding tools. Article [ 6 ] analyzes known threats and vulnerabilities in information networks, methods of counteracting them, and proposes efective approaches to ensuring the security of information and telecommunication networks using eficient vulnerability detection methods. The enhancement of information protection systems in computer networks has been further developed through the application of network firewalls such as "Fortigate" and "Cisco ASA" [ 7 ]. Network security trends based on the OSI model have been explored in various works. Study [ 8 ] investigates major attacks on the data link layer of computer networks and methods to neutralize them using Cisco network equipment tools. Research in [ 9, 10 ] examines threats to computer networks at the physical, data link, network, transport, and application layers, analyzing protection methods and technologies. Study [ 11 ] provides a brief analysis of the use of machine learning methods and neural network technologies for anomaly detection in corporate networks. Based on this analysis, a neural network-based method utilizing LSTM and FFN architectures is proposed, along with an algorithmic and software implementation for detecting software and technical impacts on critical infrastructure systems in the context of cyber warfare. A comprehensive approach to the optimal selection of enterprise network security systems, based on an objective comparison of various criteria and their impact on overall security levels and protection reliability, is presented in [ 12 ]. The authors of [ 13 ] describe the most common Internet attack methods and other threats in modern computer networks, as well as highlight contemporary Internet security technologies and network intrusion detection systems. In the field of incident management and information security risk management, the work [ 14 ] examines an approach to developing a management system that ensures the necessary control measures to prevent common cyber threats in various infrastructure segments.

In the realm of network security based on the Zero Trust model (CISA, Cybersecurity and Infrastructure Security Agency), several key approaches have been proposed: A targeted trafic segmentation method that enables analysis of interactions between applications, users, and corporate network infrastructure, enhancing the detection of complex threats [15]; The "never trust, always verify" concept, which requires users to confirm their credentials for every access request, whether inside or outside the company’s network perimeter [16]. Efective security segments for computer systems and networks include comprehensive protection of hardware and software, secure data exchange, and data storage security through access control technologies, data encryption, and network isolation [17]. A notable area of interest is the design of secure network architecture for manufacturing companies. Study [18] explores the application of efective security technologies, such as firewalls and IDS, to enhance system resilience. Modern network security trends encompass methods for detecting distributed network attacks, software-defined networking (SDN), and machine learning techniques [ 19, 20]. In the field of intrusion detection systems (IDS), a new approach based on a long short-term memory neural network (p-LSTM) has been developed, reducing false alerts and improving detection reliability [21]. Security approaches for LAN and WAN networks continue to evolve. Research has examined VPN application scenarios in corporate WAN networks [22] and proposed the use of rfiewalls, obfuscation technologies, and port forwarding to establish a robust security policy [23]. A novel risk assessment (RS) approach has emerged, based on risk weighting in accordance with NIST CSF and ISA/IEC 62443 standards. This approach modifies RS by introducing new risk metrics—risk, risk reduction, risk prioritization, and risk reduction prioritization—to formulate a specialized probability model for assessing risks in broadband WAN networks used in operational technology infrastructure [24]. A relevant segment in the development of secure intellectualization of society’s infrastructure is the systemic security model of the Internet of Things (IoT) architecture. In this model, security technologies are deployed according to the levels of the OSI network model—physical, transport, and application—considering the impact of potential threats [25, 26]. The efective principles embedded in the organization of pseudo-random sequence generator structures [27], namely, the additive Fibonacci generator (AFG) and its modified version (MAFG) with prime number moduli—ensure their eficient hardware implementation while meeting all statistical characteristic requirements. These generators can be utilized in cryptographic information protection devices, including ensuring the security of a local corporate network [28]. The monograph [29] presents a methodology for analyzing the quality of the validation mechanism for identified vulnerabilities in a corporate network, enhancing the efectiveness of security analysis. The eficiency of conservative information security systems and their integration into corporate environments has been thoroughly analyzed in [30], ofering a multicriterial approach to system assessment. Furthermore, the design of secure services for authentication, authorization, and accounting has been addressed in [31], emphasizing the importance of identity management and controlled access within Zero Trust frameworks.

The reviewed methods and network security tools serve as the foundation for developing LCN security approaches, which are currently relevant in the context of ensuring the secure intelligentization of various societal domains.

Based on the conducted analysis, the objectives of this study are as follows: 1) Propose a multi-layered security approach for local corporate networks (LCN) based on the OSI reference model and the "defensein-depth" model; 2) Develop a comprehensive LCN security system within the framework of the "threats – security technologies" concept; 3) Implement a software solution for cryptographic data protection at the transport layer of the OSI model using the AES-256 symmetric block encryption algorithm in Python. The goal of this article is to establish a security methodology for local corporate networks, leveraging a multi-layered approach and a comprehensive security system. Based on this methodology, a software implementation of the AES-256 encryption algorithm will be developed for OpenVPN and TLS technology, serving as an efective mechanism for information protection and ensuring a high level of data security at the transport layer.

The comprehensive security system for a local corporate network in a specific subject area is built based on the OSI and "Defense in Depth" models. It is deployed within the framework of the "Threats – Security Technologies" concept.

1. The OSI model: Physical.

In this case the possible threats are random (electromagnetic interference, damage to cables or connections, failure in the power supply) and targeted (physical intrusion attempts to gain access to equipment, attacks on cables and infrastructure, temperature attacks).

Security technologies with elements of “defense-in-depth” (hardware) include physical hardware intrusion detection mechanisms, use of secure cables and connectors, and use of controlled access to server and communication rooms 2. The OSI model: Data link.

In this case the possible threats are random (noise or interference that may lead to false perception of bits, influence of internal electrical noise band, interference in the wireless channel) and targeted (poisoning the ARP cache, DHCP attacks (DHCP Spoofing), MAC address flooding).

Security technologies with elements of “defense-in-depth” include hardware (control access to the switch ports, IEEE 802.1X Authentication (A mechanism that requires authentication of devices connecting to the network before gaining access), MAC Address Filtering: Restricts devices from connecting to the network based on their MAC address) and software(Software-Based Access Control (Using programs to configure access control policies and assign rights to interact with network ports), Dynamic ARP Inspection Software (Use programs to detect and block invalid ARP responses and prevent ARP attacks), Port Security Software (Port security policies on switches to restrict access to the network)) tools.

3. The OSI model: Network.

Random threats are IP address leakage due to configuration errors or insuficient security, routing table overflow due to a large number of requests, faulty network cards or ports. Targeted threats are IP address spoofing, man-in-the-middle attack, packet snifing, Denial of Service (DoS) or Distributed Denial of Service (DDoS), TCP hijacking (session hijacking).

Security technologies with elements of “defense-in-depth” include hardware (Network Firewalls (Specialized hardware for filtering network trafic based on predefined security rules to block unwanted connections and protect against external threats), IPS (Intrusion Prevention Systems) (The use of hardware accelerators to efectively detect and block intrusions at the network trafic level), use of switches and routers that support various encryption protocols, VPNs, authentication and other security features) and software(Firewall systems (Software for configuring packet filtering rules at the network level to control access and block unwanted connections), IPS (Intrusion Prevention System) and IDS

To implement the proposed comprehensive security system for local corporate networks, we utilize elements of the OSI reference model and the "defense-in-depth" model within the space of efective security tools. These include the OpenVPN protocol, transport layer security (TLS) technology, and the AES-256 symmetric block encryption algorithm, collectively ensuring a high level of information confidentiality, data exchange speed, and connection security.

Among well-known VPN protocols (OpenVPN, WireGuard, IKEv2/IPSec, L2TP/IPSec, PPTP), which manage the creation and encryption of VPN connections, OpenVPN stands out as a universal solution. It is compatible with all platforms and eficiently leverages AES-256, providing a high level of cryptographic resilience when transmitting confidential data within corporate networks.

TLS technology ensures security at the transport layer of the OSI model within a local corporate network by providing user authentication, data confidentiality, and transmission integrity. The advantages of using the AES-256 symmetric block encryption algorithm include: 1) High speed – the algorithm operates eficiently on both hardware and software levels; 2) Reliable security – its structure is resistant to many types of attacks, making it one of the most secure encryption algorithms; 3) Flexibility – support for diferent key lengths allows for adjustable security levels based on specific needs. The encryption algorithm is efectively used for: secure exchange of confidential data in corporate networks, secure data storage, cryptographic data protection in cloud environments and on mobile devices.

For the software implementation of data protection at the transport layer of the OSI model in a local corporate network, the Python programming language was used. It features a clear syntax, a large number of standard and third-party libraries. All of this makes the language universal.

The developed program is a specialized proxy server that can handle the most sensitive data, providing an additional layer of encryption on top of standard TLS protection. In addition to SSL, the proxy server uses AES-256 to ensure an extra level of security for confidential data such as passwords, logins, keys, tokens, etc.

The program’s logic is as follows: the client connects to the proxy server via a standard TLS connection. The proxy then determines whether additional encryption is required for a specific request. If needed, the data is encrypted using AES-256 with a unique session key. The encrypted data is then transmitted through the TLS tunnel to the target server. On the server side, a similar proxy decrypts the data before passing it to the final application.

The main structure of the program code includes the following elements: 1. Importing necessary modules: socket – for network operations (creating a server socket). threading – for handling multiple connections simultaneously. ssl – for establishing a secure connection via TLS. json – for processing JSON data. logging – for event logging. base64 – for encoding/decoding data. os – for generating random keys. cryptography.hazmat – for implementing AES-256 encryption.

2. Server parameters: PROXY_HOST = ’127.0.0.1’ PROXY_PORT = 8443 TARGET_HOST = ’127.0.0.1 TARGET_PORT = 8444

The proxy server listens for connections on 127.0.0.1:8443 and forwards trafic to 127.0.0.1:8444 (acting as an intermediary between the client and the server).

3. Initializing SSL certificates to establish a secure TLS connection: CERT_FILE = ’server.crt’ KEY_FILE = ’server.key’ 4. List of sensitive data patterns that trigger additional encryption by the proxy server: SENSITIVE_PATTERNS = [’password’, ’token’, ’credit’, ’ssn’, ’secret’, ’account’, ’personal’, ’confidential’] 5. Sensitive data encryption:

The proxy server encrypts/decrypts data using AES-256 in CBC mode and exchanges the key between the parties. The following functions are used: def__init__(self): Generates a random key. def encrypt(self, data): Encrypts sensitive data. def decrypt(self, data): Decrypts data. def get_key(self), def set_key(self, key): Handles key exchange between parties. 6. Classifying sensitive data in functions: def__init__(self, patterns=None) - Detects sensitive data based on keywords and patterns. If suspicious keywords are found, the data is considered sensitive and encrypted before transmission and def is_sensitive(self, data) - Checks JSON data. If the input data is JSON, the server parses it into a flat dictionary and verifies all keys and values against patterns from self.patterns. If JSON parsing fails, the proxy server processes the data as plain text.

7. Main server that establishes a connection between two network points and intercepts data: def start(self): Launches the proxy server and connects the client.

def handle_client(self, client_socket, client_address): Connects to the target server and creates two threads for data transmission.

def transfer_data(self, source, destination, direction, is_request): Handles data transmission and detects sensitive information.

To demonstrate the program’s functionality, a test environment was also created. It includes a client that sends various test data and a target server that receives data transmitted through the proxy server. The client sends both plain text and potentially sensitive data. In the proxy server logs, we can observe information about detecting sensitive data and applying additional AES-256 encryption. Meanwhile, in the target server logs, we can see the received data. For clarity, encrypted sensitive data is marked with the prefix "SECURE:".

As shown in Figure 3, four test connections were made, transmitting diferent types of data. During the first and third connections, regular data was sent, while in the second and fourth connections, typical confidential information was transmitted, such as a login, password, and a secret message. Upon detecting sensitive data, the proxy server logs the event and applies additional encryption: client -> server: Sensitive data DETECTED, applying additional encryption; client -> server: Data encrypted by AES-256.

In Figure 4, we can see the data sent by the client and what was received by the target server. During the first and third connections, the data was received in the same form as it was sent. During the second and fourth connections, the target server received the data in an encrypted format, marked with the "SECURE:" prefix. For example: sent data - {"username": "user123", "message": "Sensitive data", "password": "very_secret_password"}; received data - SECURE: dwdncuTZQhwCemt8EkZVjyX5ih8A2R1pQdKZ3ndfXEMjRXfSS4JE3NØf+SiiEgNrQ171nEKR/B1YBZ+qAqhcQt.

The proposed methodology for ensuring information confidentiality in local corporate networks, which: 1) is presented as a multi-level approach based on the OSI reference model and the "defense-in-depth" model; 2) is deployed as a comprehensive security system within the "threat – security technologies" concept, addressing both random and targeted threats; 3) is practically implemented in the information protection mechanism at the transport layer of the OSI model using the AES-256 algorithm in Python, the OpenVPN protocol, and TLS technology, enabling a high level of cybersecurity resilience and protection.

The authors have not employed any Generative AI tools. security threats, in: Lecture Notes in Electrical Engineering, Springer International Publishing, Cham, 2021, pp. 257–271. doi:10.1007/978-3-030-92435-5_15. [15] M. Tolkachov, et al., Development of a method for protecting information resources in a corporate network by segmenting trafic, Eastern-European Journal of Enterprise Technologies (2024) 63–78. doi:10.15587/1729-4061.2024.313158. [16] R. Habash, M. Ibrahem, Zero trust security model for enterprise networks, Iraqi Journal of

Information and Communication Technology 6 (2023) 68–77. doi:10.31987/ijict.6.2.223. [17] G.-L. Zhang, Analysing computer system security and computer network security, Engineering

Technology Trends 2 (2024) 11–15. doi:10.37155/2972-483X-0204-3. [18] O. Hosam, R. Abousamra, M. Hassouna, R. Azzawi, Security analysis and planning for enterprise networks, in: Industry 4.0 Key Technological Advances and Design Principles in Engineering, Education, Business, and Social Applications, 1, 2024, pp. 69–100. doi:10.1201/9781003343332-5. [19] M. Lyu, H. Gharakheili, V. Sivaraman, A survey on enterprise network security: Asset behavioral monitoring and distributed attack detection, IEEE Access 12 (2024) 89363–89383. doi:10.48550/ arXiv.2306.16675. [20] J. Al-Azzeh, M. A. Hadidi, R. Odarchenko, S. Gnatyuk, Z. Shevchuk, Z. Hu, Analysis of selfsimilar trafic models in computer networks. international review on modelling and simulations, International Journal of Computer Network and Information Security 10 (2017) 328–336. doi:10. 15866/iremos.v10i5.12009. [21] M. Sudha, V. Mahesh Kumar Reddy, W. Deva Priya, S. Rafi, S. Subudhi, S. Jayachitra, Optimizing intrusion detection systems using parallel metric learning, Computers and Electrical Engineering 110 (2023) 76–91. doi:10.1016/j.compeleceng.2023.108869. [22] N. Bhagat, MPLS vs. IPsec VPN: Choosing the right network architecture for enterprise WAN, International Journal of Scientific Research in Engineering and Management 5 (2021). doi: 10. 55041/ijsrem11326. [23] A. Taslim, R. Uddin, N. Evan, R. Alam, Enterprise network: Security enhancement and policy management using next-generation firewall, in: Lecture Notes on Data Engineering and Communications Technologies, volume 66, 2021, pp. 753–769. doi:10.1007/978-981-16-0965-7_59. [24] V. Abergos, F. Medjek, A risk assessment analysis to enhance the security of OT WAN with

SD-WAN, Journal of Cybersecurity and Privacy 4 (2024) 910–937. doi:10.3390/jcp4040042. [25] V. Dudykevych, G. Mykytyn, T. Stosyk, P. Skladannyi, Platform for the security of cyber-physical systems and the iot in the intellectualization of society, in: CEUR Workshop Proceedings, volume 3654, 2024, pp. 449–457. [26] Y. Averyanova, et al., UAS cyber security hazards analysis and approach to qualitative assessment, in: S. Shukla, et al. (Eds.), Data Science and Security, volume 290 of Lecture Notes in Networks and Systems, Springer, Singapore, 2021, pp. 258–265. doi:10.1007/978-981-16-4486-3_28. [27] V. Maksymovych, et al., Generator of pseudorandom bit sequence with increased cryptographic security, Metallurgical and Mining Industry: scientific and technical journal (2014) 25–29. [28] V. Maksymovych, et al., Development of additive fibonacci generators with improved characteristics for cybersecurity needs, Applied Sciences (Basel) 12 (2022) 15–19. doi:10.3390/ app12031519. [29] S. Yevseiev, Y. Khokhlachova, S. Ostapov, O. Laptiev, O. Korol, S. Milevskyi, et al., Models of socio-cyber-physical systems security, PC Technology Center, Kharkiv, 2023. doi:10.15587/ 978-617-7319-72-5. [30] V. Dudykevych, et al., A multicriterial analysis of the eficiency of conservative information security systems, Eastern-European Journal of Enterprise Technologies (2019) 6–13. doi:10. 15587/1729-4061.2019.166349. [31] D. Shevchuk, et al., Designing secured services for authentication, authorization, and accounting of users, in: CEUR Workshop Proceedings, volume 3550, 2023, pp. 217–225. [32] C. Onyagu, O. Okonkwo, G. Akawuku, J. John, Enhancing security in Internet of Things (IoT) architecture through defense-in-depth mechanism: A comprehensive study, Newport International Journal of Engineering and Physical Sciences 4 (2024) 17–22.