In the world of cybersecurity, legal compliance is much more than just filling out a checklist. For companies operating in Turkey, at the top of these compliance steps is Law No. 5651, which makes it mandatory to store internet access records signed with a time stamp. However, many businesses fall into the mistake of seeing 5651 compliance as just "buying a log software" or "enabling logging on the firewall." In reality, a legally valid and cyber-attack-resilient logging infrastructure must be built on a properly designed network architecture.
Structural deficiencies and misconfigurations in the network architecture lead to collected logs being incomplete, incorrect, or legally invalid. The rejection of logs presented to judicial authorities during a cyber incident can leave company managers under direct legal liability. In this article, we will discuss in technical detail the 7 critical mistakes most commonly made when designing a 5651 compliant network architecture and how to correct them.
1. Lack of or Incomplete Network Segmentation (VLAN)
One of the biggest mistakes made when designing network architecture is running all company traffic on a single flat network. When company employees, accounting servers, guest Wi-Fi users, and IoT devices are on the same IP block and the same VLAN, cybersecurity risks increase exponentially.
- The Issue for 5651: In a network without segmentation, it is extremely easy for a guest user or an attacker to access other devices on the local network. Furthermore, it becomes impossible to distinguish which user group the IPs distributed from the DHCP server belong to and to apply special logging policies to them.
- Correct Approach: Corporate networks must be divided into logical sections (VLANs). Separate network segments should be created, such as Employees (VLAN 10), Servers (VLAN 20), Guests (VLAN 30), and IP Phones (VLAN 40). Traffic between these segments must be routed through firewall devices, and separate logging rules must be defined for each segment. To bring your network to a secure and segmented structure, you can get support from our VLAN Design and Configuration Service solutions.
2. Neglecting NAT/PAT Port Logs (Port-Source NAT)
Many IT managers think that logging only "destination IP" and "source IP" information over the firewall is sufficient. However, in modern internet infrastructure, hundreds of devices within the company connect to the external world through a single public IP address. This process is called PAT (Port Address Translation).
- The Issue for 5651: When a cybercrime is committed, judicial authorities only provide you with your public IP address and the "source port" information at which the crime was committed. If you do not keep NAT logs (especially port-based) showing which internal IP went out to the internet using which public IP and source port in your network architecture, you cannot detect which device within the company committed the crime. This situation creates direct legal liability under Law No. 5651.
- Correct Approach: NAT logging rules showing IP-port matching must be fully configured on your firewall and logging systems. The source port, destination port, source IP, and destination IP of each internet outbound request must be recorded with a time stamp.
3. Lack of Time Synchronization (NTP)
In order for logs collected from different network devices (firewall, switch, DHCP server, Active Directory, etc.) to be correlated meaningfully, the clocks of all devices must be exactly the same.
- The Issue for 5651: Even a few seconds of difference between the clocks of devices in the network architecture disrupts log integrity. For example, if the time an IP is distributed on the DHCP server does not match the time that IP goes out to the internet on the firewall, the logs lose their evidence status in court. In addition, the accuracy of logs signed with a time stamp is called into question.
- Correct Approach: All active devices in the network architecture (backbone switches, firewalls, log servers, domain controllers) must be pointed to a common and reliable local or global NTP (Network Time Protocol) server. It must be guaranteed that all systems work synchronized with nanosecond precision.
4. DHCP Lease Time and MAC Matching Mistakes
The DHCP server dynamically distributes IP addresses to devices connecting to the network. The duration of this distribution (Lease Time) directly affects network architecture performance and logging accuracy.
- The Issue for 5651: Keeping the DHCP lease time too short and not logging it causes an IP address to change hands dozens of times during the day. If your logging system does not capture and record DHCP IP distribution logs (DHCP ACK/REQUEST) instantly, you cannot find which physical device (MAC address) the IP involved in a cybercrime at a specific time belonged to at that moment.
- Correct Approach: DHCP lease times should be optimized according to the structure of the network (e.g., 8 days for corporate networks, 2-4 hours for guest networks). Most importantly, IP-MAC matching logs generated by the DHCP server must be transferred to the central log server instantly and stored in a way that they will never be lost.
5. Lack of Authentication in Guest Networks (Guest Wi-Fi)
Providing internet access on Wi-Fi networks offered by companies to their guests without password or with only a common WPA2 password is one of the most critical security and compliance vulnerabilities in network architecture.
- The Issue for 5651: On a network with a shared password, the real identities of people connecting to the internet (T.C. ID Number, SMS OTP, Passport Number, etc.) are not verified. When an illegal activity is carried out over this network, only the MAC address of a foreign device appears in the logs. Since MAC addresses can be easily changed, the real perpetrator cannot be detected, and legal liability remains directly with the company.
- Correct Approach: A Captive Portal (Welcome Page) architecture must be positioned in guest networks. Users must be verified via SMS verification code, T.C. ID verification, or integrated hotel management systems (PMS) before accessing the internet. These credentials must be automatically correlated with the NAT logs generated by the firewall.
6. Using Only UDP as Log Collection Protocol
Network devices usually send the logs they generate to the central log server over the Syslog protocol. The Syslog protocol can work over both UDP (User Datagram Protocol) and TCP (Transmission Control Protocol).
- The Issue for 5651: UDP is a protocol that works with a "send and forget" logic and has no packet delivery guarantee. When network traffic is very heavy or when there is an instantaneous interruption in the network, log packets sent over UDP can be lost. Incomplete logs violate the "integrity and completeness" principle of Law No. 5651 and eliminate legal validity.
- Correct Approach: In the transmission of critical logs (especially firewall NAT and DHCP logs), TCP, which offers packet delivery guarantee, or TLS (Secure Syslog), which provides encrypted and secure transmission, should be preferred. The log collection architecture should be designed as redundant to prevent packet loss.
7. Storing Logs Only on Local Disks (On Firewall)
Many small and medium-sized businesses prefer to store logs directly on the firewall device's own disk instead of setting up a separate log server.
- The Issue for 5651: Local disk capacities of firewall devices are limited. As log volume increases, the device starts writing over old logs. This makes it impossible to store logs for at least 2 years, which is legally mandatory. In addition, if the firewall device malfunctions or suffers a cyber attack, all legal logs can be permanently deleted.
- Correct Approach: Logs should not be kept on the firewall; they must be transferred to a central log server or SIEM (Security Information and Event Management) system located in a separate position in the network architecture. Data on the log server must be signed daily with a time stamp and stored in external backup units.
| Mistake Type | Cybersecurity Risk | 5651 Legal Risk | Correct Solution Method |
|---|---|---|---|
| Flat Network | Lateral movement of the attacker in the network | Inability to distinguish user groups | VLAN segmentation and firewall rules |
| Incomplete NAT/PAT Log | Inability to find the threat source in the internal network | Failure to detect the perpetrator because the source port does not match | IP-Port based source NAT logging |
| Lack of NTP Sync | Blockage of incident analysis and digital forensics processes | Rejection of logs in court due to time mismatch | Connecting all devices to a common NTP server |
| Wi-Fi Without Auth | Intrusion and data theft from outside | Inability to prove the identity of the person using the internet | Captive Portal (SMS, T.C. ID) integration |
What Should a Correct 5651 Network Architecture Look Like?
In order to establish a legally fully compliant and cyber-attack-resilient network architecture, the following components must work together:
- A Powerful Firewall: A next-generation firewall (NGFW) located at the center of the network, inspecting traffic between VLANs and capable of generating detailed NAT/PAT logs. You can get professional configuration support in this regard under our Network Security, Firewall and IPS/IDS Solutions services.
- Central Log and SIEM System: A platform that collects, correlates, and signs logs from the entire network with a time stamp. For detailed information, you can examine our SIEM and Security Event Management Integration solutions.
- Redundant Storage Infrastructure: Storage systems with RAID structure and disaster recovery scenarios considered, where signed logs will be safely stored for at least 2 years.
- Professional IT Consulting: To design your network architecture in accordance with both legal regulations (5651, KVKK) and international standards (ISO 27001), you can benefit from our Business and Management Consulting services.
You can also review our other guides that will strengthen your information security, cybersecurity, and legal compliance processes:
- For 5651 logging obligations and basic concepts: What is 5651 Logging, and for Whom is it Mandatory?
- For correct installation steps of SIEM and syslog architecture: SIEM, Syslog and 5651 Correct Architecture Installation
- For cryptographic protection of log integrity: Log Integrity in 5651 Compliance
- For log archiving and retention period management: Archiving and Retention Strategies in 5651 Projects
- For monitoring and analysis of cybersecurity events: ISO 27001 and Cybersecurity Incidents
- For compliance of network security and firewall policies with standards: ISO 27001 Network Security, Firewall and VPN
- To ensure KVKK compliance in IT infrastructure: IT Infrastructure for KVKK Compliance
- For security of personal data and network isolation: Network Isolation Under KVKK
- For log management in VMware virtualization environments: VMware Logging for ISO 27001
- To increase the security of VMware vSphere environments: ISO 27001 VMware vSphere Security
To make your business's network architecture fully compliant with Law No. 5651, configure VLAN segmentation correctly, and secure your legal responsibilities, you can contact us at any time with our expert engineer staff in Ankara.
Frequently Asked Questions
Why is source port information so important in 5651 logs?
Due to the insufficiency of IP addresses, many devices in the internal network connect to the external world via a single public IP (Public IP). When a cybercrime is committed, only this public IP and the source port number of the connection appear in the logs of the destination server. If source port logs are not kept in your network architecture, you cannot detect the internal device using that port at that hour, and you are legally considered to have failed to find the perpetrator.
Is buying just a firewall sufficient for 5651 compliance?
No, it is not sufficient. The firewall device can generate logs, but it cannot sign them with a legally mandatory time stamp and cannot store them for 2 years due to limited disk capacity. It is mandatory to transfer the logs generated by the firewall to a central log collection software or SIEM system with time stamp signing capability.
If VLAN segmentation is not done, are 5651 logs considered invalid?
Failure to perform VLAN segmentation does not directly invalidate the logs, but it increases cybersecurity risks and makes cyber incident analysis (forensics) extremely difficult. In a network without segmentation, since it is much easier to spoof a user's IP or sniff the traffic of other devices in the network, the reliability and accuracy of the logs may become controversial before judicial authorities.
Conclusion
Law No. 5651 compliance is not only a legal obligation, but also one of the most fundamental building blocks of corporate network security. Segmentation mistakes, NTP sync deficiencies, and incomplete NAT logging made when designing network architecture invite cyber attacks and invalidate your legal compliance processes. A network infrastructure that is correctly configured, has VLAN segmentation, captive portal integration completed, and is supported by a central SIEM system will be your company's safest shield in the digital world.

