Network security is a set of practices and technologies that protect confidentiality, integrity, and accessibility of enterprise infrastructure, by preventing intrusion and propagation of cyber threats. Increasingly network security focuses on preventing insider threats, as well as intrusion by outside attackers. A network security architecture consists of security processes supported by tools, which can help protect the network fabric and applications running on it from network attacks.
Effective network security uses a defense in depth approach, with multiple automated defenses, each enforcing a set of security policies defined by the organization. In addition, network security requires human security teams who review alerts from security tools, respond to security incidents, and proactively test network security to identify security vulnerabilities and threats.
Cybersecurity is the practice of defending computer systems and data from unauthorized access and damage. Cybersecurity processes and tools protect an organization from a variety of threats including automated attacks, targeted attacks by external attackers, and insider threats.
Network security is a subset of cybersecurity which focuses on protecting corporate networks. Network security includes processes and technologies that can monitor network traffic, identify threats, and take action to mitigate them. Common threats include malware, zero-day attacks, denial of service (DoS), advanced persistent threats (APT), and security misconfigurations.
Malicious software (malware) is designed to perform a specific malicious function. Cybercriminals use malware to steal sensitive information, block access to files, make a system inoperable, and generally disrupt operations.
Each type of malware works differently. For example, ransomware encrypts files and displays a ransom note demanding payment in exchange for a decryption key, Trojans deliver malware by impersonating legitimate software, and spyware covertly gathers information about a target.
Learn more in our detailed guide to malware detection
A phishing attack tricks its targets by impersonating a reputable entity or real person. Cybercriminals typically send out emails containing malicious attachments or links. Users clicking on these links download malware that performs various malicious activities. For example, some malware can extract account information or login credentials.
Phishing attacks can also attempt to trick users into inputting their sensitive information into a legitimate-looking form. This attack is not restricted to emails and may also be deployed via SMS or phone calls.
A Distributed Denial of Service (DDoS) attack employs many compromised computer systems to attack a single target. The goal is to cause a denial of service that takes down network resources such as servers or websites.
A DDoS attack floods the target system with a high volume of connection requests, malformed packets, or incoming messages until it slows down, crashes, or shuts down and can no longer serve legitimate systems or users.
An APT is a targeted cyberattack orchestrated over a long period of time. It involves gaining covert access to a specific network and maintaining that access for as long as needed to achieve the attack’s objective.
Cybercriminals use many resources to carry out APT attacks, which is why they usually choose high-value targets, such as large corporations or nation-states. The typical objective of an APT attack is stealing sensitive information.
A common tactic of APTs is to penetrate the network and gradually attempt privilege escalation and lateral movement to expand their reach. This way, an APT can initially compromise a poorly defended resource such as an employee workstation, and gain control over sensitive systems and data.
Learn more in our detailed guide to Advanced Persistent Threat (APT) attacks
A drive-by download is the unintentional download of malicious code. It does not involve clicking on anything, opening malicious files, or pressing download. This attack infects a computer or mobile device without any action performed by the user.
A drive-by download attack exploits security flaws in operating systems, web browsers, or applications. These vulnerabilities typically occur due to a lack of updates or unsuccessful updates.
A DNS attack involves exploiting vulnerabilities in the domain name system (DNS). There are numerous types of DNS attacks that exploit the communication between client and server. For example, cybercriminals can log in to the website of a DNS provider using stolen credentials and redirect DNS records elsewhere.
A network security architecture should address various areas, including physical security, authentication, access controls, and accountability. All security measures must work together to prevent unauthorized users from entering the network and exposing, modifying, or damaging its contents.
Network security relies on six main functions:
Establishing and enforcing a security policy lets organizations identify malicious behavior and manage security risks. Technological requirements and threats should inform the security policy. Effective policy enforcement requires clear policy provisions and the ability to detect policy violations. Any behavior that doesn’t conform to the policy triggers an alert, and the security team may respond.
Securing a network requires strong visibility across all users, assets, and communications. It is a best practice to embed monitoring and analytics tools into the network architecture to provide visibility into the following elements:
Adding context to security events helps provide actionable insights to inform response decisions. Contextualizing events depends on established knowledge of the network. For example, if systems that do not usually communicate with each other suddenly start to, or if several systems try to communicate simultaneously, it may indicate botnet traffic or a malware attack. Context relies on visibility and analysis.
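The two signals described above (hosts that never talked to each other suddenly communicating, and several hosts reaching one destination at the same time) can be turned into a simple baseline check. The following is an added example, not code from the original article; the flow records, host names and thresholds are constructed for illustration, and a real deployment would learn the baseline from days or weeks of NetFlow or firewall logs rather than a handful of records.

```python
"""Flag host-to-host communication that deviates from a learned baseline.

Added example (not from the original article). Flow records are
constructed: (timestamp_seconds, src_host, dst_host). The baseline is
learned from a quiet period, then new flows are checked for unseen pairs
and for sudden fan-in (many sources hitting one destination at once).
"""
from collections import defaultdict

# Constructed "normal" traffic used to learn the baseline
BASELINE_FLOWS = [
    (0, "ws-01", "file-srv"), (5, "ws-02", "file-srv"), (9, "ws-03", "mail-srv"),
    (20, "ws-01", "mail-srv"), (33, "ws-02", "mail-srv"), (60, "app-srv", "db-srv"),
    (61, "ws-03", "file-srv"),
]

# Constructed traffic to analyse (198.51.100.7 is a documentation address)
NEW_FLOWS = [
    (1000, "ws-01", "file-srv"),       # seen during baseline: normal
    (1001, "ws-02", "db-srv"),         # workstation -> database: never seen before
    (1002, "ws-01", "198.51.100.7"),   # three workstations contact the same
    (1003, "ws-02", "198.51.100.7"),   # unknown external host within 3 seconds,
    (1004, "ws-03", "198.51.100.7"),   # the pattern of beaconing malware
]


def learn_baseline(flows):
    """Return the set of (src, dst) pairs observed during the baseline period."""
    return {(src, dst) for _, src, dst in flows}


def detect_anomalies(flows, baseline, window=10, fan_in_threshold=3):
    """Return a list of (timestamp, reason) findings.

    Two heuristics taken from the article's description of context:
      * a pair of hosts that never communicated during the baseline, and
      * many distinct sources contacting one destination inside a short
        window (simultaneous activity that may indicate botnet traffic).
    """
    findings = []
    recent = defaultdict(list)  # dst -> [(ts, src), ...] inside the window
    for ts, src, dst in sorted(flows):
        if (src, dst) not in baseline:
            findings.append((ts, f"new pair {src} -> {dst}"))
        # Slide the window: keep only events no older than `window` seconds
        recent[dst] = [(t, s) for t, s in recent[dst] if ts - t <= window]
        recent[dst].append((ts, src))
        distinct_sources = {s for _, s in recent[dst]}
        if len(distinct_sources) >= fan_in_threshold:
            findings.append((ts, f"{len(distinct_sources)} hosts contacted {dst} within {window}s"))
            recent[dst] = []  # report each burst once
    return findings


if __name__ == "__main__":
    for ts, reason in detect_anomalies(NEW_FLOWS, learn_baseline(BASELINE_FLOWS)):
        print(ts, reason)
```

On the constructed input this reports four never-seen pairs and one fan-in burst. Both checks depend on the visibility the article calls for: without a baseline of who normally talks to whom, neither alert can be raised.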
Segmenting a network helps mitigate the impact of a breach in one part of the network, restricting its access to the rest of the network. Traditional segmentation approaches use a combination of firewalls, Virtual Local Area Networks (VLANs), and Access Control Lists (ACLs). These techniques help contain attacks and reduce damage, but implementing them can be complex and expensive.
It is important to determine an entity’s level of trust when granting access permissions. Various mechanisms can verify the identity of the user or entity requesting permission. There are two main ways to establish trust for network security:
Large corporate networks have many users who might not know each other personally. Organizations can use public-key cryptography to establish trust with multiple users – the organization serves as the trust guarantor.
Multi-factor authentication (MFA) tools require users to prove their identity with at least two different kinds of proof (for example, a password plus a hardware token or one-time password). IP addresses and digital certificates can also help establish trust.
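The "password plus one-time password" combination can be checked end to end in a few dozen lines. The block below is an added example, not code from the original article: the one-time-password routine follows RFC 6238 TOTP (HMAC-SHA1, 30-second step), the password is stored as a salted PBKDF2 hash, and the in-memory user record is an assumption standing in for a real directory. It also covers two details a practitioner cares about: tolerating one step of clock drift, and refusing a code that has already been accepted.

```python
"""Two-factor login check: something you know (password) plus something
you have (TOTP code from an authenticator app or token).

Added example, not code from the original article. TOTP per RFC 6238;
the user record is an in-memory dict constructed for the example.
"""
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 200_000


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1 variant)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def enroll(password: str, totp_secret: bytes) -> dict:
    """Create a user record: salted PBKDF2 password hash plus the TOTP secret."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": digest, "totp_secret": totp_secret,
            "last_counter": -1}   # highest TOTP step already used, blocks replay


def verify_login(record: dict, password: str, code: str, now: int, step: int = 30) -> bool:
    """Accept only when BOTH factors verify; a correct password alone is not enough."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(digest, record["pw_hash"])

    # Allow one step of clock drift either way, but never a step already consumed.
    accepted_counter = None
    for drift in (-1, 0, 1):
        t = now + drift * step
        counter = t // step
        if counter <= record["last_counter"]:
            continue
        if hmac.compare_digest(totp(record["totp_secret"], t, step), code):
            accepted_counter = counter
            break

    if password_ok and accepted_counter is not None:
        record["last_counter"] = accepted_counter
        return True
    return False


if __name__ == "__main__":
    secret = b"12345678901234567890"             # RFC 6238 test-vector secret
    user = enroll("correct horse battery staple", secret)
    now = 1111111109
    print(verify_login(user, "correct horse battery staple", totp(secret, now), now))  # True
    print(verify_login(user, "correct horse battery staple", totp(secret, now), now))  # False: replay
```

The secret is the RFC 6238 test-vector secret, so the 8-digit codes the function produces can be checked against the RFC's table (for example 94287082 at time 59). Note that the password hash is computed even when the code is wrong, so the two factors fail in roughly constant time.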
Resilience is essential for withstanding successful attacks – it is not enough to rely on preventive methods to secure the network. Proactively building resilience requires a network architecture that can anticipate a breach. Organizations make their networks resilient by deploying two high-availability devices protected by firewalls. If one device fails, the second can take over.
Another way to achieve resilience is to design a network infrastructure that withstands DDoS attacks, for example, increasing the server’s bandwidth. The larger bandwidth can buy time for the security team to mitigate the risks and counter the attack.
The following technologies are commonly used to secure enterprise networks.
Network firewalls were introduced over two decades ago and have become a central part of network security. Firewalls regulate traffic, preventing access to network servers from outside sources unless they are explicitly allowed. They perform packet inspection and filtering, checking the source and destination of every data packet and allowing or rejecting it according to predetermined rules.
A next-generation firewall (NGFW) builds on first-generation firewalls by adding deep packet inspection (DPI), which lets it enforce security policies at the application, port, and protocol levels, not just at the IP level. NGFWs are application aware, meaning they can detect and block malicious applications in the network. They can also inspect encrypted communication over SSL and SSH.
In addition, many NGFW solutions provide additional capabilities such as web content filtering, network address translation (NAT), virtual private networks (VPNs) and malware detection.
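The difference between "predetermined rules on source, destination and port" and "application aware" is easiest to see side by side. The block below is an added example, not code from the original article or from any firewall product: it implements a default-deny packet filter with an ordered rule table, then adds a simplified DPI check that confirms the payload on a port really is the protocol the rule expects. The rule table, addresses and payload heuristics are constructed for illustration.

```python
"""Default-deny packet filter with an optional NGFW-style application check.

Added example, not from the original article or any vendor. Packets are
constructed dicts; the TLS/HTTP recognisers look only at the first bytes of
a payload and stand in for real deep packet inspection.
"""
import ipaddress

# Evaluated top-down, first match wins; anything unmatched is dropped.
#   action, proto, src_net,      dst_net,           dst_port, expected app
RULES = [
    ("allow", "tcp", "0.0.0.0/0",  "203.0.113.10/32", 443, "tls"),   # public HTTPS server
    ("allow", "tcp", "0.0.0.0/0",  "203.0.113.10/32", 80,  "http"),  # public HTTP server
    ("allow", "tcp", "10.0.0.0/8", "10.0.5.20/32",    22,  None),    # SSH from inside only
    ("allow", "udp", "10.0.0.0/8", "10.0.5.53/32",    53,  None),    # internal DNS
]


def looks_like_tls(payload: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), major version 0x03."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def looks_like_http(payload: bytes) -> bool:
    """Plain-text HTTP request line starts with a method token."""
    return payload.split(b" ", 1)[0] in {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE"}


APP_CHECKS = {"tls": looks_like_tls, "http": looks_like_http}


def filter_packet(pkt: dict, rules=RULES, app_aware: bool = True) -> str:
    """Return 'allow' or 'drop'.

    With app_aware=False this behaves like a first-generation packet filter
    (IP, protocol and port only). With app_aware=True a rule that names an
    expected application also requires the payload to look like it.
    """
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    for action, proto, src_net, dst_net, dport, app in rules:
        if pkt["proto"] != proto or pkt["dport"] != dport:
            continue
        if src not in ipaddress.ip_network(src_net) or dst not in ipaddress.ip_network(dst_net):
            continue
        if app_aware and app is not None and not APP_CHECKS[app](pkt.get("payload", b"")):
            return "drop"   # right port, wrong protocol: DPI rejects it
        return action
    return "drop"           # default deny


if __name__ == "__main__":
    http_on_443 = {"src": "198.51.100.5", "dst": "203.0.113.10", "proto": "tcp",
                   "dport": 443, "payload": b"GET / HTTP/1.1\r\n"}
    print("packet filter:", filter_packet(http_on_443, app_aware=False))  # allow
    print("NGFW:         ", filter_packet(http_on_443))                   # drop
```

The interesting case is the HTTP request sent to port 443: a port-based rule allows it because the 5-tuple matches, while the application-aware path drops it because the bytes are not a TLS handshake. The same mechanism is what lets an NGFW refuse a non-web application tunnelled over a web port.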
Firewall as a service (FWaaS) vendors provide cloud-based network traffic inspection that lets organizations augment or decommission on-premises firewall appliances. This reduces the management burden on in-house security staff.
FWaaS vendors provide advanced network security features like next-generation firewall (NGFW) technology, intrusion prevention and detection, URL filtering, application-aware security policy enforcement, advanced malware prevention, and threat intelligence.
An intrusion prevention system (IPS) is a network security solution that can be deployed either as a hardware device or as software. It monitors the network for malicious activity and can immediately block and report malicious traffic. Because it is deployed inline, it must be powerful enough to scan network traffic without affecting performance. IPS is a component of many modern security solutions, including NGFW and unified threat management (UTM).
Network access control (NAC) is used to manage connections to a network by employees, customers, third parties, and guests, whether on site at the organization’s offices or remotely. NAC solutions can restrict access according to policies that determine which users and devices have permissions to which resources on the corporate network.
NAC works by intercepting connection requests, then authenticating them against an identity and access management (IAM) system. Once a user is authenticated by IAM, the NAC system uses its policies to accept or deny the specific connection request. NAC can enable closer control over devices, resources, and roles, and establish location-based connection criteria. It can also help organizations enforce patch management and put in place controls required by specific compliance standards.
Network security policy management (NSPM) uses analytics and manual auditing to optimize network security rules and change management workflows according to real-life conditions. It tests rules, verifies compliance, and visualizes traffic behavior. NSPM solutions typically provide a visual map of the devices and firewall rules in the network, helping administrators understand network paths and whether the restrictions applied are appropriate.
Zero trust architecture (ZTA) is a network security approach that assumes the network has too many entry points to be protected completely and may already contain hostile actors. Instead of relying on blocking external threats at the perimeter, an effective security architecture protects each asset directly.
ZTA is not a specific product – it is an architecture that organizations can set up to suit their security and business needs. It typically involves using a proxy to grant or deny access and permission to users according to their risk profile. The risk profile is informed by various contextual factors, including user device, application, time of day, location, and data sensitivity.
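The per-request, context-driven decision described for a zero trust proxy, and the device-posture check a NAC policy engine applies at connection time, can be expressed as one small policy evaluator. The following is an added example, not code from the original article or from any product: the risk factors, their weights, the sensitivity budgets and the request records are all constructed assumptions chosen to show how the decision changes with context rather than with network location.

```python
"""Context-based access decision of the kind a zero trust proxy or a NAC
policy engine makes for each request.

Added example, not from the original article or any vendor. Factor
weights, thresholds and request records are constructed assumptions.
"""
from datetime import datetime

# Data classes in increasing order of sensitivity
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
# How much risk each class tolerates; restricted data tolerates none
RISK_BUDGET = {0: 6, 1: 4, 2: 2, 3: 0}


def risk_score(req: dict) -> int:
    """Sum the contextual risk factors the article lists; higher is riskier."""
    score = 0
    if not req["device"]["managed"]:
        score += 3                                  # unknown device
    if not req["device"]["patched"]:
        score += 2                                  # NAC-style posture check
    if not req["mfa"]:
        score += 3                                  # single factor only
    hour = datetime.fromisoformat(req["time"]).hour
    if hour < 6 or hour >= 22:
        score += 1                                  # outside usual working hours
    if req["country"] != req["user_home_country"]:
        score += 2                                  # unexpected location
    return score


def decide(req: dict) -> str:
    """Return 'allow', 'step_up' (require MFA or device remediation) or 'deny'."""
    score = risk_score(req)
    budget = RISK_BUDGET[SENSITIVITY[req["data_sensitivity"]]]
    if score <= budget:
        return "allow"
    if not req["mfa"] or not req["device"]["patched"]:
        return "step_up"   # the user can fix this: complete MFA or patch
    return "deny"


def request(**overrides) -> dict:
    """Constructed baseline request (managed, patched, MFA, office hours, at home)."""
    base = {
        "user": "alice", "user_home_country": "DE", "country": "DE",
        "time": "2024-03-05T10:00:00", "mfa": True,
        "device": {"managed": True, "patched": True},
        "application": "hr-portal", "data_sensitivity": "confidential",
    }
    base.update(overrides)
    return base


if __name__ == "__main__":
    print(decide(request()))                                         # allow
    print(decide(request(device={"managed": False, "patched": True})))  # deny
    print(decide(request(mfa=False, data_sensitivity="restricted")))    # step_up
```

The point of the budget table is that the same request can be allowed for internal data and denied for restricted data; identity alone never grants access, and "on the corporate LAN" does not appear as a factor at all.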
Microsegmentation technology helps prevent threat actors from moving laterally across the network. Here are the three categories of microsegmentation tools for network security:
A secure web gateway (SWG) was initially a solution for optimizing bandwidth and has evolved into a system that protects users from malicious websites and content. Modern SWG solutions provide URL filtering, decryption and inspection of HTTPS traffic for malicious activity, data loss prevention, and anti-malware. Most SWGs also provide a limited form of cloud access security broker (CASB).
Secure access service edge (SASE) is a new solution category that combines several network security tools into one. SASE includes SWG, NGFW, zero trust network access (ZTNA), and software-defined wide area networking (SD-WAN). It is a managed, scalable WAN service that provides connectivity between multiple geographical regions and secures network traffic regardless of the physical location of the user or of the company resource being accessed.
Extended detection and response (XDR) is a new paradigm for threat detection and response that extends beyond the network to cover endpoints, email systems, and cloud resources. XDR is a proactive approach to threat detection: it combines data from multiple layers of the IT environment and applies advanced analytics to automatically construct an attack chain from multiple, seemingly isolated events.
XDR allows security teams to:
XDR promises to reduce the time to detection and response in a SOC, improve detection of sophisticated threats that can be missed by existing security technologies, and save time for security teams. This is critical given the global cybersecurity skills shortage and the proliferation of advanced threats on the modern network.
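The core idea above, joining events from different layers into one attack chain, can be shown with a simple entity-based correlation. The block below is an added example, not code from the original article or from any XDR product: the events are constructed, each layer is reduced to a common record shape, and events are chained when they share a user or host within a time window. A chain is reported only when at least two layers contribute, since a single-layer alert is what the existing per-layer tools already produce.

```python
"""Correlate events from email, endpoint, network and cloud layers into an
attack chain by following shared entities (user, host) through time.

Added example, not from the original article or any vendor. Events are
constructed and already normalised to one schema; real telemetry would
need per-source parsing first.
"""
from datetime import datetime, timedelta

EVENTS = [  # constructed sample telemetry
    {"ts": "2024-03-05T09:00:00", "layer": "email",    "user": "alice", "host": None,
     "what": "attachment from never-seen external sender delivered"},
    {"ts": "2024-03-05T09:03:00", "layer": "endpoint", "user": "alice", "host": "ws-01",
     "what": "office application spawned a scripting interpreter"},
    {"ts": "2024-03-05T09:04:00", "layer": "network",  "user": None,    "host": "ws-01",
     "what": "outbound connection to never-seen domain"},
    {"ts": "2024-03-05T09:40:00", "layer": "cloud",    "user": "alice", "host": None,
     "what": "mailbox forwarding rule created from new IP"},
    {"ts": "2024-03-05T11:00:00", "layer": "endpoint", "user": "bob",   "host": "ws-07",
     "what": "unsigned driver load blocked"},
]


def _when(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def _entities(event: dict) -> set:
    return {x for x in (event["user"], event["host"]) if x}


def correlate(events, window=timedelta(hours=1)):
    """Group events that share a user or host (transitively) within the window.

    Returns only chains spanning at least two layers: these are the cross-layer
    stories an XDR surfaces, as opposed to isolated single-tool alerts.
    """
    chains = []  # each: {"entities": set, "events": [event, ...]} in time order
    for event in sorted(events, key=_when):
        ents = _entities(event)
        for chain in chains:
            last_seen = _when(chain["events"][-1])
            if ents & chain["entities"] and _when(event) - last_seen <= window:
                chain["events"].append(event)
                chain["entities"] |= ents   # the chain grows to cover new hosts
                break
        else:
            chains.append({"entities": set(ents), "events": [event]})
    return [c for c in chains if len({e["layer"] for e in c["events"]}) >= 2]


def describe(chain: dict) -> str:
    """Render a chain as 'layer:what -> layer:what -> ...'."""
    return " -> ".join(f'{e["layer"]}:{e["what"]}' for e in chain["events"])


if __name__ == "__main__":
    for chain in correlate(EVENTS):
        print(sorted(chain["entities"]), describe(chain))
```

On the sample, the email delivery, the suspicious child process, the outbound connection and the mailbox rule are stitched into one chain through `alice` and `ws-01`, while the unrelated driver-block event on `ws-07` is left out because nothing links it to the others and it involves only one layer.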
Cynet 360 is the world’s first Autonomous Breach Protection platform that natively integrates the endpoint, network and user attack prevention & detection of XDR with the automated investigation and remediation capabilities of SOAR, backed by a 24/7 world-class MDR service. End to end, fully automated breach protection is now within reach of any organization, regardless of security team size and skill level.
Cynet 360 can be deployed across thousands of endpoints in less than two hours. It can be immediately used to uncover advanced threats and then perform automatic or manual remediation, disrupt malicious activity and minimize damage caused by attacks.
Get a free trial of Cynet 360 and experience the world’s only integrated XDR, SOAR and MDR solution.