Networks connect devices to each other so that users can access assets such as applications, data, or even other networks such as the internet. Network security protects and monitors the links and the communications within the network using a combination of hardware, software, and enforced policies.
Networks and network security come in a wide range of complexity to fit an equally wide range of needs. People looking to secure a small office or home office (SOHO) environment do not need the same tools and techniques as a small or medium-sized business (SMB), let alone an enterprise with thousands of devices and dozens, if not hundreds, of networks.
This article will briefly outline the types of security needed to secure a network. Then, with that context in hand, we’ll outline minimum, better, and enterprise-class security solutions for each type of security and related solutions outside of network security that may also be needed.
Overall Network Security Best Practices
Network security must address six broad categories of threat:
- Bad Users: unauthorized users (hackers, misconfigured applications, etc.) that intentionally or unintentionally connect to the network
- Bad Devices: unauthorized devices or devices in a compromised state that intentionally or unintentionally threaten the integrity or performance of the network
- Malicious Traffic: network traffic with the purpose to disrupt operations or steal data
- Malicious Intentions: authorized users or devices connected to the network with the intent to disrupt operations or steal data, typically characterized as Insider Threat
- Poor Maintenance: Network components intentionally or unintentionally left vulnerable because of missing updates or obsolete technology
- Operations Disruption: Intentional attacks, unintentional misconfigurations, and other potential situations that threaten the operational uptime or throughput of the network
Each of these categories can be addressed by technical controls which use hardware, software, or configurations to authorize, authenticate, facilitate, protect, and monitor networking traffic. We will group these technical controls into:
- User Access Controls
- Asset Discovery Controls
- Traffic Monitoring Controls
- Resilience, Maintenance & Testing Controls
These technical controls depend heavily on well-defined administrative controls: the policies that specify what the technical controls must enforce. Policies are typically written documents that detail the requirements to be enforced, such as password complexity. They also provide the benchmarks against which the performance of the technical tools is monitored, measured, and reported for key performance indicators (KPIs) and compliance.
The tools also depend on physical controls, which should be implemented to prevent malicious physical access that could destroy or compromise networking equipment such as routers, cables, switches, firewalls, and other networking appliances. These physical controls do not rely on IT technology and are assumed to be in place for the rest of this article.
All three aspects of network security (administrative, technical, and physical controls) seek to exclude unauthorized access to assets or communication. Better network security also monitors for authorized but inappropriate activities or unusual behavior that may indicate compromise, malware activity, or insider threat.
Auditing network and user activity logs should be used to verify successful implementation of network security policies and controls. Penetration testing and vulnerability scanning should be used to test proper implementation and configuration.
User Access Controls
To protect against unauthorized users, network security needs to implement effective access control. At its core, access control requires networks to regulate the users that can connect to the network (directly or remotely) and determine which network resources a specific user can access.
Minimum User Access Controls
Active Directory: The smallest organizations might only worry about device access, that is, the login credentials (username and password) for each device. As an organization grows, formalized and centralized control using Active Directory (AD) or an equivalent Lightweight Directory Access Protocol (LDAP) directory will save time and enable faster response to change requests.
Virtual Private Network (VPN): For remote access, the remote desktop protocol (RDP) can no longer be considered safe. Instead, organizations should use a virtual private network (VPN) solution. Onsite appliances can be expensive and difficult to deploy and maintain for the smallest organizations, so many turn to VPN-as-a-Service providers, sometimes called enterprise VPN solutions, which bill monthly on a per-user basis.
Better User Access Controls
As organizations grow, managing users becomes time consuming and the potential loss from a breach increases. Better network access controls can improve security while decreasing cost and risk.
Access Management Tools: Improved user management with more detailed and automated access controls can be achieved using Identity and Access Management (IAM) or Privileged Access Management (PAM) tools. Some tools will even integrate with HR software so that IT access is provisioned automatically at onboarding and cut off automatically at offboarding. These more sophisticated tools save management time and make it easier to draw granular distinctions between users and the assets they need to access.
Cloud Access Management: Even smaller organizations now use cloud resources, but most internal network controls do not extend to resources hosted outside the network, such as Office 365, Google Docs, other software-as-a-service (SaaS) solutions, and even segregated branch office networks. Cloud access security brokers (CASBs) and secure browser applications can provide consolidated protection for users on both cloud and local networks.
Enterprise User Access Controls
The largest organizations use a variety of cloud resources and need centralized management over multiple offices, many of them international and subject to different compliance regulations. Additionally, enterprises must control a wider variety of users, such as branch office employees, contractors, corporate customers, and even applications.
Application Access: A retail website can make more requests of a resource than its human users do. API calls between related applications (shopping carts, databases, etc.) and direct connections with assets (storage containers, load-balancing servers, web application firewalls, etc.) need to be managed at both the application level and the network level.
Improved Cloud Access Management: Cloud-based resources such as secure web gateways, desktop-as-a-service (DaaS), Azure Active Directory, and similar solutions control user access and management at scale. These solutions also allow for centralized control over a geographically dispersed workforce and collection of assets.
Related Technologies for User Access Controls
Network security concerns itself with users only as they apply to network access. Although beyond the scope of the network itself, effective network security relies on effective authentication of the user elsewhere in the security stack.
AD Security: Robust and secure Active Directory plays a critical role for most organizations to control user access. While not directly related to network security, Active Directory security tools can be installed on servers to protect AD against malicious and negligent activities.
Improved Passwords: Organizations seeking improved security will typically increase password strength requirements by adding complexity or more frequent password rotation. Password managers help users meet more stringent requirements and can enable centralized control as well. Enterprises may also adopt single sign-on (SSO) technologies to streamline access to cloud resources.
Two-Factor Authentication (2FA): In today’s ransomware-riddled environment, two-factor authentication should also be considered a minimum requirement for all forms of remote access. SMS is not considered an optimal solution, but it is often the most convenient and simplest to deploy. For improved security using mobile phones, free authentication apps are available from Google, Microsoft, and others.
Multi-factor Authentication (MFA): Growing organizations face increased breach risk because the potential damage from stolen credentials grows with company size and reputation. To reduce this risk, many adopt multi-factor authentication to provide improved security over 2FA, especially when applications or tokens replace vulnerable SMS text messages as a factor. Biometric and passwordless solutions can be more expensive, but they are difficult to spoof.
Asset Discovery Controls
Unauthorized devices can intercept or redirect network traffic: an attacker may connect an unauthorized computer to the network, deploy a packet sniffer to intercept traffic, or use a phishing link to lure users into a man-in-the-middle attack that steals login credentials and data. Similarly, spoofed domain name system (DNS) records and IP addresses can redirect users from legitimate connections to dangerous and malicious websites.
In addition to malicious devices, networks need to detect potentially dangerous devices introduced through misunderstanding or negligence, such as a laptop missing critical security updates, a jail-broken tablet, or a wi-fi enabled refrigerator connected in the break room without permission.
Minimum Asset Discovery Controls
The smallest organizations often rely on looking around the room to secure their environment. However, many SOHOs rely on wi-fi routers and may need to check whether their neighbors have joined their network.
Periodic Asset Survey: To protect against unauthorized or compromised devices, organizations at minimum must perform periodic inventories of devices connected to the network. The smallest organizations can perform this through a visual inspection and a review of the media access control (MAC) addresses connected to the network.
Better Asset Discovery Controls
Larger organizations need to deploy more sophisticated resources to detect and block rogue devices from more diverse and sizable networks.
Block or Quarantine Devices: Network access control (NAC) solutions test for outdated or vulnerable software on endpoints and redirect devices to quarantine until remediated. Unauthorized devices may be blocked or quarantined. Some NAC capabilities can be achieved by adding MAC address filtering or whitelists to firewalls and servers, but whitelists can be time-consuming to maintain.
Continuous Asset Scans: IT Asset Management (ITAM) tools can scan for devices connected to the network and send alerts or block unregistered devices. Organizations need to verify the types of assets that will be detected. Some applications, cloud infrastructure, networking equipment, or Internet of Things (IoT) devices may require more sophisticated ITAM or additional tools to detect them.
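As an added example (not from the article), the following Python script performs the MAC-address review described under Periodic Asset Survey above and the unregistered-device check that ITAM tools automate: it parses a constructed `arp -a` snapshot, normalizes the addresses, and reports every device that is not in a constructed inventory. The inventory, the ARP output, and the device names are assumptions made up for the example.

```python
"""Compare MAC addresses seen on the network against a registered-device
inventory and report anything unregistered or missing.

Added example, not from the article. The ARP output and the inventory
below are constructed; in practice the snapshot would come from `arp -a`,
a switch's MAC table, or the DHCP server's lease file."""
import re
from typing import Dict, List, NamedTuple

# Constructed inventory: MAC -> device name. A real inventory would live
# in a file or an ITAM tool; it is inline here so the example runs offline.
REGISTERED: Dict[str, str] = {
    "a4:83:e7:12:34:56": "front-desk-pc",
    "00:1a:2b:3c:4d:5e": "office-printer",
    "dc:a6:32:aa:bb:cc": "wifi-router",
}

# Constructed Linux-style `arp -a` output. The two unknown addresses are
# the kind of surprise (a neighbour, a break-room appliance) the article
# warns about; the <incomplete> entry has no MAC and must be skipped.
ARP_SNAPSHOT = """\
? (192.168.1.1) at dc:a6:32:aa:bb:cc [ether] on eth0
? (192.168.1.20) at a4:83:e7:12:34:56 [ether] on eth0
? (192.168.1.21) at 00:1A:2B:3C:4D:5E [ether] on eth0
? (192.168.1.77) at 3c:5a:b4:99:88:77 [ether] on eth0
? (192.168.1.90) at 58:cb:52:de:ad:01 [ether] on wlan0
? (192.168.1.91) at <incomplete> on eth0
"""


class Sighting(NamedTuple):
    ip: str
    mac: str
    iface: str


# Matches "(ip) at mac ... on iface"; the lazy .*? tolerates the
# "[ether]" tag Linux prints between the MAC and the interface.
ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r".*?\bon (?P<iface>\S+)"
)


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so 00:1A:… and 00-1a-… compare equal."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_arp(output: str) -> List[Sighting]:
    """Extract (ip, mac, interface) from arp -a output, skipping incomplete entries."""
    sightings: List[Sighting] = []
    for line in output.splitlines():
        m = ARP_LINE.search(line)
        if m:  # '<incomplete>' lines carry no MAC and therefore do not match
            sightings.append(Sighting(m["ip"], normalize_mac(m["mac"]), m["iface"]))
    return sightings


def find_unregistered(sightings: List[Sighting], inventory: Dict[str, str]) -> List[Sighting]:
    """Sightings whose MAC is not in the inventory: candidates for investigation."""
    known = {normalize_mac(m) for m in inventory}
    return [s for s in sightings if s.mac not in known]


def find_missing(sightings: List[Sighting], inventory: Dict[str, str]) -> List[str]:
    """Registered devices not seen in the snapshot (offline, moved, or MAC changed)."""
    seen = {s.mac for s in sightings}
    return sorted(name for mac, name in inventory.items() if normalize_mac(mac) not in seen)


if __name__ == "__main__":
    seen = parse_arp(ARP_SNAPSHOT)
    for s in find_unregistered(seen, REGISTERED):
        print(f"UNREGISTERED {s.mac} at {s.ip} on {s.iface}")
    for name in find_missing(seen, REGISTERED):
        print(f"NOT SEEN {name}")
```

MAC addresses can be spoofed, and modern phones randomize them per network, so a match only shows that a device is presenting a registered address; treat the report as a prompt for inspection rather than proof of identity.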
Disable Unneeded Features: Any unused access port on a firewall, unneeded remote access (to storage, printers, routers, etc.), and similar features will often go unwatched. Hackers will seek to find and exploit these opportunities, so it is better to simply disable them if they are unneeded. For this reason, organizations should also disable Universal Plug and Play (UPnP) once setup is complete, because hackers have found ways to use its automation features to load malware.
Enterprise Asset Discovery Controls
Enterprise environments extend far beyond a single office and include a wider variety of physical and virtual assets. Virtual environments (virtual servers, routers, containers, etc.) hosted in the cloud or in local data centers cannot be visually inspected and must be monitored using software.
IoT devices such as security cameras, temperature sensors, or heat monitors will be added to networks and often possess security flaws. Operational technology (OT), also known as the industrial internet of things (IIoT), uses smart pumps, conveyor belts, motors, and manufacturing equipment, and the operations teams that install these devices may not always inform the network security team about them.
Tight Asset Access Management: Although too restrictive and tedious to enforce across all devices, for the most valuable assets an organization can limit device and application access very tightly. Whitelists (allow lists) can be created of the specific assets, users, or applications allowed to make connections, and for critical resources MAC address filtering can block devices from even attempting a connection. For further security, implement additional controls (equivalent to MFA) that only permit specific access profiles (specific user, device, time of operation, geofencing, etc.).
Wireless Scanners: Use wireless scanners to detect unexpected wi-fi and cellular (4G, 5G, etc.) connections to IoT, OT, and rogue wi-fi routers. Some connections may be outside the supervised networks and cannot be detected through asset discovery. Unsecured wireless connections must be identified and then blocked or protected by network security. Short-range wireless connections such as Bluetooth, infrared, or ultra-wideband (UWB) should also be disabled unless specifically used and monitored.
Zero Trust Network Access (ZTNA): ZTNA assumes that communication within the network may be compromised and requires continuous verification of user, device, and access levels. ZTNA is a newer, less well-defined technology, but in many cases it can extend outside the local network to protect cloud-based and remote users and assets.
Related Asset Discovery Controls
Some solutions need to be applied outside of network security, but directly reinforce the network security goals to control assets making connections to the network.
Enterprise Mobility Management (EMM) or Mobile Device Management (MDM): Restrict the applications and connections of portable (laptops, etc.) and mobile (phones, tablets, etc.) devices. These management applications can also check a device for jailbreaking, an obsolete OS, or malware, and require remediation before it connects to the network.
Traffic Monitoring Controls
Authorized combinations of users, devices, and assets can still result in malicious traffic from malware or a hacker compromising a system. Yet malicious traffic can also be accidental or an indicator of insider threat activity.
Minimum Traffic Monitoring Controls
The smallest organizations can often deploy built-in security included in their equipment to control traffic inside and into the network.
Integrated Firewall Activation: At a minimum, a SOHO environment needs to turn on the integrated firewall in its wi-fi and internet routers. Likewise, the firewalls on local personal computers should be enabled and, if possible, further restricted for extra protection.
Better Traffic Monitoring Controls
Larger organizations will need more formal and centralized protection against malicious network traffic and monitoring for both operational and security threats in the local network and data centers.
Network Edge Control: Organizations need to deploy modern firewall technologies such as Next-Generation Firewalls (NGFWs) and Unified Threat Management (UTM). For smaller organizations that cannot afford appliances, or organizations that also want to protect cloud assets, Firewall-as-a-Service (FWaaS) tools host scalable firewalls in the cloud for global reach and control. These solutions monitor traffic between the network and the internet for malicious URLs, known malware, and unauthorized access.
Monitor Network Traffic: During an attack, network traffic may contain known indicators of compromise or known malicious file signatures. Firewalls will detect some of this traffic, but only if the traffic is routed through the capacity-limited firewall. Separate intrusion detection systems (IDS), intrusion prevention systems (IPS), network detection and response (NDR), extended detection and response (XDR), and similar systems can inspect the packets. Malicious, malformed, or suspicious packets between devices can be detected, blocked, or quarantined.
Network Segmentation: Growing organizations need to allow different types of access, but should not allow everyone to access everything in the network. Network segmentation can create networks for guests, quarantined networks for insecure devices, and even separate networks for vulnerable IoT, OT, and known obsolete technology. Segmentation can also control traffic loads to help improve network throughput and packet loss rates.
Enterprise Traffic Monitoring Controls
Enterprise-scale networks require the most robust and expansive tools to centralize operations and security monitoring of traffic between remote workers, multiple offices, virtualized technology, IoT, OT, and cloud resources.
Assisted Monitoring: At the largest scales, alerts become overwhelming and often automation and artificial intelligence (AI) will be deployed to accelerate detection of anomalies. AI and machine learning (ML) algorithms can be found deployed in more advanced versions of firewalls, IDS/IPS, NDR, XDR, and many related technologies (EDR, email security, etc.).
Detect Insider Threats: Malicious and accidental insider threat activities can be detected using tools such as data loss prevention (DLP), user and entity behavior analytics (UEBA), or artificial intelligence-enhanced behavior analytics built into firewalls and IDS/IPS solutions. Deception technology using honeypots and similar subterfuge can trigger alerts on both hackers and authorized users attempting to perform malicious actions.
Enterprise Network Protection: When protecting large, sprawling networks, organizations can consider Secure Access Service Edge (SASE) solutions designed to encompass multiple locations, local resources, and cloud resources.
Monitoring Teams: Network traffic itself may not be recognized as malicious, but monitoring through a security information and event management (SIEM) platform, a security operations center (SOC), Managed Detection and Response (MDR), or a similar monitoring team may detect unusual connections. These teams can also respond to alerts and remediate attacks that evade automated response.
Related Traffic Monitoring Controls
While network security monitors the main gateways and internal networks, some traffic occurs beyond the scope of most network security tools. Other technologies need to be deployed so that assets connected to the network do not turn malicious traffic into authorized traffic.
Email Security: Many attacks escape network security detection through malicious emails, such as phishing, business email compromise (BEC), and ransomware. Email security can be enhanced through email security tools, secure email gateways, or even low-cost protocols such as SPF, DKIM, and DMARC.
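As an added example (not from the article), this Python snippet checks published SPF and DMARC TXT records for the weak settings that undermine the low-cost protocols named above: an SPF record ending in +all or ?all, the deprecated ptr mechanism, too many DNS-lookup terms, and a DMARC policy of p=none or a reduced pct. The records are constructed for the reserved example.com and example.net names, so no DNS queries are made; DKIM is left out because its check is the selector key rather than a policy setting.

```python
"""Flag weak SPF and DMARC settings in a domain's TXT records.

Added example, not from the article. The records below are constructed
for the reserved example.com / example.net names; nothing is resolved
via DNS, so the script runs offline."""
import re
from typing import Dict, List

# SPF mechanisms and modifiers that each cost a DNS lookup; RFC 7208 caps a
# record at 10 of them, after which receivers return permerror and the
# record stops protecting anything.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed records: a weak pair beside a corrected pair.
WEAK_SPF = "v=spf1 include:_spf.example.net ptr +all"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                "rua=mailto:dmarc-reports@example.com")


def spf_findings(record: str) -> List[str]:
    """Return the problems found in an SPF record; an empty list means acceptable."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    problems: List[str] = []
    names: List[str] = []
    all_qualifier = None
    for term in terms[1:]:
        # Optional qualifier (+ - ~ ?) followed by the mechanism or modifier name.
        m = re.match(r"([+\-~?]?)([a-z0-9]+)", term.lower())
        if not m:
            problems.append(f"unparseable term {term!r}")
            continue
        qualifier, name = (m.group(1) or "+"), m.group(2)
        names.append(name)
        if name == "all":
            all_qualifier = qualifier
    # The final 'all' decides the fate of senders no other mechanism matched;
    # '-all' (fail) is the safe choice, '~all' (softfail) is tolerable with DMARC.
    if all_qualifier is None:
        problems.append("no 'all' term: unmatched senders get a neutral result")
    elif all_qualifier == "+":
        problems.append("'+all' authorizes any host on the internet to send as this domain")
    elif all_qualifier == "?":
        problems.append("'?all' is neutral, so unmatched senders are not rejected")
    if "ptr" in names:
        problems.append("'ptr' mechanism is deprecated and unreliable (RFC 7208)")
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return problems


def dmarc_findings(record: str) -> List[str]:
    """Return the problems found in a DMARC record; an empty list means acceptable."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):  # DMARC is a ';'-separated list of tag=value
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    problems: List[str] = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid p= policy tag")
    elif policy == "none":
        problems.append("p=none only monitors; spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        problems.append(f"pct={pct} applies the policy to only {pct}% of failing mail")
    if tags.get("sp", "").lower() == "none" and policy != "none":
        problems.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        problems.append("no rua= address, so aggregate reports are never received")
    return problems


if __name__ == "__main__":
    for label, rec, check in (("weak SPF", WEAK_SPF, spf_findings),
                              ("strong SPF", STRONG_SPF, spf_findings),
                              ("weak DMARC", WEAK_DMARC, dmarc_findings),
                              ("strong DMARC", STRONG_DMARC, dmarc_findings)):
        print(label, "->", check(rec) or ["ok"])
```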
Secure Application Access: Trusted applications often will be allowed to communicate freely through the firewall and between related assets (servers, load balancers, databases, etc.). Web Application Firewalls (WAFs) can be installed in front of specific websites, web servers, and applications to add a layer of security to traffic between applications or with unsecured internet connections. Application security and API security should be deployed to prevent code vulnerabilities and other unauthorized access.
Secure Browsing Access: Connections between users and the internet often will be encrypted using HTTPS connections, making inspection difficult or operationally burdensome for firewalls and other monitoring. Additional protection may be deployed using browser security, DNS security, or secure browsers to protect endpoints from malicious websites.
Resilience, Maintenance & Testing Controls
No security will be foolproof. Vulnerabilities, misconfigurations, mistakes, and skilled attackers can create breaches in network and other security. Business disruption can similarly be caused by mistakes, misconfigurations, and errors. Resilience tools make the network resources less vulnerable to failure or help the network to recover quickly from damage or compromise.
Even the most robust security stack and most resilient network will fall apart without maintenance. Although less obvious, a fully maintained and updated network security system can still be vulnerable to misconfigurations. Organizations of all sizes need to test for proper installation and maintenance of network and other security systems.
Minimum Resilience, Maintenance and Testing Controls
SOHO organizations generally avoid spending money, but they should invest some time in making changes to their network systems.
Automate Updates: Local network routers, firewalls, and other equipment can be set to automatically download new updates so that the devices and the firmware do not become vulnerable. However, organizations should also be aware that power failures during updates or buggy updates may result in equipment failure.
Change Defaults: Routers and other equipment generally arrive with publicly-disclosed default settings and names. Hackers often use the public information to access systems retaining their defaults. SOHO owners should change the default router passwords to protect against unauthorized access. The U.S. Federal Trade Commission (FTC) provides broader recommendations to secure home Wi-Fi networks and other tips for SOHO and consumers.
Disable Obsolete Options: IT equipment ships with backwards compatibility, which is problematic because it includes support for obsolete and dangerous options. Insecure protocols and ports such as FTP or SMBv1 should be disabled throughout the ecosystem to prevent future exploits.
Better Resilience, Maintenance and Testing Controls
As organizations grow, visibility into the status of specific devices can become elusive and threaten network security and operations. Organizations need to adopt more formal, centralized control and testing to improve resilience and ensure that devices stay maintained.
Backups: Although more commonly applied to endpoints and data, networks also benefit from periodic backups of settings and configurations. In the event of device failure, backups can reduce the risk of business disruption by accelerating recovery.
Change Management: Change control tracks changes associated with users and devices to ensure that all changes are authorized, approved, and reported. Change control tracking can also help security and operations teams to quickly analyze disruptions originating from changed network settings. Unexpected accidental or malicious changes to network systems will also be caught more quickly and more effectively.
Managed Maintenance: To prevent maintenance-related issues, organizations should implement regular patching and updating of devices. However, automated patching can create conflicts and operations disruptions in more complicated environments, so organizations soon adopt patch management tools and vulnerability management programs for formal rollout of updates, tracking of status, and internal reporting. Many services and tools may be limited in scope, so organizations need to verify that their network equipment will be supported.
Network Microsegmentation: With the rise of software-defined perimeters (SDP), software-defined wide-area networks (SD-WAN), and zero trust network access (ZTNA), organizations can control access at a granular level to prevent internal threats. Not only can virtual networks expand the scope of a network to encompass cloud resources or resources in geographically dispersed locations, they can also create microsegmentation based on user groups (vendor, consultant, marketing department, etc.), access levels (basic user, admin, etc.), or even specific users, assets, or applications. If adequately defined by identity and access management tools, microsegmentation limits the ability of even stolen credentials to harm the network or reach unauthorized resources. Segmentation and microsegmentation make a network more resilient to security failure by limiting attacker access.
Sensitive Device Access Encryption: As companies grow and become more professional, encryption should be used to protect at least key resources, and critical resources need additional protection. Operating systems such as Windows offer settings that require encrypted connections to specific assets or throughout the network. Other settings should be changed to prevent the transmission or storage of plain-text passwords and to ensure that passwords are stored as salted hashes.
Vulnerability Scans and Testing: Security strategies need to be tested for resilience against attack or operational pressure. Traffic volume tests or vulnerability scans catch misconfigurations, unapplied or incorrectly applied encryption, sloppy encryption key management, weak passwords, missing authorization, and other common issues before hackers can exploit them.
Upgraded Network Capabilities: Some anti-Distributed Denial of Service (DDoS) software and other resilience capabilities will also be built into more advanced routers, firewalls, and other network equipment. Other security functions and operations reporting can also be found in more advanced devices. Although often more expensive, every growing organization reaches a point where the risk begins to outweigh the cost of the device, and the premium price is more than offset by the value of the benefits.
Enterprise Resilience, Maintenance and Testing Controls
The largest organizations face the largest operations disruption risks because downtime begins to come with enormous direct costs and business reputation damage.
End-to-End Encryption: The largest organizations need to deploy additional resources to protect against data theft. Although encryption tools can be deployed for specific assets, enterprise organizations will want to deploy end-to-end encryption solutions with centralized encryption key control, management, and reporting.
Hyperscale Architecture: Organizations can plan and prepare hyperscale architecture that combines security, storage, compute, and virtualization layers into a modular resource. As demands or threats scale, the hyperscale modules can be deployed or decommissioned automatically to address the changing needs. However, as with all automatically deployable cloud resources, deployments should also be monitored to ensure that costs will not be out of control.
Penetration Testing: Vulnerability scans might detect common weaknesses, but active penetration tests determine whether vulnerabilities pose a true risk or are mitigated by other controls. Penetration tests can also determine whether the existing controls will sufficiently stop attackers. Penetration testing can be performed using tools, but results will be more accurate when external experts are engaged.
Redundancy: Resilient architecture design and tools play a large role in preventing network disruptions. Resilient architecture using load balancing and redundancy can absorb initial volumetric DDoS attacks to give incident response a chance to mitigate the attack without business disruption. Redundancy can also enable parts of the network to failover to new assets and minimize operational and security disruption.
Threat Intelligence: Organizations can improve overall security by understanding the current environment of attacks and indicators of compromise, and by sharing information on attackers and their methods. Threat feeds, threat intelligence platforms, and security orchestration, automation and response (SOAR) tools enable network tools to update automatically and security teams to prepare with the latest information.
Related Resilience, Maintenance and Testing Controls
In addition to the network architecture, users and assets such as endpoints, servers, cloud resources, and applications need controls that address their resilience, maintenance, and testing.
Backups: Most organizations back up endpoint, server, cloud, and application data, but not all backup solutions are effective or resilient. For organizations without the resources to maintain multiple on-site and off-site backups, disaster recovery services can provide advanced protection and resilience. Backup is also a critically important ransomware defense that can be hard to get right.
Employee Training: Users remain one of the most prevalent sources of security breaches because everyone makes mistakes, and most employees cannot be security experts. Employee cybersecurity training courses provide fundamental instruction that enables employees to contribute to better security practices for the whole organization. Some penetration tests also include social engineering, which reveals where specific training is required, but organizations should be careful not to vilify employees who make mistakes, so that future mistakes are not hidden.
Widespread Encryption: In addition to network communication, encryption can protect assets directly. Endpoints can be protected using full disk encryption, databases can be encrypted using settings, and critical files can be protected using file or folder encryption. Encryption and security principles should be adopted throughout the IT infrastructure.
Outsourced Network Security: Benefits and Cautions
For the smallest teams with the least experience, even meeting minimum standards can be difficult and frustrating because mistakes are so easy to make. Each mistake can disrupt operations or worse, not disrupt operations and simply leave the organization open to attack.
For many organizations, outsourcing can pick up the expertise on the fractional scale to make experienced installation and management affordable and effective. Even experienced network security teams will outsource some functions to save time or money.
However, organizations must keep in mind that even the most conscientious managed service provider (MSP) or managed security service provider (MSSP) will always have an incentive to oversell the customer and will err on the side of caution and increased sales. More aggressive vendors might even intentionally oversell their clients. Organizations choosing to outsource must build a basic understanding so that they can judge when their risk reduction requirements have been met.
Bottom Line: Securing a Network is an Ongoing Process
Networks form a bridge between users and their computers on one side and the assets they need to reach on the other. Network security protects the bridge, but to ensure safety, each end of the bridge must also be protected by security for users, applications, data, and assets (endpoints, servers, containers, etc.).
Likewise, the bridge and its foundations must be maintained and constantly monitored to make sure everything is working properly and without error. Each component of a security strategy reinforces and protects the organization as a whole from the failure of any specific component.
However, networks, like bridges, only work well for a certain range of users, traffic, and assets. As the organization grows and shrinks, the network, and the security protecting it, will need to evolve to keep pace.
IT security teams need to not only maintain awareness of their current and future needs, they also must communicate those needs clearly to non-technical stakeholders to obtain budgets and other support. To learn more in detail about IT security or to provide plain-English references to coworkers, consider exploring other security articles such as:
- What is Network Security? Definition, Threats & Protections
- 10 Network Security Threats Everyone Should Know
- 34 Most Common Types of Network Security Protections
- Top 13 Cloud Security Best Practices
- Endpoint Security: It’s Way More Complicated than You Think
- Container Technology & Kubernetes Security
- Database Security: 7 Best Practices & Tips
- Application Security: Complete Definition, Types & Solutions