Network Security in 2023: Threats, Tools, and Best Practices
What Is Network Security?
Network security, a specialized field within cybersecurity, encompasses the policies, procedures, and technologies organizations use to protect their networks and any network assets or traffic. Regardless of industry or size, all organizations must prepare against threats like data loss, unauthorized access, and network-based attacks.
Network security is crucial for protecting business-critical infrastructure and assets, minimizing the attack surface, and preventing advanced attacks. Network security solutions use a layered approach to protect networks internally and externally. Vulnerabilities are present in many areas, including end-point devices, users, applications, and data paths.
In recent years, organizations and networks have changed. The modern IT environment is distributed, with the growth of the cloud, edge computing, and the internet of things (IoT). The massive transition to remote work has also created new security challenges. In the 2020s, network security must go beyond the traditional network perimeter, to adopt a zero trust security approach.
In this article:
- What Is Network Security?
- Common Network Security Threats
- Network Security Layers
- What Is a Network Security Policy?
- Network Security Technologies and Solutions
- Secure Network Connectivity
- Network Segmentation and Access Control
- Network Security Best Practices
Common Network Security Threats
Cyberattacks are attacks by a cybercriminal targeting one or multiple computer networks or machines. Cyber attacks can perform malicious actions such as disabling computers, stealing data, or using infected computers as a pivot to launch further attacks. Attackers use various methods to execute cyberattacks, including social engineering techniques like phishing, brute force techniques, denial of service (DoS), and injecting malware or ransomware.
This online scamming technique attempts to obtain sensitive data like credit card details and credentials. A phishing attack uses fraudulent email messages designed to appear legitimate by impersonating a reputable banking institution, website, or personal contact. It tricks the user into clicking on a malicious URL or replying to the email by sending financial and credential information.
A security misconfiguration is any incorrect or insecure configuration of security controls that puts the system at risk. Poor management practices such as inadequate documentation of configuration changes, reliance on defaults, and technical issues affecting endpoint components can lead to misconfiguration.
Configuration errors can occur for various reasons—a modern network infrastructure is complex and constantly changing. Organizations often overlook important security settings, such as default configurations for network devices.
Securing endpoint configurations once is not enough—organizations must periodically audit configurations and security controls to identify drift. Misconfigurations often result from adding new devices to the network or modifying and patching systems.
Learn more in the detailed guide to security misconfiguration
DoS attacks prevent legitimate users from accessing data or services on a target website. They occur when a malicious attacker overloads the website with junk traffic.
Distributed denial-of-service (DDoS) attacks are similar to DoS but are more difficult to overcome. Attackers launch a DDoS attack from multiple computers distributed worldwide in a network of infected machines.
Learn more in the detailed guide to DDoS
Malware is short for malicious software. Attackers usually use it to take control of the target system, exfiltrate sensitive data, or install unwanted programs on the target device without the victim’s knowledge. Malware can spread spyware, worms, and Trojan horses via pop-up advertisements, compromised files, fraudulent websites, or phishing emails.
Ransomware is a form of malware that cybercriminals use to lock the target device and demand a ransom in exchange for unlocking it. It spreads via malicious apps and phishing emails, preventing users from launching apps or encrypting files—in some cases, it completely disables the device.
Learn more in the detailed guide to Ransomware Data Recovery
Rogue Security Software
Malware tricks users into believing that their security measures are outdated or that a virus has infected their computer. It prompts the user to install a security feature or update security settings, often demanding payment for the tool or download. When users try to remove the suspected virus, they unwittingly install real malware on their device.
- Read our guide to network security threats
- Read the blog The impact of cyber attacks on financial markets
Network Security Layers
Effective network security must address several layers of protection:
Organizations implement technical security controls to manage the devices and data in their network. Technical security aims to prevent unauthorized access and malicious behavior affecting enterprise systems and data in transit and at rest.
Organizations implement physical security controls to prevent unauthorized individuals from physically accessing their network infrastructure or connected devices.In addition to routers and firewalls, many companies protect their assets with physical locks and implement access control measures such as biometric authentication and ID verification.
Administrative security refers to the policies governing user behavior and maintaining regulatory compliance. This layer includes user authentication processes, privilege management, role assignment, and infrastructural modifications.
What Is a Network Security Policy?
Network security policies define the processes controlling access to a computer network and establish enforcement measures. A network security policy should also outline the network security architecture, defining the implementation of security measures throughout the network.
Organizations describe their security controls in a network security policy. These controls aim to identify and prevent risky and malicious behavior inside the organization (i.e., insider threats) while blocking unauthorized users from infiltrating the network.
When creating a network security policy, it is important to understand what services and data are present in the network, who can access them, what protective measures already exist, and the potential impact of exposure. An effective policy prioritizes critical information, leverages existing controls (i.e., firewalls), and supports network segmentation to provide an added layer of security.
Security policies should establish a hierarchy of access privileges, with each user restricted to the necessary resources. In addition to incorporating these controls into their written policies, organizations must also implement them in their IT infrastructure, including network control and firewall configurations.
Effective security policies should address the following elements:
- The type and purpose of data
- The intended audience
- Security awareness
- User behavior
- User privileges and responsibilities
- Access controls
- Other IT security objectives.
Automating network security policies in a modern IT environment
In the past, network security policies were manually configured using network administration tools, and were largely static. This was appropriate for a traditional, on-premise IT environment where changes were few and far between. However, in a modern network environment, encompassing on-premise data centers and multiple public clouds, there is a need for a central, automated mechanism to apply security policies.
New technologies, oriented around the zero trust security paradigm, are helping network administration and security teams centrally define security policies, and apply them across hybrid environments. Zero trust access systems can identify users, devices, and other entities, and apply complex security rules to determine what they should be allowed to access and in what context.
IT Compliance Policies for Networks
The increasing number and severity of cybersecurity threats targeting network resources have prompted industry bodies and governments to establish standards and regulations governing IT security practices. All organizations within a relevant industry must adhere to these standards and implement policies to ensure compliance.
Network security compliance is a major priority for admins, given the high costs and legal consequences of noncompliance.
IT compliance policies allow organizations to ensure the correct implementation of IT security practices based on established industry standards. The right compliance approach helps companies manage their compliance requirements to protect sensitive data and minimize operational risks.
Learn more in the detailed guide to IT compliance
Network Security Technologies and Solutions
Firewalls are a mechanism for controlling inbound and outbound network traffic. Network administrators can configure firewalls with rules that determine what types of traffic to allow or deny. A firewall is typically deployed at the network edge and establishes a network perimeter, which attackers must overcome to access resources inside the network.
Traditional firewalls perform stateful inspection, operating at layers 3 and 4 of the OSI network model. This means they can inspect the source and destination IP of data packets, and the port and protocol they use, to determine whether to allow or block them.
Modern network protection relies on next generation firewalls (NGFW), operating at layer 7 of the network model (the application layer), adding the ability to perform deep packet inspection (DPI). NGFWs can block packets based on the application they are intended for, thus detecting and blocking malicious application traffic.
Learn more in our detailed guides about:
Intrusion Prevention Systems (IPS)
IPS is an active security solution that is deployed on the network edge, and is able to detect and block attacks as they happen. An IPS can identify brute force attacks, Denial of Service (DoS) attacks, and exploits of known vulnerabilities. It can identify these malicious traffic patterns and block it before it reaches sensitive assets inside the network.
Learn more in the detailed guide to intrusion prevention systems
Data Loss Prevention (DLP)
DLP is a security solution that detects and prevents valuable data from being deleted, tampered with, or transferred outside an organization’s network.
Sensitive data is often the most valuable asset on a network for attackers. There are multiple ways insider and outsider threats can exfiltrate data—including transferring files, downloading and saving them to removable media, printing them, or sending them via email or messaging tools. DLP can identify each of these methods and block them to prevent data loss and leakage.
Security Information and Event Management (SIEM)
SIEM solutions are a central data repository that can ingest data from security tools and IT systems across the enterprise, including firewalls, IPS, NAC, and modern zero trust systems. SIEM gives security teams visibility into activity within a corporate network. It can also correlate security events to identify anomalies that require further investigation.
SIEM generates alerts that security teams use to identify and investigate security incidents. It provides access to forensic data, detailed information about network traffic, and threats data obtained from threat intelligence feeds, which security analysts can use to triage and respond to a security incident.
Modern SIEM solutions include or integrate with security orchestration, automation, and response (SOAR) systems that enable automated response to security incidents using predefined playbooks. This can allow faster responses to security incidents and reduce the burden on network security teams.
Learn more in the detailed guide to SIEM
Distributed denial-of-service (DDoS) attacks are malicious attempts to make online services unavailable to users, typically by temporarily disrupting the services of the host server. Establishing defenses against DDoS requires more than mitigation measures—organizations must use robust, proactive solutions.
DDoS attacks are growing in magnitude, and attackers are using new and sophisticated methods, including faking application layer traffic. Therefore, many DDoS providers have updated their DDoS prevention offerings to protect businesses from larger, more intelligent, and varied DDoS attacks and botnet deployments.
Learn more in the detailed guide to DDoS protection
Most organizations generate large volumes of log data across multiple networks, applications, users, and systems, requiring a structured process for managing and monitoring the disparate data in log files. Log management is the ongoing process of collecting and centrally storing, analyzing, filtering, and sharing data to provide actionable information to support troubleshooting, improve performance, and monitor security events.
Organizations need an integrated solution for collecting, storing, and organizing data to triage large amounts of log data quickly and easily. By implementing a complete management solution with intelligent features and an intuitive UI, businesses can gain a comprehensive view of their IT environment to identify and resolve issues quickly.
Learn more in the detailed guide to event logs.
Secure Web Gateway (SWG)
An SWG is a checkpoint that regulates traffic to the Internet. It inspects layer 7 network traffic and secures web traffic, including blocking malicious applications and websites, or content that does not meet the organization’s security policies. It enables URL filtering, application control, inspection of encrypted traffic delivered over HTTPS, and malware protection for files delivered over the web.
Secure Network Connectivity
Network Access Control (NAC)
NAC is a company-wide network administration platform aimed at controlling which devices can or cannot connect to the network. It identifies devices based on physical (MAC) addresses, or using advanced credentials like certificates, and allows IP address allocation and connectivity into the corporate network only for approved devices.
NAC can be an effective security mechanism in a closed IT environment with managed devices accessing a network from a physical office location. However, in a modern IT environment, with the advent of bring your own device (BYOD), remote access, and migration of applications to the cloud, NAC cannot provide a complete access control solution.
Remote Access VPN
Virtual private networks (VPN) provide access to a network for remote users—for example, users accessing a corporate network from their home or from a mobile device. It requires deploying a VPN server in the network, and installing VPN clients on devices that need to access the network. VPN uses a secure, encrypted communication channel to prevent man in the middle (MitM) attacks.
The major problem with VPN is that, once users are authenticated, they are implicitly trusted within the network. This poses several security challenges:
- VPNs typically provide access to the entire network. They do not have granular access controls and do not integrate with network segmentation solutions. This allows any attacker who compromises user credentials to potentially access everything on the network.
- VPNs typically use password-based authentication which can be easily compromised by attackers.
- VPNs cannot verify user devices, so if a device is infected with malware, it can spread to the network through the VPN connection.
- VPNs cannot be used to secure access to systems outside the organization’s control, such as SaaS applications.
With the transition to a remote workforce, VPN is widely considered to be insufficient to secure a corporate network, leading to the advent of new solutions like ZTNA.
Related content: Read our guide to VPN remote access
Secure Access Service Edge (SASE) is an enterprise networking category introduced by Gartner. It provides a unified, cloud-native networking service that converges SD-WAN and network security point solutions, including firewall as a service (FWaaS), cloud security access broker (CASB), secure web gateway (SWG), and zero trust network access (ZTNA).
SASE addresses the challenge of integrating multiple point solutions and managing security across separate silos, which was complex, costly, and made it difficult for network infrastructure to support agile development processes.
SASE provides an agile network environment that reduces time to market and enables organizations to respond to changing business conditions faster than ever before.
Related content: Read our guide to Secure Access Service Edge
Cloud Network Security Solutions
Organizations must ensure a high level of security for their cloud computing infrastructure just as for their on-premises environments. A cloud network security solution is essential for protecting applications, data, and resources in cloud environments. It also helps secure traffic between an organization’s cloud deployments and its on-premises data center and intranet.
On-premises networks typically use a network security solution to prevent sophisticated attacks, control access to enterprise systems, segment the network into isolated zones, and enforce security rules. A cloud network security solution works in a similar way, providing advanced protection for cloud-based networks and infrastructure.
Learn more in the detailed guides to:
Multi-Protocol Label Switching (MPLS)
MPLS is a technique for routing traffic, useful for enterprise networks and carrier backbones that connect multiple branch offices and organizations. It provides real-time routing for quality services. It is reliable because it avoids complex routing table lookups, common in IP networks.
The main purpose of multi-protocol label switching is to enhance the network traffic’s reliability and performance, but it also provides several security benefits. MPLS does not use encrypted links, but it does separate them from the public Internet, creating a security layer similar to VPNs.
Learn more in the detailed guide to MPLS
Related content: Read our guide to Secure Web Gateways
Network Segmentation and Access Control
Network segmentation is a mechanism that creates isolation between different parts of a network. A basic form of segmentation is the division of a network into subnets, where traffic is allowed within a subnet but restricted between subnets. Modern networks use microsegmentation, which can establish a fine-grained perimeter around specific protected resources.
Network segmentation can significantly improve network security by preventing lateral movement once attackers penetrate the network. It also reduces the risk of malicious insiders or compromised accounts, because even if a user has access to the network, they are restricted to part of the network and cannot access all sensitive resources.
Microsegmentation is a networking technique that increases the internal security of an enterprise network by segmenting it into distinct zones. Network security architects can logically divide data centers into network segments based on individual workloads, defining the services and security controls required for each segment.
Microsegmentation allows IT teams to deploy a flexible security policy within the data center by virtualizing network controls rather than physically installing firewalls. Microsegmentation also helps protect individual virtual machines (VMs) in the enterprise network using policy-based security controls at the application level. Each workload has distinct security policies, securing each part of the network and limiting the impact of attacks.
Learn more in the detailed guide to microsegmentation
Zero Trust Network Access (ZTNA)
In a zero trust security model, which is increasingly adopted by many industries, standard bodies and governments, a user should only have the privileges they need to perform their job, and every access attempt should be verified. Nothing on the network is implicitly trusted.
A zero trust network access (ZTNA) solution, unlike VPN, creates micro-perimeters that allow granular access to applications and data. When a user connects via ZTNA, the solution verifies their identity using multi-factor authentication, checks if they are authorized to access the system, and takes into account the full security context including:
- What system the user requested to access
- What actions or data the user requested
- The current time
- The user’s location
- Health of the user’s device
- Device identity (for example, is it a managed device or not)
Any connection request can be allowed or denied based on rules defined by the administrators. This ensures that users only receive access to systems when and where they need it, and without exposing sensitive systems to excessive risks.
Related content: Read our guide to ZTNA
Role-Based Access Control (RBAC)
RBAC is an access control technique that restricts access within an enterprise network based on individual user and group roles. RBAC ensures that users have access to only the data and actions they need to perform their roles. No one can access information that is not relevant to an approved task.
An organization must restrict network access if it hires contractors, has many employees or allows third parties such as customers or suppliers to access its network. Access controls are especially important given the challenge of effectively monitoring complex networks. Businesses that rely on RBAC can better protect their sensitive applications and data.
Learn more in the detailed guide to RBAC
Attribute-Based Access Control (ABAC)
ABAC is an access control technique that authenticates and authorizes access based on user attributes instead of roles. An identity management system defines the attributes used to grant access to users. ABAC makes access decisions based on attributes of the user requesting access, the requested resource, the user’s intended action on the resource, and the context or environment of the access request.
The ABAC model builds on the RBAC but with a different focus—while RBAC covers a wide range of access rights, ABAC controls access rights at a more granular level.
Learn more in the detailed guide to ABAC
Single Sign-On (SSO)
SSO is an authentication approach that allows users to access multiple applications using the same login credentials, such as a username and password. SSO is useful for large organizations, small companies, and individuals to manage user sessions and credentials easily.
Simple web SSO services use an agent installed on the application server to retrieve user-specific authentication information from an SSO policy server. The agent authenticates users via a repository like an LDAP (Lightweight Directory Access Protocol) directory. The SSO service authenticates each end-user across all applications where the user has access permissions. After the first login, there are no password prompts for different applications within the same session.
Learn more in the detailed guide to SSO
OpenID Connect (OIDC)
OIDC is an open authentication protocol that adds an identity layer by profiling and extending OAuth 2.0. It allows the client to authenticate end-users using an authorization server. Organizations can implement OIDC on top of OAuth 2.0 to create a single authentication framework that secures all mobile native apps, browser applications, and APIs.
Learn more in the detailed guide to OIDC
Network Security Best Practices
The following best practices can help you improve your organization’s network security.
Regularly Audit the Network and Security Controls
Regular audits are critical to network security. Audits allow security teams to understand network topology, resources currently running on the network, and the effectiveness of security controls. The main goals of a network security audit are to:
- Identify potential vulnerabilities and remediate them
- Find unused or unwanted processes and remove them
- Check whether firewalls are operational and configured correctly
- Check if other security tools are functioning correctly
- Diagnose health of network equipment, servers, connected devices, and applications
- Check the effectiveness of backups
Implement Network Segmentation and Zero Trust
Large, unpartitioned networks are complex to manage, and also raise security risks. Attackers who manage to penetrate the network, or insider threats, can easily move laterally to compromise sensitive systems. Breaking a network into smaller chunks and setting up trusted zones not only makes management easier, but also isolates sensitive data and resources in the event of a security incident.
Network segmentation is a foundation of the zero trust security model, which is being adopted by the US government, standards bodies, and some of the world’s largest organizations. A zero trust model denies access by default and verifies connections from all entities, whether they are inside or outside the network perimeter. Combined with network segmentation, this severely limits the ability of attackers to breach protected network segments.
Conduct Awareness Training for Users and Staff
Internal threats are a growing concern in network security. Most insider threats are not malicious individuals, but rather employees who do not follow security practices because they are careless or unaware. Employees are the easiest targets for attackers through social engineering techniques and phishing emails, and can also be an excellent defense, if they are trained in cybersecurity practices and motivated to prevent attacks.
By providing a cyber awareness training program, organizations can educate employees about cybersecurity fundamentals, the organization’s compliance obligations, and security policies such as the requirement for strong passwords. Employees who are aware and understand the consequences to the organization of a breach can become an active partner in network security efforts.
Related content: Read our guide to network security websites you can use in your education and training efforts
Backup Data and Test Recovery Procedures
Backing up sensitive data and mission critical servers is a critical part of network security, because it makes it possible to resume operations if a breach or catastrophe occurs. Backups, if implemented correctly, can also be an effective protection against ransomware. Organizations must have a comprehensive backup strategy and test regularly that it is possible to recover systems from backup and meet their recovery time objective (RTO) and recovery point objective (RPO).