Network Security in 2022: Threats, Tools, and Best Practices
What Is Network Security?
Network security, a specialized field within cybersecurity, encompasses the policies, procedures, and technologies organizations use to protect their networks and any network assets or traffic. Regardless of industry or size, all organizations must prepare against threats like data loss, unauthorized access, and network-based attacks.
Network security is crucial for protecting business-critical infrastructure and assets, minimizing the attack surface, and preventing advanced attacks. Network security solutions use a layered approach to protect networks internally and externally. Vulnerabilities are present in many areas, including end-point devices, users, applications, and data paths.
In recent years, organizations and networks have changed. The modern IT environment is distributed, with the growth of the cloud, edge computing, and the internet of things (IoT). The massive transition to remote work has also created new security challenges. In the 2020s, network security must go beyond the traditional network perimeter, to adopt a zero trust security approach.
What Are Common Network Security Threats?
There are several ways a network may be compromised, including:
- Unauthorized access—unauthorized users who gain network access can view sensitive data, manipulate systems, and move laterally to connected networks and devices. Malicious actors might exfiltrate confidential information or damage business operations.
- Insider threats—contractors and employees with legitimate access may unintentionally expose information or compromise network security. In some cases, malicious insiders might intentionally misuse their access privileges for nefarious purposes.
- DDoS attack—attackers use distributed denial-of-service (DDoS) to block or slow down services to legitimate users. DDoS attacks involve flooding a network or server with traffic to overwhelm the system and prevent it from functioning properly.
- Known vulnerabilities—hackers often exploit known vulnerabilities to infiltrate a network and carry out malicious actions.
- Malware—attackers often infect networks using various vectors such as compromised user devices or inadequately secured websites. Common types of malware include:
- Ransomware to encrypt or destroy data
- Worms that replicate quickly throughout the network
- Spyware to track network user actions
Network Security Layers
Effective network security must address several layers of protection:
Organizations implement technical security controls to manage the devices and data in their network. Technical security aims to prevent unauthorized access and malicious behavior affecting enterprise systems and data in transit and at rest.
Organizations implement physical security controls to prevent unauthorized individuals from physically accessing their network infrastructure or connected devices.In addition to routers and firewalls, many companies protect their assets with physical locks and implement access control measures such as biometric authentication and ID verification.
Administrative security refers to the policies governing user behavior and maintaining regulatory compliance. This layer includes user authentication processes, privilege management, role assignment, and infrastructural modifications.
What Is a Network Security Policy?
Network security policies define the processes controlling access to a computer network and establish enforcement measures. A network security policy should also outline the network security architecture, defining the implementation of security measures throughout the network.
Organizations describe their security controls in a network security policy. These controls aim to identify and prevent risky and malicious behavior inside the organization (i.e., insider threats) while blocking unauthorized users from infiltrating the network.
When creating a network security policy, it is important to understand what services and data are present in the network, who can access them, what protective measures already exist, and the potential impact of exposure. An effective policy prioritizes critical information, leverages existing controls (i.e., firewalls), and supports network segmentation to provide an added layer of security.
Security policies should establish a hierarchy of access privileges, with each user restricted to the necessary resources. In addition to incorporating these controls into their written policies, organizations must also implement them in their IT infrastructure, including network control and firewall configurations.
Effective security policies should address the following elements:
- The type and purpose of data
- The intended audience
- Security awareness
- User behavior
- User privileges and responsibilities
- Access controls
- Other IT security objectives.
Automating network security policies in a modern IT environment
In the past, network security policies were manually configured using network administration tools, and were largely static. This was appropriate for a traditional, on-premise IT environment where changes were few and far between. However, in a modern network environment, encompassing on-premise data centers and multiple public clouds, there is a need for a central, automated mechanism to apply security policies.
New technologies, oriented around the zero trust security paradigm, are helping network administration and security teams centrally define security policies, and apply them across hybrid environments. Zero trust access systems can identify users, devices, and other entities, and apply complex security rules to determine what they should be allowed to access and in what context.
Types of Network Security Solutions
Firewalls are a mechanism for controlling inbound and outbound network traffic. Network administrators can configure firewalls with rules that determine what types of traffic to allow or deny. A firewall is typically deployed at the network edge and establishes a network perimeter, which attackers must overcome to access resources inside the network.
Traditional firewalls perform stateful inspection, operating at layers 3 and 4 of the OSI network model. This means they can inspect the source and destination IP of data packets, and the port and protocol they use, to determine whether to allow or block them.
Modern network protection relies on next generation firewalls (NGFW), operate at layer 7 of the network model (the application layer), adding the ability to perform deep packet inspection (DPI). NGFWs can block packets based on the application they are intended for, thus detecting and blocking malicious application traffic.
Learn more about:
Network segmentation is a mechanism that creates isolation between different parts of a network. A basic form of segmentation is the division of a network into subnets, where traffic is allowed within a subnet but restricted between subnets. Modern networks use microsegmentation, which can establish a fine-grained perimeter around specific protected resources.
Network segmentation can significantly improve network security by preventing lateral movement once attackers penetrate the network. It also reduces the risk of malicious insiders or compromised accounts, because even if a user has access to the network, they are restricted to part of the network and cannot access all sensitive resources.
Intrusion Prevention Systems (IPS)
IPS is an active security solution that is deployed on the network edge, and is able to detect and block attacks as they happen. An IPS can identify brute force attacks, Denial of Service (DoS) attacks, and exploits of known vulnerabilities. It can identify these malicious traffic patterns and block it before it reaches sensitive assets inside the network.
Learn more about:
Data Loss Prevention (DLP)
DLP is a security solution that detects and prevents valuable data from being deleted, tampered with, or transferred outside an organization’s network.
Sensitive data is often the most valuable asset on a network for attackers. There are multiple ways insider and outsider threats can exfiltrate data—including transferring files, downloading and saving them to removable media, printing them, or sending them via email or messaging tools. DLP can identify each of these methods and block them to prevent data loss and leakage.
Network Access Control (NAC)
NAC is a company-wide network administration platform aimed at controlling which devices can or cannot connect to the network. It identifies devices based on physical (MAC) addresses, or using advanced credentials like certificates, and allows IP address allocation and connectivity into the corporate network only for approved devices.
NAC can be an effective security mechanism in a closed IT environment with managed devices accessing a network from a physical office location. However, in a modern IT environment, with the advent of bring your own device (BYOD), remote access, and migration of applications to the cloud, NAC cannot provide a complete access control solution.
Remote Access VPN
Virtual private networks (VPN) provide access to a network for remote users—for example, users accessing a corporate network from their home or from a mobile device. It requires deploying a VPN server in the network, and installing VPN clients on devices that need to access the network. VPN uses a secure, encrypted communication channel to prevent man in the middle (MitM) attacks.
The major problem with VPN is that, once users are authenticated, they are implicitly trusted within the network. This poses several security challenges:
- VPNs typically provide access to the entire network. They do not have granular access controls and do not integrate with network segmentation solutions. This allows any attacker who compromises user credentials to potentially access everything on the network.
- VPNs typically use password-based authentication which can be easily compromised by attackers.
- VPNs cannot verify user devices, so if a device is infected with malware, it can spread to the network through the VPN connection.
- VPNs cannot be used to secure access to systems outside the organization’s control, such as SaaS applications.
With the transition to a remote workforce, VPN is widely considered to be insufficient to secure a corporate network, leading to the advent of new solutions like ZTNA.
- Read our guide to VPN remote access
Zero Trust Network Access (ZTNA)
In a zero trust security model, which is increasingly adopted by many industries, standard bodies and governments, a user should only have the privileges they need to perform their job, and every access attempt should be verified. Nothing on the network is implicitly trusted.
A zero trust network access (ZTNA) solution, unlike VPN, creates micro-perimeters that allow granular access to applications and data. When a user connects via ZTNA, the solution verifies their identity using multi-factor authentication, checks if they are authorized to access the system, and takes into account the full security context including:
- What system the user requested to access
- What actions or data the user requested
- The current time
- The user’s location
- Health of the user’s device
- Device identity (for example, is it a managed device or not)
Any connection request can be allowed or denied based on rules defined by the administrators. This ensures that users only receive access to systems when and where they need it, and without exposing sensitive systems to excessive risks.
- Read our guide to ZTNA
Secure Web Gateway (SWG)
An SWG is a checkpoint that regulates traffic to the Internet. It inspects layer 7 network traffic and secures web traffic, including blocking malicious applications and websites, or content that does not meet the organization’s security policies. It enables URL filtering, application control, inspection of encrypted traffic delivered over HTTPS, and malware protection for files delivered over the web.
Secure Access Service Edge (SASE)
Secure Access Service Edge (SASE) is an enterprise networking category introduced by Gartner. It provides a unified, cloud-native networking service that converges SD-WAN and network security point solutions, including firewall as a service (FWaaS), cloud security access broker (CASB), secure web gateway (SWG), and zero trust network access (ZTNA).
SASE addresses the challenge of integrating multiple point solutions and managing security across separate silos, which was complex, costly, and made it difficult for network infrastructure to support agile development processes.
SASE provides an agile network environment that reduces time to market and enables organizations to respond to changing business conditions faster than ever before.
Security Information and Event Management (SIEM)
SIEM solutions are a central data repository that can ingest data from security tools and IT systems across the enterprise, including firewalls, IPS, NAC, and modern zero trust systems. SIEM gives security teams visibility into activity within a corporate network. It can also correlate security events to identify anomalies that require further investigation.
SIEM generates alerts that security teams use to identify and investigate security incidents. It provides access to forensic data, detailed information about network traffic, and threats data obtained from threat intelligence feeds, which security analysts can use to triage and respond to a security incident.
Modern SIEM solutions include or integrate with security orchestration, automation, and response (SOAR) systems that enable automated response to security incidents using predefined playbooks. This can allow faster responses to security incidents and reduce the burden on network security teams.
Network Security Best Practices
The following best practices can help you improve your organization’s network security.
Regularly Audit the Network and Security Controls
Regular audits are critical to network security. Audits allow security teams to understand network topology, resources currently running on the network, and the effectiveness of security controls. The main goals of a network security audit are to:
- Identify potential vulnerabilities and remediate them
- Find unused or unwanted processes and remove them
- Check whether firewalls are operational and configured correctly
- Check if other security tools are functioning correctly
- Diagnose health of network equipment, servers, connected devices, and applications
- Check the effectiveness of backups
Implement Network Segmentation and Zero Trust
Large, unpartitioned networks are complex to manage, and also raise security risks. Attackers who manage to penetrate the network, or insider threats, can easily move laterally to compromise sensitive systems. Breaking a network into smaller chunks and setting up trusted zones not only makes management easier, but also isolates sensitive data and resources in the event of a security incident.
Network segmentation is a foundation of the zero trust security model, which is being adopted by the US government, standards bodies, and some of the world’s largest organizations. A zero trust model denies access by default and verifies connections from all entities, whether they are inside or outside the network perimeter. Combined with network segmentation, this severely limits the ability of attackers to breach protected network segments.
Conduct Awareness Training for Users and Staff
Internal threats are a growing concern in network security. Most insider threats are not malicious individuals, but rather employees who do not follow security practices because they are careless or unaware. Employees are the easiest targets for attackers through social engineering techniques and phishing emails, and can also be an excellent defense, if they are trained in cybersecurity practices and motivated to prevent attacks.
By providing a cyber awareness training program, organizations can educate employees about cybersecurity fundamentals, the organization’s compliance obligations, and security policies such as the requirement for strong passwords. Employees who are aware and understand the consequences to the organization of a breach can become an active partner in network security efforts.
- Read our blog post on network security websites you can use in your education and training efforts
Backup Data and Test Recovery Procedures
Backing up sensitive data and mission critical servers is a critical part of network security, because it makes it possible to resume operations if a breach or catastrophe occurs. Backups, if implemented correctly, can also be an effective protection against ransomware. Organizations must have a comprehensive backup strategy and test regularly that it is possible to recover systems from backup and meet their recovery time objective (RTO) and recovery point objective (RPO).23913