Network security is a set of technologies that protects the usability and integrity of a company’s infrastructure by preventing the entry or proliferation within a network of a wide variety of potential threats.
A network security architecture is composed of tools that protect the network itself and the applications that run over it. Effective network security strategies employ multiple lines of defense that are scalable and automated. Each defensive layer enforces a set of security policies determined by the administrator.
In today’s hyper-connected world, network security presents a greater challenge as more business applications move to private and public clouds. Moreover, the applications themselves now tend to be virtualized and distributed across many locations, some of which are outside the physical control of IT security teams. With the number of attacks on companies climbing ever higher, protecting network traffic and infrastructure is critical.
Network security is key to an organization’s ability to deliver products and services to customers and employees. From online stores to enterprise applications to remote desktops, protecting apps and data on the network is essential to advancing the business, to say nothing of protecting an organization’s reputation. In addition, effective network security can improve network performance by eliminating downtime due to successful attacks.
The elements of a complete, multilayered security architecture that implements network security across an organization fall into two general categories: access control and threat control.
Network security starts with access control. If bad actors gain access to a network, they can surveil traffic and map infrastructure. Once they have mapped infrastructure and applications, they can launch a DDoS attack or insert malware. Access control restricts the movement of bad actors throughout the network.
Even with access control in place, problems can arise. For instance, a bad actor may compromise an employee’s credentials to gain entry. Thus the need for threat control, which operates on traffic that is already permitted. Threat control prevents the actions of bad actors from doing damage within the network.
Threat control technologies begin with the firewall and load balancer. These devices protect the network from DoS/DDoS attacks. Next, IDS/IPS counters known attacks traveling through the network. Finally, unknown malware objects traveling through the network are captured with sandbox technologies, while anomalies in network traffic that may be symptoms of a threat are caught with NTA/NDR.
A multi-layered approach to network security implements controls at numerous points within a network to provide comprehensive access control and threat control.
- Firewall: A firewall establishes a barrier between the trusted and the untrusted areas of a network. Thus, a firewall performs access control and macro-segmentation based on IP subnets. The same firewall may also perform more granular segmentation, known as micro-segmentation.
- Load Balancer: A load balancer distributes load based on metrics. By implementing specific mitigation techniques, a load balancer can go beyond traditional load balancing to provide the capability to absorb certain attacks, such as a volumetric DDoS attack.
- IDS/IPS: The classic IDS/IPS is deployed behind a firewall and provides protocol analysis and signature matching on various parts of a data packet. Protocol analysis is a compliance check against the publicly declared specification of the protocol. Signature matching prevents known attacks such as an SQL injection.
- Sandbox: A sandbox is similar to an IDS/IPS, except that it does not rely on signatures. A sandbox can emulate an end-system environment and determine if a malware object is trying, for example, to execute port scans.
- NTA/NDR: NTA/NDR looks directly at traffic (or traffic records such as NetFlow) and uses machine learning algorithms and statistical techniques to evaluate anomalies and determine if a threat is present. First, NTA/NDR tries to determine a baseline. With a baseline in place, it identifies anomalies such as traffic spikes or intermittent communication.
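As an added illustration of the baseline-then-anomaly approach described for NTA/NDR (example code written for this page, not taken from any product): it builds a per-host byte baseline from constructed NetFlow-style records, flags a window whose volume falls far outside that baseline (a traffic spike), and flags a source/destination pair whose flows arrive at near-constant intervals (intermittent, beacon-like communication). The host addresses, flow values, window size and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

WINDOW = 60  # seconds per traffic window (assumed)

# Constructed sample flows (hypothetical, not from any real capture):
# (timestamp_seconds, src_ip, dst_ip, bytes)
FLOWS = [
    # 10.0.0.5 -> 10.0.0.1: ordinary traffic at irregular times, ~1 KB per minute
    *[(w * WINDOW + off, "10.0.0.5", "10.0.0.1", b) for w, off, b in zip(
        range(10), [5, 17, 41, 9, 52, 23, 38, 2, 47, 30],
        [1000, 1100, 950, 1050, 1000, 1020, 980, 1010, 990, 1030])],
    (605, "10.0.0.5", "10.0.0.1", 60000),  # sudden spike in window 10
    (690, "10.0.0.5", "10.0.0.1", 1040),   # back to normal in window 11
    # 10.0.0.7 -> 203.0.113.9: a small flow exactly every 300 s (beacon-like)
    *[(t, "10.0.0.7", "203.0.113.9", 200) for t in range(0, 1501, 300)],
]

def detect_spikes(flows, baseline_windows=10, window=WINDOW, z_threshold=3.0):
    """Return [(src, window_index)] whose bytes exceed the host's baseline by z_threshold std devs."""
    per_host = defaultdict(lambda: defaultdict(int))
    for ts, src, _dst, nbytes in flows:
        per_host[src][ts // window] += nbytes
    alerts = []
    for src, windows in per_host.items():
        # Baseline: bytes sent in each of the first N windows (quiet windows count as 0)
        base = [windows.get(w, 0) for w in range(baseline_windows)]
        mu, sigma = mean(base), pstdev(base)
        for w in sorted(windows):
            if w < baseline_windows:
                continue  # baseline period is not scored against itself
            value = windows[w]
            z = (value - mu) / sigma if sigma > 0 else (float("inf") if value > mu else 0.0)
            if z > z_threshold:
                alerts.append((src, w))
    return alerts

def detect_beacons(flows, min_flows=5, max_cv=0.1):
    """Return [(src, dst)] pairs whose flows arrive at near-constant intervals."""
    times = defaultdict(list)
    for ts, src, dst, _nbytes in flows:
        times[(src, dst)].append(ts)
    beacons = []
    for pair, stamps in times.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # Coefficient of variation of the inter-arrival gaps: 0 means perfectly regular
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else float("inf")
        if cv <= max_cv:
            beacons.append(pair)
    return beacons
```

Running `detect_spikes(FLOWS)` flags only the 60000-byte window of 10.0.0.5, and `detect_beacons(FLOWS)` flags only the 10.0.0.7 to 203.0.113.9 pair; the irregular ordinary traffic triggers neither check.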