Network Security Best Practices
Robust network security best practices are more important than ever to protect against today’s increasingly sophisticated cyber threats. This article explores a range of network security best practices and technologies you need to fortify your network against unauthorized access and data breaches.
Types of network devices and security solutions
Before diving into enterprise network security best practices, let’s review the common types of network devices and security solutions that organizations can take advantage of:
- Bridges were once used to connect two or more hosts or network segments. They are outdated and no longer used.
- Hubs were once used to connect local area network (LAN) devices. Because they have no built-in intelligence, hubs are seldom used in modern network setups.
- A network switch is the default network appliance connecting computers, servers, printers and other devices in a LAN. It uses MAC addresses to manage and forward data to specific devices. Unlike a hub, a switch can intelligently direct traffic to reduce network congestion and improve network performance.
- A network router directs data packets between different networks to facilitate internet connectivity and internal network communication. Routers use IP addresses to determine the most efficient path for data packet transmission across networks. They can also provide security features like access control lists to restrict network access.
- A gateway serves as an intermediary for devices on separate networks, enabling them to communicate even if they are using different communication protocols.
- A firewall segregates one network from another. Firewalls are available in hardware and software form and can be integrated into devices like routers or servers. The classic example of a firewall is a dedicated appliance that serves as a barrier between the internal network and the outside world.
- A network access control (NAC) system assesses whether devices trying to access the network meet defined security standards (such as up-to-date antivirus software, system updates and specific configuration settings) and then grants or denies access.
- A web filter restricts access to internet content based on predefined criteria. For instance, this type of security solution can block access to malicious or inappropriate websites as defined by an organization’s policies.
- A proxy server acts as an intermediary between a user's device and the internet. Proxy servers can mask the user's IP address as well as filter web requests to block access to malicious sites or content.
- An email filter (spam filter) helps prevent unwanted emails from reaching the user's inbox altogether or delivers the email but removes potentially malicious hyperlinks and attachments. Simple filters use organizational policies or vendor-specified patterns to detect spam; advanced filters employ heuristic methods to spot suspicious patterns or word frequency.
- DDoS mitigation tools are designed to identify distributed denial of service (DDoS) attacks in their early stages, absorb the associated surge in traffic and help pinpoint the attack's origin.
- Load balancers contribute to network security by evenly distributing network traffic across multiple servers. For instance, they can help prevent any single server from becoming overloaded during a DDoS attack.
For more background information, review the OSI model for network systems in Appendix A.
Enterprise Network Security Best Practices
With those basics in mind, let’s explore known network security best practices that can help your organization improve its security posture to block attacks, as well as best practices for promptly detecting and responding to threats in progress.
Network security best practices for threat prevention
Segregate your network.
One of the core best practices for network security, network segmentation involves dividing a network into logical or functional zones. This can be achieved through physical means like routers and switches, or virtually by using VLANs. The objective is to contain a security breach in a single zone and thereby limit disruption and damage. Segmentation also enables IT teams to apply different security controls and monitoring to each zone.
In particular, organizations can set up a demilitarized zone (DMZ) to serve as a buffer between its internal network and the internet or other untrusted networks. The DMZ hosts external-facing services like web application servers; if these services are compromised, an attacker does not have direct access to the internal network.
An extreme form of segmentation is the air gap, where systems (such as servers with backups or other sensitive information) are entirely disconnected from the network.
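The following is an added example, not code from the original article, showing what a zone-based segmentation policy looks like when written down as a default-deny rule set. The zone names, address ranges and allowed flows are hypothetical: a DMZ, an internal zone, a backup zone carved out of the internal range with no permitted cross-zone traffic at all (the policy-level analogue of the air gap described above), and everything else treated as the internet. It also goes slightly beyond the text by running a constructed flow log through the policy, which is how you would audit firewall logs against the intended design.

```python
"""Zone-based segmentation policy check.

Added example (not from the original article). Zones, address ranges and
the allowed-flow table below are hypothetical and constructed for illustration.
"""
import ipaddress

# Each zone is a list of CIDR ranges. "backup" sits inside "internal" and must
# win by longest prefix; anything that matches no range is treated as internet.
ZONES = {
    "dmz": ["192.0.2.0/24"],
    "internal": ["10.0.0.0/8"],
    "backup": ["10.255.0.0/16"],
}

# Explicitly allowed cross-zone flows as (source zone, destination zone, destination port).
# Any cross-zone flow not listed here is denied (default deny). The backup zone is
# deliberately absent: nothing may reach it or leave it across the zone boundary.
POLICY = {
    ("internet", "dmz", 443),      # public web traffic terminates in the DMZ
    ("dmz", "internal", 5432),     # web tier talks to the database, and only that
    ("internal", "dmz", 443),      # staff reach the web application like anyone else
    ("internal", "internet", 443),
}


def zone_of(ip: str) -> str:
    """Classify an address into a zone by longest-prefix match; the default is internet."""
    addr = ipaddress.ip_address(ip)
    best_zone, best_len = "internet", -1
    for zone, cidrs in ZONES.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if addr in net and net.prefixlen > best_len:
                best_zone, best_len = zone, net.prefixlen
    return best_zone


def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Decide whether the zone firewall should pass a flow."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True  # traffic inside one zone is not governed by the zone boundary
    return (src, dst, dst_port) in POLICY


def denied_flows(flows):
    """Return the flows a default-deny zone policy would drop; useful when reviewing firewall logs."""
    return [f for f in flows if not is_allowed(*f)]


# Constructed flow log: (source, destination, destination port)
SAMPLE_FLOWS = [
    ("203.0.113.5", "192.0.2.10", 443),   # visitor -> DMZ web server: allowed
    ("203.0.113.5", "10.1.2.3", 443),     # visitor -> internal host: denied
    ("192.0.2.10", "10.1.2.3", 5432),     # web server -> database: allowed
    ("192.0.2.10", "10.1.2.3", 22),       # compromised web server trying SSH inward: denied
    ("10.1.2.3", "10.255.0.9", 445),      # workstation -> backup server: denied
    ("10.1.2.3", "10.1.2.4", 445),        # workstation -> workstation, same zone: allowed
]

if __name__ == "__main__":
    for flow in denied_flows(SAMPLE_FLOWS):
        print("DENY", flow, zone_of(flow[0]), "->", zone_of(flow[1]))
```

The point of the `backup` zone entry is that longest-prefix matching lets you carve a more sensitive zone out of a broader one without renumbering; the point of the `POLICY` set is that the DMZ web server can reach exactly one internal port, so a compromised web tier has nowhere else to go.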
Place your security devices correctly.
How you position your security devices affects how much protection they deliver. Effective positioning of firewalls is especially important. Ideally, a firewall should be situated at each network zone junction to serve as a barrier between different segments. Modern firewalls often come with integrated features like intrusion detection and prevention systems, DDoS mitigation, and web filtering, making them highly suitable for perimeter defense.
Web application firewalls (WAFs) are best placed in zones where applications are hosted, such as the DMZ. This placement helps protect web applications from threats like SQL injection and cross-site scripting. Load balancers that manage application traffic or DNS servers should also be located within the DMZ to optimize traffic flow and improve security.
Physically secure network equipment.
Another secure network infrastructure best practice is to tightly control access to network infrastructure. Only authorized personnel should have access to areas such as wiring closets, main distribution frames (MDFs), intermediate distribution frames (IDFs), servers, and especially data centers. Authentication should be required to enter any critical area.
In addition, organizations should prohibit the use of USB sticks and external drives to prevent insiders from removing sensitive data.
Use network address translation.
Network address translation (NAT) translates all private addresses of an organization into a single public IP address for external communications. Without NAT, the world would have run out of IPv4 addresses long ago. But the benefit of NAT for network security is that it masks the internal network's structure from outsiders, adding a layer of privacy and security.
Use personal firewalls.
Personal firewalls are software-based firewalls that reside on each computer or server. While they are frequently integrated into the operating system, they can also be installed as third-party applications. Like conventional firewalls, they restrict incoming and outgoing traffic to protect the device.
Configuring personal firewalls can initially be time-intensive due to the variety of applications and services running on a device. However, forgoing this step for convenience can leave devices vulnerable to malware and hacking. Always enable personal firewalls to ensure each device's security within the broader network.
Use whitelisting when feasible.
Application whitelisting is the practice of creating a list of approved software and allowing only those applications to run. This strategy can significantly reduce risk; for instance, it can prevent malware delivered by phishing attacks or malicious websites from executing.
However, whitelisting is not always practical, since the list must be kept updated with all applications that anyone in the organization has a legitimate reason to run.
Use a web proxy server to manage internet access.
By authenticating and monitoring outbound connections, a web proxy server helps ensure that only web traffic initiated by legitimate users is allowed. For example, this helps prevent malware inside the network from communicating with the attacker’s command and control server.
Enforce least privilege.
Focusing solely on external cyber threats can overlook the equally critical aspect of insider threats. It’s vital to restrict each user's access rights to what is essential for their roles; this reduces the damage a user can do accidentally or deliberately, and the power an attacker would gain by compromising the account. In addition, implement strong authentication measures to render stolen credentials useless.
Require VPNs for remote access.
A virtual private network (VPN) establishes a secure and private network connection over a public network infrastructure. It enables remote users to connect to the network as though they were locally connected. VPNs can also be used to securely link LANs across the internet using a secure tunnel that encrypts all data in transit. VPNs require either specialized hardware or VPN software installed on servers and workstations.
Network security best practices for threat detection and response
Baseline network protocols and monitor usage.
Establish the baseline usage of different protocols on your wired and wireless networks. To create an accurate baseline, data should be gathered from a variety of sources including routers, switches, firewalls, wireless access points, network sniffers and dedicated data collectors. Then monitor for deviations from these baselines, which can be indicative of data tunneling, malicious software transmitting data to unauthorized destinations, and other threats.
Use honeypots and honeynets.
A honeypot is a decoy system designed to look like a real network asset, and a honeynet is a network of honeypots that simulates a larger, more complex network environment. They are designed to lure adversaries into interacting with them, both to divert malicious actors from true assets and to enable security teams to study attack techniques and gather other intelligence for effective threat management.
Use intrusion detection and prevention systems.
It is vital to monitor and log activity across the network and analyze it to spot unusual logins, suspicious computer events and other anomalies. An intrusion detection system (IDS) monitors network data flows for potentially malicious activity and alerts administrators about anomalies. An intrusion prevention system (IPS) also monitors network traffic for threats; however, in addition to alerting administrators, it can automatically take action to block or mitigate threats.
These tools can be a valuable part of your network security strategy. For example, by comparing current activity to an established baseline, they could spot a spike in network activity that could indicate a ransomware or SQL injection attack. They can also use attack signatures — characteristic features common to a specific attack or pattern of attacks — to spot attacks that don’t generate activity that violates your organization’s baseline.
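The two detection approaches described in this section and in "Baseline network protocols and monitor usage" above, baseline deviation and signature matching, are shown together in the following added example (not code from the original article or from any IDS product). The seven-day per-protocol byte counts, the current day's observation and the request samples are all constructed, and the two signatures are illustrative patterns rather than a real rule set: one for the SQL injection case the text mentions, one for the unusually long DNS labels that tunnelled data tends to produce.

```python
"""Protocol baselining and signature matching over constructed traffic records.

Added example (not from the original article). The baseline figures, the
observed day and the request samples are all constructed; the signature
patterns are illustrative rather than a production rule set.
"""
import re
from statistics import mean, pstdev

# Constructed baseline: outbound bytes per protocol for each of the last seven days.
BASELINE = {
    "dns":   [1_200_000, 1_150_000, 1_300_000, 1_250_000, 1_180_000, 1_220_000, 1_270_000],
    "https": [900_000_000, 950_000_000, 880_000_000, 910_000_000, 930_000_000, 890_000_000, 920_000_000],
    "smtp":  [40_000_000, 42_000_000, 39_000_000, 41_000_000, 43_000_000, 40_500_000, 41_500_000],
}

# Constructed observation for the current day. DNS volume is roughly 40x its
# baseline, which is what DNS tunnelling of exfiltrated data tends to look like,
# and a protocol with no baseline at all (irc) has appeared.
TODAY = {"dns": 48_000_000, "https": 915_000_000, "smtp": 41_000_000, "irc": 2_000_000}


def baseline_stats(history):
    """Mean and population standard deviation per protocol."""
    return {proto: (mean(v), pstdev(v)) for proto, v in history.items()}


def volume_anomalies(history, observed, sigmas=3.0, floor=0.05):
    """Flag protocols whose observed volume exceeds mean + sigmas * stdev.

    The stdev is floored at `floor` * mean so that a very stable baseline
    does not turn every small fluctuation into an alert.
    """
    stats = baseline_stats(history)
    findings = []
    for proto, volume in observed.items():
        if proto not in stats:
            findings.append((proto, "no baseline for this protocol"))
            continue
        mu, sd = stats[proto]
        sd = max(sd, floor * mu)
        threshold = mu + sigmas * sd
        if volume > threshold:
            findings.append((proto, f"{volume} bytes vs baseline {mu:.0f} (threshold {threshold:.0f})"))
    return findings


# Illustrative signatures keyed by the protocol they apply to. A real IDS
# carries thousands of these; two are enough to show the mechanism.
SIGNATURES = {
    "http": {
        "sqli-union-select": re.compile(r"(?i)\bunion\b\s+(?:all\s+)?select\b"),
    },
    "dns": {
        # A single label of 40 or more hex characters is a common tunnelling tell.
        "dns-long-label": re.compile(r"(?:^|\.)[0-9a-f]{40,}\."),
    },
}


def signature_hits(records):
    """Match each (source, protocol, payload) record against the signatures for its protocol."""
    hits = []
    for src, proto, payload in records:
        for name, pattern in SIGNATURES.get(proto, {}).items():
            if pattern.search(payload):
                hits.append((src, name))
    return hits


# Constructed request samples: (source host, protocol, payload excerpt)
REQUESTS = [
    ("10.1.2.3", "http", "GET /products?id=42"),
    ("10.1.2.9", "http", "GET /products?id=42 UNION SELECT 1,2,3"),
    ("10.1.2.7", "dns", "a3f9c2e1b7d4a3f9c2e1b7d4a3f9c2e1b7d4a3f9c2e1b7d4.example.net"),
    ("10.1.2.7", "dns", "www.example.net"),
]

if __name__ == "__main__":
    for finding in volume_anomalies(BASELINE, TODAY):
        print("VOLUME", *finding)
    for hit in signature_hits(REQUESTS):
        print("SIGNATURE", *hit)
```

Note what each half catches that the other cannot: the DNS spike and the never-before-seen protocol are invisible to signatures, while the injection attempt is a single small request that no volume baseline would notice.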
Automate response to attacks when appropriate.
Many modern security tools can be configured to respond automatically to known threats. For example, these systems can:
- Block IP address — An IPS or firewall can block the IP address from which the attack originated. This option is very effective against phishing and denial-of-service attacks. However, some attackers spoof the source IP address during attacks, so the wrong address could be blocked.
- Terminate connections — Routers and firewalls can be configured to disrupt the connections that an intruder maintains with the compromised system by sending TCP reset (RST) packets to tear down the attacker's sessions.
- Acquire additional information — Tools can also collect valuable information that helps determine such things as the point of initial access, which accounts were compromised, how the intruders moved across the network and what data was compromised.
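Automatic blocking is only as safe as the guards around it, so the following added example (not code from the original article or from any vendor's product) shows the decision logic for the "Block IP address" action with the caveat above built in. The alert stream, the protected address ranges, the three-event threshold and the per-signature "source verified" flags are all hypothetical; the idea of the flag is that detections which fire only after a completed TCP handshake cannot have a forged source, while connectionless detections such as UDP floods can, and so should be rate-limited upstream or reviewed rather than auto-blocked.

```python
"""Guarded automatic blocking of attacking addresses.

Added example (not from the original article). The alert stream, the
protected address ranges and the thresholds are hypothetical; a real
deployment would push the resulting block list to the firewall or IPS API.
"""
import ipaddress
from collections import defaultdict

# Addresses that must never be auto-blocked: internal ranges, the DMZ, and the
# upstream resolver. Blocking one of these is how an attacker turns your own
# automation into a denial of service against you.
PROTECTED = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "192.0.2.0/24", "198.51.100.53/32")]

# How many corroborating alerts a source needs before automation acts on it.
MIN_EVENTS = 3

# Whether each signature's source address can be trusted. True marks detections
# that only fire after a completed TCP handshake, which a spoofed source cannot
# finish; connectionless detections (UDP floods) can carry a forged source.
SOURCE_VERIFIED = {"ssh-bruteforce": True, "http-scanner": True, "udp-flood": False}


def is_protected(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROTECTED)


def plan_response(alerts):
    """Split alert sources into 'block' (safe to automate) and 'review' (needs a human).

    alerts: iterable of (source_ip, signature_name).
    Returns {"block": set_of_ips, "review": {ip: reason}}.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for src, sig in alerts:
        counts[src][sig] += 1

    plan = {"block": set(), "review": {}}
    for src, sigs in counts.items():
        total = sum(sigs.values())
        if is_protected(src):
            plan["review"][src] = f"{total} alerts from a protected address; investigate the host, do not block"
        elif not all(SOURCE_VERIFIED.get(sig, False) for sig in sigs):
            plan["review"][src] = "source address may be spoofed; rate-limit upstream instead of blocking"
        elif total < MIN_EVENTS:
            plan["review"][src] = f"only {total} alert(s), below the {MIN_EVENTS}-event threshold"
        else:
            plan["block"].add(src)
    return plan


# Constructed alert stream from a hypothetical IPS: (source address, signature)
ALERTS = [
    ("203.0.113.7", "ssh-bruteforce"), ("203.0.113.7", "ssh-bruteforce"), ("203.0.113.7", "ssh-bruteforce"),
    ("203.0.113.8", "http-scanner"),
    ("10.1.2.3", "http-scanner"), ("10.1.2.3", "http-scanner"), ("10.1.2.3", "http-scanner"),
    ("198.51.100.200", "udp-flood"), ("198.51.100.200", "udp-flood"), ("198.51.100.200", "udp-flood"),
]

if __name__ == "__main__":
    result = plan_response(ALERTS)
    print("block:", sorted(result["block"]))
    for ip, reason in result["review"].items():
        print("review:", ip, "-", reason)
```

Of the four sources, only the external SSH brute-forcer is blocked; the internal scanner is routed to investigation of the host rather than a firewall rule, the single-hit scanner waits for corroboration, and the UDP flood source is never trusted enough to block.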
Bonus best practice
A final network security best practice applies across both threat prevention and detection & response.
Use multiple vendors.
Using solutions from different vendors bolsters cyber resilience by reducing the risk associated with a single point of failure — if a solution from one vendor is compromised, the presence of solutions from other vendors helps maintain the defensive shield. This approach also enables greater adaptability in response to evolving threats and security requirements. More broadly, it can lead to competitive pricing and drive innovation, as vendors strive to offer the most advanced and cost-effective solutions.
Conclusion
By adhering to the network security best practices detailed here, your organization can reduce the risk of costly business disruptions and security incidents, as well as ensure compliance with today’s strict legislative mandates.
Appendix A: The OSI Model
The OSI (Open Systems Interconnection) model is an established framework for network systems. It comprises seven layers, from physical hardware to application-level interactions:
Layer | Function | Network Device Types | Protocols or Standards |
---|---|---|---|
7: Application | Provides services such as email, file transfers and file servers | | HTTP, FTP, TFTP, DNS, SMTP, SFTP, SNMP, RLogin, BootP, MIME |
6: Presentation | Provides encryption, code conversion and data formatting | | MPEG, JPEG, TIFF |
5: Session | Negotiates and establishes a connection with another computer | Gateway | SQL, X Window, ASP, DNA, SCP, NFS, RPC |
4: Transport | Supports end-to-end delivery of data | Gateway | TCP, UDP, SPX |
3: Network | Performs packet routing | Router | IP, OSPF, ICMP, RIP, ARP, RARP |
2: Data link | Provides error checking and transfer of message frames | Switch | Ethernet, Token Ring, 802.11 |
1: Physical | Physically interfaces with the transmission medium and sends data over the network | Hub | EIA RS-232, EIA RS-449, IEEE 802 |