Skip to main content

Network Security

Network security protects the paths that systems, users, devices, services, and data use to communicate. Modern network defense is not only about firewalls. It also includes identity, device posture, SaaS logs, cloud traffic, developer workstations, DNS telemetry, and incident response visibility. The goal is simple: control what can talk to what, detect suspicious behavior quickly, and limit the blast radius when one device, credential, or vendor is compromised.

The OSI Model and Security

The OSI model helps map attacks and controls to layers of communication.
LayerNameSecurity concernExample attack
7ApplicationWeb apps, APIs, SaaS, identity flowsSQL injection, XSS, OAuth abuse
6PresentationEncoding, encryption, serializationTLS downgrade, unsafe deserialization
5SessionSession state and authenticationSession hijacking, stolen cookies
4TransportPorts, protocols, flow behaviorSYN flood, port scanning
3NetworkRouting and IP-level trustIP spoofing, BGP hijacking
2Data LinkLocal network trustARP spoofing, MAC flooding
1PhysicalHardware and accessCable tapping, rogue devices

Firewalls and Traffic Filtering

A firewall monitors and controls traffic based on rules. Firewalls are still important, but they are only one layer of modern defense.

Firewall Evolution

TypeCapabilities
Packet filterFilters by source, destination, port, and protocol
Stateful firewallTracks connection state and allows expected return traffic
Application proxyUnderstands application protocols and can filter content
Next-generation firewallAdds application awareness, IPS, TLS inspection, user identity, and threat intelligence
Cloud security group / network ACLControls traffic in cloud networks and workloads

Firewall Rule Best Practices

  • Default deny: Block by default and explicitly allow what is needed.
  • Least privilege: Allow only required ports, protocols, sources, and destinations.
  • Logging: Log denied traffic and sensitive allowed flows.
  • Documentation: Every rule should have an owner and business purpose.
  • Review: Remove stale rules, temporary exceptions, and broad ranges.

Network Segmentation

A flat network allows one compromised device to reach too much. Segmentation limits what an attacker can access after initial compromise.

Segmentation Strategies

  • VLANs: Separate guest Wi-Fi, employee devices, servers, IoT, labs, and admin systems.
  • Subnetting: Divide IP ranges into controlled zones.
  • DMZ: Place public-facing services away from internal systems.
  • Micro-segmentation: Enforce workload-level policies in data centers, containers, and cloud.
  • Identity-aware access: Use user identity and device posture, not only IP address.
Ask this question for every zone: if one device here is compromised, what can it reach next? The answer should be “only what it must reach.”

Developer Workstations as Network Targets

Recent supply chain attacks show that developer machines are high-value network assets. They often hold source code, cloud credentials, package publishing rights, SSH keys, and CI/CD access.

Controls for Developer Endpoints

  • Place developer devices in monitored network segments.
  • Require device posture checks before source control, package registry, and cloud access.
  • Restrict long-lived personal access tokens.
  • Alert on unusual mass repository cloning.
  • Alert when IDEs or extensions spawn unexpected shells, interpreters, archive tools, or credential utilities.
  • Monitor outbound connections to rare domains or suspicious GitHub API usage.
  • Separate production secrets from local development.
Do not treat developer laptops as ordinary office endpoints. A single compromised developer workstation can become a source code, cloud, and package supply chain incident.

Intrusion Detection and Prevention

SystemBehaviorPlacement
IDSMonitors traffic and generates alertsSPAN port, network TAP, cloud traffic mirror
IPSSits inline and can block trafficBetween network zones or at egress points
NDRAnalyzes network behavior over timeCore network, cloud, or endpoint telemetry

Detection Methods

  • Signature-based: Finds known attack patterns.
  • Anomaly-based: Alerts on deviations from baseline behavior.
  • Behavioral: Detects sequences that suggest intrusion, lateral movement, or data exfiltration.
  • Threat intelligence enriched: Correlates activity with known malicious infrastructure, packages, hashes, or domains.

DNS Security

DNS is often under-monitored, which makes it useful for attackers.

DNS-Based Threats

  • DNS tunneling: Data hidden inside DNS queries.
  • DNS spoofing or poisoning: False responses redirect users.
  • Domain generation algorithms: Malware generates many possible command-and-control domains.
  • Newly registered domains: Attackers use fresh domains for phishing and malware delivery.

DNS Defenses

  • Use protective DNS filtering.
  • Log DNS queries centrally.
  • Alert on high-volume queries, long random-looking domains, unusual TXT queries, and rare domains from sensitive hosts.
  • Block direct DNS egress except through approved resolvers.
  • Use DNSSEC where supported.

Zero Trust Architecture

Traditional perimeter security assumes that internal networks are trusted. That model breaks down with cloud, SaaS, remote work, BYOD, and vendor integrations. Zero Trust means: never grant access based only on network location.

Zero Trust Principles

  1. Verify explicitly: Evaluate identity, device health, location, risk, and resource sensitivity.
  2. Use least privilege: Grant minimum access for minimum time.
  3. Assume breach: Segment systems and monitor as if compromise is possible.

Zero Trust Components

  • Identity provider with SSO and MFA
  • Device posture checks
  • Conditional access policies
  • Privileged access management
  • Micro-segmentation
  • Central logging and analytics
  • Continuous access review

SaaS and Cloud Telemetry

Modern attacks often happen through SaaS and cloud control planes rather than classic network paths.

Logs to Collect

SourceUseful signals
Identity providerLogin anomalies, impossible travel, MFA failures, OAuth grants
Source controlRepository clones, token use, branch protection bypass, secret scanning alerts
Cloud providerIAM changes, new access keys, unusual API calls, data exports
SaaS appsAdmin role changes, bulk exports, suspicious sharing, app integrations
CI/CDSecret access, workflow changes, deployment activity, new runners
EndpointProcess tree, file access, script execution, network connections

Detection Questions

  • Is this user accessing more data than usual?
  • Did this token appear from a new device, region, or automation path?
  • Did a normal tool spawn an abnormal child process?
  • Did an extension or package update trigger outbound traffic?
  • Did a vendor incident coincide with internal alerts?

Security Operations Center

A SOC is a team or function responsible for monitoring, triage, investigation, and response.

SIEM

A SIEM collects and correlates logs from systems such as firewalls, endpoints, cloud platforms, identity providers, source control, and SaaS applications. SIEM workflow:
  1. Collect logs from relevant sources.
  2. Normalize fields so events can be searched consistently.
  3. Correlate related activity into detections.
  4. Alert analysts when behavior crosses risk thresholds.
  5. Investigate the timeline and scope.
  6. Respond by containing accounts, devices, tokens, or network paths.
Popular SIEM platforms include Splunk, Microsoft Sentinel, Elastic Security, IBM QRadar, and Sumo Logic.

VPNs and ZTNA

VPNs encrypt traffic between a device and a private network. They are useful, but traditional VPNs often grant broad network access once connected.
ApproachBest useRisk
Remote access VPNConnecting users to private networksCan expose too much internal network access
Site-to-site VPNConnecting offices or cloud networksMisconfiguration can bridge large environments
ZTNAGranting access to specific apps based on identity and postureRequires mature identity and device management
ZTNA is often safer for remote work because users get access to specific applications, not an entire network.

Practical Lab Ideas

  1. Build a small segmented lab with a user subnet, server subnet, and admin subnet.
  2. Configure a default-deny firewall rule set and only allow needed traffic.
  3. Collect DNS logs and identify normal versus suspicious domains.
  4. Simulate a stolen token by using an API key from an unexpected host, then write an alert.
  5. Review source control audit logs for clone volume, token creation, and branch protection changes.

Key Takeaways

  1. Segmentation limits blast radius.
  2. Developer endpoints are high-value network assets.
  3. DNS, SaaS, cloud, and identity logs are security telemetry.
  4. Zero Trust replaces location-based trust with continuous verification.
  5. ZTNA is often safer than broad VPN access.
  6. If you cannot see the activity, you cannot reliably defend it.