Network security basics are the critical elements of network or cyber security. They should be implemented within all networks including home, business, and internet. Effective network security requires protection of wired and wireless networks with firewalls, anti-malware software, intrusion detection systems, access control, and more.
Network security is a complex topic that involves many different technologies with configurations that are sometimes complicated.
The security issue to address is the separation between what is on the network and the endpoints or host systems that are attached to it. The technology for both the network and the endpoints includes access control and encryption, but on the network, there is also segmentation and perimeter security.
Network security is only part of the security equation, and it is usually considered to apply to the devices that protect the network itself. A firewall can be a standalone device that sits beside networking equipment such as routers or switches, or software within the same physical box that also routes and/or switches. On the network there are firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), virtual private network (VPN) appliances, data leak prevention (DLP) systems, etc.
The network exists to connect systems to each other. It is what enables you to browse Amazon or shop online at your local grocery store. But end systems must also be protected; that is called endpoint security. These devices include laptops, tablets, phones, but also the internet of things (IoT) devices.
IoT includes devices such as connected thermostats, cameras, refrigerators, front door locks, light bulbs, pool pumps, smart duvets, etc. These devices require security controls as well, but not all devices are sophisticated enough to contain something like a host-based firewall or anti-malware agent. If the endpoint is a light bulb, then it probably relies on network security for its protection.
The first place to start is with access control. Businesses commonly referred to this as identity and access management (IAM). Controlling access is not new. Humans have controlled access to buildings since the first lock was installed on a door over six thousand years ago. Access control is now performed on networks, computers, phones, applications, websites, and files.
Fundamentally, access control is broken down into IAAA:
Within IAAA, authentication might be the most important topic today. Passwords are still the most common authentication on most systems. They are typically not very secure, however, because they are easy to crack.
If a password is short enough, the hacker has little trouble figuring out what it is. Hackers use a password-guessing attack that entails brute force – trying all possible combinations. Or the attacker could use a password-cracking attack, which entails using a program to recreate passwords that hash to the same value.
There are three authentication types or factors in use today. They are:
The best choice is two-factor authentication (2FA), sometimes referred to as multi-factor authentication (MFA). We highly recommended it for your personal accounts such as Amazon or Facebook.
Applications such as the Google authenticator are free to use and a much better choice than receiving a text or short message service (SMS) message to your phone. The National Institute of Standards and Technology (NIST) recommends against SMS.
We also recommend 2FA for the office, but it is a decision at a policy or management level to require this or not. It depends on many factors such as the asset, its data classification, the risks, and the vulnerabilities.
Network segmentation improves security by controlling the flow of data between different networks. This is most commonly accomplished with virtual local area networks (VLANs). There are many variations on this theme, such as private virtual LAN (PVLAN), virtual extensible LAN (VXLAN), and so on. A VLAN exists at the data link layer – layer 2 of the open system interconnect (OSI) model. Most network administrators map an internet protocol (IP) subnet to a VLAN.
Routers enable traffic to pass between VLANS according to the configuration. If you want control, router configuration is critical.
Another option found within the cloud is called a virtual private cloud (VPC). Traffic control to and from the VPC is also controlled by configurations.
Understanding the business requirements for the workload is essential to configure and control access to or from VLANs and VPCs.
Perimeter security is based on the logic that there is a defined edge between an internal/trusted network and an external/untrusted network. This is traditional network design that dates to when the network and data center were confined within a single building. In this configuration, a router connects the internal and external networks. Basic configuration of an access control list (ACL) within the router controls the traffic that can pass through.
You can add security at the perimeter with firewalls, IDS, and IPS. For more information on these, see the Network Security Measures page.
Encryption is essential to keep sensitive data and communications away from prying eyes. Encryption protects files on your computer’s hard drive, a banking session, data stored in the cloud, sensitive emails, and a long list of other applications. Cryptography also provides verification of data integrity and authentication of the data’s source.
Encryption falls into two basic types of cryptography: symmetric and asymmetric.
A third topic is hashing. Even though it is not encryption, it needs to be included at this point in security discussions. Hashing runs an algorithm against a message that calculates a resultant answer, called the hash, that is based on the bits of that message. Bits can be data, voice, or video. Hashing does not change the value of the data in any way. In contrast, encryption alters the data to an unreadable state.
Hashing proves that the bits of the message have not changed. It ensures the data has integrity and that it is in its original format. Only hashing protects data from accidental changes.
If the hash is encrypted with an asymmetric private key, it proves that a hacker has not maliciously tampered with the data. Malicious changes cannot occur unless the private key is compromised.
If the key has not been compromised, then you know that the person who has the private key must be the person who calculated the hash. That key could be a symmetric key, which is sometimes referred to as a private key, or the asymmetric private key.
It is difficult to protect data, voice or video transmitted over a wireless network. Wireless transmissions are intended to emit a signal, and this makes it easier for a hacker within range to capture the transmission. There are encryption standards for wireless, but most have been broken in one way or another.
Encryption standards include WEP, WPA, WPA2, and now WPA3.
Network security is complex. It is an unending battle of wits against the hackers. See the Network Security Measures page for more information.
It is always a great idea to pursue security certifications. Either the CompTIA Security+ certification or the System Security Certified Practitioner ((ISC)2® SSCP) certification is a great starting point. A more advanced manager-level certification, with a bit of technical knowledge thrown in, is the Certified Information System Security Professional ((ISC)2® CISSP) certification. You can also take vendor-specific exams such as the cloud-based exams for AWS, GCP, or Azure.