Network Security: The Basics

Connecting a network to the internet is a major risk. Because traffic flows in and out of the network directly from the internet without any manual intervention, automated security systems are vital. The speed of data transfers over the network matters, too, so you might be criticized for implementing any boundary controls that slow down or block traffic.

IT users don’t expect anything to go wrong, and fundholders prioritize speed, efficiency, cost, and service availability over security measures. However, a hacker attack that destroys your company’s data can be catastrophic: the legal and financial consequences of a data loss event can destroy a company. So, security measures need to be built into the IT system from day one.

The aims of network security

Network security can only be successfully implemented if it protects the company from cyber-attacks while allowing legitimate traffic to flow at an acceptable speed. This aim is distilled into an acronym, the CIA triad.

It denotes:

  • Confidentiality
  • Integrity
  • Availability

The meanings of each of these three attributes are explained below.

Confidentiality

Confidentiality means that data is held in a system so that it can be used for specific purposes. Access to data shouldn’t be banned outright, but it should be controlled. The key issues of data confidentiality revolve around levels of access rights: several groups of accounts should be created, and each group should be allocated access to specific sets of data. Control over usernames and passwords is another issue that needs to be addressed, to prevent users from being tricked into disclosing their access credentials.

One other concern when enforcing data confidentiality is how that data is used. A user with rights to access data should only be allowed to use it through specific applications and for specific purposes.

Restricting direct access to data makes guided data usage easier to manage. Removing the capability to write files to other storage media from desktop computers enables system managers to ensure that confidentiality has been maintained. Scanning outgoing emails to spot unauthorized data disclosure is another task that is needed in order to ensure data confidentiality.

Ensuring data confidentiality requires clear security policies that need to be communicated to the user community. Users should also be educated so that they can detect phishing attempts that could fool them into revealing their access credentials to outsiders.

Integrity

Network managers are familiar with the term “system integrity.” It means that the network is free from environmental interference and that there are no unauthorized connections. In security circles, the term “integrity” has a very similar meaning except it relates more specifically to “data integrity.” Therefore, it means that there can be no tampering with any data in the system, either intentionally or accidentally. Integrity requires that all data is backed up and can be restored should it be accidentally deleted or if unauthorized access is discovered.

Integrity requires that all actions performed on the network and on attached devices are logged. Logging all events is a very important part of network security and the integrity of those log records is paramount if they are to provide meaningful support. Thus, all log files need to be protected against tampering and themselves need to be backed up.
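One concrete way to make log records tamper-evident, as described above, is to chain each entry to its predecessor with a keyed MAC, so that editing or deleting any earlier entry invalidates every entry after it. The block below is an added example written for this page, not code from the original article or from any product it mentions; the key, the event records and the tampering step are all constructed for the demonstration, and the key is assumed to live somewhere the log store cannot read (a secrets manager or HSM).

```python
import hashlib
import hmac
import json

# Assumption: a per-server secret held outside the log store. Constructed
# placeholder value for the demonstration; never hard-code a real key.
LOG_KEY = b"constructed-demo-key-replace-in-production"
GENESIS = "0" * 64  # MAC "of" the entry before the first one


def _entry_mac(prev_mac: str, record: dict) -> str:
    """MAC over the previous entry's MAC plus the canonical JSON of this record."""
    payload = prev_mac.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()


def append_entry(log: list, record: dict) -> dict:
    """Append a record, chained to the previous entry so that any change to an
    earlier entry, or its removal, breaks every MAC that follows it."""
    prev_mac = log[-1]["mac"] if log else GENESIS
    entry = {"record": record, "mac": _entry_mac(prev_mac, record)}
    log.append(entry)
    return entry


def verify_log(log: list) -> tuple:
    """Return (ok, index): index is the first entry whose MAC does not verify,
    or None when the whole chain is intact."""
    prev_mac = GENESIS
    for i, entry in enumerate(log):
        expected = _entry_mac(prev_mac, entry["record"])
        if not hmac.compare_digest(expected, entry["mac"]):
            return False, i
        prev_mac = entry["mac"]
    return True, None


def demo() -> tuple:
    """Constructed events, then a simulated edit of entry 1 to hide a file read."""
    log = []
    events = [
        {"ts": "2024-01-01T08:00:00Z", "user": "alice", "action": "login", "result": "ok"},
        {"ts": "2024-01-01T08:05:12Z", "user": "alice", "action": "read", "obj": "payroll.xlsx"},
        {"ts": "2024-01-01T08:07:40Z", "user": "bob", "action": "login", "result": "fail"},
    ]
    for event in events:
        append_entry(log, event)
    intact, _ = verify_log(log)

    log[1]["record"]["obj"] = "readme.txt"  # the tampering an intruder might attempt
    still_intact, bad_index = verify_log(log)
    return intact, still_intact, bad_index


if __name__ == "__main__":
    print(demo())
```

The chain only proves that nothing in the middle was altered; truncating the log by deleting its newest entries is invisible unless the latest MAC is also copied somewhere the intruder cannot reach (a remote log collector or the backup mentioned above), which is exactly why the section says the logs themselves need to be backed up.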

Traditional system integrity checks are also required to ensure that data integrity is enforced. These extend to controls on the settings of network devices, which should be configured to minimize the potential for undetected intrusion. Intruders frequently change device settings to weaken network security. Device configuration management is needed to restore standard settings should a device’s configuration be changed unexpectedly.

Availability

In network services, “availability” applies to a number of different scenarios. The term reminds us that authorized users are entitled to expect the timely delivery of data across the network and that the network should be constantly operational during business hours.

In network security, there are a number of other factors to consider when ensuring availability. Some security systems can be configured so tightly that they incorrectly identify legitimate activity as suspicious. This is called “false-positive reporting.” It is a particular problem in security systems that automatically implement activity shutdown procedures. These actions could include suspending a user account, dropping connections, blocking communications from a specific IP address, or banning access to ranges of IP addresses. False-positive reporting can create havoc in a business, making it impossible for staff to do their job and locking out potential buyers at an e-commerce site.

Other availability concerns include preventing the general public from being denied access to a system by actions such as a DDoS attack. In this case, the network manager needs to put in place a contract with a DDoS mitigation service to absorb excessive connection requests and keep web servers available to fulfil the connections requested by legitimate users.

System access points

Access to an IT system facilitates service delivery to users, but it also gives an entry point to hackers and viruses. There are two access points for malware:

  • Endpoint peripheral devices
  • The Internet

Viruses need human assistance in order to get onto endpoints through portable media, such as USB sticks or DVDs. Hacker access is also facilitated by programs that open outgoing connections over the Internet, thus evading firewall blocks on incoming connection requests.

The Internet access point for both intruders and malware is an obvious channel. However, this route can also be made a great deal easier by human error. Legitimate system users can be tricked into disclosing passwords or downloading Trojans attached to emails.

Although a single desktop computer can provide a hacker with a mine of valuable resources and offer a virus an environment to wreak havoc, access to ALL endpoints on a network and servers as well is a much more rewarding goal. That aim can only be achieved by getting access to the corporate network.

So, Internet-facing controls are not the only priorities for network security; network administrators also need to examine traffic emanating from endpoints. By extension, endpoint security and peripheral device controls are part of network security responsibilities.

Traffic monitoring

You can monitor network traffic for years without realizing that there has been a security breach. In an Advanced Persistent Threat (APT), outsiders get access to your system and even manage to acquire root privileges. With that level of access, they can manipulate activity reporting procedures, such as access logs, to erase any signs of their presence. They can mine for cryptocurrencies and sell off all of the data they stole from your company without you realizing it.

Many security breaches are undetectable through monitoring because they are conducted through legitimate channels. You won’t spot a hacker accessing files on your server because access is controlled by user authentication, so all transactions can only be conducted through genuine user accounts. Just by watching traffic, you can’t tell whether an outsider has got hold of the username and password of one of your company’s authorized staff.

Firmware, operating systems, and software regularly need to be updated. Many of these patches are issued to close a recently discovered vulnerability. However, the update process is itself a weakness that hackers can exploit to slip their own code into a system.

Although patch management systems centralize the installation of patches, Trojan software that creates backdoors for intruders can be well hidden and most systems administrators don’t know what signs to look for to tell whether a patch has been compromised or is entirely fake. While patches for operating systems are commonly managed, firmware updates for network devices and peripherals, such as printers, security cameras, or smart devices are usually conducted directly by the devices themselves.

Self-updating IoT devices have become hosts for backdoors and controlling operations that make them part of a botnet. Zombie devices in a botnet won’t attack your own network – that could be too easily traced – they are used to attack other systems all over the world, blocking off access to websites on demand.

While firewalls provide automated traffic monitoring services, they are still easy to trick. They won’t spot the activities of intruders already in the system with a hijacked user account and they won’t spot attacks that combine a series of apparently legitimate actions to create a damaging event or data loss event.

Network security weaknesses

The services of firewalls and anti-virus kits worked well for the early decades of IT. However, traditional methods of protection no longer work. As a result, the producers of AV systems had to completely overhaul the operating strategies of their packages or face total obsolescence.

Some elements of a legacy AV service are still present. These include threat databases. However, such measures have been adapted so much that even the format of their contents would be unrecognizable to the technicians who produced the first AV systems. Threats are no longer the names of programs or specific strings of code. They now extend to traffic patterns, activities on specific ports, or a sequence of actions performed within a time window that indicates suspicious activity.

Cybersecurity systems have evolved and include a large number of completely new strategies. The central tenet of the current mindset in the cybersecurity sector is that no protection system is infallible. The main pursuit in the industry is how to catch activities that manage to slip past a firewall or operate without detection by anti-virus systems.

The truth is that no single software package is able to offer guaranteed protection against every single type of attack that is currently known to the industry. It certainly can’t protect your IT system from every new attack vector that hackers will come up with in the future.

The challenge for cybersecurity solutions providers is how to admit that no security system is perfect without losing all credibility. Another problem is that there is no merit in a partial security system, because anyone who pays for partial protection is just as vulnerable to attack as those who don’t bother buying any security software at all.

Data security standards

Data protection standards, such as PCI DSS, HIPAA, and GDPR, all accept the impossibility of total security. That’s why those standards include procedures to follow in the event of a data breach. They don’t ostracize businesses that got hit by an attack that no security software could have prevented. Instead, they emphasize the duty of targeted companies to report those data loss events.

It is better that the people associated with the stolen data are informed of the disclosure so that they can take action to protect themselves. So, data standards stress the need to log all actions and use logfile managers to examine events for suspicious activities. Those log files need to be stored so that they can be accessed easily by external auditors and they need to be archived for long-term recall.

Much of the development of data protection over the last decade relates to operating procedures that businesses need to follow rather than protection software that needs to be installed.

Business continuity

Network security needs to guarantee availability and that includes procedures for disaster recovery. Backup and restore systems should be put in place to repair accidental damage and path redundancy should be planned in order to account for unexpected surges in traffic and possible equipment failure.

Business continuity involves planning for the unexpected and includes backing up your plans as well as backing up your data. Network security extends to working practices that will ensure that you can get your team working to restore the network in the event of environmental disaster, malicious damage, or network device malfunction.

Network security systems

The network is one element in a three-zone security architecture. This protection system needs to cover endpoints and Internet activity as well as network security. In many cases, security solutions for the network need to be unified with security services put in place for business internet usage, endpoint protection, and server protection. While some security strategies operate across all three of these IT systems, others focus on protecting just one.

Endpoint protection

As security breaches on endpoints can ripple out across the network, protection for all devices connected to the network must be regarded as a network security task.

The two traditional tools for endpoint protection are anti-virus systems and firewalls. While firewalls continue to be relevant in much the same format that they always took, AV systems have evolved considerably. Look for products labeled as “next-generation AV” or “endpoint detection and response” (EDR).

Recognizing the importance of each endpoint’s security to total system protection, some AV producers have created a networked solution that coordinates protection services resident on each device. These systems include a central console that allows a systems administrator to spot a security problem on one endpoint that could easily spread to all other connected devices.

Mobile devices and IoT devices are not usually counted as “endpoints” and neither are servers. While some endpoint protection systems are produced in versions that can be installed on servers, mobile device protection is usually sourced from separate software packages.

There are some endpoint protection systems that are capable of offering security for all types of connected devices. These are termed Unified Endpoint Management (UEM) systems. UEMs include device performance monitoring and location tracking as well as configuration management and security management for all devices.

Security services that protect mobile devices only or mobile and IoT devices are known as Mobile Device Management (MDM) systems. Often, a UEM is a combined package of an endpoint protection system that secures desktops and an MDM for mobile devices. These two modules will implement different procedures to protect their fleets of devices.

Network security

The main responsibility of network managers lies with the health and performance of network devices, such as switches and routers. The settings of these devices are the focus of security measures implemented on the network. Configuration management systems standardize the settings of these devices and store an image of each configuration. The service monitors devices for any unauthorized changes and automatically restores the original settings by reapplying the configuration image.
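The configuration management loop described above (store an approved image, watch for unauthorized changes, reapply the image) can be illustrated with a few lines of Python. This is an added example for this page, not the article’s own code or any vendor’s product; the device name, the configuration lines and the `push_config` callback that stands in for the transport to the device are all hypothetical, and the “running” configuration is constructed to show the kind of drift the text warns about (weakened remote access and removed logging).

```python
import difflib
import hashlib

# Constructed baseline image for a hypothetical switch, as a configuration
# management service would store it after the settings were approved.
BASELINE = {
    "sw-core-01": "\n".join([
        "hostname sw-core-01",
        "ip ssh version 2",
        "no ip http server",
        "logging host 10.0.0.50",
        "line vty 0 4",
        " transport input ssh",
    ]),
}


def config_hash(text: str) -> str:
    """Cheap fingerprint used to skip the diff when nothing changed."""
    return hashlib.sha256(text.encode()).hexdigest()


def detect_drift(device: str, running: str) -> list:
    """Unified diff between the stored image and the running configuration.
    An empty list means the device still matches its approved settings."""
    baseline = BASELINE[device]
    if config_hash(running) == config_hash(baseline):
        return []
    return list(difflib.unified_diff(
        baseline.splitlines(), running.splitlines(),
        fromfile="baseline", tofile="running", lineterm=""))


def enforce(device: str, running: str, push_config) -> tuple:
    """Restore the approved image when drift is found. push_config(device, text)
    is a hypothetical transport callback; return (drifted, diff) for the audit log."""
    diff = detect_drift(device, running)
    if diff:
        push_config(device, BASELINE[device])
    return bool(diff), diff


def demo() -> tuple:
    # Constructed running config: remote logging removed and telnet enabled.
    running = "\n".join([
        "hostname sw-core-01",
        "ip ssh version 2",
        "no ip http server",
        "line vty 0 4",
        " transport input telnet ssh",
    ])
    pushed = {}

    def push_config(device, config):  # records what would be sent to the device
        pushed[device] = config

    drifted, diff = enforce("sw-core-01", running, push_config)
    changed = [line for line in diff
               if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]
    restored = pushed.get("sw-core-01") == BASELINE["sw-core-01"]
    return drifted, changed, restored


if __name__ == "__main__":
    print(demo())
```

The diff lines are worth keeping alongside the restore action: a device that keeps drifting back to the same weakened settings is a sign of an intruder with access to it, not of an administrator’s slip.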

Network security also extends to availability measures, such as route redundancy and secure connections through to cloud-based backup servers. Encryption on all network traffic makes wiretapping a waste of time.

Other network security measures include the separation of different traffic types with VLANs. This is particularly the case when running voice traffic over the data network. Different levels of security can be applied to separate network segments. For example, access to a web server by the public will have less strict security measures in what is known as a “demilitarized zone” (DMZ).

The use of network firewalls is standard practice in network administration. A firewall can be implemented as an appliance and is also now available as an edge service, hosted by a cloud provider.

Internet security

Internet security responsibilities fall into two categories: website availability and inter-site connection protection.

Companies operating websites need to ensure that the pages of that site are constantly available. The response times and loading error events that occur once the code for those pages is delivered are the responsibility of application performance monitors. Availability monitors are also called uptime monitors.

Protection from hacker activity on web pages that can introduce viruses onto endpoints is usually covered by EDR systems.

The main network security issue for websites lies in DDoS protection. This aims to mitigate attempts to overload web servers with a large volume of connection requests. Edge services can filter out attack traffic.

Company traffic that travels over the internet between sites can be protected in two ways. One of these is a virtual private network (VPN) service and the other is connection security provided by software-defined WANs (SD-WANs).

System-wide protection

There are four main categories of system-wide protection that involve network security measures. These are:

Access rights management

This has three elements: user account management, device access levels, and a permissions system that maps between the two. Access controls can be unified throughout an IT system with a Single Sign-on policy. Access management is implemented by authorization systems.
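The three elements just listed (accounts, access levels, and the mapping between them) fit naturally into a small group-based authorization check. The following is an added example for this page, not code from the original article or from any authorization product; the users, groups, resources and the ordered level names are constructed, and the point it demonstrates is deny-by-default resolution of a user’s effective level across several group memberships, plus an entitlement report of the kind an access review needs.

```python
# Constructed example: users, the groups they belong to, and the level each
# group holds on each resource. All names are hypothetical.
USER_GROUPS = {
    "alice": {"finance"},
    "bob": {"helpdesk"},
    "carol": {"helpdesk", "netops"},
}

# Device/data access levels, ordered from least to most privileged.
LEVELS = ["read", "operate", "admin"]

# The permissions system: group -> resource -> highest level granted.
# A resource absent from all of a user's groups means no access at all.
GROUP_PERMISSIONS = {
    "finance": {"payroll-db": "operate"},
    "helpdesk": {"ticket-system": "operate", "sw-core-01": "read"},
    "netops": {"sw-core-01": "admin", "fw-edge-01": "admin"},
}


def effective_level(user: str, resource: str):
    """Highest level the user holds on the resource across all groups, or None."""
    best = -1
    for group in USER_GROUPS.get(user, set()):
        level = GROUP_PERMISSIONS.get(group, {}).get(resource)
        if level is not None:
            best = max(best, LEVELS.index(level))
    return None if best < 0 else LEVELS[best]


def is_authorized(user: str, resource: str, requested: str) -> bool:
    """Deny by default: unknown users, resources or levels all return False.
    Otherwise allow when the requested level is at or below the effective one."""
    if requested not in LEVELS:
        return False
    effective = effective_level(user, resource)
    if effective is None:
        return False
    return LEVELS.index(requested) <= LEVELS.index(effective)


def entitlements(user: str) -> dict:
    """Every resource the user can reach and the level held there; this is the
    view an access review or a joiner/mover/leaver process works from."""
    report = {}
    for group in USER_GROUPS.get(user, set()):
        for resource, level in GROUP_PERMISSIONS.get(group, {}).items():
            current = report.get(resource)
            if current is None or LEVELS.index(level) > LEVELS.index(current):
                report[resource] = level
    return report


if __name__ == "__main__":
    for user in USER_GROUPS:
        print(user, entitlements(user))
```

Because a user’s rights are the union of their groups, the `entitlements` report is where creeping privilege shows up: carol’s helpdesk membership grants read on the switch, but her netops membership lifts that to admin, and only the report makes that visible in one place.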

Intrusion detection systems (IDS)

Also known as “advanced threat protection,” this category of system protection service includes Intrusion Prevention Systems (IPS), which implement threat mitigation actions to shut out intruders and lock resources. There are two types of IDS: Host-based Intrusion Detection Systems (HIDS), which explore log files, and Network-based Intrusion Detection Systems (NIDS), which monitor and examine network traffic.

Security information and event management (SIEM)

SIEM is a combination of Security Information Management (SIM), which is the same as a HIDS, and Security Event Management (SEM), which is the same as a NIDS. SIEM systems are great for those who need to show compliance to data protection standards because they include the management of log files, which is a requirement for external auditing.

Data loss prevention (DLP)

DLP aims to detect data theft and block it. The main tool for implementing this strategy is a reverse firewall to read through all outgoing data. This is a network security device. However, DLP isn’t solely a network security issue because it also involves peripheral device controls and endpoint activity monitoring.
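The “reverse firewall” reading of outgoing data can be shown with a content scanner that looks for two things the text mentions as data-theft indicators: card numbers and restricted classification labels. This block is an added example for this page, not code from the original article or from any DLP product; the regular expression, the label list and the three sample messages are constructed. The Luhn check is the standard card-number checksum and is included because without it every 16-digit ticket or serial number would be blocked, the false-positive problem discussed under availability.

```python
import re

# Candidate card-number runs: 13 to 19 digits, optionally separated by single
# spaces or hyphens, and not embedded inside a longer digit string.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Classification labels that must not leave the organisation in clear text.
# Constructed policy for the demonstration.
RESTRICTED_LABELS = ("CONFIDENTIAL", "INTERNAL ONLY")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Masked card numbers (only the last four digits kept) that pass Luhn."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append("*" * (len(digits) - 4) + digits[-4:])
    return found


def scan_outgoing(text: str) -> dict:
    """Policy decision for one outgoing message body: block when it carries a
    valid card number or a restricted label, otherwise allow. The findings are
    already masked so the verdict itself can be logged safely."""
    findings = [("pan", masked) for masked in find_pans(text)]
    upper = text.upper()
    findings += [("classification", label) for label in RESTRICTED_LABELS if label in upper]
    return {"action": "block" if findings else "allow", "findings": findings}


# Constructed sample messages: a real-looking card (a well-known test number),
# a ticket id that fails Luhn, and a labelled draft.
MESSAGES = [
    "Hi, card on file is 4111 1111 1111 1111, please process the refund.",
    "Ticket 1234567812345678 has been resolved, closing.",
    "Attaching the draft marked CONFIDENTIAL for review.",
]

if __name__ == "__main__":
    for message in MESSAGES:
        print(scan_outgoing(message))
```

A production scanner would also open attachments and archives and apply the same checks to data written to removable media, which is why the section notes that DLP reaches beyond the network boundary into endpoint controls.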

Hacker activity detection methods

There are a number of tool categories that contribute to several network security and system-wide protection systems. These include:

User and entity behavior analytics (UEBA)

This is a machine learning technique used to establish a baseline of normal activity on a network, on servers, or on endpoints. UEBA is becoming widely implemented because it helps to reduce false-positive reporting.
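Why a per-entity baseline reduces false positives, the claim made here and in the availability section earlier, is easiest to see by running a fixed threshold and a baseline rule side by side over the same data. The block below is an added example for this page, not the article’s own code or any UEBA product; the ten-day training history, the two test days and the “malicious” labels are all constructed. The baseline is deliberately simple (each user’s mean and standard deviation, alert above three standard deviations); real products learn many more features, but the mechanism is the same.

```python
import statistics

# Constructed training window: files accessed per day, per user, over ten days.
HISTORY = {
    "analyst": [180, 200, 190, 210, 195, 205, 185, 200, 198, 192],
    "clerk": [12, 15, 10, 14, 11, 13, 12, 16, 14, 13],
}

# A one-size-fits-all rule of the kind a static alert would use.
STATIC_THRESHOLD = 100


def build_baseline(history: dict) -> dict:
    """Per-user (mean, population standard deviation) from the training window."""
    return {user: (statistics.mean(v), statistics.pstdev(v)) for user, v in history.items()}


def static_alert(count: int) -> bool:
    return count > STATIC_THRESHOLD


def baseline_alert(baseline: dict, user: str, count: int, z_limit: float = 3.0) -> bool:
    """Alert when today's count is more than z_limit standard deviations above
    the user's own normal. An entity with no baseline is treated as anomalous."""
    if user not in baseline:
        return True
    mean, sd = baseline[user]
    sd = max(sd, 1.0)  # floor so a very regular user still gets a little slack
    return (count - mean) / sd > z_limit


def evaluate(observations: list) -> dict:
    """Score both methods over (user, count, is_malicious) tuples. is_malicious
    is a constructed ground-truth label used only for the comparison."""
    baseline = build_baseline(HISTORY)
    result = {"static": {"false_positives": 0, "detections": 0},
              "baseline": {"false_positives": 0, "detections": 0}}
    for user, count, malicious in observations:
        verdicts = {"static": static_alert(count),
                    "baseline": baseline_alert(baseline, user, count)}
        for method, alerted in verdicts.items():
            if alerted and malicious:
                result[method]["detections"] += 1
            elif alerted and not malicious:
                result[method]["false_positives"] += 1
    return result


# Constructed test day: each user has one ordinary day and one bulk-access day.
OBSERVATIONS = [
    ("analyst", 205, False),
    ("analyst", 600, True),
    ("clerk", 14, False),
    ("clerk", 60, True),
]

if __name__ == "__main__":
    print(evaluate(OBSERVATIONS))
```

The static rule fires on the analyst’s perfectly ordinary 205-file day and stays silent when the clerk pulls 60 files, almost five times their norm; the per-user baseline gets both right. That is the trade-off the availability section describes: a threshold tight enough to catch the clerk would lock out the analyst every day.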

Email security

Email security systems can be implemented in a number of ways. One is to filter out spam and other potentially harmful email messages at the email server. Another method is a network security measure because it is implemented at the network firewall. This scans the contents of emails looking for blacklisted words and banned sources. Some email security systems aim to block phishing attempts. These don’t rely on the detection of signals within the email contents; instead, they work with a central reporting database that lists email addresses known to be the sources of phishing attempts.

Vulnerability scanners

A vulnerability scanner will check a system for all known weaknesses, including network security issues.

Penetration testing

Pen testing employs white-hat hackers to manually explore a system, try to break in, and steal data.

Combined security solutions

The safest strategy for network security is to use a combination of security tools, including protection for endpoints and internet connections. Many cybersecurity systems providers offer platforms of modules that work together to close off all possible attack strategies – CrowdStrike Falcon is an example of this.

Specialized security tools can work with your existing systems through a process called “Security Orchestration, Automation, and Response” (SOAR). Treat network security as part of wider system protection to ensure confidentiality, integrity, and availability.

Network security FAQs

What are the four types of network security?

Four types of network security are:

  1. Data security that prevents packets from being intercepted and read
  2. Physical security that controls access to the network’s equipment
  3. Administrative security that requires authentication for user access
  4. Procedural security that puts in place automated monitoring tools and working processes to keep vigilant about network activity