Understanding Network Security in Cybersecurity

Apr 21, 2025

Cybersecurity Architecture Series: Network Security

Overview

  • Focus on network security as a fundamental element in cybersecurity architecture.
  • Previous topics: Identity management and endpoint security.
  • Key components: Firewalls, segmentation, VPNs, SASE.

Firewalls

  • Purpose: Create isolation and protection, akin to physical firewalls in buildings.
  • Packet Filtering:
    • Examines each packet in isolation: source address, destination address, protocol, and port decide whether it is allowed or blocked.
    • Internet-facing and internal-facing firewalls for layered security.
    • Anti-spoofing: packets arriving on the Internet-facing interface with an internal source address are dropped, since a genuine internal host can never appear there.
  • Stateful Packet Inspection:
    • Keeps a table of active connections (for TCP, the handshake it has seen) and judges each packet in the context of that session.
    • Inbound traffic is admitted only as a reply to a connection the inside started or to a published service; a basic packet filter has to guess "established" from TCP flags, which an attacker can set at will.
  • Application Firewalls:
    • Inspect application-layer traffic (for example HTTP requests to a web application) for harmful content such as injection payloads, rather than just addresses and ports.
  • Proxy Servers:
    • Terminates the client's connection and opens its own to the destination, so it can inspect and filter traffic on the client's behalf (forward proxy) or on a server's behalf (reverse proxy).
    • Used for security and privacy enhancements: the two endpoints never talk directly.
  • Network Address Translation (NAT):
    • Translates private, non-routable internal addresses (RFC 1918 ranges) to a routable external address.
    • Hides the internal addressing plan and, as a side effect, blocks unsolicited inbound connections; it is not a substitute for firewall policy, because NAT alone inspects nothing.
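The difference between the packet-filtering and stateful bullets above is easiest to see on concrete packets. The following is an added example written for this page, not code from the original series: a toy filter over constructed packets (dicts standing in for headers) with an assumed internal range of 10.0.0.0/8 and an assumed published web server at 10.1.1.10. It applies the anti-spoofing rule, then shows how a stateless filter that admits "established" traffic by looking at the ACK flag lets an attacker's ACK-only probe through, while a stateful filter drops it because no matching session exists.

```python
"""Stateless vs. stateful packet filtering, plus ingress anti-spoofing.

Added example for this page (not code from the original series). The
addresses, the published host and the packets below are all constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")    # assumed internal range
WEB_SERVER = ip_address("10.1.1.10")       # assumed published web server


@dataclass(frozen=True)
class Packet:
    iface: str      # "ext" = Internet-facing interface, "int" = internal
    src: str
    dst: str
    sport: int
    dport: int
    flags: str = ""  # TCP flags as letters, e.g. "S", "SA", "A"


def spoofed(p: Packet) -> bool:
    """Anti-spoofing: an internal source address must never arrive on
    the external interface."""
    return p.iface == "ext" and ip_address(p.src) in INTERNAL_NET


def stateless_filter(p: Packet) -> str:
    """Classic packet filter: decides on addresses, ports and flags only.

    To let replies to outbound connections back in, it has to accept any
    inbound packet carrying ACK, and that is the weakness shown below.
    """
    if spoofed(p):
        return "DROP"
    if p.iface == "ext":
        if ip_address(p.dst) == WEB_SERVER and p.dport == 443:
            return "ACCEPT"                     # published service
        if "A" in p.flags:
            return "ACCEPT"                     # guessed "established"
        return "DROP"
    return "ACCEPT"                             # outbound is allowed


class StatefulFilter:
    """Keeps a connection table; inbound packets are accepted only when a
    matching outbound session exists or they hit the published service."""

    def __init__(self) -> None:
        self.sessions: set[tuple[str, int, str, int]] = set()

    def filter(self, p: Packet) -> str:
        if spoofed(p):
            return "DROP"
        if p.iface == "int":
            # Outbound packet: record the flow so its replies can return.
            self.sessions.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        if ip_address(p.dst) == WEB_SERVER and p.dport == 443:
            return "ACCEPT"
        # Reply direction: swap the 4-tuple and look it up in the table.
        if (p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "ACCEPT"
        return "DROP"


# Constructed traffic: an outbound HTTPS connection and its reply, an
# ACK-only probe from the Internet to an internal SSH port with no session
# behind it, and a SYN from outside forging an internal source address.
OUTBOUND = Packet("int", "10.2.3.4", "203.0.113.5", 51000, 443, "S")
REPLY = Packet("ext", "203.0.113.5", "10.2.3.4", 443, 51000, "SA")
ACK_PROBE = Packet("ext", "198.51.100.9", "10.2.3.4", 40000, 22, "A")
SPOOF = Packet("ext", "10.9.9.9", "10.2.3.4", 1234, 445, "S")


def demo() -> dict[str, dict[str, str]]:
    """Run the same packets through both filters and return the verdicts."""
    fw = StatefulFilter()
    stateful = {
        "outbound": fw.filter(OUTBOUND),   # creates the session entry
        "reply": fw.filter(REPLY),
        "ack_probe": fw.filter(ACK_PROBE),
        "spoof": fw.filter(SPOOF),
    }
    stateless = {name: stateless_filter(p) for name, p in
                 [("outbound", OUTBOUND), ("reply", REPLY),
                  ("ack_probe", ACK_PROBE), ("spoof", SPOOF)]}
    return {"stateless": stateless, "stateful": stateful}


if __name__ == "__main__":
    for kind, verdicts in demo().items():
        print(kind, verdicts)
```

Both filters drop the spoofed packet and admit the genuine reply, but only the stateful filter drops the ACK probe; that probe is exactly the TCP ACK scan a stateless "allow established" rule cannot tell apart from real return traffic.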

Segmentation

  • Bastion Host:
    • A hardened host placed directly on the Internet; an early way to expose a web server without putting it on the internal network.
    • Not recommended on its own: a single exposed host with no firewall in front of it, so one vulnerability in it is the whole defense.
  • Tri-Homed Network:
    • One firewall with three network interfaces: Internet, internal network, and DMZ.
    • Low cost, but a single point of failure and of compromise: one misconfiguration or firewall bug exposes everything behind it.
  • Basic DMZ (Demilitarized Zone):
    • Two firewalls in series: an outer one between the Internet and the DMZ, an inner one between the DMZ and the internal network.
    • Defense in depth: traffic from the untrusted zone must pass both firewalls to reach the trusted zone, and a compromised DMZ host is still filtered by the inner firewall.
    • Separates untrusted (Internet), semi-trusted (DMZ), and trusted (internal) zones.
  • Multi-Tiered DMZ:
    • More granular segmentation with three or more firewalls, e.g., separate tiers for web, application, and database servers.
    • Higher cost and complexity, but each tier only needs to reach the next, so a breach of the front tier is further from the data.
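The segmentation designs above differ in what happens when one firewall is wrong. The following is an added example written for this page, not code from the original series: a zone-based policy model with constructed sample ranges (192.0.2.0/24 for the DMZ, 10.0.0.0/8 for the trusted network, everything else untrusted). It encodes the basic two-firewall DMZ as an outer and an inner firewall, each default-deny, and then compares it with a tri-homed single firewall when the Internet-facing rules are misconfigured to allow everything.

```python
"""Zone-based segmentation: two-firewall DMZ vs. tri-homed firewall.

Added example for this page (not code from the original series). Address
ranges, hosts and the rule sets are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

ZONES = {                                  # constructed sample addressing
    "dmz": ip_network("192.0.2.0/24"),
    "trusted": ip_network("10.0.0.0/8"),
}


def zone_of(ip: str) -> str:
    """Anything outside the known ranges is the untrusted Internet."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "untrusted"


class ZoneFirewall:
    """Default-deny firewall with an allow list of (src_zone, dst_zone, dport).

    boundary is the zone whose edge this firewall guards ("untrusted" for
    the outer firewall, "trusted" for the inner one) or None for a
    tri-homed box that sees every inter-zone flow.  "*" and None are
    wildcards in rules.
    """

    def __init__(self, name: str, boundary, allow_rules: list) -> None:
        self.name, self.boundary, self.allow_rules = name, boundary, allow_rules

    def on_path(self, src_zone: str, dst_zone: str) -> bool:
        """Does this flow cross the boundary this firewall sits on?"""
        if self.boundary is None:
            return src_zone != dst_zone
        return (src_zone == self.boundary) != (dst_zone == self.boundary)

    def permits(self, src_zone: str, dst_zone: str, dport: int) -> bool:
        return any(rs in ("*", src_zone) and rd in ("*", dst_zone)
                   and rp in (None, dport)
                   for rs, rd, rp in self.allow_rules)


def flow_allowed(firewalls: list, src: str, dst: str, dport: int) -> bool:
    """Defense in depth: every firewall on the path must permit the flow."""
    s, d = zone_of(src), zone_of(dst)
    return all(fw.permits(s, d, dport) for fw in firewalls if fw.on_path(s, d))


OUTER_RULES = [("untrusted", "dmz", 443),        # public web tier only
               ("trusted", "untrusted", None)]   # outbound from inside
INNER_RULES = [("dmz", "trusted", 5432),         # web tier to database only
               ("trusted", "untrusted", None),
               ("trusted", "dmz", None)]         # admins manage DMZ hosts
ALLOW_ALL = [("*", "*", None)]                   # the misconfiguration


def two_firewall_dmz(outer_rules=OUTER_RULES) -> list:
    return [ZoneFirewall("outer", "untrusted", outer_rules),
            ZoneFirewall("inner", "trusted", INNER_RULES)]


def tri_homed(rules) -> list:
    return [ZoneFirewall("tri-homed", None, rules)]


def demo() -> dict[str, bool]:
    """Evaluate representative flows against the sample policy."""
    dmz = two_firewall_dmz()
    internet, web, db = "198.51.100.7", "192.0.2.10", "10.1.1.20"
    return {
        "internet_to_web_443": flow_allowed(dmz, internet, web, 443),
        "internet_to_db_5432": flow_allowed(dmz, internet, db, 5432),
        "web_to_db_5432": flow_allowed(dmz, web, db, 5432),
        # a compromised web server cannot pivot to the database over SSH
        "web_to_db_22": flow_allowed(dmz, web, db, 22),
        "db_to_internet_443": flow_allowed(dmz, db, internet, 443),
        # outer firewall opened up by mistake: inner firewall still blocks
        "internet_to_db_outer_open":
            flow_allowed(two_firewall_dmz(ALLOW_ALL), internet, db, 5432),
        # same mistake on a tri-homed firewall: nothing is left to block it
        "internet_to_db_trihomed_open":
            flow_allowed(tri_homed(ALLOW_ALL), internet, db, 5432),
    }


if __name__ == "__main__":
    for flow, ok in demo().items():
        print(f"{flow:32} {'ALLOW' if ok else 'DENY'}")
```

The last two results carry the argument of the bullets: with two firewalls an allow-all mistake on the outer device still leaves the database unreachable from the Internet, whereas the same mistake on a tri-homed firewall exposes it directly.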

Virtual Private Networks (VPNs)

  • Purpose: Create secure channels over untrusted networks by encrypting data.
  • Technologies, by the layer at which they operate:
    • Application Layer: Secure Shell (SSH) and SFTP, which runs over SSH.
    • Transport Layer: TLS for secure web connections (SSL is its deprecated predecessor; use TLS 1.2 or later).
    • Network Layer: IPsec, which encrypts all traffic between two hosts or gateways regardless of application.
    • Data Link Layer: PPTP and L2TP (PPTP's authentication is broken and it should not be used; L2TP provides no encryption on its own and is normally paired with IPsec).
  • Shift Towards Application-Specific VPNs:
    • A per-application tunnel grants access to one application rather than a routable path onto the whole network: more control and granularity than a broad network VPN, and less room for lateral movement if the client is compromised.

Secure Access Service Edge (SASE)

  • Concept: Combines network security functions with WAN capabilities, both delivered as a service from the cloud.
  • Components:
    • Network Security: Firewalls, secure web gateways, DLP.
    • WAN: Software-defined WAN (SD-WAN) for agile, flexible connectivity between sites and the cloud.
    • Cloud: Scale, elasticity, and integration with identity management so policy follows the user rather than the network location.
  • Benefits:
    • Consolidates separately managed functions (e.g., firewalls, DLP) into one cloud-delivered service with a single policy.
    • Modernizes network and security management for users and branches that are no longer behind the corporate perimeter.

Conclusion

  • Network security is a broad and mature topic with many facets.
  • Future topics to include application security.
  • Suggestions for additional content (e.g., 5G and Wi-Fi security) welcome.