Network security is the practice of preventing and protecting against unauthorized intrusion into corporate networks. As a philosophy, it complements endpoint security, which focuses on individual devices; network security instead focuses on how those devices interact, and on the connective tissue between them.
The venerable SANS Institute takes the definition of network security a bit farther:
Network security is the process of taking physical and software preventative measures to protect the underlying networking infrastructure from unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure, thereby creating a secure platform for computers, users, and programs to perform their permitted critical functions within a secure environment.
But the overall thrust is the same: network security is implemented by the tasks and tools you use to prevent unauthorized people or programs from accessing your networks and the devices connected to them. In essence, your computer can't be hacked if hackers can't get to it over the network.
Network security basics
Definitions are fine as top-level statements of intent. But how do you lay out a plan for implementing that vision? Stephen Northcutt wrote a primer on the basics of network security for CSOonline over a decade ago, but we feel strongly that his vision of the three phases of network security is still relevant and should be the underlying framework for your strategy. In his telling, network security consists of:
- Protection: You should configure your systems and networks as correctly as possible
- Detection: You must be able to identify when the configuration has changed or when some network traffic indicates a problem
- Reaction: After identifying problems quickly, you must respond to them and return to a safe state as rapidly as possible
This, in short, is a defense in depth strategy. If there's one common theme among security experts, it's that relying on one single line of defense is dangerous, because any single defensive tool can be defeated by a determined adversary. Your network isn't a line or a point: it's a territory, and even if an attacker has invaded part of it, you still have the resources to regroup and expel them, if you've organized your defense properly.
Network security methods
To implement this kind of defense in depth, there are a variety of specialized techniques and types of network security you will want to roll out. Cisco, a networking infrastructure company, uses the following schema to break down the different types of network security, and while some of it is informed by their product categories, it's a useful way to think about the different ways to secure a network.
- Access control: You should be able to block unauthorized users and devices from accessing your network. Users that are permitted network access should only be able to work with the limited set of resources for which they've been authorized.
- Anti-malware: Viruses, worms, and trojans by definition attempt to spread across a network, and can lurk dormant on infected machines for days or weeks. Your security effort should do its best to prevent initial infection and also root out malware that does make its way onto your network.
- Application security: Insecure applications are often the vectors by which attackers get access to your network. You need to employ hardware, software, and security processes to lock those apps down.
- Behavioral analytics: You should know what normal network behavior looks like so that you can spot anomalies or breaches as they happen.
- Data loss prevention: Human beings are inevitably the weakest security link. You need to implement technologies and processes to ensure that staffers don't deliberately or inadvertently send sensitive data outside the network.
- Email security: Phishing is one of the most common ways attackers gain access to a network. Email security tools can block both incoming attacks and outbound messages with sensitive data.
- Firewalls: Perhaps the granddaddy of the network security world, they follow the rules you define to permit or deny traffic at the border between your network and the internet, establishing a barrier between your trusted zone and the wild west outside. They don't preclude the need for a defense-in-depth strategy, but they're still a must-have.
- Intrusion detection and prevention: These systems scan network traffic to identify and block attacks, often by correlating network activity signatures with databases of known attack techniques.
- Mobile device and wireless security: Wireless devices have all the potential security flaws of any other networked gadget — but also can connect to just about any wireless network anywhere, requiring extra scrutiny.
- Network segmentation: Software-defined segmentation puts network traffic into different classifications and makes enforcing security policies easier.
- Security information and event management (SIEM): These products aim to automatically pull together information from a variety of network tools to provide data you need to identify and respond to threats.
- VPN: A tool (typically based on IPsec or SSL) that authenticates the communication between a device and a secure network, creating a secure, encrypted "tunnel" across the open internet.
- Web security: You need to be able to control internal staff's web use in order to block web-based threats from using browsers as a vector to infect your network.
Network security and the cloud
More and more enterprises are offloading some of their computing needs to cloud service providers, creating hybrid infrastructures where their own internal network has to interoperate seamlessly — and securely — with servers hosted by third parties. Sometimes this infrastructure itself is a self-contained network, which can be either physical (several cloud servers working together) or virtual (multiple VM instances running together and "networking" with each other on a single physical server).
To handle the security aspects, many cloud vendors establish centralized security control policies on their own platform. However, the trick here is that those security systems won't always match up with your policies and procedures for your internal networks, and this mismatch can add to the workload for network security pros. There are a variety of tools and techniques available to you that can help ease some of this worry, but the truth is that this area is still in flux and the convenience of the cloud can mean network security headaches for you.
Network security software
To cover all those bases, you'll need a variety of software and hardware tools in your toolkit. Most venerable, as we've noted, is the firewall. The drumbeat has been to say that the days when a firewall was the sum total of your network security is long gone, with defense in depth needed to fight threats behind (and even in front of) the firewall. Indeed, it seems that one of the nicest things you can say about a firewall product in a review is that calling it a firewall is selling it short.
But firewalls can't be jettisoned entirely. They're properly one element in your hybrid defense-in-depth strategy. And as eSecurity Planet explains, there are a number of different firewall types, many of which map onto the different types of network security we covered earlier:
- Network firewalls
- Next-generation firewalls
- Web application firewalls
- Database firewalls
- Unified threat management
- Cloud firewalls
- Container firewalls
- Network segmentation firewalls
Beyond the firewall, a network security pro will deploy a number of tools to keep track of what's happening on their networks. Some of these tools are corporate products from big vendors, while others come in the form of free, open source utilities that sysadmins have been using since the early days of Unix. A great resource is SecTools.org, which maintains a charmingly Web 1.0 website that keeps constant track of the most popular network security tools, as voted on by users. Top categories include:
- Packet sniffers, which give deep insight into data traffic
- Vulnerability scanners like Nessus
- Intrusion detection and prevention software, like the legendary Snort
- Penetration testing software
That last category might raise some eyebrows — after all, what's penetration testing if not an attempt to hack into a network? But part of making sure you're locked down involves seeing how hard or easy it is to break in, and pros know it; ethical hacking is an important part of network security. That's why you'll see tools like Aircrack — which exists to sniff out wireless network security keys — alongside staid corporate offerings that cost tens of thousands of dollars on the SecTools.org list.
In an environment where you need to get many tools to work together, you might also want to deploy SIEM software, which we touched on above. SIEM products evolved from logging software, and analyze network data collected by a number of different tools to detect suspicious behavior on your network.
Network security jobs and salaries
If you're looking for a career in network security, you're in luck: these jobs are in high demand, and they pay well. Staffing agency Mondo pegged network security analyst as one of the six highest paying cybersecurity jobs, claiming they could earn between $90,000 and $150,000 a year.
What does a network security analyst do, exactly? And is it different from a network security engineer? When it comes to job titles, there's always less clarity than you'd like, as the pros hashing things out and talking about their career paths on this Reddit thread demonstrate nicely.
In theory, a network security engineer is more likely to be building out security systems, while a network security analyst is more likely to be tasked with combing through data from network security tools to find trouble. But the reality is that many people with both titles do a little of each, and what you do will hinge more on your job description than your two-word title. For what it's worth, Glassdoor pegs network security analysts as being slightly lower paid, at around $80K a year rather than $82K for network security engineers. But your mileage very much may vary and you should take any salary numbers with a grain of salt.)
One thing you can be hopeful for is that either job is a career path with a future. Alissa Johnson, currently the CISO of Xerox, was a network security engineer at Northrup Grumman before eventually climbing the ladder into her current executive role.
Network security certifications
While there aren't many certifications that focus on network security alone, there are a number that can help you prove your bona fides, either because they're security certifications with a network component or a network certification that includes material on security. Some of the most prestigious include:
- CISSP, the "crown jewel" of cybersecurity certification
- CompTIA's Network+
- Cisco Certified Network Associate
- Certified Ethical Hacker certification, for you aspiring penetration testers out there