Network Security: Firewalls, Encryption, and Defense in Depth
Network security encompasses the policies, controls, and technologies that protect the confidentiality, integrity, and availability of network resources. As organizations expand their digital footprint and threat actors grow more sophisticated, a layered defense — defense in depth — has become the standard approach. This guide covers firewall architectures, intrusion detection and prevention, encryption (symmetric, asymmetric, and TLS), access control models, common attack vectors, and the NIST Cybersecurity Framework for structured security programs.
The Information Security Triad
The CIA triad defines three core objectives. Confidentiality ensures data is accessible only to authorized parties — achieved through encryption and access controls. Integrity guarantees data has not been altered — enforced by hashing algorithms (SHA-256, SHA-3) and digital signatures. Availability ensures systems are accessible when needed — maintained through redundancy, DDoS protection, and disaster recovery planning. A breach of any single objective constitutes a security incident.
Firewall Architectures
Firewalls are the first line of defense at the network perimeter. They enforce rules that permit or deny traffic based on security policy.
Packet Filtering Firewalls
Packet filters examine IP headers — source/destination address, port, and protocol — and make pass/block decisions on each packet independently. They are stateless (no memory of prior packets) and fast, but cannot detect attacks that span multiple packets or that embed malicious content in the payload. ACLs on routers are packet filters.
Stateful Firewalls
Stateful firewalls (RFC 6092) maintain a connection state table. When a packet matches an established connection (e.g., an HTTP response to an outbound GET request), it is allowed through automatically. Stateful tracking prevents an entire class of attacks where an attacker injects packets that would be permitted by stateless rules but are not part of any legitimate connection. Benefits: fewer explicit rules are needed, and the firewall automatically handles ephemeral ports for protocols like FTP (which uses dynamic ports for data transfer).
Next-Generation Firewalls
NGFWs (e.g., Palo Alto Networks, Fortinet FortiGate, Cisco Firepower) combine stateful inspection with deep packet inspection (DPI), application identification, and threat prevention. DPI examines the application-layer payload, so the firewall can distinguish between, say, an HTTP request to a banking site and an HTTP-tunneled C2 beacon. NGFWs typically include integrated intrusion prevention, SSL inspection, URL filtering, and antivirus. As of 2025, Gartner estimates that 90 percent of new firewall deployments are NGFW-class.
Cloud Firewalls and Network Security Groups
Cloud providers offer distributed firewall capabilities. AWS Security Groups are stateful virtual firewalls at the instance level. AWS Network ACLs are stateless filters at the subnet level. Azure Network Security Groups and GCP VPC Firewall Rules provide similar functionality. These cloud-native firewalls are software-defined and scale with the environment, but they lack the deep inspection features of dedicated NGFW appliances.
Intrusion Detection and Prevention
IDS and IPS monitor network traffic for malicious activity. IDS alerts; IPS blocks inline.
Signature-Based Detection
Signature-based systems compare traffic against a database of known attack patterns — similar to antivvirus. Snort and Suricata are the leading open-source implementations. Cisco Secure IPS and Trend Micro TippingPoint are commercial alternatives. Strengths: low false-positive rate for known threats, fast detection. Weaknesses: cannot detect zero-day attacks, requires constant signature updates (typically daily), evasion via polymorphism.
Anomaly-Based Detection
Anomaly detection establishes a baseline of normal traffic using machine learning or statistical models. Beaconing activity (periodic C2 callbacks), unusual data exfiltration volumes, and lateral movement scans deviate from the baseline and trigger alerts. Strengths: potentially catches novel attacks. Weaknesses: higher false-positive rate, susceptible to adversarial manipulation of the baseline.
Network vs. Host-Based Deployment
Network-based IDS/IPS sensors are deployed at strategic points (internet edge, DMZ segments, internal backbone) and inspect traffic in promiscuous mode. Host-based IDS (e.g., osquery, Wazuh, Microsoft Defender for Endpoint) monitors processes, file integrity, registry changes, and local network connections on individual servers. Modern security operations centers deploy both.
Encryption
Symmetric Encryption
Symmetric encryption uses the same key to encrypt and decrypt. AES (Advanced Encryption Standard, FIPS 197) is the dominant algorithm, operating on 128-bit blocks with key sizes of 128, 192, or 256 bits. AES-256 is recommended for classified data. AES-GCM mode provides both encryption and authentication (AEAD). Symmetric encryption is fast (hardware-accelerated on modern CPUs) but requires secure key distribution.
Asymmetric Encryption
Asymmetric (public-key) encryption uses a key pair: the public key encrypts, the private key decrypts. RSA (Rivest-Shamir-Adleman, 2048-4096 bits) and ECC (Elliptic Curve Cryptography, 256-bit for equivalent RSA-3072 security) are the common algorithms. Asymmetric encryption is computationally expensive — roughly 1,000 times slower than AES — so it is typically used to exchange a symmetric session key, after which bulk encryption uses AES.
TLS in Practice
Transport Layer Security (RFC 8446 for TLS 1.3) is the primary protocol securing web traffic, email (SMTP STARTTLS), and API connections. A TLS session begins with a handshake: the client and server negotiate a cipher suite (e.g., TLS_AES_256_GCM_SHA384), exchange certificates, and derive a shared symmetric key via key exchange (ECDHE — Ephemeral Diffie-Hellman). The data session proceeds with symmetric AES encryption. Key management — certificate lifecycle, private key protection, revocation via OCSP stapling — is often the weakest link in TLS deployments.
Access Control
Authentication, Authorization, and Accounting
Authentication verifies identity: “Who are you?” Something you know (password), something you have (TOTP token, smart card, YubiKey), or something you are (fingerprint, face ID). Multi-factor authentication requires two or more factors.
Authorization determines what the authenticated identity can do. Role-based access control (RBAC) assigns permissions to job functions. Attribute-based access control (ABAC) uses device posture, time of day, geolocation, and data classification in addition to role.
Accounting logs every action: who accessed what, when, and from where. SIEM platforms (Splunk, Wazuh, Microsoft Sentinel) aggregate logs from firewalls, servers, and applications for correlation and incident detection.
Zero Trust Architecture
Zero trust (NIST SP 800-207) eliminates the concept of a trusted internal network. No user, device, or network segment is trusted by default — every access request is authenticated, authorized, and encrypted, regardless of origin. Microsegmentation creates per-application or per-workload network segments, reducing the blast radius of a compromise. The “never trust, always verify” model requires: continuous authentication, device posture validation, least-privilege access, and encrypted communication between all services.
Common Network Attacks
DDoS attacks saturate network links or exhaust server resources. Volumetric attacks (UDP amplification, ICMP floods) measurably consume bandwidth; protocol attacks (SYN floods, ping-of-death) consume state-table capacity; application-layer attacks (HTTP floods, slowloris) exhaust application resources. ARP spoofing on a local segment redirects traffic through an attacker’s machine. DNS tunneling encodes data in DNS queries for command-and-control traffic, bypassing HTTP inspection. Rogue DHCP servers issue malicious network configuration. VLAN hopping exploits trunk port misconfiguration to reach other VLANs.
Best Practices and Compliance
Implement defense in depth: perimeter firewalls, internal segmentation, host-based controls, application-layer protections, and encryption at every layer. Apply the principle of least privilege: no user or service has more permissions than necessary. Patch vulnerabilities promptly — the median time to exploitation after a CVE disclosure is 15 days (Google Project Zero). Align with a security framework: NIST CSF 2.0 provides a five-function model (Identify, Protect, Detect, Respond, Recover) adopted across industries. Regular penetration testing and tabletop incident response exercises validate controls.
FAQ
Q: What is the difference between a firewall and an IPS?
A: A firewall permits or blocks traffic based on policy rules (IP, port, protocol). An intrusion prevention system inspects the payload of allowed traffic and blocks malicious content. NGFWs combine both functions.
Q: Is TLS 1.2 still safe to use?
A: TLS 1.2 is still safe if configured correctly — remove CBC mode ciphers, enable AEAD (AES-GCM), disable compression and renegotiation. However, TLS 1.3 offers fewer attack surfaces and better performance. Migrate to TLS 1.3 when possible.
Q: Why is zero trust replacing the traditional perimeter model?
A: The perimeter model assumes internal traffic is trusted. This fails when attackers breach the perimeter (via phishing or VPN compromise) and move laterally. Zero trust removes implicit trust at every hop. With cloud and remote work, there is no single perimeter to defend.
Q: What is the most common network security misconfiguration?
A: Overly permissive firewall rules — using “allow any any” for internal segments, leaving default passwords unchanged, and not segmenting IoT devices from production networks. Cloud security groups defaulting to permissive rules also rank high.
Q: How often should firewall rules be reviewed?
A: Quarterly review is a minimum for regulated industries; monthly is better. Automated rule-analysis tools (Algosec, FireMon, Tufin) flag unused rules, overly permissive rules, and rules violated by current traffic.
Internal Links
- HTTP and HTTPS Guide — TLS security in web communications
- OSI Model Guide — mapping security controls to OSI layers
- Network Troubleshooting — analyzing security events with Wireshark
References
- NIST SP 800-207, “Zero Trust Architecture”
- NIST CSF 2.0, “Cybersecurity Framework”
- RFC 8446, “The Transport Layer Security (TLS) Protocol Version 1.3”
- Federal Information Processing Standard (FIPS) 197, “Advanced Encryption Standard”
- Stallings, W. and Brown, L., Computer Security: Principles and Practice, 4th ed., Pearson, 2018
- Kurose, J. F. and Ross, K. W., Computer Networking: A Top-Down Approach, 8th ed., Pearson, 2021, Section 8 (“Network Security”)
For a comprehensive overview, read our article on Cabling Standards.
For a comprehensive overview, read our article on Cdn Guide.