
Netzwerksicherheit (Network Security)

The totality of all technical and organizational measures taken to protect networks and the data transmitted over them—including firewalls, IDS/IPS, network segmentation, encryption, and access controls.

Network security refers to the protection of computer networks against unauthorized access, data loss, sabotage, and espionage. It forms the foundation of all corporate IT security—all other security areas (endpoints, cloud, applications) rely on secure networks.

Security Objectives

Network security serves three fundamental security objectives:

Confidentiality: Data is only read by authorized individuals (encryption, access controls).

Integrity: Data cannot be altered without detection (hashing, digital signatures, IDS/IPS).

Availability: Networks and services are reliably accessible (DDoS protection, redundancy, QoS).

Core Technologies

Firewall

The firewall is the first line of defense. It filters network traffic according to rules:

  • Stateless packet filter: Evaluates each packet on its own (addresses, ports, flags) without connection context; still used for simple router ACLs, but no longer sufficient as a standalone firewall
  • Stateful Inspection Firewall: Tracks connection states, so reply traffic is only accepted for connections that were admitted in the first place (standard)
  • Next-Generation Firewall (NGFW): Deep Packet Inspection, application awareness, integrated IDS/IPS, TLS inspection (decrypting and re-encrypting traffic, which requires a trusted internal CA on the clients)
Internet → NGFW (DMZ) → WAF → Web server
                     → VPN Gateway → Intranet
                     → SIEM (Logging of all flows)

IDS and IPS

IDS (Intrusion Detection System): Detects attacks and anomalies in network traffic, generates alerts.

IPS (Intrusion Prevention System): Detects and blocks attacks in real time.

Signature-based: Detects known attack patterns (precise, few false positives, but blind to unknown attacks and to evasions that change the pattern).

Anomaly-based: Detects deviations from a learned baseline of normal behavior (can also catch zero-day attacks, but needs a representative baseline and produces more false positives).

Modern NGFWs integrate IPS functionality directly.
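The difference between the two detection modes is easiest to see on data. The following script is an added example, not code from the page or from any IDS product: it runs a handful of regex signatures and a simple anomaly baseline (destination-port fan-out per source host) over a constructed connection log. The log lines, IP addresses and signatures are all made up for the illustration.

```python
import re
import statistics

# Constructed connection log (not a real capture). One record per TCP connection:
# ts|src|dst|dport|bytes|payload_snippet   (payload may be empty)
BASELINE_LOG = [  # known-good traffic used to learn "normal"
    "0900|10.0.20.15|10.0.10.5|443|1200|GET /app HTTP/1.1",
    "0901|10.0.20.16|10.0.10.5|443|900|GET /report HTTP/1.1",
    "0902|10.0.20.17|10.0.10.5|443|1000|GET /app HTTP/1.1",
    "0903|10.0.20.17|10.0.10.7|5432|300|",
    "0904|10.0.20.18|10.0.10.5|443|800|GET /app HTTP/1.1",
]
LIVE_LOG = [  # traffic under inspection: one SQLi attempt, one port sweep, one busy admin host
    "1000|10.0.20.15|10.0.10.5|443|1100|GET /login HTTP/1.1",
    "1001|10.0.20.40|10.0.10.5|443|700|GET /search?q=1 UNION SELECT password FROM users",
    "1002|10.0.20.40|10.0.10.5|22|60|",
    "1003|10.0.20.40|10.0.10.5|23|60|",
    "1004|10.0.20.40|10.0.10.5|80|60|",
    "1005|10.0.20.40|10.0.10.5|445|60|",
    "1006|10.0.20.40|10.0.10.5|3389|60|",
    "1007|10.0.20.18|10.0.10.7|22|400|",
    "1008|10.0.20.18|10.0.10.5|443|800|GET /app HTTP/1.1",
    "1009|10.0.20.18|10.0.10.9|3389|5000|",
]

# Signature rules: regexes for known attack patterns (a tiny stand-in for a Snort/Suricata ruleset).
SIGNATURES = [
    ("sqli-union-select", re.compile(r"UNION\s+SELECT", re.I)),
    ("path-traversal", re.compile(r"\.\./")),
    ("log4shell-jndi", re.compile(r"\$\{jndi:", re.I)),
]


def parse_log(lines):
    records = []
    for line in lines:
        ts, src, dst, dport, nbytes, payload = line.split("|", 5)
        records.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                        "bytes": int(nbytes), "payload": payload})
    return records


def signature_scan(records):
    """Signature-based: alert only on payloads matching a known pattern.
    The port sweep from 10.0.20.40 carries no payload and is therefore invisible here."""
    alerts = []
    for r in records:
        for name, rx in SIGNATURES:
            if rx.search(r["payload"]):
                alerts.append((r["ts"], r["src"], name))
    return alerts


def _fanout(records):
    """Distinct destination ports contacted per source host."""
    ports = {}
    for r in records:
        ports.setdefault(r["src"], set()).add(r["dport"])
    return {src: len(p) for src, p in ports.items()}


def anomaly_scan(baseline, records, k=3.0):
    """Anomaly-based: learn normal port fan-out from benign traffic, then flag sources
    exceeding mean + k*stddev. Catches the sweep without any signature, but also flags
    the legitimately busy admin host 10.0.20.18 (the false-positive cost)."""
    base = _fanout(baseline)
    mu = statistics.mean(base.values())
    sigma = statistics.pstdev(base.values()) or 1.0
    threshold = mu + k * sigma
    return [(src, n) for src, n in _fanout(records).items() if n > threshold]


if __name__ == "__main__":
    base, live = parse_log(BASELINE_LOG), parse_log(LIVE_LOG)
    print("signature alerts:", signature_scan(live))
    print("anomaly alerts:  ", anomaly_scan(base, live))
```

With this data the signature scan reports exactly one hit (the UNION SELECT payload) and the anomaly scan reports two hosts: the scanner and the admin workstation. Tuning k or enriching the baseline is how a real deployment trades detection against false positives.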

Network Segmentation

The Principle: The network is divided into isolated segments (VLANs, subnets). Compromising one segment does not automatically grant access to all others.

Segment: Production    (VLAN 10) - ERP, databases
Segment: Office IT       (VLAN 20) - Workstations, printers
Segment: DMZ           (VLAN 30) - Web server, mail relay
Segment: Management    (VLAN 99) - Switches, routers, BMC
Segment: OT/Industrial (VLAN 50) - Control systems (physically separated!)

Firewall rule: VLAN 20 → VLAN 10: Port 443 ONLY (HTTPS)
Firewall rule: VLAN 30 → VLAN 10: PROHIBITED
Default:       everything not explicitly allowed is denied

Without segmentation, an attacker can move laterally across the entire network once initial access is gained (lateral movement).
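The two rules above only mean something together with a default-deny policy and a stateful filter that admits reply traffic solely for connections it has already accepted. The following script is an added example, not code from the page or from any firewall product: it models the segments as subnets, the policy as an allow-list, and a minimal connection-tracking table, then runs a constructed packet sequence through it. The subnet-to-VLAN mapping, the management-VLAN rules and all addresses are assumptions made for the illustration.

```python
from ipaddress import ip_address, ip_network

# Assumed VLAN-to-subnet mapping for the segments above (not given on the page).
SEGMENTS = {
    "production": ip_network("10.0.10.0/24"),  # VLAN 10
    "office":     ip_network("10.0.20.0/24"),  # VLAN 20
    "dmz":        ip_network("10.0.30.0/24"),  # VLAN 30
    "management": ip_network("10.0.99.0/24"),  # VLAN 99
}

# Allow-list for NEW connections: (source segment, destination segment, destination port).
# Anything absent is denied by default, so "VLAN 30 -> VLAN 10: PROHIBITED" needs no rule.
ALLOW = {
    ("office", "production", 443),   # VLAN 20 -> VLAN 10: HTTPS only
    ("office", "dmz", 443),
    ("management", "production", 22),  # assumed: admins reach servers via SSH from VLAN 99
    ("management", "dmz", 22),
}


def segment_of(ip):
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


class StatefulFilter:
    """Stateful inspection in miniature: the first packet of a flow (SYN) is judged
    against the policy; later packets are accepted only if that flow was admitted."""

    def __init__(self, allow):
        self.allow = allow
        self.conntrack = set()   # admitted flows as (src, sport, dst, dport)

    def packet(self, src, sport, dst, dport, syn):
        flow = (src, sport, dst, dport)
        reverse = (dst, dport, src, sport)
        if flow in self.conntrack or reverse in self.conntrack:
            return "ACCEPT established"
        if not syn:
            # Mid-connection packet with no state: forged reply or stale session.
            return "DROP invalid (no matching state)"
        s, d = segment_of(src), segment_of(dst)
        if (s, d, dport) in self.allow:
            self.conntrack.add(flow)
            return "ACCEPT new"
        return f"DROP policy ({s} -> {d}:{dport} not allowed)"


def run_demo():
    """Constructed packet sequence exercising the rules above."""
    fw = StatefulFilter(ALLOW)
    packets = [
        ("10.0.20.15", 51000, "10.0.10.5", 443, True),   # office -> ERP over HTTPS: allowed
        ("10.0.10.5", 443, "10.0.20.15", 51000, False),  # reply to that flow: established
        ("10.0.30.8", 40000, "10.0.10.5", 443, True),    # DMZ web server -> production: prohibited
        ("10.0.20.15", 51001, "10.0.10.5", 22, True),    # office -> production SSH: not allowed
        ("10.0.10.5", 443, "10.0.20.99", 51002, False),  # forged "reply" with no state
        ("10.0.99.3", 52000, "10.0.10.5", 22, True),     # management -> production SSH: allowed
    ]
    return [(p, fw.packet(*p)) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in run_demo():
        print(f"{pkt[0]}:{pkt[1]} -> {pkt[2]}:{pkt[3]} syn={pkt[4]}: {verdict}")
```

Note that the office-to-production rule is directional: the ERP server can answer the workstation, but it cannot open a new connection into the office VLAN, which is exactly what limits lateral movement from a compromised server.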

VPN (Virtual Private Network)

VPNs encrypt connections over insecure networks (Internet):

  • Site-to-Site VPN: Connects company branches
  • Remote Access VPN: Employees connect from outside (IPsec, OpenVPN, WireGuard)

Security risks: VPN gateways are exposed to the Internet by design, so unpatched VPN appliances are frequently targeted entry points (Fortinet, Citrix, and Pulse Secure/Ivanti had critical, actively exploited vulnerabilities in 2020–2024). Restrict the admin interface to the management network and patch promptly.

NAC (Network Access Control)

NAC controls who is allowed to connect to the network, typically via IEEE 802.1X with a RADIUS server (plus MAC authentication bypass for devices that cannot run a supplicant, such as printers). Before access is granted, devices are checked for compliance:

  • Is the operating system up to date?
  • Is antivirus software active?
  • Is the device inventoried?

Non-compliant devices are placed in a quarantine VLAN.

DNS Security

DNS is an underestimated attack vector:

  • DNS spoofing/cache poisoning: Falsified DNS responses redirect traffic to attacker servers
  • DNS tunneling: Malware encodes command-and-control traffic or exfiltrated data in DNS queries and responses (hard to block because outbound DNS must be allowed; detect it via query length, entropy and volume per domain instead)
  • DNSSEC: Cryptographic signing of DNS records (authenticity and integrity protection; it does not encrypt queries)
  • DNS filtering: Blocks domains of malware/C2 servers (category filters)
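Because DNS tunneling cannot simply be blocked, it is usually detected. The following script is an added example, not code from the page or from any DNS security product: it scores each query on subdomain length, Shannon entropy and record type, then aggregates per client and base domain, since many encoded-looking queries to one domain are the tunnel fingerprint while a single odd CDN hostname is not. The query log, the client addresses and the domain c2.example are constructed; the base-domain split (last two labels) is a deliberate simplification of what a Public Suffix List lookup would do.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log (not real traffic): "ts client qname qtype".
# The 32-character labels under c2.example mimic base32/hex-encoded payload chunks.
QUERY_LOG = [
    "1000 10.0.20.15 www.example.com A",
    "1001 10.0.20.15 mail.example.com A",
    "1002 10.0.20.16 sso.example.net A",
    "1003 10.0.20.16 cdn.example.com AAAA",
    "1004 10.0.20.40 a1b2c3d4e5f6g7h8i9j0klmnopqrstuv.c2.example TXT",
    "1005 10.0.20.40 zyxwvutsrqponmlk0987654321abcdef.c2.example TXT",
    "1006 10.0.20.40 qwertyuiopasdfghjklzxcvbnm123456.c2.example TXT",
    "1007 10.0.20.40 mnbvcxzlkjhgfdsapoiuytrewq098765.c2.example TXT",
    "1008 10.0.20.40 1a2b3c4d5e6f7g8h9i0jklmnopqrstuv.c2.example TXT",
    "1009 10.0.20.15 www.example.com A",
]


def entropy(s):
    """Shannon entropy in bits per character: encoded data scores high, words score low."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Naive split into (subdomain, base domain): the last two labels are the base.
    Simplification: a real analyzer would consult the Public Suffix List."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def looks_encoded(subdomain, qtype, min_len=24, min_entropy=3.5):
    """Per-query heuristic: two of {long label, high entropy, bulk-carrying record type}."""
    score = 0
    if len(subdomain) >= min_len:
        score += 1
    if entropy(subdomain) >= min_entropy:
        score += 1
    if qtype in {"TXT", "NULL"}:   # record types that carry large responses back to the client
        score += 1
    return score >= 2


def detect_tunnels(lines, min_hits=4):
    """Aggregate per (client, base domain) and report pairs with >= min_hits encoded-looking
    queries, together with the number of distinct subdomains (a tunnel never repeats)."""
    stats = defaultdict(lambda: {"encoded": 0, "subdomains": set()})
    for line in lines:
        _ts, client, qname, qtype = line.split()
        sub, base = split_name(qname)
        entry = stats[(client, base)]
        entry["subdomains"].add(sub)
        if looks_encoded(sub, qtype):
            entry["encoded"] += 1
    return {key: (e["encoded"], len(e["subdomains"]))
            for key, e in stats.items() if e["encoded"] >= min_hits}


if __name__ == "__main__":
    for (client, domain), (hits, uniq) in detect_tunnels(QUERY_LOG).items():
        print(f"possible DNS tunnel: {client} -> {domain} ({hits} encoded queries, {uniq} unique subdomains)")
```

On this data only the pair (10.0.20.40, c2.example) is reported; the benign queries never reach the length or entropy thresholds. In production the thresholds are tuned per environment, and the per-domain aggregation is what keeps legitimate long-label services (CDNs, anti-spam lookups) below the alert line.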

Common Network Attacks

ARP Spoofing / ARP Poisoning: An attacker on the local network answers ARP requests with their own MAC address for the default gateway (and often for the victim as well) → Man-in-the-Middle position. Countermeasure: Dynamic ARP Inspection (DAI) on switches, which validates ARP replies against the DHCP snooping binding table, plus 802.1X.
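Where DAI is not available (unmanaged switches, virtual networks), the same check can run on a monitoring host. The following script is an added example, not code from the page or from any product: it replays a constructed stream of ARP replies and raises alerts when a reply contradicts a static gateway binding, when an IP address changes MAC, or when one MAC claims several IP addresses. The gateway binding, MAC addresses and the reply sequence are all made up for the illustration; in practice the replies would come from a packet capture.

```python
from collections import defaultdict

# Assumed static binding for the gateway (from the router config, never learned from ARP).
TRUSTED = {"10.0.20.1": "00:11:22:33:44:01"}

# Constructed ARP reply stream on VLAN 20 (not a real capture): (ts, sender IP, sender MAC).
ARP_REPLIES = [
    (1, "10.0.20.15", "aa:bb:cc:00:00:15"),
    (2, "10.0.20.1",  "00:11:22:33:44:01"),   # gateway, matches the static binding
    (3, "10.0.20.40", "aa:bb:cc:00:00:40"),
    (4, "10.0.20.1",  "aa:bb:cc:00:00:40"),   # .40's MAC now claims to be the gateway: poisoning
    (5, "10.0.20.15", "aa:bb:cc:00:00:40"),   # ...and the victim's address too: full MITM
    (6, "10.0.20.16", "aa:bb:cc:00:00:16"),
]


def monitor_arp(replies, trusted=TRUSTED, max_ips_per_mac=1):
    """Return alerts as (ts, severity, message). Trusted bindings are never overwritten by
    learned traffic; learned bindings are updated after a WARN so later replies are judged
    against the latest state."""
    ip_to_mac = dict(trusted)
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac_to_ips[mac].add(ip)
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac
        elif known != mac:
            if ip in trusted:
                alerts.append((ts, "CRITICAL",
                               f"gateway {ip} claimed by {mac}, static binding is {known}"))
            else:
                alerts.append((ts, "WARN", f"{ip} moved from {known} to {mac}"))
                ip_to_mac[ip] = mac
        if len(mac_to_ips[mac]) > max_ips_per_mac:
            alerts.append((ts, "WARN", f"{mac} claims {sorted(mac_to_ips[mac])}"))
    return alerts


if __name__ == "__main__":
    for ts, severity, message in monitor_arp(ARP_REPLIES):
        print(f"t={ts} {severity}: {message}")
```

A host that legitimately changes its network card will trigger one WARN and then be accepted; the gateway rule stays CRITICAL because a gateway MAC change is a change-managed event, not something to learn from the wire.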

VLAN Hopping: Switch spoofing (negotiating a trunk via DTP) or double tagging enables access to other VLANs. Countermeasure: Disable dynamic trunk negotiation and configure trunk ports explicitly, set the native VLAN on trunks to an unused VLAN, and never place access ports in that native VLAN.

Rogue Access Points: Unauthorized Wi-Fi access points (including those brought in by employees). Countermeasure: Wi-Fi IDS, 802.1X instead of pre-shared keys.

Man-in-the-Middle: An attacker positions themselves between the client and server to read or manipulate communication. Countermeasure: TLS everywhere, HSTS, certificate pinning.

DDoS (Distributed Denial of Service): Volumetric overload of network connections or services. Countermeasure: Upstream DDoS mitigation, anycast, CDN, scrubbing centers.

Testing Network Security

Network Penetration Testing: Simulates an attacker who attacks the network from the outside (external) or after an initial breach (internal). Tests firewall rules, segmentation, authentication, and unpatched systems.

# Typical penetration testing tools (network); most need root or CAP_NET_RAW
nmap -sV -O --script default,vuln 192.168.0.0/24    # Service/OS discovery + NSE vuln scripts ("default" is what -sC would select)
masscan -p1-65535 --rate=10000 10.0.0.0/8           # Fast full port sweep; tune --rate to what the network tolerates
responder -I eth0 -wv                               # LLMNR/NBT-NS/mDNS poisoning + WPAD; captures NetNTLM hashes (-r/-d would also answer wredir/DHCP and disrupt the network)
impacket-secretsdump 'DOMAIN/user:password@10.0.0.5'   # Dump SAM/LSA secrets over SMB; placeholder credentials, needs local admin on the target
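Scanners find open ports; what an internal pentest actually has to answer is whether the segmentation rules from above hold. The following script is an added example, not code from the page or from any tool: run from a tester in the office segment, it probes each target/port in an expected-reachability matrix and classifies the result as open, closed (the host answered with RST, so the firewall is not dropping the traffic) or filtered (no answer, the correct outcome of a deny rule). The matrix and addresses are assumptions made for the illustration, and the probe function is injectable so the logic can be exercised without a network.

```python
import socket

# Expected reachability for a tester in the office segment (VLAN 20), derived from the
# segmentation rules above. Target addresses are assumed, not taken from the page.
EXPECTED = {
    ("10.0.10.5", 443): "open",       # VLAN 20 -> VLAN 10: HTTPS only
    ("10.0.10.5", 22): "filtered",    # everything else must be dropped by the firewall
    ("10.0.10.5", 3389): "filtered",
    ("10.0.99.2", 22): "filtered",    # management VLAN must not be reachable from office
}


def tcp_probe(host, port, timeout=2.0):
    """Three-way classification of a TCP connect: open / closed (RST) / filtered (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"     # RST came back: packets reach the host, the firewall is not enforcing
    except (TimeoutError, OSError):
        return "filtered"   # silently dropped (or host down): what a correct deny rule looks like


def verify_segmentation(expected, probe=tcp_probe):
    """Compare observed reachability with the expected matrix. 'closed' where 'filtered' was
    expected is a finding too: any service that starts on that port would be reachable."""
    findings = []
    for (host, port), want in expected.items():
        got = probe(host, port)
        if got == want:
            continue
        if want != "open" and got == "open":
            findings.append(("VIOLATION", host, port, got))
        elif want != "open" and got == "closed":
            findings.append(("NOT_FILTERED", host, port, got))
        else:
            findings.append(("EXPECTED_OPEN", host, port, got))
    return findings


if __name__ == "__main__":
    for finding in verify_segmentation(EXPECTED):
        print(*finding)
    print("done")
```

Run the same matrix from a DMZ host and from the management VLAN with their own expected values; a segmentation test is only complete when every segment pair has been probed in both directions.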

Network Security and Compliance

NIS2 Art. 21: Security measures explicitly include network security (network configuration, firewalls, segmentation).

BSI IT-Grundschutz NET modules: NET.1.1 (Network Architecture), NET.1.2 (Network Management), NET.3.2 (Firewall), NET.3.3 (VPN) define detailed requirements.

ISO 27001 A.8.20: "Network security" as an explicit control in ISO/IEC 27001:2022.

KRITIS: Operators of critical infrastructure must operate "attack detection systems" (Systeme zur Angriffserkennung, SzA) in accordance with IT-SiG 2.0, typically implemented via IDS/IPS and SIEM.

Zero Trust and Network Security

Traditional network security is based on the perimeter model: "Inside is safe, outside is dangerous." Zero Trust replaces this model:

  • No implicit trust based on network location
  • Every connection is authenticated and authorized (user + device + context)
  • Micro-segmentation down to the application level
  • Continuous monitoring of all connections

Network segmentation remains important—but not as the sole security measure.