
Network security: architectures, technologies and best practices

Network security protects corporate networks from breaches, data loss, and tampering. A practical overview of firewalls, network segmentation, Zero Trust, common attacks, and penetration testing.


Network security is the backbone of every organization's IT security. While endpoint security protects individual devices and application security safeguards software, network security protects the communication infrastructure: the arteries of the organization through which all data flows. In a flat, unsegmented network a single compromised host gives an attacker a path to every connected system.

The Classic Perimeter Model and Its Limitations

For decades, network security was based on the perimeter model: a firewall separates the “secure” internal network from the “insecure” internet. Everything inside the perimeter was treated as trustworthy.

This model has failed—for three reasons:

  1. Cloud and Remote Work: Employees and data are no longer within the perimeter. SaaS applications run in the cloud, and employees work from home.

  2. Lateral movement after initial compromise: Once an attacker has breached the firewall (via phishing, a VPN vulnerability, or a compromised vendor), they can move freely within the “trusted” internal network.

  3. Insider Threats: Not all threats come from outside. Employees with malicious intent or compromised credentials are already inside the perimeter.

The model functions as one layer of defense in depth—but not as a standalone security strategy.

Defense in Depth: Multi-Layered Network Security

Modern network security utilizes multiple layers that complement each other:

                 Internet
                    │
                    ▼
┌─────────────────────────────────┐
│  DDoS Mitigation (Upstream ISP) │
└─────────────────────────────────┘
                    │
                    ▼
┌─────────────────────────────────┐
│  Perimeter Firewall / NGFW      │  → Blocks known attacks,
│  (Next-Generation Firewall)     │    IPS signatures, GeoIP
└─────────────────────────────────┘
    │                  │
    ▼                  ▼
┌─────────┐      ┌──────────────────────┐
│   DMZ   │      │  VPN Gateway         │
│  (Web,  │      │  (Remote Access,     │
│   Mail) │      │   Site-to-Site)      │
└─────────┘      └──────────────────────┘
    │                  │
    ▼                  ▼
┌─────────────────────────────────┐
│  Internal Firewall/Segmentation │  → VLAN separation, micro-segmentation
└─────────────────────────────────┘
    ├──── VLAN 10: Production (ERP, DBs)
    ├──── VLAN 20: Office IT (Workstations)
    ├──── VLAN 30: Development
    ├──── VLAN 50: OT/Industrial (isolated!)
    └──── VLAN 99: Management (highly restricted)
                    │
                    ▼
┌─────────────────────────────────┐
│  SIEM + NDR (Monitoring)        │  → Anomaly detection, alerting
└─────────────────────────────────┘

Network Segmentation in Detail

Network segmentation is one of the most effective security measures—and at the same time one of the most frequently neglected.

Why Segmentation Is Important

Without segmentation, an attacker who compromises an accounting workstation can reach the database server, the domain controller, and every other system directly. With segmentation, the attacker is confined to that VLAN and has to get past the internal firewall before reaching anything else, which costs time and produces firewall logs that can trigger detection.

The NotPetya attack (2017) is the most prominent example: The malware spread within hours through flat, unsegmented networks and cost Maersk, Merck, and other companies a combined total of over $10 billion. Maersk had to reinstall 45,000 PCs.

VLAN Concept

VLANs (Virtual Local Area Networks) logically separate networks, even if they physically use the same infrastructure. This separation is enforced by switches and firewalls.

Recommended VLAN Structure:

VLAN | Use                       | Permitted access
-----+---------------------------+------------------------------------------------------
10   | Server/Production         | Only from VLAN 20/30 on defined ports
20   | Office clients            | Internet (via proxy), defined internal services
30   | Development               | Dev servers, test environments, Internet (via proxy)
40   | Guest Wi-Fi               | Internet ONLY, no internal access
50   | OT/SCADA                  | Physically isolated or strictly controlled gateway
60   | IoT/Building technology   | Isolated, no access to other VLANs
99   | Management (out-of-band)  | Only from dedicated jump hosts
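The table above as an enforceable policy: the following Python is an added example, not code from the article or from AWARE7, and models the access matrix as a default-deny allow-list that individual flows are evaluated against. The subnets, the proxy and jump-host addresses, the proxy port and the concrete "defined ports" are assumptions chosen to illustrate the table; the client-to-client SMB block implements the SMB recommendation given later in this article.

```python
"""Segmentation policy check for the VLAN access matrix (added example).

Everything not explicitly permitted is denied. Addresses, ports and the
proxy/jump-host layout are assumptions, not values from the article.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed VLAN-to-subnet mapping; the article gives VLAN ids only.
VLAN_SUBNETS = {
    10: ip_network("10.0.10.0/24"),  # Server/Production
    20: ip_network("10.0.20.0/24"),  # Office clients
    30: ip_network("10.0.30.0/24"),  # Development
    40: ip_network("10.0.40.0/24"),  # Guest Wi-Fi
    50: ip_network("10.0.50.0/24"),  # OT/SCADA
    60: ip_network("10.0.60.0/24"),  # IoT/Building technology
    99: ip_network("10.0.99.0/24"),  # Out-of-band management
}
INTERNET = "internet"                      # anything outside VLAN_SUBNETS
PROXY = ip_address("10.0.10.80")           # assumed web proxy in the server VLAN
PROXY_PORT = 3128                          # assumed proxy listener
JUMP_HOSTS = {ip_address("10.0.20.250")}   # assumed dedicated jump hosts


@dataclass(frozen=True)
class Rule:
    src_vlan: int
    dst_vlan: int
    ports: frozenset  # destination ports permitted on this path


# Inter-VLAN allow-list from the table; the ports are assumed examples
# of the table's "defined ports".
INTER_VLAN_RULES = (
    Rule(20, 10, frozenset({443, 1433})),  # clients -> production (HTTPS, MSSQL)
    Rule(30, 10, frozenset({443, 5432})),  # dev -> production (HTTPS, PostgreSQL)
)
# Intra-VLAN restriction: no client-to-client SMB in the office VLAN.
INTRA_VLAN_DENY = {20: frozenset({139, 445})}


def vlan_of(ip):
    for vlan, net in VLAN_SUBNETS.items():
        if ip in net:
            return vlan
    return INTERNET


def is_allowed(src, dst, port):
    """Evaluate one flow (destination TCP/UDP port) against the matrix. Default: deny."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    s, d = vlan_of(src_ip), vlan_of(dst_ip)
    if s == INTERNET:
        return False                       # inbound traffic is the perimeter's job
    if d == 99:
        return src_ip in JUMP_HOSTS        # management only from jump hosts
    if d == INTERNET:
        # Only the guest VLAN and the proxy itself talk to the internet directly.
        return s == 40 or (src_ip == PROXY and port in (80, 443))
    if s == d:
        return port not in INTRA_VLAN_DENY.get(s, frozenset())
    if dst_ip == PROXY and s in (20, 30) and port == PROXY_PORT:
        return True                        # clients reach the internet via the proxy
    return any(r.src_vlan == s and r.dst_vlan == d and port in r.ports
               for r in INTER_VLAN_RULES)


if __name__ == "__main__":
    for flow in [("10.0.20.15", "10.0.10.5", 443), ("10.0.20.15", "10.0.20.16", 445),
                 ("10.0.50.3", "10.0.10.5", 443), ("10.0.20.250", "10.0.99.1", 22)]:
        print(flow, "ALLOW" if is_allowed(*flow) else "DENY")
```

The useful property of writing the matrix down like this is that it can be diffed against the running firewall rule set and replayed against flow logs: every ALLOW decision for a flow the policy says should be DENY is either a rule gap or a bypass.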

Micro-segmentation (Zero Trust Networks)

Micro-segmentation goes beyond VLANs: Individual workloads or applications are isolated, and communication is permitted only on defined paths. Implemented via:

  • SDN (Software-Defined Networking): Centralized control of all network flows
  • VMware NSX / Cisco ACI: Micro-segmentation in virtualized environments
  • eBPF-based solutions (Cilium): Network policies in Kubernetes clusters

Firewall Technologies

Stateful Inspection Firewall

Tracks the state of active connections and allows only legitimate response packets. Blocks unwanted incoming connections.

Suitable for: Perimeter protection, NAT, basic packet filtering.

Next-Generation Firewall (NGFW)

NGFWs (Palo Alto, Fortinet, Check Point, Cisco Firepower) combine:

  • Deep Packet Inspection (DPI): Analyzes packet content, not just headers
  • Application Awareness: Recognizes applications regardless of port (e.g., Netflix on port 443)
  • IPS Integration: Intrusion prevention built directly into the firewall
  • User Identity: Rules based on user identity (via Active Directory integration)
  • SSL/TLS Inspection: Decrypts and inspects encrypted traffic (HTTPS inspection)
  • URL Filtering: Category-based web filters
  • Threat Intelligence: Blocks IPs/domains from threat feeds

Web Application Firewall (WAF)

A WAF specifically protects web applications against common application-layer attacks such as SQL injection, cross-site scripting (XSS) and SSRF, i.e. many of the OWASP Top 10 risks. It operates at the application layer (Layer 7) and understands HTTP/HTTPS. It is a mitigating control in front of the application, not a substitute for fixing the vulnerability in the code; CSRF in particular is normally addressed in the application itself (anti-CSRF tokens, SameSite cookies) rather than by the WAF.

Suitable for: Protecting public web applications, API protection, virtual patching of known vulnerabilities until the code fix ships.

Intrusion Detection and Prevention

IDS/IPS Architectures

Network IDS (NIDS): Passive system that monitors network traffic and reports anomalies. Minimal impact on performance, no blocking.

Network IPS (NIPS): Inline system that blocks attacks in real time. Higher impact in case of false positives (blocking of legitimate traffic).

Host-based IDS/IPS (HIDS/HIPS): Runs on individual hosts, analyzes system calls, file access, and processes. Often integrated today as part of EDR solutions.

Detection Methods

Signature-based Detection: Traffic is matched against patterns of known attacks (analogous to antivirus signatures). High accuracy for known attacks, blind to zero-day exploits and to variants that evade the signature.

Anomaly-based detection: The system learns normal behavior (baseline) and reports deviations. Detects unknown attacks, higher false positive rate.

Behavior-based detection (NDR): Network Detection and Response systems (Darktrace, ExtraHop, Vectra AI) use machine learning for continuous behavior monitoring. Detects subtle signs such as:

  • Unusual data volumes (potential exfiltration)
  • Lateral movement within the network
  • Command-and-control communication
  • Anomalous access times or patterns

Secure Network Communication

TLS/HTTPS Everywhere

All network communication should be encrypted, including internal traffic. "Plain HTTP is fine internally" is no longer an acceptable position. Use TLS 1.3, or TLS 1.2 with forward-secret (ECDHE) cipher suites; TLS 1.0 and 1.1 are deprecated (RFC 8996) and should be disabled.

IPsec for Site-to-Site and Remote Access

IPsec encrypts IP packets at the network layer (Layer 3). Standard for site-to-site VPNs between corporate locations. IKEv2 is the current standard; IKEv1 should be disabled.

WireGuard as a Modern Alternative

WireGuard is a more modern VPN protocol with a significantly smaller codebase (roughly 4,000 lines versus roughly 100,000 for OpenVPN). It is faster, easier to configure, and uses a fixed set of modern primitives (Curve25519, ChaCha20-Poly1305, BLAKE2s) instead of negotiable cipher suites, which removes a whole class of downgrade and misconfiguration issues.

DNS over HTTPS / DNS over TLS

Standard DNS queries are sent in plaintext, so ISPs and on-path attackers can see every domain a client resolves. DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt the query between the client and the resolver. In a corporate network this cuts both ways: clients that speak DoH to a public resolver bypass the internal resolver and with it the DNS filtering and logging described below. Point DoH/DoT at your own resolver and block direct DoH to third-party resolvers.

Network Security and OT/ICS

Operational Technology (OT)—industrial control systems (SCADA, ICS, PLC)—poses particular challenges:

  • Legacy protocols: Modbus, DNP3, and Profinet often lack authentication and encryption
  • Patching difficulties: OT systems often cannot be easily patched (maintenance intervals, vendor approvals)
  • Availability is a priority: Restarting a control system is not an option
  • Air gap is not a solution: Many OT networks are connected to IT for remote maintenance and updates

Best Practices for OT/IT Network Segmentation:

  • Physical or logical separation (demilitarized zone between IT and OT)
  • Unidirectional gateways (data diodes) for monitoring traffic from OT → IT
  • Strict jump server solution for legitimate IT→OT access
  • IDS for OT protocols (Nozomi Networks, Claroty, Dragos)

Common Attack Vectors and Countermeasures

Network Scanning and Reconnaissance

Attacker: nmap, masscan to identify open ports and services

Countermeasures:

  • Close unnecessary ports
  • IDS signatures for port scan patterns
  • Rate limiting on the firewall for new connections
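The "IDS signatures for port scan patterns" countermeasure expressed as detection logic over flow records. This is an added example, not code from the article: FLOWS is a constructed NetFlow-style sample and the window and thresholds are assumptions to be tuned to your environment. A vertical scan is one source probing many ports on one host (typical nmap), a horizontal scan is one source probing one port across many hosts (typical masscan or a pre-lateral-movement SMB sweep).

```python
"""Port-scan detection over flow records (added example).

Flow records are (unix_ts, src_ip, dst_ip, dst_port); constructed sample data.
"""
from collections import defaultdict

WINDOW_SECONDS = 60
VERTICAL_MIN_PORTS = 20    # distinct ports probed on one host (assumed threshold)
HORIZONTAL_MIN_HOSTS = 15  # distinct hosts probed on one port (assumed threshold)

FLOWS = (
    # 203.0.113.7 walks 25 ports on one server within 25 s: vertical scan
    [(1_700_000_000 + i, "203.0.113.7", "10.0.10.5", 1 + i) for i in range(25)]
    # 10.0.20.99 probes TCP/445 on 20 servers: horizontal sweep
    + [(1_700_001_000 + i, "10.0.20.99", f"10.0.10.{1 + i}", 445) for i in range(20)]
    # ordinary client traffic
    + [(1_700_002_000, "10.0.20.15", "10.0.10.5", 443),
       (1_700_002_005, "10.0.20.15", "10.0.10.80", 3128)]
)


def detect_scans(flows, window=WINDOW_SECONDS):
    """Return sorted (src, kind, target) alerts; target is the scanned host or port."""
    flows = sorted(flows)  # by timestamp, so each window can stop early
    alerts = set()
    for i, (t0, src, _, _) in enumerate(flows):
        ports_per_host = defaultdict(set)
        hosts_per_port = defaultdict(set)
        for ts, s, dst, port in flows[i:]:
            if ts - t0 > window:
                break
            if s != src:
                continue
            ports_per_host[dst].add(port)
            hosts_per_port[port].add(dst)
        for dst, ports in ports_per_host.items():
            if len(ports) >= VERTICAL_MIN_PORTS:
                alerts.add((src, "vertical", dst))
        for port, hosts in hosts_per_port.items():
            if len(hosts) >= HORIZONTAL_MIN_HOSTS:
                alerts.add((src, "horizontal", str(port)))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_scans(FLOWS):
        print("scan detected:", alert)
```

Slow scans (nmap -T1/-T2 or a few probes per hour) stay under any per-minute threshold; catching those needs a longer window with a lower count, or a "connections to closed ports" signal from the firewall's deny logs instead of raw flow counts.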

ARP Spoofing (LAN Attacks)

Attacker: Pretends to be the default gateway → Man-in-the-Middle on the local network

Countermeasures:

  • Dynamic ARP Inspection (DAI) on switches
  • 802.1X authentication for all LAN ports
  • Private VLANs (prevents communication between clients in the same VLAN)

VLAN Hopping

Attacker: Exploits misconfigurations in trunk ports or double tagging to access other VLANs

Countermeasures:

  • Explicitly configure every port as access or trunk and disable DTP (no auto-trunking; on Cisco switches: switchport nonegotiate)
  • Change the native VLAN from the default (VLAN 1) to an unused VLAN and never assign that VLAN to an access port; tagging the native VLAN on trunks defeats double tagging
  • Place unused ports in a "parking" VLAN and shut them down
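The three countermeasures as a configuration check. The following Python is an added example, not code from the article: it parses a Cisco IOS-style configuration excerpt (constructed here; only the interface, switchport and shutdown commands shown are understood) and reports ports that can still negotiate a trunk, trunks whose native VLAN is 1, and unconfigured ports that are not shut down. The parking VLAN number 999 is an assumption.

```python
"""Audit a Cisco IOS-style switch config for VLAN-hopping countermeasures (added example)."""
import re

PARKING_VLAN = 999  # assumed parking/native VLAN; anything except 1

# Constructed configuration excerpt.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description uplink-to-core
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description legacy-trunk
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/3
 description office-client
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/4
 description unused
 switchport mode access
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet1/0/5
!
"""


def parse_interfaces(config):
    """Return {interface: state}; defaults mirror a factory Catalyst port (VLAN 1, DTP on)."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"mode": None, "native": 1, "access": 1,
                                   "nonegotiate": False, "shutdown": False}
        elif current and line.startswith(" "):
            cmd, st = line.strip(), interfaces[current]
            if cmd.startswith("switchport mode "):
                st["mode"] = cmd[len("switchport mode "):]
            elif m := re.match(r"switchport trunk native vlan (\d+)$", cmd):
                st["native"] = int(m.group(1))
            elif m := re.match(r"switchport access vlan (\d+)$", cmd):
                st["access"] = int(m.group(1))
            elif cmd == "switchport nonegotiate":
                st["nonegotiate"] = True
            elif cmd == "shutdown":
                st["shutdown"] = True
        elif line.startswith("!"):
            current = None
    return interfaces


def audit(config):
    """Return a list of (interface, finding) tuples."""
    findings = []
    for name, st in parse_interfaces(config).items():
        mode = st["mode"]
        if mode is None or mode.startswith("dynamic"):
            # Catalyst default is 'dynamic auto': a DTP 'desirable' frame turns it into a trunk.
            findings.append((name, "DTP auto-trunking possible: set 'switchport mode access|trunk' "
                                   "and 'switchport nonegotiate'"))
        if mode == "trunk":
            if st["native"] == 1:
                findings.append((name, "native VLAN is 1: move it to an unused VLAN"))
            if not st["nonegotiate"]:
                findings.append((name, "trunk still negotiates DTP: add 'switchport nonegotiate'"))
        if mode == "access" and st["access"] == 1:
            findings.append((name, "access port in VLAN 1"))
        if mode is None and not st["shutdown"]:
            findings.append((name, f"unused port not parked in VLAN {PARKING_VLAN} and shut down"))
    return findings


if __name__ == "__main__":
    for iface, msg in audit(SAMPLE_CONFIG):
        print(f"{iface}: {msg}")
```

Run against a real "show running-config" export, the same logic becomes a nightly compliance check; the one-liner alternative is `show interfaces switchport`, but that has to be read by hand on every switch.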

SMB-based attacks (lateral movement)

Attacker: EternalBlue (MS17-010) for unauthenticated remote code execution, Pass-the-Hash and Pass-the-Ticket for authenticated lateral movement over SMB (Windows file sharing and remote administration)

Countermeasures:

  • Do not allow SMB between clients (firewall rule: VLAN 20 → VLAN 20: SMB prohibited)
  • Enable Windows Defender Firewall (endpoint firewall)
  • Disable SMB v1 (WannaCry countermeasure)
  • Credential Guard (Windows 10/11 Enterprise; on by default on Windows 11 22H2 Enterprise) and the Protected Users group against Pass-the-Hash

DNS Attacks

Attacker: DNS tunneling for C2 communication and data exfiltration (DNS is almost always allowed outbound, so it slips past port-based firewall rules), DNS spoofing and cache poisoning

Countermeasures:

  • DNS filtering (block known C2 domains, category filters)
  • DNS traffic analysis in SIEM (unusually high DNS query volumes)
  • DNSSEC (against spoofing)
  • Internal DNS servers instead of direct internet access to external DNS
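The "DNS traffic analysis in SIEM" countermeasure as code: an added example, not from the article, with a few heuristics that separate tunnelled or C2 DNS from ordinary resolution (many unique subdomains under one registered domain, long high-entropy labels, a TXT-heavy query mix). QUERY_LOG is constructed; the tunnel payloads are SHA-256 digests standing in for encoded data, and every threshold is an assumption to calibrate against your own baseline.

```python
"""DNS tunnelling heuristics over resolver query logs (added example).

Log rows are (src_ip, qname, qtype); constructed sample data.
"""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(text):
    """Bits per character: 'www' is about 1.58, random hex approaches 4.0."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (registered_domain, subdomain). The last two labels stand in for
    eTLD+1 here; production code should use the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def fake_payload(i):
    """Deterministic stand-in for an encoded tunnel chunk (constructed)."""
    return hashlib.sha256(str(i).encode()).hexdigest()[:63]  # 63 = max label length


QUERY_LOG = (
    [("10.0.20.15", "www.example.com", "A"), ("10.0.20.15", "mail.example.com", "A"),
     ("10.0.20.15", "cdn.example.net", "AAAA"), ("10.0.20.16", "www.example.com", "A")]
    + [("10.0.20.42", f"{fake_payload(i)}.t.badtunnel.example", "TXT") for i in range(40)]
)


def find_tunnel_suspects(log, min_queries=10, min_unique_ratio=0.9,
                         min_avg_len=30, min_entropy=3.2, min_txt_ratio=0.5):
    """Flag registered domains that trip at least two of the four indicators."""
    per_domain = defaultdict(list)
    for src, qname, qtype in log:
        dom, sub = split_name(qname)
        per_domain[dom].append((src, sub, qtype))
    findings = []
    for dom, rows in per_domain.items():
        if len(rows) < min_queries:
            continue
        subs = {sub for _, sub, _ in rows if sub}
        if not subs:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        txt_ratio = sum(1 for _, _, q in rows if q in ("TXT", "NULL")) / len(rows)
        indicators = []
        if len(subs) / len(rows) >= min_unique_ratio:
            indicators.append("unique-subdomains")   # each query carries new data
        if avg_len >= min_avg_len:
            indicators.append("long-labels")
        if avg_ent >= min_entropy:
            indicators.append("high-entropy")        # encoded, not human-chosen names
        if txt_ratio >= min_txt_ratio:
            indicators.append("txt-heavy")           # large downstream payloads
        if len(indicators) >= 2:
            findings.append({"domain": dom, "queries": len(rows),
                             "sources": sorted({src for src, _, _ in rows}),
                             "indicators": indicators})
    return findings


if __name__ == "__main__":
    for f in find_tunnel_suspects(QUERY_LOG):
        print(f)
```

CDNs and some anti-virus reputation lookups legitimately produce long, high-entropy names, which is why the check asks for two indicators and a minimum volume; the remaining false positives go into an allow-list of registered domains.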

Network penetration test

A network penetration test simulates an attacker who:

  • Attempts to penetrate the network from the outside (external test)
  • Attempts to move laterally and escalate privileges from the inside (internal test / "Assumed Breach")

Typical findings from network penetration tests:

Most common findings in practice:

  1. Unpatched systems (critical): often end-of-life Windows Server versions (2012 R2 and older) and outdated VPN appliances
  2. SMB v1 still enabled: EternalBlue exposure
  3. LLMNR/NBT-NS enabled: NTLM hash capture with Responder
  4. Missing network segmentation: client VLANs can reach the server VLAN directly
  5. Default credentials on network devices (switches, printers, routers)
  6. Unencrypted protocols internally (Telnet, HTTP, FTP)
  7. Kerberoasting: service accounts with SPNs and weak passwords
  8. Unmonitored out-of-band management access (IPMI, iDRAC, iLO)

Scope of a network penetration test:

  • External test: Company’s public IP addresses
  • Internal test: Internal network (often via initial VPN connection or on-site)
  • Assumed-breach test: starts from low-privileged domain credentials or a standard workstation

Monitoring and Detection

SIEM (Security Information and Event Management)

SIEMs collect logs from all network sources and correlate them:

  • Firewall logs: Blocked connections, allowed flows
  • IDS/IPS alerts: Detected attacks
  • DNS query logs: Connections to C2 domains
  • VPN logs: Authentications, connection durations
  • Netflow/IPFIX: Network traffic statistics (who is communicating with whom?)
  • Active Directory logs: Authentications, privilege usage

Critical correlation rules:

  • Brute-Force: 10+ failed logins in 60 seconds → Alert
  • Lateral Movement: New admin login on a non-standard workstation
  • Exfiltration: Unusual volume of outbound data to an external destination
  • Beacon: Regular small DNS queries to rarely visited domains
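Two of the correlation rules above as code, the brute-force window and the beacon rule (the same periodic C2 traffic NDR looks for). This is an added example, not from the article; AUTH_EVENTS and CONNECTIONS are constructed lists with assumed field layouts, and the thresholds (10 failures in 60 s, 8 connections with a coefficient of variation below 0.2 to a destination seen from at most 2 hosts) are assumptions.

```python
"""SIEM-style correlation rules: brute force and beaconing (added example)."""
from collections import defaultdict, deque
from statistics import mean, pstdev

# Constructed authentication events: (unix_ts, src_ip, user, result).
AUTH_EVENTS = (
    [(1_700_000_000 + 2 * i, "203.0.113.9", "svc_backup", "FAIL") for i in range(12)]
    + [(1_700_000_000 + 900 * i, "10.0.20.15", "alice", "FAIL") for i in range(3)]
    + [(1_700_003_000, "10.0.20.15", "alice", "SUCCESS")]
)


def brute_force_sources(events, threshold=10, window=60):
    """Sources with >= threshold failed logins inside any window-second span."""
    alerts, recent = set(), defaultdict(deque)
    for ts, src, _user, result in sorted(events):
        if result != "FAIL":
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:       # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            alerts.add(src)
    return sorted(alerts)


def jitter(i):
    """Constructed +/-1 s jitter for the beacon sample."""
    return (i % 3) - 1


# Constructed connection log: (unix_ts, src_ip, destination).
CONNECTIONS = (
    # Beacon: one host, every 300 s, to a destination nobody else contacts
    [(1_700_000_000 + 300 * i + jitter(i), "10.0.20.42", "c2.badtunnel.example")
     for i in range(20)]
    # Normal browsing: irregular intervals
    + [(1_700_000_000 + t, "10.0.20.15", "www.example.com")
       for t in (0, 17, 140, 141, 600, 620, 1900, 2000, 2300)]
    # Hourly update check by many hosts: periodic, but popular, so not a beacon
    + [(1_700_000_000 + 3600 * i, f"10.0.20.{h}", "update.example.com")
       for h in range(10) for i in range(8)]
)


def beacon_candidates(conns, min_events=8, max_cv=0.2, max_peers=2):
    """(src, dst, interval_s) for near-periodic connections to rarely contacted destinations."""
    per_pair, hosts_per_dst = defaultdict(list), defaultdict(set)
    for ts, src, dst in conns:
        per_pair[(src, dst)].append(ts)
        hosts_per_dst[dst].add(src)
    out = []
    for (src, dst), stamps in per_pair.items():
        if len(stamps) < min_events or len(hosts_per_dst[dst]) > max_peers:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        # Coefficient of variation: low = regular timer, high = human behaviour.
        if m > 0 and pstdev(gaps) / m <= max_cv:
            out.append((src, dst, round(m)))
    return sorted(out)


if __name__ == "__main__":
    print("brute force:", brute_force_sources(AUTH_EVENTS))
    print("beacons:", beacon_candidates(CONNECTIONS))
```

Real implants add more jitter than this sample (often 10 to 30 percent), so max_cv is a trade-off against software update checks; the "few peers" condition is what keeps legitimate periodic traffic out of the alert queue.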

Network Detection and Response (NDR)

NDR systems analyze network traffic (not just logs) at the behavioral level—and detect attacks that leave no signature.

Network Security in the Cloud

Cloud network security differs from the traditional on-premises approach:

VPC/VNET (Virtual Private Cloud / Virtual Network): Logically isolated networks in AWS/Azure/GCP. Security Groups and Network ACLs replace physical firewalls.

Security Groups: Stateful firewall rules at the instance (network interface) level. Allow-list model: only explicitly permitted traffic gets through, and there are no deny rules. Network ACLs are the stateless, subnet-level complement.

Service Endpoints / Private Link: Connections to cloud services (S3, Azure Storage) via private network connections instead of the public internet.

Cloud-native Firewall: AWS Network Firewall, Azure Firewall (Premium tier for IDPS) and Google Cloud NGFW are managed firewall services with IPS functionality; Google Cloud Armor covers the WAF/DDoS layer in front of load balancers.

Challenge: Misconfigurations (publicly accessible S3 buckets, open security groups) are the most common cause of cloud data breaches.
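The "open security group" misconfiguration as an audit check: an added example, not from the article. SECURITY_GROUPS is constructed by hand in the shape of an AWS describe-security-groups response (feed in the real list from the CLI or SDK to use it), and the set of ports treated as risky is an assumption.

```python
"""Find security-group rules that expose management or database ports to the world (added example)."""
from ipaddress import ip_network

# Ports that should never be reachable from 0.0.0.0/0 or ::/0 (assumed list).
RISKY_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL",
               6379: "Redis", 9200: "Elasticsearch", 27017: "MongoDB"}

# Constructed sample in the shape of AWS 'describe-security-groups' output.
SECURITY_GROUPS = [
    {"GroupId": "sg-0001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},        # public web: fine
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []},  # SSH from admin range
    ]},
    {"GroupId": "sg-0002", "GroupName": "legacy-admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0003", "GroupName": "wide-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0004", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},      # internal only
    ]},
]


def is_world_reachable(cidr):
    return ip_network(cidr).prefixlen == 0   # 0.0.0.0/0 or ::/0


def risky_ports_in(perm):
    """Risky ports covered by one permission entry (port range or 'all traffic')."""
    if perm.get("IpProtocol") == "-1":
        return set(RISKY_PORTS)
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return set()
    return {p for p in RISKY_PORTS if lo <= p <= hi}


def audit_security_groups(groups):
    """Return (group_id, port_or_ALL, message) for every world-reachable risky rule."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            sources = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                       + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            if not any(is_world_reachable(c) for c in sources):
                continue
            if perm.get("IpProtocol") == "-1":
                findings.append((sg["GroupId"], "ALL", "all protocols and ports open to the world"))
                continue
            for port in sorted(risky_ports_in(perm)):
                findings.append((sg["GroupId"], port, f"{RISKY_PORTS[port]} open to the world"))
    return findings


if __name__ == "__main__":
    for group_id, port, msg in audit_security_groups(SECURITY_GROUPS):
        print(f"{group_id} port {port}: {msg}")
```

Port 443 open to the world on the web group is intentionally not reported: the point of the check is unintended exposure of administrative and data-store ports, not public services. The same logic applies to Azure NSGs and GCP firewall rules once their JSON is normalised into the same fields.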

Compliance Requirements

BSI IT-Grundschutz:

  • NET.1.1 Network Architecture: Segmentation, DMZ, management network
  • NET.1.2 Network Management: Secure administration of network components
  • NET.3.2 Firewall: Configuration requirements, change management
  • NET.3.3 VPN: Cryptographic requirements (BSI TR-02102-3)

NIS2 Art. 21: Network security measures as an explicit requirement.

ISO 27001:2022 Annex A 8.20: Network security as a standalone control measure.

KRITIS IT-SiG 2.0: Intrusion detection systems (IDS) mandatory – typically IDS/IPS + SIEM + NDR.

Recommendations for Getting Started

Immediate Measures (Low-Hanging Fruit):

  1. Disable LLMNR and NetBIOS name resolution (prevent NTLM hash capture)
  2. Disable SMB v1 on all Windows systems
  3. Change default credentials on all network devices
  4. Restrict management access to network devices to defined admin IPs
  5. Disable all unused switch ports and set them to "Parking VLAN"

Short term (1–3 months):

  6. Create and implement a network segmentation strategy
  7. Enable IDS/IPS (use the NGFW feature if available)
  8. Enable DNS filtering
  9. Upgrade VPN to MFA (certificate + OTP or FIDO2)
  10. Commission a network penetration test

Medium term (3–12 months):

  11. Implement SIEM with basic correlation rules
  12. 802.1X for Wi-Fi and wired ports
  13. Introduce NAC (Network Access Control)
  14. Develop a zero-trust strategy



This article was last edited on 04.03.2026. Responsible: Chris Wojzechowski, Managing Partner (Geschäftsführender Gesellschafter) at AWARE7 GmbH. License: CC BY 4.0 - free use with attribution: "AWARE7 GmbH, https://a7.de"
