
Network Security Best Practices

This document discusses network security best practices for enterprises. It begins by reviewing common network devices like switches, routers, firewalls and security solutions. It then discusses best practices for threat prevention such as network segmentation, placing security devices correctly, using network address translation and personal firewalls. It also discusses best practices for threat detection and response such as monitoring network protocols, using honeypots, and intrusion detection and prevention systems.


Network Security Best Practices
Robust network security best practices are more important than ever to protect against today’s increasingly
sophisticated cyber threats. This article explores a range of network and security best practices and technologies
you need to fortify your network against unauthorized access and data breaches.

Types of network devices and security solutions
Before diving into enterprise network security best practices, let’s review the common types of network devices
and security solutions that organizations can take advantage of:

▪ Bridges were once used to connect two or more hosts or network segments. They are outdated and no longer used.

▪ Hubs were once used to connect local area network (LAN) devices. Because they have no built-in intelligence,
hubs are seldom used in modern network setups.

▪ A network switch is the default network appliance connecting computers, servers, printers and other devices
in a LAN. It uses MAC addresses to manage and forward data to specific devices. Unlike a hub, a switch can
intelligently direct traffic to reduce network congestion and improve network performance.

▪ A network router directs data packets between different networks to facilitate internet connectivity and
internal network communication. Routers use IP addresses to determine the most efficient path for data
packet transmission across networks. They can also provide security features like access control lists to
restrict network access.

▪ A gateway serves as an intermediary for devices on separate networks, enabling them to communicate even
if they are using different communication protocols.

▪ A firewall segregates one network from another. Firewalls are available in hardware and software form and
can be integrated into devices like routers or servers. The classic example of a firewall is a dedicated appliance
that serves as a barrier between the internal network and the outside world.

▪ A network access control (NAC) system assesses whether devices trying to access the network meet defined
security standards (such as up-to-date antivirus software, system updates and specific configuration settings)
and then grants or denies access.

▪ A web filter restricts access to internet content based on predefined criteria. For instance, this type of
security solution can block access to malicious or inappropriate websites as defined by an organization’s policies.

▪ A proxy server acts as an intermediary between a user’s device and the internet. Proxy servers can mask the
user’s IP address as well as filter web requests to block access to malicious sites or content.

▪ An email filter (spam filter) helps prevent unwanted emails from reaching the user’s inbox altogether, or
delivers the email but removes potentially malicious hyperlinks and attachments. Simple filters use
organizational policies or vendor-specified patterns to detect spam; advanced filters employ heuristic methods
to spot suspicious patterns or word frequency.

▪ DDoS mitigation tools are designed to identify distributed denial of service (DDoS) attacks in their early
stages, absorb the associated surge in traffic and help pinpoint the attack’s origin.

▪ Load balancers contribute to network security by evenly distributing network traffic across multiple servers.
For instance, they can help prevent any single server from becoming overloaded during a DDoS attack.

For more background information, review the OSI model for network systems in Appendix A.

Enterprise Network Security Best Practices


With those basics in mind, let’s explore known network security best practices that can help your organization
improve its security posture to block attacks, as well as best practices for promptly detecting and responding to
threats in progress.

Network security best practices for threat prevention

Segregate your network.


One of the core best practices for network security, network segmentation involves dividing a network into logical
or functional zones. This can be achieved through physical means like routers and switches, or virtually by using
VLANs. The objective is to contain a security breach to a single zone and thereby limit disruption and damage.
Segmentation also enables IT teams to apply different security controls and monitoring to each zone.

In particular, organizations can set up a demilitarized zone (DMZ) to serve as a buffer between the internal network
and the internet or other untrusted networks. The DMZ hosts external-facing services like web application
servers; if these services are compromised, an attacker does not have direct access to the internal network.

An extreme form of segmentation is the air gap, where systems (such as servers with backups or other sensitive
information) are entirely disconnected from the network.
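The DMZ goal stated above (a compromised DMZ host must have no direct path into the internal network) can be checked mechanically against a zone-based firewall policy. The following is an added example, not code from the original document or from Netwrix; the zone names, the rule tuple format, first-match evaluation and the sample policy are assumptions.

```python
# Audit a zone-based firewall policy against the segmentation goal:
# neither the internet nor the DMZ may open connections into "internal".
# Added example; rule format and the constructed SAMPLE_POLICY are assumptions.
ALL_PORTS = frozenset(range(1, 65536))
FORBIDDEN_PAIRS = (("internet", "internal"), ("dmz", "internal"))

def _ports(spec):
    """Normalise a port spec: "any" or an iterable of ints -> frozenset of ints."""
    return ALL_PORTS if spec == "any" else frozenset(spec)

def allowed_ports(policy, src, dst):
    """Ports that zone *src* may open toward zone *dst*.
    policy: list of (src_zone, dst_zone, ports, action) evaluated first-match,
    with an implicit final drop; a zone of "any" matches every zone."""
    decided, accepted = set(), set()
    for r_src, r_dst, ports, action in policy:
        if r_src not in (src, "any") or r_dst not in (dst, "any"):
            continue
        new = _ports(ports) - decided          # ports not settled by an earlier rule
        if action == "accept":
            accepted |= new
        decided |= new                         # "drop" also settles its ports
    return frozenset(accepted)

def segmentation_violations(policy):
    """Return [(src, dst, ports)] for every forbidden zone pair that is reachable."""
    out = []
    for src, dst in FORBIDDEN_PAIRS:
        ports = allowed_ports(policy, src, dst)
        if ports:
            out.append((src, dst, "any" if ports == ALL_PORTS else sorted(ports)))
    return out

# Constructed sample policy (first match wins). The DMZ -> internal database
# rule is the kind of exception the audit should surface for review.
SAMPLE_POLICY = [
    ("internet", "dmz", [80, 443], "accept"),      # public web tier
    ("internal", "dmz", "any", "accept"),          # admins manage DMZ hosts
    ("internal", "internet", [80, 443], "accept"), # outbound browsing
    ("dmz", "internal", [3306], "accept"),         # web tier reaches an internal DB
    ("dmz", "internal", "any", "drop"),
    ("any", "any", "any", "drop"),
]

if __name__ == "__main__":
    for src, dst, ports in segmentation_violations(SAMPLE_POLICY):
        print(f"VIOLATION: {src} -> {dst} allowed on ports {ports}")
```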

Place your security devices correctly.

The placement of firewalls is especially important. Ideally, a firewall should be situated at each network zone
junction to serve as a barrier between different segments. Modern firewalls often come with integrated features
like intrusion detection and prevention systems, DDoS mitigation, and web filtering, making them highly suitable
for perimeter defense.

Web application firewalls (WAFs) are best placed in zones where applications are hosted, such as the DMZ. This
placement helps protect web applications from threats like SQL injection and cross-site scripting. Load balancers
that manage application traffic or DNS servers should also be located within the DMZ to optimize traffic flow and
improve security.

Use network address translation.


Network address translation (NAT) translates all private addresses of an organization into a single public IP
address for external communications. Without NAT, the world would have run out of IPv4 addresses long ago. But
the benefit of NAT for network security is that it masks the internal network’s structure from outsiders, adding a
layer of privacy and security.

Use personal firewalls.


Personal firewalls are software-based firewalls that reside on each computer or server. While they are frequently
integrated into the operating system, they can also be installed as third-party applications. Like conventional
firewalls, they restrict incoming and outgoing traffic to protect the device.

Configuring personal firewalls can initially be time-intensive due to the variety of applications and services running
on a device. However, forgoing this step for convenience can leave devices vulnerable to malware and hacking.
Always enable personal firewalls to ensure each device’s security within the broader network.

Use whitelisting when feasible.


Application whitelisting is the practice of creating a list of approved software and allowing only those applications
to run. This strategy can significantly reduce risk; for instance, it can prevent malware delivered by phishing
attacks or malicious websites from executing.

However, whitelisting is not always practical, since the list must be kept updated with all applications that anyone
in the organization has a legitimate reason to run.

Use a web proxy server to manage internet access.

By authenticating and monitoring outbound connections, a web proxy server helps ensure that only web traffic
initiated by legitimate users is allowed. For example, this helps prevent malware inside the network from
communicating with the attacker’s command and control server.

Require VPNs for remote access.


A virtual private network (VPN) establishes a secure and private network connection over a public network
infrastructure. It enables remote users to connect to the network as though they were locally connected. VPNs can
also be used to securely link LANs across the internet using a secure tunnel that encrypts all data in transit. VPNs
require either specialized hardware or VPN software installed on servers and workstations.

Network security best practices for threat detection and response

Baseline network protocols and monitor usage.


Establish the baseline usage of different protocols on your wired and wireless networks. To create an accurate
baseline, data should be gathered from a variety of sources including routers, switches, firewalls, wireless access
points, network sniffers and dedicated data collectors. Then monitor for deviations from these baselines, which can
be indicative of data tunneling, malicious software transmitting data to unauthorized destinations, and other threats.

Use honeypots and honeynets.


A honeypot is a decoy system designed to look like a real network asset, and a honeynet is a network of
honeypots that simulates a larger, more complex network environment. They are designed to lure adversaries into
interacting with them, both to divert malicious actors from true assets and to enable security teams to study
attack techniques and gather other intelligence for effective threat management.

Use intrusion detection and prevention systems.

It is vital to monitor and log activity across the network and analyze it to spot unusual logins, suspicious computer
events and other anomalies. An intrusion detection system (IDS) monitors network data flows for potentially
malicious activity and alerts administrators about anomalies. An intrusion prevention system (IPS) also
monitors network traffic for threats; however, in addition to alerting administrators, it can automatically take
action to block or mitigate threats.

These tools can be a valuable part of your network security strategy. For example, by comparing current activity
to an established baseline, they could spot a spike in network activity that could indicate a ransomware or SQL
injection attack. They can also use attack signatures — characteristic features common to a specific attack or
pattern of attacks — to spot attacks that don’t generate activity that violates your organization’s baseline.
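As an added example (not from the original document or from Netwrix) of both the protocol baselining described under "Baseline network protocols and monitor usage" and the baseline-versus-signature comparison an IDS performs: per-protocol byte counts are baselined over a learning window, a new interval is scored against that baseline, and a payload is checked against a signature list. The record format, the z-score threshold, the signature and all sample data are constructed assumptions.

```python
# Baseline-deviation and signature checks over constructed flow summaries.
# Added example; the interval format, threshold and sample values are assumptions.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed data: bytes per protocol per interval. The first six intervals are
# the learning window; CURRENT_INTERVAL is the one being checked. Its DNS volume
# is the kind of jump the text attributes to data tunneling.
BASELINE_WINDOW = [
    {"dns": 12_000, "https": 900_000, "smtp": 40_000},
    {"dns": 11_500, "https": 950_000, "smtp": 38_000},
    {"dns": 13_000, "https": 880_000, "smtp": 42_000},
    {"dns": 12_400, "https": 910_000, "smtp": 39_000},
    {"dns": 11_900, "https": 930_000, "smtp": 41_000},
    {"dns": 12_600, "https": 905_000, "smtp": 40_500},
]
CURRENT_INTERVAL = {"dns": 480_000, "https": 920_000, "smtp": 40_000, "ssh": 5_000}

def build_baseline(windows):
    """Per-protocol (mean, stdev) of bytes per interval over the learning window."""
    by_proto = defaultdict(list)
    for window in windows:
        for proto, nbytes in window.items():
            by_proto[proto].append(nbytes)
    return {p: (mean(v), pstdev(v)) for p, v in by_proto.items()}

def baseline_deviations(baseline, current, z_threshold=3.0):
    """Protocols that were never seen in the baseline, or whose volume sits
    more than z_threshold standard deviations above their baseline mean."""
    findings = {}
    for proto, nbytes in current.items():
        if proto not in baseline:
            findings[proto] = "no baseline for this protocol"
            continue
        mu, sigma = baseline[proto]
        if sigma:
            z = (nbytes - mu) / sigma
        else:                                  # constant baseline: any growth is a deviation
            z = float("inf") if nbytes > mu else 0.0
        if z > z_threshold:
            findings[proto] = f"{nbytes} bytes is {z:.1f} stdev above mean {mu:.0f}"
    return findings

# Constructed signature list: name -> lowercase substring to look for in a payload.
SIGNATURES = {"sqli-union-select": "union select"}

def signature_hits(payload):
    """Names of signatures whose pattern occurs in the payload (case-insensitive)."""
    text = payload.lower()
    return sorted(name for name, pattern in SIGNATURES.items() if pattern in text)
```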

Automate response to attacks when appropriate.


Many modern security tools can be configured to respond automatically to known threats. For example, these
systems can:

▪ Block IP address — An IPS or firewall can block the IP address from which the attack originated. This option
is very effective against phishing and denial-of-service attacks. However, some attackers spoof the source IP
address during attacks, so the wrong address will be blocked.

▪ Terminate connections — Routers and firewalls can be configured to disrupt the connections that an intruder
maintains with the compromised system by sending TCP reset (RST) packets to the attacker.

▪ Acquire additional information — Tools can also collect valuable information that helps determine the
point of initial access, which accounts were compromised, how the intruders moved across the network and
what data was compromised.

Bonus best practice

A final network security best practice applies across both threat prevention and detection & response.

Use multiple vendors.

Using solutions from different vendors bolsters cyber resilience by reducing the risk associated with a single point
of failure — if a solution from one vendor is compromised, the presence of solutions from other vendors helps
maintain the defensive shield. This approach also enables greater adaptability in response to evolving threats and
security requirements. More broadly, it can lead to competitive pricing and drive innovation, as vendors strive to
offer the most advanced and cost-effective solutions.

Conclusion

By adhering to the network security best practices detailed here, your organization can reduce the risk of costly
business disruptions and security incidents, as well as ensure compliance with today’s strict legislative mandates.

Appendix A: The OSI Model

The OSI (Open Systems Interconnection) model is an established framework for network systems. It comprises
seven layers, from physical hardware to application-level interactions:

Layer | Function | Network device types | Protocols or standards

1: Physical | Physically interfaces with the transmission medium and sends data over the network | Hub | EIA RS-232, EIA RS-449, IEEE 802

2: Data link | Provides error checking and transfer of message frames | Switch | Ethernet, Token Ring, 802.11

3: Network | Performs packet routing | Router | IP, OSPF, ICMP, RIP, ARP, RARP

4: Transport | Supports end-to-end delivery of data | Gateway | TCP, UDP, SPX

5: Session | Negotiates and establishes a connection with another computer | Gateway | SQL, X Window, ASP, DNA, SCP, NFS, RPC

6: Presentation | Provides encryption, code conversion and data formatting | (none listed) | MPEG, JPEG, TIFF

7: Application | Provides services such as email, file transfers and file servers | (none listed) | HTTP, FTP, TFTP, DNS, SMTP, SFTP, SNMP, RLogin, BootP, MIME
Improve the Security of Your Network with Netwrix Auditor for Network Devices

▪ Ensure no unwanted configuration change to your network devices goes unnoticed with comprehensive logging
and easy review of activity.

▪ Ensure integrity and security with robust monitoring of remote access to your network.

▪ Stay ahead of security threats with real-time alerts on unusual events and other suspicious activity.

▪ Minimize downtime and disruptions with health and performance monitoring that enables proactive maintenance
of your network devices.

▪ Achieve and prove compliance with internal standards and external regulations through automated reporting.

Download Free 20-Day Trial


About Netwrix
Netwrix makes data security easy. Since 2006, Netwrix solutions have been simplifying the lives of security
professionals by enabling them to identify and protect sensitive data to reduce the risk of a breach, and to detect,
respond to and recover from attacks, limiting their impact. More than 13,500 organizations worldwide rely on
Netwrix solutions to strengthen their security and compliance posture across all three primary attack vectors:
data, identity and infrastructure.

For more information, visit www.netwrix.com

Next Steps

Free Trial — Set up Netwrix software in your own test environment: netwrix.com/freetrial

Live Demo — Take a product tour with a Netwrix expert: netwrix.com/livedemo

Request Quote — Receive pricing information: netwrix.com/buy

CORPORATE HEADQUARTERS: 6160 Warren Parkway, Suite 100, Frisco, TX, US 75034; 5 New Street Square, London EC4A 3TW

PHONES: 1-949-407-5125; Toll-free (USA): 888-638-9749; UK: +44 (0) 203 588 3023

OTHER LOCATIONS: Spain: +34 911 982608; Netherlands: +31 858 887 804; Sweden: +46 8 525 03487;
Switzerland: +41 43 508 3472; France: +33 9 75 18 11 19; Germany: +49 711 899 89 187;
Hong Kong: +852 5808 1306; Italy: +39 02 947 53539

SOCIAL: netwrix.com/social
