Protecting networks

Firewalls act as a barrier between a trusted internal network and untrusted external networks (like the internet). They filter incoming and outgoing network traffic based on a set of predefined security rules, allowing or blocking data packets based on their source, destination, and content.

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are tools that monitor network traffic for suspicious or malicious activities. IDS detects and alerts administrators about potential threats, while IPS can actively block or prevent these threats from reaching the network.

Example

Below is an example of intrusion detection software in action.

Implement strong access control mechanisms to ensure that only authorized users and devices can access network resources. This includes robust user authentication, granular authorization, and continuous auditing.

Use multi-factor authentication (MFA) to strengthen identity verification and enforce strong password policies or passwordless authentication where possible. Apply the principle of least privilege so users and systems are granted only the access necessary to perform their roles.

Image source Wikipedia.

• Encrypt sensitive data as it travels across the network to protect it from interception and unauthorized access. Use SSL/TLS for web traffic to secure HTTP communications, ensuring that data exchanged between clients and servers is encrypted and tamper-proof.
• For remote users or branch offices, implement VPNs (Virtual Private Networks) to create secure, encrypted tunnels that safeguard data as it traverses public or untrusted networks.
• Use end-to-end encryption for email, messaging, and file transfers, ensuring that only intended recipients can read the content.E
• Enforce encryption at rest for sensitive data stored on servers, databases, or cloud services to protect it even if storage devices are compromised.

Regularly update and patch network devices, operating systems, and software applications to address known vulnerabilities. Attackers often exploit unpatched systems, making timely updates critical for preventing breaches.

Establish a patch management process that includes:

• Monitoring vendors for security updates and advisories

• Testing patches in a controlled environment before deployment

• Applying critical patches promptly while scheduling routine updates for less urgent fixes

• Documenting patching activities for accountability and compliance

In addition, consider automating updates where feasible and using intrusion detection or vulnerability scanning tools to identify unpatched or misconfigured systems. Consistent patching reduces the attack surface and strengthens overall network security.

Divide your network into segments or zones, each with its own security policies and controls. This helps contain and mitigate the impact of a security breach.

Develop and enforce network security policies and best practices that define acceptable use, password management, and other security-related behaviors for users and administrators.

• Establish and enforce policies for safe and responsible use of network resources
• Define acceptable use for users and administrators
• Implement password management standards (strong passwords, rotation, MFA)
• Set security protocols for access control, data encryption, and incident reporting
• Train and raise awareness to ensure compliance
• Monitor, audit, and update policies to address emerging threats

Employ network monitoring tools to continuously monitor network traffic, looking for anomalies that might indicate a security breach.

Below is an screenshot from the popular Wireshark network monitoring tool which analyses packets sent across the network.

Have a well-defined incident response plan in place to react promptly and effectively to security incidents when they occur. This plan should outline how to contain, investigate, and recover from security breaches.

The basic steps in the process are:

• Preparation: Establish a response team, create a plan, and train staff.
• Identification: Detect and confirm security incidents.
• Containment: Isolate affected areas to prevent further damage.
• Eradication: Remove the root cause of the incident.
• Recovery: Restore systems and services to normal.
• Communication: Notify stakeholders and maintain clear communication.
• Documentation: Record incident details and actions taken.
• Legal Compliance: Ensure adherence to laws and regulations.
• Learn and Improve: Analyze the incident for lessons and update the plan.
• Testing: Regularly practice incident response procedures.

Conduct regular security audits, vulnerability assessments, and penetration testing to identify and address weaknesses proactively.

Maintain a secure audit trail that logs key security events — including login attempts, configuration changes, firewall rule updates, and access to sensitive systems. Each log entry should record who performed the action, what was done, when it occurred, where it originated, and whether it succeeded.

Regularly review and protect these logs to support threat detection, investigations, and compliance.

Regularly back up critical data and have a disaster recovery plan in place to ensure business continuity in the event of a network breach or other catastrophic events.

• • Perform regular backups of critical data to secure locations
• • Maintain a disaster recovery plan to restore systems quickly
• • Ensure business continuity during network breaches or catastrophic events
• • Test recovery procedures periodically to verify effectiveness
• • Implement redundancy and offsite storage to minimize downtime

Stay informed about the latest security threats and vulnerabilities by subscribing to threat intelligence feeds and promptly applying security updates and patches.

White box testing is a method where the tester is given full knowledge of the system before testing begins. This may include network diagrams, source code, IP addresses, and user credentials.

Because the tester has detailed information, white box testing allows for thorough examination of internal security controls, code vulnerabilities, and configuration weaknesses. It is effective for identifying hidden flaws but may not fully reflect how an external attacker would approach the system.

Black box testing is a method where the tester is given no prior information about the system. The tester must gather information in the same way an external attacker would, using reconnaissance and probing techniques.

This approach closely simulates real-world attacks and is useful for testing perimeter defenses, detection systems, and incident response. However, it may miss deeper internal vulnerabilities due to limited access and time.