Network Security Fundamentals and Best Practices

Network infrastructure is the foundation of organizational security. This guide covers fundamental network security concepts and testing methodologies.

Network Security Architecture

Defense in Depth Strategy

Modern networks require multiple layers of security:

1. Perimeter Security: Firewalls and intrusion detection
2. Network Segmentation: VLANs and DMZs
3. Access Control: Authentication and authorization
4. Encryption: Protecting data in transit
5. Monitoring: Detection and response

Network Segmentation

Proper segmentation limits the impact of breaches:

DMZ (Demilitarized Zone)

• Separates internet-facing systems from internal networks
• Hosts web servers, email servers, DNS
• Strictly controlled access to internal networks

VLAN Segmentation

• Separates departments and security zones
• Finance, HR, Development in different VLANs
• Reduces lateral movement opportunity

Microsegmentation

• Granular network boundaries
• Server-to-server segmentation
• Zero-trust network architecture

Firewall Configuration

Firewalls are the primary network security control.

Stateful Inspection

Modern firewalls maintain connection state:

Inbound Rule Example:
Source: Any
Destination: 192.168.1.100
Port: 443 (HTTPS)
Action: Allow
State: Established connections

Outbound Rule Example:
Source: 192.168.1.0/24
Destination: Any
Port: 53 (DNS), 80 (HTTP), 443 (HTTPS)
Action: Allow

Default Deny Policy

Best practice: Deny all traffic by default, then allow specific traffic:

Bad Practice:

Allow all traffic
Deny sensitive ports

Good Practice:

Deny all traffic (default)
Allow only required services
    - HTTP (80)
    - HTTPS (443)
    - SSH (22) from admin subnet
    - DNS (53)

Testing Firewall Rules

Port Scanning:

# Identify open ports
nmap -p 1-65535 target.com

# Service identification
nmap -sV -p 1-65535 target.com

Rule Verification:

• Test allowed ports are accessible
• Verify denied ports are blocked
• Check for unintended access
• Test from different network locations

Intrusion Detection & Prevention Systems

IDS/IPS systems monitor for malicious activity.

IDS (Intrusion Detection System)

Passive monitoring that alerts on suspicious traffic:

Detection Methods:

• Signature-based: Matches known attack patterns
• Anomaly-based: Detects deviation from normal behavior
• Behavior-based: Identifies suspicious patterns

IPS (Intrusion Prevention System)

Active system that blocks malicious traffic:

Capabilities:

• Drops malicious packets
• Terminates suspicious connections
• Rate limiting
• Protocol enforcement

Testing IDS/IPS

Signature Testing:

# Test with known attack signatures
curl "http://target.com/index.php?id=1' OR '1'='1"

# XML External Entity (XXE) test
<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>

Evasion Testing:

• Test IDS evasion techniques
• Verify IPS blocks actual attacks
• Check for false positives/negatives
• Validate alert accuracy

SSL/TLS Configuration

Encryption protects data in transit.

Certificate Management

# View certificate details
openssl s_client -connect example.com:443

# Check certificate expiration
openssl x509 -in cert.pem -noout -dates

# Verify certificate chain
openssl verify -CAfile ca.pem cert.pem

TLS Configuration Best Practices

Enabled Protocols:

• TLS 1.3 (preferred)
• TLS 1.2

Disabled Protocols:

• SSLv3 (deprecated)
• TLSv1.0 (deprecated)
• TLSv1.1 (deprecated)

Strong Ciphers:

- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES128-GCM-SHA256

Testing SSL/TLS

# Test TLS version support
nmap --script ssl-enum-ciphers -p 443 target.com

# Detailed SSL analysis
sslscan target.com

# Check for common misconfigurations
testssl.sh https://target.com

VPN & Remote Access

Secure remote access requires proper controls:

VPN Best Practices

• Use modern VPN protocols (WireGuard, IKEv2)
• Implement multi-factor authentication
• Use strong encryption (AES-256)
• Enforce device compliance checks
• Log all VPN access
• Implement idle session timeouts

Testing Remote Access

• Attempt access without MFA
• Test credential enforcement
• Verify encryption strength
• Check logging functionality
• Test account lockout mechanisms

Wireless Network Security

Wireless networks face unique threats.

Wi-Fi Security

WPA2/WPA3 Configuration:

• Use WPA3 when possible (WPA2 minimum)
• Disable WEP and WPA (legacy)
• Use strong Pre-Shared Key (PSK)
• Hide SSID broadcasting (minimal benefit)
• Regular firmware updates

Enterprise Wi-Fi:

• Use 802.1X with EAP
• Implement certificate-based auth
• Separate authentication server
• Monitor for rogue access points

Testing Wireless Security

# Scan for wireless networks
sudo airodump-ng wlan0

# Test Wi-Fi encryption
sudo aircrack-ng capture.cap

Network Monitoring & Logging

Effective monitoring detects and deters attacks.

Essential Logs

• Firewall logs: Allowed and denied traffic
• IDS/IPS logs: Suspicious activity
• Authentication logs: Login attempts
• Access logs: Resource access
• Application logs: Error and security events

Log Analysis

Tools:

• Splunk: Log management and analysis
• ELK Stack: Elasticsearch, Logstash, Kibana
• Graylog: Log aggregation

Queries:

- Failed authentication attempts by user
- Unusual outbound traffic
- Port scanning activity
- Access to sensitive resources

Network Penetration Testing

Comprehensive testing of network security:

External Testing

Phase 1: Reconnaissance

• DNS enumeration
• Whois lookups
• Port scanning
• OS fingerprinting

Phase 2: Scanning

• Detailed port enumeration
• Service version identification
• Vulnerability scanning

Phase 3: Exploitation

• Attempt known vulnerabilities
• Manual exploitation
• Privilege escalation
• Lateral movement

Internal Testing

• Test network segmentation effectiveness
• Attempt unauthorized access
• Test internal system vulnerabilities
• Verify access controls

Compliance & Standards

• PCI DSS: Payment systems security
• HIPAA: Healthcare data security
• SOC 2: Trust services controls
• ISO 27001: Information security

Network Security Checklist

• Firewall with default-deny policy
• Network segmentation implemented
• IDS/IPS deployed and tuned
• TLS 1.2+ configured
• VPN access controlled with MFA
• Wi-Fi encryption WPA2/WPA3
• Comprehensive logging enabled
• Regular security monitoring
• Incident response plan
• Regular penetration testing

Conclusion

Network security requires a comprehensive approach combining proper architecture, strong controls, and continuous monitoring. Regular penetration testing ensures your network defenses remain effective against evolving threats.

At Cyenetic Solutions, our network security experts conduct comprehensive penetration tests covering external networks, internal infrastructure, wireless systems, and security device configuration. We help you identify and remediate network vulnerabilities before attackers find them.

Strengthen your network security - Schedule a network penetration test today.