Network Security Controls: Preventive, Detective, and Corrective Measures

Key Takeaways

  • Network security requires a layered approach. Effective protection depends on combining preventive, detective, and corrective controls rather than relying on a single defense mechanism.
  • Segmentation and zero trust reduce lateral movement. Breaking networks into controlled segments and verifying every access request limits the spread of intrusions.
  • Security is an ongoing cycle, not a one-time setup. Continuous monitoring, tested incident response plans, backups, and forensic readiness are essential to maintaining resilience.

The computer network is the most important component of the information age. With the network, data packets can move across the world, leading to the information sharing driving today’s technological revolution.

The dependency on computer networks for homes, businesses, governments, and other entities is more critical than ever before. That’s why securing the confidentiality, integrity, and availability of information passing through them is paramount.

And because networks, especially the internet, are shared resources, the chances of eavesdropping, tampering, bogus requests, or spoofing are extremely high. Network-focused attacks such as DDoS and intrusions make up over 70% of all attack vectors, according to statistics from ENISA.

What is network security?

Network security involves making assumptions about trust, assessing and evaluating threats, and putting in place mitigating controls. Preventing malicious communication and lateral spread relies on layered network defenses.

So, that’s the approach we’ll take: let’s look at how to secure networks, examining specific controls that organizations and service providers can invest in to address vulnerabilities and contain threats. There are three approaches to network security, which work best together: preventive, detective, and corrective network security.

Network security control categories

Preventive
  Purpose: Stop attacks before they succeed
  When it acts: Before or during an attempted intrusion
  Focus: Reduce attack surface and block unauthorized access
  Example controls: Firewalls, IPS, network segmentation, zero-trust architecture, NAC, DMZ

Detective
  Purpose: Identify and alert on suspicious or malicious activity
  When it acts: During or immediately after malicious activity
  Focus: Provide visibility and enable investigation
  Example controls: SIEM, IDS, surveillance systems, physical intrusion alarms, honeypots

Corrective
  Purpose: Contain damage and restore operations
  When it acts: After a security incident has occurred
  Focus: Minimize impact and ensure recovery
  Example controls: Backups, incident response plans (IRPs), evidence collection

Preventive network security

Preventive network security focuses on putting in place measures that stop attacks from infiltrating the corporate network, whether from the outside or the inside. These controls are the most common in an IT environment and are usually set up in a defense-in-depth approach, where multiple barriers across several layers can thwart attacks or limit their impact.

Some of the common preventive controls in an IT network include:

Physical security controls

Access to network closets is secured through access control systems such as key locks and biometric systems. In addition, the areas around network equipment are secured through locked racks and cabinets and secured cabling.

Visitor management practices can also add a preventive layer that limits physical attacks by human adversaries. Other physical security controls include fire suppression and HVAC systems, which prevent damage caused by fire, surging temperatures, or water.

Intrusion prevention systems (IPS)

An IPS is a network security tool that analyzes network traffic in real time, identifies suspicious patterns or known threats, and automatically takes action, such as dropping or blocking malicious traffic.

Network firewall

The firewall is a network security appliance that is preconfigured with rules to filter traffic and block any data that does not comply with the rules. The standard configuration for a firewall is to reject all network traffic unless explicitly allowed.

Extra security functionality includes keeping track of the state of active connections, as well as deep packet inspection and behavior analysis to identify and block complex threats such as intrusions and malware.

Proxy server

As the name implies, a proxy acts as an intermediary between a user and the internet, offering anonymity and control to protect users from malicious activity. By acting as a middle layer, a proxy server masks a user’s real IP address and can filter internet traffic to prevent exposing users to malware coming from infected websites.

Demilitarized Zone (DMZ)

A DMZ is a physical or logical subnet that separates the local area network of an organization from untrusted networks such as the public internet. This neutral zone sits between two firewalls and protects internal systems from external threats by hosting public-facing services and limiting their interaction with internal systems to explicitly specified services.

Network segmentation

This control involves the use of routers and switches to reduce the attack surface by breaking flat networks into segments that are physically or logically separated and cannot communicate with each other except through explicitly permitted paths. These segments restrict the lateral movement of cyber attackers across the network, help isolate sensitive data, and enforce strict access controls.

Segmentation reduces network complexity, which helps in management, and raises the chances of pinpointing malicious activity.
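As an added illustration (not code from the original article), the following Python models how the default-deny firewall rule described above and segment boundaries work together: a zone-aware stateful filter that admits only explicitly allowed new connections and remembers them so replies pass. The address plan and allow list are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan; anything outside these segments is treated as "internet".
SEGMENTS = {
    "dmz": ipaddress.ip_network("203.0.113.0/24"),
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "management": ipaddress.ip_network("10.99.0.0/24"),
}

# Explicit allow list of (source zone, destination zone, destination port).
# Any new connection not listed here is rejected: default deny.
ALLOWED = {
    ("internet", "dmz", 443),        # public web service hosted in the DMZ
    ("corporate", "internet", 443),  # outbound browsing from the user segment
    ("management", "corporate", 22), # admins reach corporate hosts over SSH
}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int
    syn: bool = True  # True = new connection attempt, False = reply or continuation

def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "internet"

class StatefulFilter:
    """Default-deny filter that remembers the connections it has allowed."""
    def __init__(self):
        self.conns = set()  # (src, sport, dst, dport) of established flows

    def decide(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Traffic belonging to an already-allowed connection passes without a rule lookup.
        if key in self.conns or reverse in self.conns:
            return "ALLOW"
        if not pkt.syn:
            return "DENY"  # stray packet claiming a connection the filter never saw
        if (zone_of(pkt.src), zone_of(pkt.dst), pkt.dport) in ALLOWED:
            self.conns.add(key)
            return "ALLOW"
        return "DENY"  # default deny: the segment boundary blocks everything else
```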

Zero-trust architecture

This is a micro-segmentation approach built on software-defined networking, where every system is assumed to be untrusted and therefore should be isolated. The philosophy behind it is “never trust, always verify”. This requires authentication on multiple parameters such as user identity, device, location, timestamp, and recent activity.

Zero-trust architecture is implemented through small-sized network segments that surround specific assets such as data, applications and services, and grant approved users the specific privileges for which they have an immediate need.


Network access control (NAC)

This control is a solution provided by firewalls to grant or restrict access based on the results of a health check conducted on a user’s device. It is configured with security policies based on operational scenarios and evaluates security compliance by the type of user, device, or operating system. Devices that don’t meet these policies, such as those running an unpatched operating system or lacking the latest antivirus update, are then blocked or isolated. The same solution can also provision guest networks that restrict visitors’ access to corporate information.
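To make the zero-trust and NAC sections above concrete, here is an added Python example (not from the original article) of a per-request access decision that verifies all the parameters the text lists: device posture (patch and antivirus age, as a NAC health check would), user identity, location, time of day, and recent activity. The entitlement policy, thresholds, and sample request are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Device:
    managed: bool               # enrolled in corporate device management
    os_patch_age_days: int      # days since the last OS patch was applied
    av_signature_age_days: int  # days since the last antivirus signature update

@dataclass
class Request:
    user: str
    device: Device
    country: str
    when: datetime              # timezone-aware time of the request
    resource: str
    recent_failures: int        # failed logins for this user in the last hour (assumed signal)

# Constructed entitlement policy: who may reach which resource, from where, and when (UTC hours).
POLICY = {
    "hr-database": {"users": {"alice"}, "countries": {"DE", "FR"}, "hours": (7, 20)},
    "wiki": {"users": {"alice", "bob"}, "countries": {"DE", "FR", "US"}, "hours": (0, 24)},
}
MAX_PATCH_AGE_DAYS = 30
MAX_AV_AGE_DAYS = 7

def device_posture(d: Device) -> str:
    """NAC-style health check: corporate network, remediation (quarantine) network, or guest network."""
    if not d.managed:
        return "guest"
    if d.os_patch_age_days > MAX_PATCH_AGE_DAYS or d.av_signature_age_days > MAX_AV_AGE_DAYS:
        return "remediation"
    return "corporate"

def decide(req: Request):
    """Zero-trust decision: every request is checked on every signal; anything unverified is denied."""
    posture = device_posture(req.device)
    if posture != "corporate":
        return "DENY", f"device posture is {posture}"
    rule = POLICY.get(req.resource)
    if rule is None or req.user not in rule["users"]:
        return "DENY", "user is not entitled to this resource"
    if req.country not in rule["countries"]:
        return "DENY", "request from a location outside policy"
    start, end = rule["hours"]
    if not start <= req.when.astimezone(timezone.utc).hour < end:
        return "DENY", "request outside permitted hours"
    if req.recent_failures >= 3:
        return "DENY", "recent failed logins require step-up verification"
    return "ALLOW", "identity, device, location, time and activity all verified"

def sample_request(**overrides) -> Request:
    """Constructed baseline request that passes every check; any field can be overridden."""
    base = dict(user="alice", device=Device(True, 5, 1), country="DE",
                when=datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc),
                resource="hr-database", recent_failures=0)
    base.update(overrides)
    return Request(**base)
```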

Detective network security

Detective network security involves the use of controls that identify, record, and alert on security intrusions as they occur. These act as a second line of defense whenever preventive network controls have been breached.

Some of the common detective controls include:

Surveillance

This control involves the use of guards or CCTV systems to watch and record the environment surrounding network equipment such as data centers, racks, and access points. CCTV footage is reviewed by security employees and contractors based on alerts received from other detective systems or other pertinent information.

The use of AI for image recognition has recently come to the fore: anomalous behavior can be detected automatically and flagged for review and an appropriate response.

Physical intrusion alarms

These controls alert security personnel whenever there is a physical breach of the environment or facilities housing network equipment. The alarms are triggered by activity picked up by security sensors such as motion sensors, sound sensors, or contact sensors.

Security Information and Event Management (SIEM) systems

A SIEM is a comprehensive security solution that collects security-related events and logs from network devices and other associated technology systems to a centralized repository for correlation and analysis of potential security breaches.

SIEM solutions consolidate data from multiple sources and enrich it with contextual information, which helps quickly determine deviations from normal network behavior and helps security personnel detect, investigate, and respond to intrusions.
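The following Python is an added example (not code from the original article) of the kind of correlation a SIEM performs over collected logs: it normalizes firewall events and raises an alert when a single source is denied against many distinct destinations within a short window, a deviation from normal behavior that is invisible in any one log line. The log sample and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log sample (not real data) in a simple key=value syslog style.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z fw01 DENY src=10.10.4.20 dst=10.10.4.30 dport=445
2024-05-01T10:00:02Z fw01 DENY src=10.10.4.20 dst=10.10.4.31 dport=445
2024-05-01T10:00:02Z fw01 DENY src=10.10.4.20 dst=10.10.4.32 dport=445
2024-05-01T10:00:03Z fw01 DENY src=10.10.4.20 dst=10.10.4.33 dport=3389
2024-05-01T10:00:04Z fw01 DENY src=10.10.4.20 dst=10.10.4.34 dport=22
2024-05-01T10:00:05Z fw01 DENY src=10.10.4.20 dst=10.10.4.35 dport=445
2024-05-01T10:00:06Z fw01 DENY src=10.10.4.20 dst=10.10.4.36 dport=445
2024-05-01T10:05:00Z fw01 DENY src=10.10.7.9 dst=10.99.0.5 dport=22
2024-05-01T10:09:00Z fw01 ALLOW src=10.10.7.9 dst=203.0.113.10 dport=443
2024-05-01T10:40:00Z fw01 DENY src=10.10.4.20 dst=10.10.4.40 dport=445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sensor>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

def parse(text):
    """Normalize raw lines into event dicts; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            ev["dport"] = int(ev["dport"])
            yield ev

def detect_sweeps(text, window=timedelta(minutes=1), min_targets=5):
    """Correlate denies per source: alert when one source is blocked against at least
    min_targets distinct (host, port) pairs inside one sliding window."""
    denies = defaultdict(list)
    for ev in parse(text):
        if ev["action"] == "DENY":
            denies[ev["src"]].append(ev)
    alerts = {}
    for src, events in denies.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            in_window = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            targets = {(e["dst"], e["dport"]) for e in in_window}
            if len(targets) >= min_targets:
                alerts[src] = len(targets)  # one alert per source is enough for this illustration
                break
    return alerts
```

A single denied connection from 10.10.7.9 stays below the threshold, while the burst from 10.10.4.20 is reported with the number of distinct targets it touched.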

Intrusion detection systems (IDS)

An IDS is a security solution that passively monitors network traffic for malicious packets and changes in traffic patterns, then triggers alerts to be acted upon by cybersecurity staff or SIEM solutions. The IDS works by:

Honeypots

A honeypot is a network-attached system used to lure cyber attackers away from the organization’s production systems. This non-production system is designed to mirror enterprise systems and presents itself as an easy target, but in reality it collects intelligence on the tactics used against it.

The data gathered by honeypots is used by cybersecurity analysts to detect intrusions, and the honeypot itself misdirects malicious actors away from critical live systems.

Corrective network security

Corrective controls act after an information security incident has occurred; they help restore network systems to normal working condition and minimize the impact of a cyberattack. Examples of corrective controls in network security include backups, incident response plans, and evidence collection.

Backups

Network configuration information is regularly backed up based on the organization’s retention and continuity requirements. Backups are stored in a safe location, miles away from the production network systems, and are regularly tested to ensure they can be relied upon to restore services in case of a disruption or attack.

Incident response plans (IRPs)

These controls include tried and tested techniques to respond to intrusions and anomalies detected on network systems. Incident response plans include guidance on:

These plans should be regularly reviewed and tested by relevant cybersecurity personnel to ensure they remain effective and reliable whenever an incident occurs.

Evidence collection

Digital forensic techniques are used to identify, collect, and preserve network logs for the purposes of disciplinary and legal action. This is especially crucial where cyberattacks cross international boundaries: the data from the impacted network devices must be handled properly to support investigations and ensure admissibility in court proceedings.

Securing the network: an always-on activity

As the preceding sections show, securing networks is not a one-off activity but a continuous cycle of prevention, detection, and correction driven by events and improvements. A multi-pronged approach that equips cybersecurity teams with the right tools, processes, and knowledge to secure systems and respond effectively to any negative occurrence is a must-have for any organization seeking the best network security posture.

FAQs about Network Security

What is network security?
Network security is the practice of protecting computer networks by implementing preventive, detective, and corrective controls to safeguard data confidentiality, integrity, and availability.

What are the three types of network security controls?
The three categories are preventive controls (e.g., firewalls, IPS, segmentation), detective controls (e.g., SIEM, IDS, surveillance), and corrective controls (e.g., backups, incident response plans).

How does network segmentation improve security?
Segmentation reduces attack surface and limits lateral movement by separating networks into isolated segments with controlled communication paths.

What is zero-trust architecture in network security?
Zero trust assumes no system or user is inherently trusted and requires continuous verification based on identity, device, and contextual factors before granting access.

Why is network security considered an ongoing process?
Because threats evolve constantly, organizations must continuously prevent, detect, and correct vulnerabilities to maintain a strong security posture.
