
Network Security Components

 

 


Designing and implementing a network security architecture means combining different technologies that work at different layers of your infrastructure, spanning on-premises and the cloud. You can deploy separate point systems at each layer, or look for an approach where each network security device works as part of a whole. Those are the two options. Whichever path of security design you opt for, you will use the same network security components, virtual, physical, or a combination of both; the difference is between a platform-based approach and an individual point-solution approach. Some of the traditional security functionality that has been around for decades, such as firewalls, is still very much present, alongside newer ways to protect, especially around endpoint protection.

 



Network Security Components

Key Network Security Components Discussion points:


  • Point solutions or integrated devices.

  • Network security challenges.

  • Recommended starting points.

  • Firewall types and load balancers.

  • Endpoint security and packet brokers.

 

  • A key point: Elements of network security

From the endpoints to the network edge, be it a public or private cloud, we have a number of network security components. Policy and controls are enforced at each layer, giving adequate control and visibility of threats that may seek to access, modify, or break a network and its applications. Firstly, part of network security is provided from the network: these are your IPS/IDS and your virtual and distributed firewall technologies. Second, a portion of network security protects the end applications, known as endpoint security. Of course, you cannot have one without the other, but if you were to pick a favourite, it would be endpoint security. Keep in mind that most of these layers, in most of the security architectures I see in consultancies, are distinct from each other; there may even be a different team looking after each component. This is how it has been for a while, but there needs to be more integration between the layers of security to keep up with the changes in the security landscape.

Diagram: Network security components.

 

Network Security Challenges

Multi-cloud

Applications are now diverse. Container-based virtualization can be hosted both on-premises and in the cloud, enabling hybrid and multi-cloud environments that all need to be protected. The native security controls of a single public cloud are insufficient on their own. For a start, security groups (SGs) in one public cloud do not span multiple clouds without some other technology set sitting in front of both clouds to enable a secure multi-cloud.

 

Multi cloud Terraform

The challenge with the cloud is that dynamic infrastructure means an effectively unbounded volume of resources to track. Multi-cloud deployments add further complexity because each provider has its own interfaces, tools, and workflows. One option is to deploy consistently across multiple clouds with Terraform. Terraform lets you use the same workflow to manage multiple providers and handle cross-cloud dependencies, which simplifies management and orchestration for large-scale, multi-cloud infrastructures.

 

Changes in perimeter location and types

We also know that this new paradigm spreads the perimeter, potentially increasing the attack surface with many new entry points. For example, if you are protecting a microservices environment, each unit of work represents a business function that needs security. So we now have many entry points to protect, moving security closer to the endpoint.

 

  • A key point: A recommended starting point

So we need a multi-layered approach to network security that implements security controls at different points and layers in the network. With this approach, we ensure a robust security posture regardless of network design. The network design should become irrelevant to security: it can change, for example by adding a different cloud, without affecting the security posture. The remainder of the post discusses the common network security components.

Diagram: Security components.

 

Network Security Components

Step1: Access control 

Firstly, we need access control. This is the first step in security. Bad actors are not picky about location when launching an attack; an attack can come from literally anywhere and at any time. Therefore, network security starts with access control, carried out with authentication, authorization and accounting (AAA) and identity management. Authentication proves that a person or service is who they claim to be. Authorization allows them to carry out only the tasks related to their role. Accounting records what they did. Identity management is about managing the attributes related to a user, a group of users, or another identity that may require access.

 

  • A key point: Identity-centric access control

Identity should be based on logical attributes: for example, a completed multi-factor authentication (MFA), a transport layer security (TLS) client certificate, the application service, or a logical label/tag. Be careful with labels/tags when you have cross-domain security, since a label is only as trustworthy as the process that assigns it in each domain. So, rather than basing policies on IP addresses, as you may have done in the past, policies are based on logical attributes. This gives an identity-centric design built around the user identity and not the IP address.

Once the initial security controls are passed, a firewall security device ensures that users can only access the services they are allowed to. These devices decide who gets access to which parts of the network. Depending on the design, the network is divided into different zones or micro-segments. Micro-segments are the more granular option; the difference between macro-segmentation and micro-segmentation is covered below.

 

  • A key point: Dynamic access control

Access control is the most important component of an organization's cybersecurity protection. For too long, access control has been based on static entitlements. Now we demand dynamic access control, with decisions made in real time. Access control must support an agile IT approach with dynamic workloads across multiple cloud environments. The key point is that access control is dynamic and real-time, constantly assessing the request and determining its risk level, thereby preventing unauthorized access and reconnaissance such as a UDP scan. We also have zero trust network design tools such as single packet authorization (SPA) that keep the network dark until all approved security controls have been passed. Only then is access granted.

Diagram: Identity centric access control.
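The following is an added example, not code from the post, showing what an identity-centric, real-time decision looks like when written down: every input to the policy is a logical attribute (user identity, completed MFA, a validated TLS client certificate subject, a device label, recent failed logins), the source IP is carried only for accounting and is never consulted, and the risk score is recomputed on each request rather than read from a static entitlement. The entitlement table, the certificate requirement and the risk threshold are hypothetical.

```python
"""Identity-centric, real-time access decision.

Added example, not code from the post. Policy inputs are logical attributes
(user identity, completed MFA, validated TLS client certificate, device label,
recent failed logins); the source IP is carried only for accounting and is never
a policy input. Entitlement table, cert requirement and threshold are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class AccessRequest:
    user: str
    service: str                      # target application service
    mfa_completed: bool
    tls_cert_subject: Optional[str]   # subject of a validated client cert, or None
    device_label: str                 # logical tag, e.g. "managed" / "unmanaged"
    source_ip: str                    # recorded for accounting, deliberately not used in policy
    failed_logins_last_hour: int = 0


# Role entitlements: which services each identity may reach (hypothetical).
ROLE_SERVICES = {
    "alice": {"payments-api", "reporting"},
    "bob": {"reporting"},
}

# Services that additionally require a specific client certificate (hypothetical).
CERT_REQUIRED = {"payments-api": "CN=payments-client"}


def risk_score(req: AccessRequest) -> int:
    """Risk is recomputed on every request from live attributes, not a static entitlement."""
    score = 0
    if req.device_label != "managed":
        score += 30
    score += min(req.failed_logins_last_hour, 5) * 10
    return score


def decide(req: AccessRequest, max_risk: int = 50) -> Tuple[bool, str]:
    """AAA order: authenticate (MFA, cert), authorize (role), then apply dynamic risk."""
    if not req.mfa_completed:
        return False, "authentication: MFA not completed"
    needed = CERT_REQUIRED.get(req.service)
    if needed and req.tls_cert_subject != needed:
        return False, f"authentication: {req.service} requires client cert {needed}"
    if req.service not in ROLE_SERVICES.get(req.user, set()):
        return False, f"authorization: {req.user} is not entitled to {req.service}"
    score = risk_score(req)
    if score > max_risk:
        return False, f"denied: risk {score} exceeds threshold {max_risk}"
    # Accounting would log req.source_ip here for audit; it never drove the decision.
    return True, f"allow (risk {score})"


if __name__ == "__main__":
    ok = AccessRequest("alice", "payments-api", True, "CN=payments-client", "managed", "10.1.1.5")
    print(decide(ok))
    # Same identity, same attributes, different source address: same decision.
    print(decide(AccessRequest("alice", "payments-api", True, "CN=payments-client", "managed", "203.0.113.9")))
    # Unmanaged device plus three recent failed logins pushes risk over the threshold.
    print(decide(AccessRequest("alice", "reporting", True, None, "unmanaged", "10.1.1.5", 3)))
```

The point of the second call is that moving the user to another network does not change the outcome, which is exactly what an IP-based rule set cannot offer; the third call shows the decision changing because the live attributes changed, with no edit to the entitlement table.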

 

Network Security Components

Step2: The firewall and firewall design locations

A firewalling strategy can give your environment different firewalls, capabilities, and defence-in-depth levels. Each firewall type, positioned in a different part of the infrastructure, forms a security layer, and together they provide defence in depth and a robust security architecture. At a high level, there are two firewalling types: internal firewalls, which can be distributed among the workloads, and border-based (edge) firewalls. The different firewall types offer capabilities that begin with basic packet filters, reflexive ACLs and stateful inspection and extend to next-generation features such as micro-segmentation and dynamic access control. These can be physical or virtualized. A firewall purpose-built for a particular role should not be repurposed to carry out functions that belong to, and are designed for, a different firewall type.

 

The edge firewall

Macro segmentation

The firewall monitors and controls incoming and outgoing network traffic based on predefined security rules, establishing a barrier between the trusted network and the untrusted network. At the network's edge, the firewall commonly inspects Layer 3 to Layer 4. To reduce hairpinning and re-architecture, we also have internal firewalls. We can put an IPS/IDS or an AV engine on an edge firewall, but in the classic definition, the edge firewall does access control and segmentation based on IP subnets, known as macro segmentation. Macro segmentation is another term for traditional network segmentation. It is still the most prevalent segmentation technique in most networks and has both benefits and drawbacks.

 

Same segment, same sensitivity level 

It is easy to implement, and it assumes that all endpoints in the same segment have (or should have) the same security level and, by security policy, can talk freely. We will always have groups of endpoints of similar security levels, and for those macro segmentation is a perfect choice. Why introduce complexity when you do not need to?

 

Micro-segmentation

The same edge firewall can be used for more granular segmentation, known as micro-segmentation. Here the firewall works at a finer granularity, logically dividing the data center into distinct security segments down to the individual workload level, and then defines security controls and delivers services for each unique segment. Each endpoint has its own segment and cannot talk outside that segment without a policy allowing it. Alternatively, a dedicated internal firewall can do the micro-segmentation.

 

Cisco ACI and microsegmentation

One micro-segmentation option is Endpoint Groups (EPGs) in Cisco ACI. ACI policy is based on contracts, which have subjects and filters that restrict traffic and enable the policy. Within an EPG, traffic is unrestricted; for traffic to cross EPGs, a contract is needed.

 

Internal firewalls 

Internal firewalls inspect higher up in the application stack and can have different types of firewall context. They operate at the workload level, creating secure micro-perimeters with application-based security controls. The firewall policies are application-centric and purpose-built for firewalling east-west traffic, combining Layer 7 network controls with a stateful firewall at the workload level.
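To make the macro versus micro distinction from the preceding sections concrete (subnet zones on the edge firewall, EPGs and contracts in the ACI model), here is an added example that is not code from the post. It evaluates the same flows against a subnet-zone rule table and against an EPG membership plus contract table; the zones, EPG names, addresses and contracts are all constructed for the example.

```python
"""Macro vs micro segmentation policy check.

Added example, not code from the post. Macro: zones are IP subnets; anything in
a zone talks freely and zone-to-zone traffic follows a zone rule table. Micro:
each workload belongs to an endpoint group (EPG) by label, regardless of subnet;
intra-EPG traffic is unrestricted, inter-EPG traffic needs a matching contract.
Zones, EPGs, addresses and contracts are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str   # "tcp" / "udp"
    dport: int


# --- Macro segmentation: subnet-based zones on the edge firewall -------------
ZONES = {
    "web": ipaddress.ip_network("10.10.0.0/24"),
    "db": ipaddress.ip_network("10.20.0.0/24"),
}
# (src_zone, dst_zone) -> allowed (proto, dport); same-zone traffic is free.
ZONE_RULES = {
    ("web", "db"): {("tcp", 5432)},
}


def zone_of(ip: str):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def macro_allows(flow: Flow) -> bool:
    s, d = zone_of(flow.src_ip), zone_of(flow.dst_ip)
    if s is None or d is None:
        return False
    if s == d:
        return True   # same segment, same sensitivity: free to talk
    return (flow.proto, flow.dport) in ZONE_RULES.get((s, d), set())


# --- Micro segmentation: EPG membership plus contracts -------------------------
# Workload -> EPG, assigned by label, not by subnet. Two VMs on the same /24
# belong to different EPGs.
EPG_OF = {
    "10.10.0.11": "shop-web",
    "10.10.0.12": "admin-web",
    "10.20.0.21": "shop-db",
}
# Contract: (provider EPG, consumer EPG) -> filters (subject) it permits.
CONTRACTS = {
    ("shop-db", "shop-web"): {("tcp", 5432)},
}


def micro_allows(flow: Flow) -> bool:
    s, d = EPG_OF.get(flow.src_ip), EPG_OF.get(flow.dst_ip)
    if s is None or d is None:
        return False          # unknown workload: default deny
    if s == d:
        return True           # intra-EPG traffic is unrestricted
    # Consumer (src) reaches provider (dst) only through a contract.
    return (flow.proto, flow.dport) in CONTRACTS.get((d, s), set())


def compare(flow: Flow) -> dict:
    return {"macro": macro_allows(flow), "micro": micro_allows(flow)}


if __name__ == "__main__":
    for f in (
        Flow("10.10.0.11", "10.20.0.21", "tcp", 5432),   # shop web -> shop db
        Flow("10.10.0.12", "10.20.0.21", "tcp", 5432),   # admin web -> shop db
        Flow("10.10.0.11", "10.10.0.12", "tcp", 22),     # lateral move inside the /24
    ):
        print(f, compare(f))
```

The second and third flows are where the approaches diverge: the subnet rule cannot tell the two web VMs apart, so it lets the admin host reach the shop database and lets either host SSH to the other, whereas the EPG model denies both because no contract exists.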

 

Diagram: Firewall design locations.

 

Virtual firewalls and VM NIC firewalling

Virtualization internal to the network introduces the world of virtual firewalls, and I often see virtualized firewalls here. The virtual firewalls are the internal firewalls distributed close to the workloads. One example is the VM NIC firewall. In a virtualized environment, the VM NIC firewall is a packet filtering function inserted between the virtual network interface card (vNIC) of the virtual machine (VM) and the hypervisor's virtual switch. All traffic that goes in and out of the VM has to pass through this virtual firewall.

 

Web application firewalls (WAF)

For application-level firewalling we can use web application firewalls (WAF). These devices are similar to reverse proxies: they terminate the client session and initiate a new one to the internal hosts. The WAF has been around for quite some time to protect web applications by inspecting HTTP traffic. Because it sees the full HTTP payload, it can identify illegal payloads and bad behaviour patterns far better than a simple VM NIC packet filter. A WAF protects against a list of common web attacks such as SQL injection and cross-site scripting, using pattern-matching techniques against the HTTP traffic. Handling these dynamic, application-layer threats has been the main source of the value a WAF brings.

 

Network Security Components

Step3: The load balancer

Load balancing refers to efficiently distributing incoming network traffic across a group of backend servers, also known as a server farm or server pool. For security, a load balancer has some useful capabilities and can absorb a lot of attacks, such as a volumetric DDoS attack. Here we can have an elastic load balancer running in software, sitting in front of a web property and balancing across the various front ends, i.e., the web servers. If it sees an attack, it can apply certain techniques, such as rate limiting abusive sources. So it is doing more than the load balancing function and providing a security function too.
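As an added example (not code from the post), the following software load balancer does the two jobs the paragraph describes: round-robin distribution across a backend pool, plus a per-source token bucket so that one source flooding requests is shed at the balancer before it reaches the web servers. The backend names, rate and burst size are hypothetical, and time is passed in explicitly so the behaviour is reproducible.

```python
"""Software load balancer with a per-source rate limit.

Added example, not code from the post. Round-robin distribution across a backend
pool plus a token-bucket limit per source address, so a single flooding source is
shed before it reaches the web servers. Pool, rate and burst are hypothetical;
the clock is injected so the example is deterministic.
"""
from collections import defaultdict, deque


class TokenBucket:
    def __init__(self, rate_per_sec: float, burst: int, now: float):
        self.rate = rate_per_sec
        self.burst = burst
        self.tokens = float(burst)
        self.last = now

    def take(self, now: float) -> bool:
        # Refill proportional to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class LoadBalancer:
    def __init__(self, backends, rate_per_sec: float = 5.0, burst: int = 10):
        self.backends = deque(backends)
        self.rate = rate_per_sec
        self.burst = burst
        self.buckets = {}                 # source IP -> TokenBucket
        self.dropped = defaultdict(int)   # source IP -> requests shed

    def route(self, src_ip: str, now: float):
        """Return the backend that should serve this request, or None if it is shed."""
        bucket = self.buckets.get(src_ip)
        if bucket is None:
            bucket = self.buckets[src_ip] = TokenBucket(self.rate, self.burst, now)
        if not bucket.take(now):
            self.dropped[src_ip] += 1
            return None                   # security function: shed before the pool
        backend = self.backends[0]
        self.backends.rotate(-1)          # load balancing function: round-robin
        return backend


if __name__ == "__main__":
    lb = LoadBalancer(["web1", "web2", "web3"], rate_per_sec=5, burst=10)
    # Constructed flood: 12 requests in the same instant from one source.
    print([lb.route("198.51.100.7", now=0.0) for _ in range(12)])
    # A legitimate client at the same instant is unaffected.
    print(lb.route("10.1.1.5", now=0.0))
    print(dict(lb.dropped))
```

The per-source bucket is what makes this a security function rather than just distribution: the flooding source exhausts its own budget and is dropped, while the pool keeps rotating for everyone else.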

 

Network Security Components

Step4: The IDS 

Traditionally the IDS consists of a sensor installed on the network that monitors traffic for a set of defined signatures. The signatures are downloaded, typically daily, and applied to network traffic. Traditional IDS systems do not learn from behaviour over time or from other network security devices. The solution only looks at a specific point in time, lacking an overall picture of what is happening on the network.

They operate from an island of information, examining individual packets and trying to ascertain whether there is a threat. This approach results in many false positives that cause alert fatigue. Also, when a trigger does occur, there is often no copy of the network traffic with which to investigate. Without it, how do you know the next stage of events? Working with a bare IDS, security professionals are often stuck with what to do next.

 

  • A key point: IPS/IDS  

Then we have the IPS/IDS. Firewalls use a static set of rules limiting network access, but they do not monitor for malicious activity. An IPS/IDS examines network traffic flows to detect and prevent vulnerability exploits. The classic IPS/IDS is in most cases deployed behind the firewall and typically performs protocol analysis and signature matching on various parts of the data packet. The protocol analysis is, in some sense, a compliance check against the publicly declared specification of the protocol: if someone is abusing some of the protocol's fields, the basic protocol checks catch it. Then the IPS/IDS uses signatures to prevent known attacks. For example, an IPS/IDS uses signatures to block known SQL injection patterns.
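The following added example (not code from the post) runs the two checks just described, a protocol compliance check against the HTTP/1.x request-line grammar and signature matching, over constructed traffic. It also shows the two weaknesses raised in the IDS section: a sensor that inspects each packet in isolation misses a signature that straddles a segment boundary, and a signature fires on a benign comment that merely mentions "UNION SELECT", which is where the false positives come from. The signatures, request samples and sequence numbers are all constructed.

```python
"""Signature IDS: isolated packets vs reassembled stream, plus a protocol check.

Added example, not code from the post. Two checks in the classic IPS/IDS order:
a protocol compliance check (does the request obey the HTTP/1.x request-line
grammar?) and signature matching after percent-decoding. The packet-level matcher
sees one TCP segment at a time; the stream matcher reassembles segments by
sequence number first. Signatures and all sample traffic are constructed.
"""
import re
from urllib.parse import unquote_to_bytes

SIGNATURES = {
    "sqli-union-select": re.compile(rb"union\s+select", re.IGNORECASE),
    "xss-script-tag": re.compile(rb"<script\b", re.IGNORECASE),
}
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def protocol_violations(request: bytes):
    """Compliance check against the declared protocol: request line and header terminator."""
    problems = []
    if not REQUEST_LINE.match(request):
        problems.append("malformed request line")
    if b"\r\n\r\n" not in request:
        problems.append("headers not terminated")
    return problems


def match_signatures(data: bytes):
    """Percent-decode first so '%20' cannot hide the whitespace a signature expects."""
    decoded = unquote_to_bytes(data)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))


def reassemble(segments):
    """Order (seq, payload) pairs by sequence number and join them."""
    return b"".join(p for _seq, p in sorted(segments, key=lambda s: s[0]))


def packet_level_alerts(segments):
    """Classic sensor: each segment inspected in isolation."""
    alerts = set()
    for _seq, payload in segments:
        alerts.update(match_signatures(payload))
    return sorted(alerts)


def stream_level_alerts(segments):
    """Reassemble first, then inspect the whole request."""
    return match_signatures(reassemble(segments))


# Constructed injection attempt, split so "UNION SELECT" straddles the segment
# boundary; the segments also arrive out of order.
INJECTION_SEGMENTS = [
    (25, b"ON%20SELECT%20password%20FROM%20users-- HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    (1, b"GET /search?q=1%27%20UNI"),
]

# Constructed benign request: a comment about SQL that trips the same signature
# (the false-positive / alert-fatigue problem: a signature cannot judge intent).
BENIGN_COMMENT = (
    b"POST /comments HTTP/1.1\r\nHost: blog.example\r\n\r\n"
    b"text=use%20UNION%20SELECT%20to%20merge%20result%20sets"
)

# Constructed non-HTTP garbage sent to port 80: caught by the protocol check alone.
MALFORMED = b"GET /\x00 HTTP/9\r\n"

if __name__ == "__main__":
    print("packet-level:", packet_level_alerts(INJECTION_SEGMENTS))
    print("stream-level:", stream_level_alerts(INJECTION_SEGMENTS))
    print("protocol (reassembled):", protocol_violations(reassemble(INJECTION_SEGMENTS)))
    print("benign comment:", match_signatures(BENIGN_COMMENT))
    print("malformed:", protocol_violations(MALFORMED), match_signatures(MALFORMED))
```

Note that the injection request is perfectly well-formed HTTP, so the protocol check passes it and only the signature stage can catch it, and only after reassembly; the garbage request is the opposite case, where no signature matches but the protocol check flags it.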

 

Move security to the workload

Like the application-based firewalls, the IPS/IDS functionality at each workload ensures comprehensive coverage without any blind spots. So as you can see, the security functions are moving much closer to the workloads, bringing the perimeter from the edge to the workload.

 

 

Network Security Components

Step5: Endpoint Security

Network detection and response 

Then we have the network detection and response solutions. Network detection and response (NDR) solutions are designed to detect cyber threats on corporate networks using machine learning and data analytics. They can help you discover evidence, on the network and in the cloud, of malicious activities that are in progress or have already occurred. Some analysts promote NDR tools as "next-gen IDS". One of the big differences between NDR and old IDS tools is that NDR tools use multiple machine learning (ML) techniques to identify normal baselines and anomalous traffic, rather than static rules or IDS signatures, which struggle with dynamic threats.

 

Anti-malware gateway

Anti-malware gateway products have a very specific job. They intercept the download, take the file, and try to open it. Files are put through a sandbox to test whether they contain anything malicious. The bad actors who develop malware test against these systems before releasing it, so the gateways often lag one step behind. Also, anti-malware gateways are limited in scope and focus on nothing but malware.

Endpoint detection and response (EDR) solutions look for evidence and effects of malware that may have slipped past endpoint protection platform (EPP) products. EDR tools are also used to find signs of malicious insider activity such as data exfiltration attempts, left-behind accounts, and open ports. Endpoint security has the best opportunity to detect several threats and is the closest to providing a holistic offering. It is probably the best point solution, but remember, it is still just a point solution.

 

  • A key point: DLP security 

By monitoring the machine and its processes, endpoint security is there for the long haul, instead of assessing a file on a once-off basis. It can see when malware is executing and then enforce DLP. Data Loss Prevention (DLP) solutions are security tools that help organizations ensure that sensitive data, such as Personally Identifiable Information (PII) or intellectual property (IP), does not leave the corporate network or reach a user without access. However, endpoint security does not cover the more sophisticated use cases. For example, it does not care what you print or which Google Drive folders you share.

 

  • A key point: Endpoint security and correlation?

In general, endpoint security does not do any correlation. For example, say a .exe connects to the database; there is nothing on the endpoint to say whether that connection is malicious. Endpoint security finds it hard to distinguish the malicious from the legitimate unless there is a signature. Again, it is the best point solution, but it is not a managed service and does not have a holistic view.

Diagram: Endpoint security.

The issue with point solutions

The security landscape is constantly evolving, and to have any chance, security solutions also need to evolve. There needs to be a more focused approach, constantly developing security in line with today's and tomorrow's threats. The way to do that is not to keep buying more point solutions that are not integrated, but to make continuous investments to ensure the detection algorithms are accurate and complete. With point solutions, even changing the firewall may mean buying a new physical or virtual device.

 

Complex and scattered

That is almost impossible to do with the various point solutions, each with complex integration points scattered through the network domain. It is far more beneficial, for example, to update an algorithm once than to update a number of point solutions scattered throughout the network. A point solution addresses one issue and requires a considerable amount of integration. You must continuously add solutions to the stack, increasing management overhead and complexity, not to mention license costs.

 

Would you like to buy a car or all the parts?

Consider that you are looking for a new car. Would you prefer to build the car from all the different parts or buy the already-built car? Security, the way it is geared up at the moment, is provided in parts. So I have to add this part here and that part there, and none of these parts connect. Each part must be carefully integrated with another. It is your job to support, manage and build the stack over time, and for this you must be an expert in all the different parts.

 

    • Example: Log management

Take a log management system that needs to integrate numerous event sources such as firewalls, proxy servers, endpoint detection and response, and behavioural analytics solutions. Then we have the SIEM, which collects logs from multiple systems. SIEMs are challenging to deploy and require a huge amount of work to integrate with existing systems. How do logs get into the SIEM when the device is offline? How do you normalize the data, write the rules that detect suspicious activity, and then investigate whether the alerts are legitimate? The results you get from a SIEM are often poor considering the investment you have to make, and considerable resources are needed to pull it off successfully.
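The normalization and rule-writing work mentioned above, and the correlation gap described earlier in the endpoint section (a .exe connecting to the database that the endpoint alone cannot judge), are shown together in this added example, which is not code from the post. A firewall syslog line and an endpoint agent JSON record are normalized to one event shape, and a rule correlates an allowed flow to the database port with an unexpected process start on the same host inside a short window. The log formats, addresses, the database port and the process allow-list are all constructed.

```python
"""Normalize two log sources to one event shape and correlate them.

Added example, not code from the post. The endpoint agent sees a process start;
the firewall sees a flow. Neither alone says the database connection is
malicious. Once both are normalized, a rule correlates "process not on the
database-client allow-list" with "allowed flow to the database port from the
same host within a time window". Log formats, addresses and the allow-list are
constructed for the example.
"""
import json
import re
from datetime import datetime, timedelta

# Constructed key/value syslog format for a firewall named fw01.
FW_LINE = re.compile(
    r"^(?P<ts>\S+) fw01 .*?src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+) action=(?P<action>\w+)"
)


def parse_firewall(line: str):
    """Firewall syslog line -> normalized event, or None if it does not parse."""
    m = FW_LINE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "source": "firewall",
            "event": "flow", "host": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "action": m["action"]}


def parse_endpoint(line: str):
    """Endpoint agent JSON record -> normalized event."""
    rec = json.loads(line)
    return {"ts": datetime.fromisoformat(rec["timestamp"]), "source": "endpoint",
            "event": "process_start", "host": rec["host_ip"],
            "image": rec["image"], "signed": rec["signed"]}


ALLOWED_DB_CLIENTS = {r"C:\app\orders.exe"}   # hypothetical allow-list
DB_PORT = 5432                                # hypothetical database port


def correlate(events, window_sec: int = 60):
    """Flag an allowed DB flow from a host that just started an unexpected process."""
    flows = [e for e in events if e["event"] == "flow"
             and e["dport"] == DB_PORT and e["action"] == "allow"]
    procs = [e for e in events if e["event"] == "process_start"
             and e["image"] not in ALLOWED_DB_CLIENTS]
    alerts = []
    for flow in flows:
        for proc in procs:
            if proc["host"] != flow["host"]:
                continue
            if timedelta(0) <= flow["ts"] - proc["ts"] <= timedelta(seconds=window_sec):
                alerts.append({"host": flow["host"], "image": proc["image"],
                               "dst": flow["dst"], "signed": proc["signed"]})
    return alerts


# Constructed sample logs: one expected DB client, one unknown unsigned binary.
FIREWALL_LOGS = [
    "2024-05-01T10:00:05+00:00 fw01 conn src=10.10.0.11 dst=10.20.0.21 proto=tcp dport=5432 action=allow",
    "2024-05-01T10:00:40+00:00 fw01 conn src=10.10.0.12 dst=10.20.0.21 proto=tcp dport=5432 action=allow",
    "2024-05-01T10:01:00+00:00 fw01 conn src=10.10.0.12 dst=203.0.113.50 proto=tcp dport=443 action=allow",
]
ENDPOINT_LOGS = [
    r'{"timestamp": "2024-05-01T10:00:01+00:00", "host_ip": "10.10.0.11", "image": "C:\\app\\orders.exe", "signed": true}',
    r'{"timestamp": "2024-05-01T10:00:30+00:00", "host_ip": "10.10.0.12", "image": "C:\\Users\\Public\\update.exe", "signed": false}',
]


def run():
    events = [e for e in map(parse_firewall, FIREWALL_LOGS) if e]
    events += [parse_endpoint(line) for line in ENDPOINT_LOGS]
    return correlate(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Each source on its own is silent here: the firewall allowed both database flows by policy, and the endpoint saw an unsigned binary start but nothing it would call malicious. Only the joined view, keyed on host and time, produces the single alert, which is the correlation the text says a point solution lacks.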

 

  • A note: Security controls from the different vendors 

As a final note, consider how you administer security controls from different vendors. How do you utilize the different security controls from different vendors, and more importantly, how do you use them alongside one another? For example, Palo Alto Networks uses App-ID, a patented traffic classification system only available in Palo Alto Networks firewalls. Other vendors' devices in the network will not support this feature. This poses the question: how do I utilize next-generation features from one vendor on adjacent devices that do not support them? Your network needs the ability to support features from one product across the entire network and consolidate them into one view. How do I use all the next-generation features without standardizing on one vendor?

 

A key point: Use of a packet broker

It would be better to be able to change an algorithm once and have it affect all the firewalls operating in your network. That would be an example of an advanced platform controlling all your infrastructure. Another common example is a packet broker that sits in the middle of all these tools: it fetches data from the network and the endpoints and then feeds it to your existing security tools. Essentially, this ensures there are no blind spots in the network. The packet broker should support any workload and be able to send to any existing security tool. Now we are bringing information from the network into your existing security tools, adopting a network-centric approach to security.

 

Matt Conran: The Visual Age