Public cloud, private cloud, on-premises — the sheer number of options available for organizational networks today means new requirements for network security. The “protect the network perimeter” model of the past no longer works, and network security leaders are embracing new approaches.
“Network security can be complex, yet it is foundational to all other information security systems,” says Thomas Lintemuth, Senior Director Analyst, Gartner. “The good news is that network security is a mature market with strong, established providers, along with innovative startups that are constantly bringing new and better technology to keep the network safe and the assets protected.”
Here, we provide a primer on the key concepts to understand for a modern network security architecture. Beginning with the roles and responsibilities of network security leaders, and then moving to a logical architecture that maps the range of security requirements, offers a strong foundation on which to build.
17 key network security concepts
Network security architect refers to a set of responsibilities related to cloud security architecture, network security architecture and data security architecture. Depending on the size of the organization, there might be a separate person responsible for each of these domains. Alternatively, an organization might tap a single individual to oversee them all. Regardless of the approach, organizations need to define who has this responsibility, and give them the authority to make mission-critical decisions.
Network risk assessment is the full inventory of the ways in which nefarious or careless actors, internal and external, could use the network to attack connected resources. A full assessment allows the organization to define risks and mitigate them with security controls. These risks could include:
- Poorly understood systems or processes
- Systems whose risk level is hard to measure
- “Hybrid” systems that are subject to both business and technology risk
Crafting useful assessments requires collaboration between IT and business stakeholders to understand the span of risks. Working together to build a shared understanding of the broad risk picture is as important as the resulting set of risk requirements.
Zero-Trust Architecture (ZTA) is a network security paradigm that operates from the assumption that some actors on the network are hostile, and there are too many entry points to fully protect. An effective security stance therefore protects the assets on the network rather than the network itself. As it relates to users, a proxy decides whether to grant each access request based on a risk profile calculated from combined contextual factors such as the application, location, user, device, time of day, data sensitivity and so forth. As the name indicates, ZTA is an architecture, not a product. You can’t buy it; however, you can develop it from some of the technical elements included in this list.
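As an added illustration (not Gartner's code, and not any vendor's product), the following Python sketch shows the per-request decision a zero-trust proxy makes: it combines the contextual factors named above into a risk score and returns allow, step-up or deny. The weights, thresholds and the hard rule for restricted data are assumed policy values chosen for the example.

```python
"""Added example: a minimal zero-trust policy decision point.

Each access request is scored from combined context (user role, device posture,
location, time of day, data sensitivity) and decided individually. The weights
and thresholds are illustrative assumptions, not values from the article.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user_role: str          # e.g. "finance", "engineer", "contractor"
    device_managed: bool    # enrolled in device management / passes posture check
    device_patched: bool    # OS and agent up to date
    location: str           # "office", "home" or "unknown"
    hour: int               # local hour of day, 0-23
    application: str        # target application name
    data_sensitivity: str   # "public", "internal", "confidential", "restricted"


# Assumed risk weights: a higher number means a riskier request.
SENSITIVITY_RISK = {"public": 0, "internal": 10, "confidential": 25, "restricted": 40}
LOCATION_RISK = {"office": 0, "home": 10, "unknown": 30}


def risk_score(req: AccessRequest) -> int:
    """Combine the contextual factors into one risk score (assumed weighting)."""
    score = SENSITIVITY_RISK[req.data_sensitivity] + LOCATION_RISK.get(req.location, 30)
    if not req.device_managed:
        score += 30
    if not req.device_patched:
        score += 15
    if req.hour < 6 or req.hour > 22:   # outside normal working hours
        score += 10
    if req.user_role == "contractor":
        score += 10
    return score


def decide(req: AccessRequest) -> str:
    """Per-request decision: 'allow', 'step-up' (require MFA) or 'deny'."""
    # Hard rule: restricted data is never served to an unmanaged device, whatever the score.
    if req.data_sensitivity == "restricted" and not req.device_managed:
        return "deny"
    score = risk_score(req)
    if score < 30:
        return "allow"
    if score < 60:
        return "step-up"      # require stronger authentication before proxying
    return "deny"
```

Because the decision is made per request and per application, the same user on the same device can be allowed into one application and challenged or refused for another.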
Network firewall is a mature and well-known security product with a range of functionality aimed at preventing anyone from directly accessing the network servers that host an organization’s applications and data. Network firewalls offer flexibility and are used for on-premises networks as well as cloud. For the cloud, there are cloud-focused products, as well as methods that IaaS providers deploy to fulfill some of the same functions.
Secure web gateway has evolved from its past purpose of optimizing internet bandwidth toward protecting users from malicious content from the internet. Functions such as URL filtering, anti-malware, decrypting and inspecting websites accessed via HTTPS, data loss prevention (DLP) and a limited form of cloud access security broker (CASB) are now standard.
Remote access is becoming less reliant on virtual private networks (VPNs) and increasingly reliant on zero trust network access (ZTNA) that keeps assets invisible to users and uses contextual profiles to facilitate access to individual applications.
Intrusion Prevention System (IPS) protects against vulnerabilities that cannot be patched (e.g. on packaged applications that the service provider no longer supports) by placing an IPS appliance in-line with the unpatched server to detect and block an attack. IPS functionality is often included in other security products, but stand-alone products also exist. IPS is experiencing a resurgence because cloud-native controls have been slow to include it.
Network access control provides visibility over everything on the network and policy-based control over access to the network infrastructure. Policies may define access based on the user’s role, authentication or other factors.
Network packet broker appliances process network traffic so that other monitoring appliances, such as those dedicated to network performance monitoring and security-related monitoring, can operate more efficiently. Features include packet data filtering to identify the risk level, distributing packet loads and hardware-based time stamp insertions, among others.
Sanitized Domain Name System (DNS) is a vendor-provided service that operates as the domain name system for an organization, preventing end users (including remote workers) from accessing sites that have a poor reputation.
DDoS mitigation limits the disruptive impact of distributed denial of service (DDoS) attacks on the network’s operations. The products take a multi-layered approach to protect the network resources inside the firewall, the resources that are on-premises but in front of the network firewall, and resources external to the organization, such as those from internet service providers or content delivery networks.
Network Security Policy Management (NSPM) involves analytics and auditing to optimize the rules that guide network security, as well as change management workflow, rule-testing and compliance assessment and visualization. NSPM tools may use a visual network map that shows all the devices and firewall access rules overlaid onto multiple network paths.
Microsegmentation is the technology that inhibits an attacker already on the network from moving laterally within it to access critical assets. Microsegmentation tools for network security come in three categories:
- Network-based tools are deployed at the network level, often in conjunction with software-defined networking, and serve to protect assets that are connected to the network.
- Hypervisor-based tools were the original form of microsegmentation, developed to increase visibility of the opaque network traffic moving between different hypervisors.
- Host-agent-based tools install an agent on the hosts to be segmented off from the rest of the network; host-agent solutions work equally well on cloud workloads, hypervisor workloads and physical servers.
Secure Access Service Edge (SASE) is an emerging framework that combines comprehensive network security functions, such as SWG, SD-WAN and ZTNA, to name three, with comprehensive WAN capabilities to support the secure access needs of organizations. More a concept than a framework, the goal of SASE is to deliver a unified security service model for providing functionality across a network in a way that is scalable, flexible and low-latency.
Network detection and response continuously analyzes inbound and outbound traffic and flow records to document normal network behavior, so it can identify and alert the organization about anomalies. The tools use a combination of machine learning (ML), heuristics, analytics and rule-based detection.
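To make the baseline-then-deviate idea concrete, here is an added Python example (not Gartner's code and not any NDR product's logic) that learns, per internal host, which destination ports it normally uses and how much data it normally sends from a set of constructed flow records, then flags flows that use a never-seen port (rule-based) or move far more data than usual (heuristic). The flow tuples, IP addresses and the z-score threshold are constructed assumptions.

```python
"""Added example: baseline-and-deviate detection over flow records.

Learns per-source-host normal behaviour from a training window of flows, then
scores new flows against it. All flow data below is constructed sample input.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (src_host, dst_host, dst_port, bytes_out)
BASELINE_FLOWS = [
    ("10.0.1.5", "10.0.2.10", 443, 12_000), ("10.0.1.5", "10.0.2.10", 443, 15_000),
    ("10.0.1.5", "10.0.2.11", 53, 300),     ("10.0.1.5", "10.0.2.10", 443, 13_500),
    ("10.0.1.5", "10.0.2.11", 53, 280),     ("10.0.1.5", "10.0.2.10", 443, 14_000),
]
NEW_FLOWS = [
    ("10.0.1.5", "10.0.2.10", 443, 14_200),         # within normal range
    ("10.0.1.5", "203.0.113.9", 443, 950_000_000),  # unusually large outbound transfer
    ("10.0.1.5", "10.0.2.12", 3389, 2_000),         # port never seen from this host
]


def build_baseline(flows):
    """Per source host: the set of known destination ports and bytes mean/stddev."""
    ports, sizes = defaultdict(set), defaultdict(list)
    for src, _dst, dport, nbytes in flows:
        ports[src].add(dport)
        sizes[src].append(nbytes)
    return {src: {"ports": ports[src], "mean": mean(sizes[src]),
                  "stdev": pstdev(sizes[src])} for src in ports}


def detect(flows, baseline, z_threshold=3.0):
    """Return (flow, reason) for every flow that deviates from its host's baseline."""
    alerts = []
    for flow in flows:
        src, _dst, dport, nbytes = flow
        base = baseline.get(src)
        if base is None:
            alerts.append((flow, "no baseline for source host"))     # rule-based
            continue
        if dport not in base["ports"]:
            alerts.append((flow, f"new destination port {dport}"))   # rule-based
        spread = base["stdev"] or 1.0                                # avoid divide-by-zero
        if (nbytes - base["mean"]) / spread > z_threshold:           # heuristic
            alerts.append((flow, "outbound volume far above baseline"))
    return alerts
```

A real NDR platform learns far richer features (timing, peer groups, protocol behaviour) and keeps updating the baseline, but the shape of the logic, learn normal then alert on deviation, is the same.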
DNS Security Extensions (DNSSEC) is an add-on to the DNS protocol that aims to authenticate DNS responses. The security benefits of DNSSEC require digitally signing validated DNS data, which is processor-intensive.
Firewall as a Service (FWaaS) is a newer technology closely related to cloud-based SWG. The difference is in the architecture: FWaaS operates over VPN connections between endpoints and network edge devices, and the security stack in the cloud. It can also connect end users to on-premises services through VPN tunnels. FWaaS is far less common than SWG.
Recommended resources for Gartner clients*:
Guide to Network Security Concepts
*Note that some documents may not be available to all Gartner clients.