Intermediate
20 min

Network Security Fundamentals

Your network is the backbone of your organization. If it's not secure, nothing else matters. This lesson covers firewalls, segmentation, patching, and the basics of keeping your network from behaving like an open door.

Defense in Depth

No single security control is perfect. Defense in depth is the strategy of layering multiple security controls so that if one fails, another catches the threat. Think of it as a castle with a moat, walls, gates, guards, and internal checkpoints — not just a locked front door.

  • Perimeter: Firewalls & gateways
  • Network: Segmentation & VLANs
  • Endpoint: Antivirus & patching
  • Data: Encryption & backups

Firewalls: Your First Line of Defense

A firewall monitors and controls incoming and outgoing network traffic based on security rules. Think of it as a security guard who checks IDs at every entry point and stops anything suspicious.

What Firewalls Do
  • Block unauthorized access from external networks
  • Prevent malicious traffic from entering your network
  • Log and alert on suspicious connection attempts
  • Enforce policy by blocking specific applications or services

Best Practices
  • Default-deny policy: block everything, allow only what's needed
  • Regularly review and prune firewall rules
  • Segment networks with internal firewalls
  • Keep firewall firmware and software updated

Network Segmentation

Segmentation divides your network into smaller, isolated sections. If an attacker compromises one segment, they cannot easily move laterally to others. This is why your office printer should not be on the same network as your financial servers.

Real-World Example

In the 2013 Target breach, attackers gained access through an HVAC vendor's network segment that was not properly isolated. They then moved laterally to the POS system and stole 40 million credit card numbers. Proper segmentation would have stopped this.

Guest Network

Visitors and contractors get internet-only access, completely isolated from internal resources. Separate SSID, separate VLAN, no internal routing.

IoT & Devices

Printers, cameras, smart thermostats, and other IoT devices should be on their own segment. These devices are notoriously insecure and should never touch production.

Critical Systems

Financial systems, HR databases, and production servers operate in their own segments with strict access controls. Only specific users and services can reach them.
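The default-deny firewall policy and the guest/IoT/critical segmentation described above, as one added example (not code from this lesson): the rule list is evaluated first-match with an implicit deny at the end, and a small review helper flags the kind of over-broad "allow" that rule pruning is meant to catch. Segment addresses, the policy and the rule format are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed segment plan (assumption: IPv4 addressing chosen for illustration).
# The /0 entry is the fallback for any address that belongs to no internal segment.
SEGMENTS = {
    "guest":    ipaddress.ip_network("10.10.0.0/24"),
    "iot":      ipaddress.ip_network("10.20.0.0/24"),
    "users":    ipaddress.ip_network("10.30.0.0/24"),
    "critical": ipaddress.ip_network("10.40.0.0/24"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),
}

@dataclass(frozen=True)
class Rule:
    src: str               # source segment name
    dst: str               # destination segment name
    dport: Optional[int]   # None means any destination port
    action: str            # "allow" or "deny"

# Ordered, first-match inter-segment policy (constructed). Nothing here lets guest or
# IoT reach an internal segment; any flow no rule matches falls through to deny.
POLICY = [
    Rule("guest", "internet", None, "allow"),
    Rule("iot", "internet", None, "allow"),
    Rule("users", "internet", None, "allow"),
    Rule("users", "critical", 443, "allow"),   # finance web app over HTTPS only
]

def segment_of(ip: str) -> str:
    """Longest-prefix match, so 10.x addresses never land in the /0 'internet' bucket."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in SEGMENTS.items() if addr in net]
    return max(matches)[1]

def evaluate(policy, src_ip, dst_ip, dport):
    """Return 'allow' or 'deny' for one flow; the last line is the default-deny."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    for rule in policy:
        if rule.src == src and rule.dst == dst and rule.dport in (None, dport):
            return rule.action
    return "deny"

def overly_broad(policy):
    """Rule review: allows opening every port into critical, or guest/IoT into anything internal."""
    return [r for r in policy if r.action == "allow" and (
        (r.dst == "critical" and r.dport is None) or
        (r.src in ("guest", "iot") and r.dst != "internet"))]
```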

Patch Management

Software vulnerabilities are discovered constantly. Patches are the fixes released by vendors to close these security holes. Unpatched systems are the #1 target for attackers because exploits for known vulnerabilities are widely available.

Good Patching Practices
  • ✓ Apply critical security patches within 48 hours
  • ✓ Test patches in a staging environment first
  • ✓ Maintain an inventory of all software and versions
  • ✓ Automate patching where possible
  • ✓ Have a rollback plan for failed patches

Common Pitfalls
  • ✗ “If it's not broken, don't fix it” — this is how WannaCry happened
  • ✗ Ignoring end-of-life software that no longer receives updates
  • ✗ Patching only servers but ignoring endpoints and IoT devices
  • ✗ Not having an inventory — you can't patch what you don't know about
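The inventory-driven patching practice above, as an added example that is not part of this lesson: given a software inventory and vendor advisories, it reports hosts missing a fix, marks critical fixes as overdue once the lesson's 48-hour window has passed, and flags products that are end-of-life and can never be patched. The inventory, advisories, EOL list and dotted-integer version scheme are constructed assumptions.

```python
from datetime import datetime, timedelta

CRITICAL_SLA = timedelta(hours=48)   # critical patches applied within 48 hours

# Constructed inventory: what is installed where (versions are illustrative).
INVENTORY = [
    {"host": "web-01",   "product": "nginx",   "version": "1.24.0"},
    {"host": "web-02",   "product": "nginx",   "version": "1.25.3"},
    {"host": "print-01", "product": "printfw", "version": "2.1"},   # IoT device, easy to forget
    {"host": "hr-db",    "product": "pgsql",   "version": "11.2"},
]

# Constructed vendor advisories: first fixed version and when the fix was published.
ADVISORIES = [
    {"product": "nginx", "fixed": "1.25.3", "severity": "critical",
     "published": "2024-01-10T00:00:00Z"},
    {"product": "printfw", "fixed": "2.2", "severity": "high",
     "published": "2024-01-01T00:00:00Z"},
]

# Constructed end-of-life list: product -> major version that no longer gets updates.
END_OF_LIFE = {"pgsql": "11"}

def vtuple(version):
    """'1.25.3' -> (1, 25, 3); assumes dotted-integer versions so tuples compare correctly."""
    return tuple(int(part) for part in version.split("."))

def _utc(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def patch_report(now_iso):
    """Return (host, status, product) findings; status is overdue, missing or end-of-life."""
    now = _utc(now_iso)
    findings = []
    for item in INVENTORY:
        major = item["version"].split(".")[0]
        if END_OF_LIFE.get(item["product"]) == major:
            findings.append((item["host"], "end-of-life", item["product"]))
            continue   # no advisory check: there will never be a fix to apply
        for adv in ADVISORIES:
            if adv["product"] != item["product"] or vtuple(item["version"]) >= vtuple(adv["fixed"]):
                continue
            age = now - _utc(adv["published"])
            overdue = adv["severity"] == "critical" and age > CRITICAL_SLA
            findings.append((item["host"], "overdue" if overdue else "missing", adv["product"]))
    return findings
```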

Wi-Fi Security

Wireless networks are inherently more vulnerable than wired ones because the signal travels through walls and parking lots. Simple precautions make a massive difference.

Secure Configuration
  • Use WPA3 encryption (or WPA2 if WPA3 is unavailable)
  • Disable WPS (Wi-Fi Protected Setup) — it's a security hole
  • Change default SSID and admin credentials on access points
  • Use a strong, unique passphrase (see Password Security lesson)

Public Wi-Fi Risks
  • Public Wi-Fi is open to eavesdropping (man-in-the-middle attacks)
  • Always use a VPN when connecting to public or untrusted networks
  • Enable HTTPS-only mode in your browser
  • Turn off automatic Wi-Fi connectivity and file sharing

Monitoring & Detection

Security controls are useless if you don't know when they're being tested. Monitoring gives you visibility into what's happening on your network.

Log Management

Collect and centralize logs from firewalls, servers, and endpoints. Use a SIEM (Security Information and Event Management) system to correlate events.

Intrusion Detection

An IDS or IPS (intrusion detection/prevention system) monitors network traffic for suspicious patterns and known attack signatures. An IDS alerts on what it sees; an IPS sits inline and can also block the malicious activity automatically.

Vulnerability Scanning

Regular automated scans identify open ports, outdated software, and misconfigurations. Scan at least monthly, or weekly for critical systems.
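The centralized-logging and detection idea above, as an added example that is not part of this lesson: a parser for firewall log lines plus one detection that a SIEM correlation rule would express, alerting when a single source racks up many denied connections across several ports within a short window (the behaviour the firewall section says to log and alert on). The log format, sample lines and thresholds are constructed assumptions, not any vendor's real format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: "<ts> <fw> ALLOW|DENY src= dst= dport= proto=".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample log: one external source probing several ports on a critical
# host within seconds, one benign allowed flow, and a second source with two
# isolated denies that should not trip the rule.
SAMPLE_LOG = """\
2024-03-04T10:00:01Z fw01 DENY src=203.0.113.7 dst=10.40.0.10 dport=22 proto=tcp
2024-03-04T10:00:02Z fw01 DENY src=203.0.113.7 dst=10.40.0.10 dport=23 proto=tcp
2024-03-04T10:00:03Z fw01 ALLOW src=10.30.0.5 dst=10.40.0.10 dport=443 proto=tcp
2024-03-04T10:00:04Z fw01 DENY src=203.0.113.7 dst=10.40.0.10 dport=3389 proto=tcp
2024-03-04T10:00:05Z fw01 DENY src=203.0.113.7 dst=10.40.0.10 dport=445 proto=tcp
2024-03-04T10:00:06Z fw01 DENY src=203.0.113.7 dst=10.40.0.11 dport=8080 proto=tcp
2024-03-04T10:00:07Z fw01 DENY src=198.51.100.9 dst=10.40.0.10 dport=443 proto=tcp
2024-03-04T10:05:00Z fw01 DENY src=198.51.100.9 dst=10.40.0.10 dport=443 proto=tcp
"""

def parse(line):
    """Return a dict for a well-formed line, or None so bad lines are skipped, not crashed on."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["dport"] = int(rec["dport"])
    return rec

def scan_alerts(text, window=timedelta(seconds=60), min_denies=5, min_ports=3):
    """Alert once per source that has >= min_denies denies on >= min_ports ports inside the window."""
    denies = [r for r in map(parse, text.splitlines()) if r and r["action"] == "DENY"]
    by_src = defaultdict(list)
    for rec in denies:
        by_src[rec["src"]].append(rec)
    alerts = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):             # slide the window over each start
            burst = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            ports = {r["dport"] for r in burst}
            if len(burst) >= min_denies and len(ports) >= min_ports:
                alerts.append({"src": src, "denies": len(burst), "ports": sorted(ports)})
                break
    return alerts
```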

Network Security Checklist

  • Firewall configured with default-deny policy and reviewed within the last 90 days
  • Network segmentation in place — guest, IoT, and production on separate VLANs
  • Patch management process documented — critical patches applied within 48 hours
  • Wi-Fi uses WPA3 (or WPA2) with a strong passphrase; WPS disabled
  • Logging enabled and logs centralized to a SIEM or log management platform
  • Vulnerability scans scheduled and reviewed at least monthly
  • VPN required for remote access and public Wi-Fi usage
  • Inventory of all network devices maintained and kept current