What is network security?
Network security is a category of practices and technologies that keep internal networks protected from attacks and data breaches. It encompasses access control, cyber attack prevention, malware detection, and other security measures.
"Network security" most often refers to the protection of large enterprise networks. (For information on protecting smaller networks, see What is a LAN? and What is a router?)
Network definition
A network is a group of two or more connected computing devices. Networks range in size from small personal area networks (PANs) and local area networks (LANs) to large wide area networks (WANs), which connect smaller networks across wide distances.
Almost all businesses today rely on some type of network to be productive, whether it is a LAN that allows their employees to access the Internet, a WAN that connects their various office locations, or a network-as-a-service (NaaS) that performs these functions in the cloud.
What are common network security risks?
Like any important business asset, networks can be compromised in a variety of ways. Threats to prepare for include:
- Unauthorized access: If an unauthorized user gets access to a network, they could be able to view confidential information that would otherwise remain private. They could also leak confidential data or compromise internal systems.
- DDoS attacks: Distributed denial-of-service (DDoS) attacks aim to slow or deny service to legitimate users by flooding networks or servers with junk traffic. DDoS attacks can overwhelm a network so that it is no longer functional.
- Vulnerability exploits: Attackers can use vulnerabilities in login portals, applications, hardware, or other areas to penetrate a network for a variety of malicious purposes.
- Malware infections: Common malware infections include ransomware, which encrypts or destroys data; worms, malware that can quickly replicate throughout a network; and spyware, which allows attackers to track user actions. Malware can enter a network from a range of sources, including unsecured websites, infected employee devices, or targeted external attacks.
- Insider threats: Internal employees or contractors can unintentionally undermine network security or leak data when they are unaware of security best practices. In other cases, users may intentionally compromise a network or leak data for reasons of their own.
What are the important network security technologies?
Network security is a broad field. Below are just some of the technologies that an organization can use to protect their network. In order to reduce complexity, most organizations try to rely on as few vendors as possible for network security; many enterprises look for vendors that offer several of these technologies together.
Access control
Access control restricts access to data and the software used to manipulate that data. It is crucial for preventing unauthorized access and reducing the risk of insider threats. Identity and access management (IAM) solutions can help with this area. Many enterprises use virtual private networks (VPNs) to control access; however, today there are alternatives to VPNs.
User authentication
Authentication, or the verification of a user's identity, is a crucial component of access control. Using two-factor authentication (2FA) instead of simple passwords is an important step towards making networks more secure.
Firewalls
Firewalls filter potential threats from network traffic. They can block malware attacks, vulnerability exploits, bot attacks, and other threats. Traditional firewalls run within a business's physical location using a hardware appliance. Today, many firewalls can run in software or in the cloud, eliminating the need for firewall hardware.
DDoS protection
Websites and networking infrastructure both need to be protected from DDoS attacks in order to remain operational. In particular, networking infrastructure needs DDoS mitigation at the network layer, rather than the application layer.
Data loss prevention (DLP)
While firewalls and DDoS protection keep external attacks from coming into a network, data loss prevention (DLP) stops internal data from being taken outside of a network.
Browser isolation
Accessing the Internet from within a network introduces risk because web browsing involves executing code from external untrusted sources (e.g. various web servers) on user devices. Browser isolation eliminates this risk by executing code outside of an organization's internal network, often on a cloud server.
What other steps should enterprises take to secure their networks?
While it is not possible to be completely secure from attacks, these steps can further reduce risk:
Maintaining data backups: Even the most well-defended network can fall to an attack. Losing partial or full access to internal data and systems can be devastating to a business; keeping backup copies of data helps to mitigate the impact of such an attack.
User education: Many data breaches and malware infections occur because a user simply made a mistake, whether by accidentally opening an unsafe email attachment, providing their login credentials as a result of a phishing attack, or allowing outside access in some other way. Internal employees and contractors should be made aware of how to stay safe and protect the network.
Applying a 'zero trust' philosophy: Zero trust security is the principle that no user or device should be trusted by default.
How does Cloudflare keep enterprise networks secure?
- Cloudflare One is an all-encompassing product that includes networking services bundled with security — including all of the security technologies addressed above.
- Cloudflare Magic Transit protects networks from DDoS attacks at layers 3 (the network layer), 4 (the transport layer), and 7 (the application layer) of the OSI model.
- Cloudflare for Teams is a suite of products for access control and endpoint protection.
In addition to securing their networks, many enterprises today need to protect cloud computing resources as well. Learn more in How does cloud security work?