Network Security


Network security is not a single firewall rule or appliance. It is the combination of segmentation, identity, hardened management access, controlled routing, logging, patching, and operational discipline that limits what an attacker or malfunctioning device can reach.

Start with Segmentation

A flat network gives every connected device an unnecessarily large trust boundary. VLANs and routed security zones separate systems according to function and risk.

  • Management interfaces
  • Servers and storage
  • Employee devices
  • Voice and building systems
  • Guest or untrusted wireless
  • Backups and recovery infrastructure
  • Public-facing services

Segmentation only becomes a security control when communication between zones is explicitly governed. Creating VLANs without restricting inter-VLAN routing is organization, not isolation.

Default-Deny Where It Matters

A default-deny policy allows only documented traffic. This is especially appropriate between trust zones, toward management interfaces, and for inbound internet traffic. Rules should identify the source, destination, protocol, port, purpose, and owner.

Example extended ACL

ip access-list extended USERS_TO_SERVERS
 permit tcp 10.20.0.0 0.0.0.255 host 10.50.0.25 eq 443
 permit udp 10.20.0.0 0.0.0.255 host 10.1.0.53 eq domain
 permit tcp 10.20.0.0 0.0.0.255 host 10.1.0.53 eq domain
 deny ip any 10.50.0.0 0.0.0.255 log
 permit ip any any
Test before enforcement: Logging and flow data can reveal undocumented dependencies before a restrictive policy is activated.

Protect the Management Plane

  • Use SSH, HTTPS, and modern APIs instead of Telnet or unencrypted HTTP.
  • Restrict management access to dedicated subnets or a secure VPN.
  • Use centralized authentication with individual accounts.
  • Require multi-factor authentication where the platform supports it.
  • Disable unused services and management interfaces.
  • Send configuration changes and authentication events to centralized logging.
  • Back up device configurations and test restoration.

Layer 2 Security

Access-layer protections reduce the risk of spoofing, loops, and unauthorized devices:

  • Port security: Limits which MAC addresses may use an access port.
  • DHCP snooping: Identifies trusted DHCP server ports and builds a binding table.
  • Dynamic ARP Inspection: Validates ARP traffic against trusted bindings.
  • IP Source Guard: Restricts traffic that does not match expected source bindings.
  • BPDU Guard: Disables edge ports that unexpectedly receive spanning-tree BPDUs.
  • 802.1X: Authenticates users or devices before granting network access.

Routing Security

  • Authenticate routing-protocol neighbors when practical.
  • Use passive interfaces so protocols do not form adjacencies on user networks.
  • Filter routes at every trust boundary.
  • Set maximum-prefix limits on BGP sessions.
  • Validate public route origins with RPKI.
  • Prevent internal, default, and infrastructure routes from leaking to customers or peers.

IPv6 Security

IPv6 should receive the same design attention as IPv4. Blocking IPv6 at the edge while leaving it active internally can create blind spots. Security controls should account for Router Advertisements, Neighbor Discovery, DHCPv6, extension headers, and dual-stack policy consistency.

DDoS Preparation

DDoS planning begins before an attack. Document provider contacts, mitigation thresholds, blackhole communities, traffic baselines, protected prefixes, and the steps required to shift traffic to a scrubbing service. Local firewall rules cannot stop an attack that has already saturated the upstream circuit.

Operational Security Checklist

  • Maintain an inventory of network devices, software versions, and support status.
  • Apply security updates through a controlled change process.
  • Remove default credentials and shared administrative accounts.
  • Review firewall and ACL rules for obsolete access.
  • Monitor configuration changes and failed logins.
  • Test configuration backups and out-of-band access.
  • Document emergency contacts and rollback procedures.
  • Regularly verify that monitoring covers IPv4 and IPv6.

Security Without Unnecessary Complexity

Every control adds operational cost. A security design should be strict enough to reduce risk while remaining understandable during troubleshooting and incidents. Rules that nobody can explain, expired temporary exceptions, and undocumented policy-based routing can become risks of their own.