Network Engineering Guide February 2026

Network Security: Firewalls, VPNs, and Zero Trust Architecture Explained

Cyberattacks are increasingly targeting network infrastructure, exploiting misconfigured firewalls, unpatched VPN gateways, and flat network architectures that allow attackers to move laterally with ease. Ransomware, DDoS attacks, and man-in-the-middle exploits continue to grow in both volume and sophistication. The UK National Cyber Security Centre (NCSC) reports a sustained increase in the complexity and frequency of attacks against UK organisations across every sector. This guide breaks down the core pillars of network security (firewalls, VPNs, Zero Trust, intrusion detection, and UK Cyber Essentials compliance), giving you the practical knowledge to defend, monitor, and harden modern business networks.

The Network Security Landscape

Network security has evolved from a simple perimeter firewall into a multi-layered discipline that spans every device, every connection, and every user in an organisation. The traditional model of a trusted internal network protected by a single firewall at the boundary is no longer viable. Attackers routinely bypass perimeter defences through phishing, compromised credentials, supply chain attacks, and vulnerabilities in remote access infrastructure. Once inside, a flat network gives them unrestricted access to everything.

The threat landscape facing UK organisations is stark. Ransomware gangs now operate as sophisticated businesses, offering ransomware-as-a-service platforms that enable even low-skill attackers to launch devastating campaigns. DDoS attacks are used as cover for data exfiltration. Man-in-the-middle attacks intercept unencrypted traffic on poorly segmented networks. Every organisation, regardless of size, is a target, and the cost of a breach extends far beyond the immediate financial impact to include regulatory penalties, reputational damage, and loss of customer trust.

Defending against these threats requires a defence-in-depth approach that combines firewalls, VPNs, Zero Trust architecture, intrusion detection systems, and continuous monitoring. No single technology is sufficient on its own. Each layer adds friction for attackers and reduces the blast radius when a breach occurs. Understanding how these technologies work, and how they complement each other, is essential knowledge for every network engineer and IT security professional.

Key figures:
  39% of UK businesses attacked
  £4.4M average breach cost
  5 Zero Trust pillars
  82% involve the network

Firewall Types and Configuration

Firewalls remain the foundational layer of network security, controlling which traffic is allowed to enter and leave a network based on predefined rules. However, the term "firewall" now covers a broad spectrum of technologies, from simple packet filters that inspect individual packets to next-generation firewalls (NGFWs) that perform deep packet inspection, application identification, and integrated threat intelligence. Choosing the right firewall type for each point in your network architecture is critical to maintaining both security and performance.

Modern organisations typically deploy multiple firewall types at different layers: a perimeter NGFW at the network boundary, web application firewalls in front of public-facing services, and cloud-native firewalls protecting workloads in AWS, Azure, or Google Cloud. Each type has distinct strengths and is designed for specific use cases. Understanding these differences enables you to build a firewall strategy that provides comprehensive coverage without creating bottlenecks or blind spots.

Firewall Technologies Compared

Packet Filtering (Stateless)
  How it works: Inspects individual packets against a set of rules based on source/destination IP, port, and protocol. Does not track connection state. Operates at Layer 3/4 of the OSI model.
  Best for: Basic ACL enforcement on routers and switches. Simple, fast filtering where deep inspection is not required.
  Key vendors: Cisco IOS ACLs, iptables, pfSense

Stateful Inspection
  How it works: Tracks the state of active connections and makes filtering decisions based on the context of the traffic flow, not just individual packets. Remembers which connections are established.
  Best for: Core perimeter firewalls where connection tracking is needed. More intelligent than packet filtering with minimal performance overhead.
  Key vendors: Cisco ASA, pfSense, Juniper SRX

Application Layer / NGFW
  How it works: Performs deep packet inspection (DPI) to identify and control applications regardless of port. Integrates IPS, malware detection, URL filtering, and threat intelligence feeds.
  Best for: Enterprise perimeter defence requiring visibility into application-level traffic. Identifies Shadow IT and enforces granular application policies.
  Key vendors: Palo Alto, Fortinet FortiGate, Check Point

Web Application Firewall (WAF)
  How it works: Specifically protects web applications by filtering and monitoring HTTP/HTTPS traffic. Defends against SQL injection, cross-site scripting (XSS), and OWASP Top 10 threats.
  Best for: Protecting public-facing web applications, APIs, and e-commerce platforms from application-layer attacks.
  Key vendors: Cloudflare WAF, AWS WAF, Imperva

Cloud Firewall / FWaaS
  How it works: Cloud-native firewall delivered as a service. Scales automatically with workloads. Integrates with cloud provider APIs for automated policy deployment and microsegmentation.
  Best for: Protecting cloud workloads, hybrid environments, and distributed architectures where traditional hardware firewalls cannot be deployed.
  Key vendors: AWS Security Groups, Azure Firewall, Zscaler
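The practical difference between the first two rows of the table, stateless packet filtering versus stateful inspection, is easiest to see with a few packets. The following Python simulation is an added example written for this guide, not code from any of the vendors named above; the packet fields, rule format and addresses are constructed for illustration. It applies the same default-deny policy ("internal hosts may open outbound HTTPS, nothing else") to a stateless filter and a stateful one, and shows why the stateless filter either breaks the reply traffic or needs a hole that also admits unsolicited inbound packets.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, minimal packet model: just the L3/L4 header fields a filter looks at.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    syn: bool = False          # True only on the first packet of a new TCP connection


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    direction: str             # "in" (towards the protected network) or "out"
    dst: Optional[str] = None  # None means "any"
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, pkt: Packet, direction: str) -> bool:
        return (self.direction == direction
                and (self.dst is None or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.proto is None or self.proto == pkt.proto))


class StatelessFilter:
    """Judges every packet on its own headers; first match wins; default deny."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, pkt: Packet, direction: str) -> str:
        for rule in self.rules:
            if rule.matches(pkt, direction):
                return rule.action
        return "deny"


class StatefulFilter(StatelessFilter):
    """Same rules plus a connection table: packets belonging to a flow the policy
    already admitted are accepted without needing a rule of their own."""

    def __init__(self, rules):
        super().__init__(rules)
        self.table = set()     # 5-tuples of admitted connections

    def decide(self, pkt: Packet, direction: str) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table or reverse in self.table:
            return "allow"     # established flow, either direction
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"      # mid-stream TCP segment with no tracked connection
        verdict = super().decide(pkt, direction)
        if verdict == "allow":
            self.table.add(key)
        return verdict


# Policy: internal hosts may open HTTPS connections outbound; nothing else.
OUTBOUND_HTTPS_ONLY = [Rule("allow", "out", dport=443, proto="tcp")]
# The hole a stateless filter needs so that replies get back in: accept any
# inbound TCP packet. It also admits traffic nobody asked for.
STATELESS_WITH_RETURN_HOLE = OUTBOUND_HTTPS_ONLY + [Rule("allow", "in", proto="tcp")]


def run_scenario(fw) -> dict:
    """Three packets: a client request, the server's reply, and an unsolicited
    inbound packet from the same server aimed at a port the client never used."""
    request = Packet("10.0.0.5", "203.0.113.10", 51000, 443, syn=True)
    reply = Packet("203.0.113.10", "10.0.0.5", 443, 51000)
    unsolicited = Packet("203.0.113.10", "10.0.0.5", 443, 51001)
    return {
        "request": fw.decide(request, "out"),
        "reply": fw.decide(reply, "in"),
        "unsolicited": fw.decide(unsolicited, "in"),
    }


if __name__ == "__main__":
    print("stateless, strict :", run_scenario(StatelessFilter(OUTBOUND_HTTPS_ONLY)))
    print("stateless, w/hole :", run_scenario(StatelessFilter(STATELESS_WITH_RETURN_HOLE)))
    print("stateful          :", run_scenario(StatefulFilter(OUTBOUND_HTTPS_ONLY)))
```

The strict stateless filter drops the reply, so the connection never completes; the stateless filter with a return hole lets the reply through but also the unsolicited packet; only the stateful filter accepts the reply and still drops the unsolicited packet. That is the whole argument for stateful inspection at the perimeter.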

Default Deny: The Golden Rule of Firewall Configuration

The single most important principle in firewall configuration is default deny: block all traffic by default and only permit what is explicitly required. Many breaches occur because firewalls are configured with overly permissive rules, legacy "allow any" entries that were never cleaned up, or default configurations that permit all outbound traffic. Start with a deny-all baseline, then add specific permit rules for each required traffic flow. Document every rule with a business justification, review your rule base quarterly, and remove any rule that can no longer be justified. A lean, well-documented rule base is far more secure than a bloated one.
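The quarterly review described above can be partly automated. The Python audit below is an added example, not part of the original guide and not tied to any particular firewall product; the rule format is a constructed, vendor-neutral one (ordered rules, first match wins, with the justification and hit counter most firewalls can export). It flags the exact problems the paragraph names: "allow any" entries, rules with no documented justification, rules that have matched no traffic in 90 days, a rule base that does not end with an explicit deny-all, and rules placed after the deny-all that can never be evaluated.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class FwRule:
    rule_id: int
    action: str                 # "allow" or "deny"
    src: str                    # CIDR, host, or "any"
    dst: str
    port: str                   # port, range, or "any"
    justification: str = ""     # the business reason recorded with the rule
    last_hit_days: Optional[int] = None   # days since the rule last matched; None = never


def is_any_any(rule: FwRule) -> bool:
    return rule.src == "any" and rule.dst == "any" and rule.port == "any"


def audit_rule_base(rules: List[FwRule], stale_after_days: int = 90) -> List[Tuple[Optional[int], str]]:
    """Return (rule_id, finding) pairs. Rules are in evaluation order: first match wins."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        if is_any_any(rule):
            findings.append((rule.rule_id, "allow any/any/any: permits all traffic"))
        elif rule.src == "any" and rule.port == "any":
            findings.append((rule.rule_id, "allow from any source on any port"))
        if not rule.justification.strip():
            findings.append((rule.rule_id, "allow rule without business justification"))
        if rule.last_hit_days is None or rule.last_hit_days > stale_after_days:
            findings.append((rule.rule_id, f"no traffic matched in {stale_after_days} days; candidate for removal"))
    # The base must end with an explicit deny-all, so nothing relies on an implicit default.
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or not is_any_any(last):
        findings.append((None, "rule base does not end with an explicit deny any/any/any"))
    # Anything placed after a deny-all is dead: it can never match.
    for i, rule in enumerate(rules):
        if rule.action == "deny" and is_any_any(rule):
            for shadowed in rules[i + 1:]:
                findings.append((shadowed.rule_id, f"shadowed by deny-all rule {rule.rule_id}; never evaluated"))
            break
    return findings


# Constructed rule base with the classic problems: an unjustified legacy RDP
# rule nobody has used in months, and an "allow any" left over from a migration.
SAMPLE_RULE_BASE = [
    FwRule(10, "allow", "any", "10.0.10.20", "443", "Public web front end (change NET-101)", 2),
    FwRule(20, "allow", "10.0.0.0/8", "10.0.20.5", "3389", "", 200),
    FwRule(30, "allow", "any", "any", "any", "temporary - 2019 migration", 0),
    FwRule(40, "deny", "any", "any", "any", "default deny", 0),
]

if __name__ == "__main__":
    for rule_id, finding in audit_rule_base(SAMPLE_RULE_BASE):
        print(f"rule {rule_id}: {finding}")
```

Run against the sample, the audit reports rule 20 twice (no justification, no hits in 200 days) and rule 30 once (allow any/any/any); rule 30 is the one that silently turns the deny-all at the end into decoration, since nothing ever reaches it.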

VPN Technologies

Virtual Private Networks (VPNs) create encrypted tunnels across untrusted networks, enabling secure remote access for employees and site-to-site connectivity between offices. VPN technology has been a cornerstone of network security for decades, but the landscape has evolved significantly. Traditional IPsec VPNs are now complemented by SSL/TLS-based solutions, the lightweight WireGuard protocol, carrier-grade MPLS services, and software-defined WAN (SD-WAN) platforms that combine multiple connectivity options intelligently.

Selecting the right VPN technology depends on your specific use case, security requirements, and performance expectations. A site-to-site connection between two data centres has very different requirements to a remote worker connecting from a coffee shop. Understanding the strengths, limitations, and trade-offs of each VPN technology enables you to design a connectivity strategy that balances security, performance, and operational complexity.

VPN Technologies Compared

IPsec
  Use case: Site-to-site connectivity between offices and data centres. Industry standard for permanent, always-on encrypted tunnels between network devices.
  Encryption: AES-256, IKEv2 key exchange. Strong, well-audited cryptographic standards with broad vendor support.
  Performance: High throughput with hardware acceleration. Most enterprise firewalls include dedicated IPsec offload chips.
  Complexity: Complex to configure and troubleshoot. Requires careful management of security associations, certificates, and NAT traversal.

SSL/TLS VPN
  Use case: Remote access for individual users. Browser-based or lightweight client access without requiring full network-layer tunnelling on the endpoint.
  Encryption: TLS 1.3, AES-256-GCM. Uses the same encryption standards as HTTPS, making it firewall-friendly.
  Performance: Good for remote access workloads. Slightly higher overhead than IPsec due to TCP-based transport in some implementations.
  Complexity: Simpler deployment than IPsec. Users connect via a web browser or thin client. Easier to deploy across diverse endpoints.

WireGuard
  Use case: Modern, lightweight VPN for both site-to-site and remote access. Increasingly adopted for its simplicity, speed, and minimal attack surface.
  Encryption: ChaCha20 symmetric encryption, Curve25519 key exchange. Minimal, modern cryptographic primitives with a tiny codebase.
  Performance: Excellent performance with very low latency. Operates in kernel space for minimal overhead. Faster handshakes than IPsec or OpenVPN.
  Complexity: Significantly simpler than IPsec. Configuration files are short and readable. Growing enterprise adoption but fewer management tools.

MPLS
  Use case: Carrier-provided private WAN connectivity between sites. SLA-backed with guaranteed bandwidth, latency, and packet delivery.
  Encryption: Not encrypted by default; relies on carrier trust. Often paired with IPsec for encryption over the MPLS backbone.
  Performance: Excellent performance with carrier QoS guarantees. Traffic is label-switched, not routed, reducing latency at each hop.
  Complexity: Low operational complexity for the customer. The carrier manages the MPLS infrastructure. Higher cost than internet-based alternatives.

SD-WAN
  Use case: Software-defined multi-link connectivity combining MPLS, broadband, 4G/5G, and other transports. Intelligent path selection based on application requirements.
  Encryption: AES-256 encryption across all transport links. Encrypted overlay tunnels regardless of the underlying connectivity type.
  Performance: Optimises performance dynamically by routing traffic over the best available link. Adapts in real time to congestion and outages.
  Complexity: Moderate complexity. Requires initial planning, but centralised management simplifies ongoing operations compared to a traditional WAN.

A VPN Is Not a Complete Security Solution

VPNs encrypt traffic in transit and provide authenticated access to network resources, but they are not a substitute for a comprehensive security strategy. A VPN grants an authenticated user access to the network; if that user's device is compromised, the VPN becomes a secure tunnel for the attacker. VPN split-tunnelling, overly broad network access, and a lack of endpoint health checks all create risk. Always combine VPN access with endpoint security, multi-factor authentication, network segmentation, and continuous monitoring. The shift towards Zero Trust architecture addresses many of the limitations inherent in traditional VPN-only remote access.

Zero Trust Architecture

Zero Trust is a security model built on the principle of "never trust, always verify". Unlike traditional perimeter-based security, which assumes that everything inside the corporate network is trusted, Zero Trust treats every access request as potentially hostile, regardless of whether it originates from inside or outside the network boundary. Every user, device, and application must prove its identity and authorisation before being granted access to any resource, and that access is continuously validated throughout the session.

The Zero Trust model was developed by Forrester Research and has since been endorsed by the UK National Cyber Security Centre (NCSC), the US National Institute of Standards and Technology (NIST), and virtually every major security framework. It addresses the fundamental weakness of perimeter security: once an attacker breaches the boundary, whether through phishing, compromised credentials, or a supply chain attack, they have unrestricted access to everything on the internal network. Zero Trust eliminates this by requiring authentication and authorisation at every layer, for every request.

Zero Trust is structured around five interconnected pillars, each of which must be addressed to achieve a comprehensive implementation. It is not a single product or technology; it is an architectural approach that integrates identity management, endpoint security, network segmentation, application controls, and data protection into a unified security posture.

The 5 Pillars of Zero Trust

Identity
  Principle: Strong authentication for every user. Multi-factor authentication (MFA) is mandatory everywhere. Single sign-on (SSO) with conditional access policies that evaluate risk at every login.
  Implementation approach: Deploy an identity provider (Azure AD, Okta) with MFA enforced for all users. Implement conditional access policies that block logins from untrusted locations, unmanaged devices, or anomalous behaviour patterns.

Device
  Principle: Endpoint validation and health checks before granting access. Every device must meet security baseline requirements: patched OS, active antivirus, encrypted storage, compliant configuration.
  Implementation approach: Use endpoint management (Intune, JAMF) to enforce compliance policies. Only devices that pass health checks are granted access. Non-compliant devices are quarantined or given limited access until remediated.

Network
  Principle: Micro-segmentation and least-privilege network access. No user or device gets broad network access. Each session is granted access only to the specific resources required for the task at hand.
  Implementation approach: Replace flat VPN access with per-application tunnels. Implement micro-segmentation using software-defined networking. Deploy network access control (NAC) to enforce device posture before granting connectivity.

Application
  Principle: Per-application access with no lateral movement. Users connect directly to the application they are authorised to use, not to the network the application sits on. Application-level authentication is enforced.
  Implementation approach: Deploy a Zero Trust Network Access (ZTNA) solution that brokers connections to individual applications. Eliminate direct network-level access. Integrate application-level logging and anomaly detection.

Data
  Principle: Data classification, encryption, and data loss prevention (DLP). Sensitive data is identified, labelled, encrypted at rest and in transit, and protected by DLP policies that prevent unauthorised exfiltration.
  Implementation approach: Implement data classification using Microsoft Purview or similar tools. Enforce encryption for all data at rest and in transit. Deploy DLP policies that monitor and block sensitive data leaving the organisation.
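The Identity, Device and Application pillars above, and the earlier warning that a VPN will happily tunnel a compromised device onto the network, come together in one place: the policy decision that a ZTNA broker makes for every access request. The Python policy engine below is an added example written for this guide, not the logic of Okta, Azure AD, Intune or any ZTNA product; the identity, posture and application records are constructed stand-ins for what those systems would supply. It evaluates MFA and sign-in risk (identity), a device health check (device), and per-application entitlement (application), and it grants access to an application, never to a subnet, so a user authorised for one app learns nothing about the others.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Identity:
    user: str
    groups: FrozenSet[str]
    mfa_passed: bool
    sign_in_risk: str = "low"   # as reported by the identity provider: low / medium / high


@dataclass(frozen=True)
class DevicePosture:
    managed: bool               # enrolled in endpoint management
    os_patched: bool
    disk_encrypted: bool
    edr_running: bool

    def compliant(self) -> bool:
        return all((self.managed, self.os_patched, self.disk_encrypted, self.edr_running))


@dataclass(frozen=True)
class AppPolicy:
    name: str
    allowed_groups: FrozenSet[str]
    requires_compliant_device: bool = True


# Constructed application catalogue: access is brokered per application, never to a subnet.
APPS: Dict[str, AppPolicy] = {
    "hr-portal": AppPolicy("hr-portal", frozenset({"hr", "managers"})),
    "finance-db": AppPolicy("finance-db", frozenset({"finance"})),
    "wiki": AppPolicy("wiki", frozenset({"staff"}), requires_compliant_device=False),
}


def authorise(identity: Identity, device: DevicePosture, app_name: str,
              apps: Dict[str, AppPolicy] = APPS) -> Tuple[str, List[str]]:
    """Evaluate one access request and return ("allow" | "deny", reasons).
    Every control is checked, so the audit log names each failing pillar."""
    app = apps.get(app_name)
    if app is None:
        return "deny", [f"application: unknown application {app_name}"]
    reasons: List[str] = []
    if not identity.mfa_passed:
        reasons.append("identity: MFA not satisfied")
    if identity.sign_in_risk == "high":
        reasons.append("identity: high-risk sign-in flagged by the identity provider")
    if app.requires_compliant_device and not device.compliant():
        reasons.append("device: posture check failed")
    if not (identity.groups & app.allowed_groups):
        reasons.append(f"application: {identity.user} is not entitled to {app.name}")
    return ("allow" if not reasons else "deny"), reasons


if __name__ == "__main__":
    alice = Identity("alice", frozenset({"staff", "hr"}), mfa_passed=True)
    healthy = DevicePosture(True, True, True, True)
    unpatched = DevicePosture(True, False, True, True)
    for dev, app in ((healthy, "hr-portal"), (healthy, "finance-db"),
                     (unpatched, "hr-portal"), (unpatched, "wiki")):
        print(app, authorise(alice, dev, app))
```

The same function is what a broker re-runs during a session, not only at login: when endpoint management reports that the device has fallen out of compliance, the next evaluation denies the HR portal while still allowing the low-sensitivity wiki, which is the "continuously validated" behaviour the section describes and the part a plain VPN cannot provide.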

Zero Trust Is a Journey, Not a Product

No vendor can sell you a "Zero Trust appliance" that solves everything overnight. Zero Trust is a strategic architectural shift that takes months or years to implement fully. Start with quick wins: enforce MFA everywhere, eliminate legacy VPN full-tunnel access, and begin segmenting your most sensitive workloads. Build a maturity roadmap that progressively addresses each of the five pillars. Measure progress against frameworks like the NIST Zero Trust Architecture (SP 800-207) and the NCSC Zero Trust design principles. The organisations that succeed with Zero Trust are those that treat it as a continuous programme, not a one-off project.

IDS/IPS and Network Monitoring

Firewalls and VPNs control access to the network, but they cannot detect every threat that slips through, especially threats from compromised insiders, zero-day exploits, or encrypted malicious traffic. Intrusion detection and prevention systems (IDS/IPS) and network monitoring tools provide the visibility needed to detect, investigate, and respond to threats that bypass preventive controls. Without these tools, an attacker can operate undetected inside your network for weeks or months before the breach is discovered.

Modern network monitoring has evolved far beyond simple signature-based detection. Machine learning-powered network detection and response (NDR) platforms analyse traffic patterns to identify anomalous behaviour that no signature can match. Security Information and Event Management (SIEM) platforms correlate logs from across the entire infrastructure to surface threats that would be invisible in isolation. A mature security operations capability combines multiple monitoring technologies into a layered detection strategy that is far more effective than any single tool.

Network Detection and Monitoring Technologies

IDS (Intrusion Detection System)
  What it does: Monitors network traffic passively and generates alerts when suspicious activity or known attack signatures are detected. Detection only; does not block traffic.
  Deployment: Passive deployment via network TAP or SPAN port. Analyses a copy of network traffic without sitting inline. No impact on network performance or availability.
  Example tools: Snort, Suricata, Zeek (formerly Bro)

IPS (Intrusion Prevention System)
  What it does: Sits inline in the network path and actively blocks malicious traffic in real time. Combines signature-based detection with protocol anomaly analysis to prevent attacks.
  Deployment: Inline deployment between network segments. All traffic passes through the IPS. Requires careful tuning to avoid false positives that block legitimate traffic.
  Example tools: Snort (inline mode), Suricata, Palo Alto Threat Prevention

SIEM (Security Information and Event Management)
  What it does: Aggregates and correlates logs from firewalls, servers, endpoints, applications, and cloud services. Uses rules and analytics to identify threats across multiple data sources.
  Deployment: Centralised platform that ingests logs from all infrastructure components. Requires log source onboarding, rule tuning, and analyst resources for investigation.
  Example tools: Splunk, Microsoft Sentinel, Elastic SIEM, IBM QRadar

NDR (Network Detection and Response)
  What it does: Uses machine learning to establish baseline network behaviour and detect deviations that indicate compromise. Identifies lateral movement, data exfiltration, and command-and-control traffic.
  Deployment: Deployed via network sensors that analyse traffic metadata and full packet captures. ML models are trained on normal traffic patterns for each environment.
  Example tools: Darktrace, Vectra AI, ExtraHop Reveal(x)

NTA (Network Traffic Analysis)
  What it does: Analyses network flow data (NetFlow, sFlow, IPFIX) to identify traffic patterns, bandwidth usage, and anomalies. Provides visibility into east-west traffic within the network.
  Deployment: Collects flow data from routers, switches, and firewalls. Lower storage requirements than full packet capture. Effective for long-term trend analysis and capacity planning.
  Example tools: SolarWinds NTA, Kentik, ntopng, ManageEngine NetFlow
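The NDR and NTA rows describe baseline-and-deviation detection over flow data without showing what that computation looks like. The Python below is an added example for this guide, not the analytics of Darktrace, Vectra, Kentik or any other product listed; the NetFlow-style records are constructed, and the thresholds (10x the median daily baseline, 20 distinct internal targets) are illustrative choices that a real deployment would tune per environment. It implements the two detections the NDR row names that flow data alone can support: a host sending far more to the outside than its own history predicts (exfiltration), and a host touching many distinct internal host/port pairs in one window (east-west lateral movement or scanning).

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int, int]          # (src_ip, dst_ip, dst_port, bytes)
INTERNAL_RANGES = [ip_network("10.0.0.0/8")]   # constructed: the organisation's address space


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def bytes_out_by_host(flows: List[Flow]) -> Dict[str, int]:
    """Bytes each internal host sent to external destinations (north-south only)."""
    totals: Dict[str, int] = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)


def detect_exfiltration(baseline_days: List[List[Flow]], today: List[Flow],
                        factor: int = 10, floor_bytes: int = 100_000_000) -> List[Tuple[str, int, int]]:
    """Flag hosts whose outbound volume today exceeds `factor` x their median daily
    baseline. A host with no history is flagged only above `floor_bytes`.
    Returns (host, bytes_today, baseline_bytes) triples."""
    history: Dict[str, List[int]] = defaultdict(list)
    for day in baseline_days:
        for host, nbytes in bytes_out_by_host(day).items():
            history[host].append(nbytes)
    alerts = []
    for host, nbytes in bytes_out_by_host(today).items():
        if history[host]:
            baseline = int(median(history[host]))
            threshold = factor * baseline
        else:
            baseline, threshold = 0, floor_bytes
        if nbytes > threshold:
            alerts.append((host, nbytes, baseline))
    return alerts


def detect_lateral_fanout(flows: List[Flow], max_targets: int = 20) -> List[Tuple[str, int]]:
    """Flag internal hosts that contacted an unusual number of distinct internal
    (host, port) pairs: the east-west pattern of scanning or lateral movement."""
    targets: Dict[str, set] = defaultdict(set)
    for src, dst, port, _nbytes in flows:
        if is_internal(src) and is_internal(dst) and src != dst:
            targets[src].add((dst, port))
    return [(host, len(t)) for host, t in targets.items() if len(t) > max_targets]


# Constructed flow records standing in for three days of NetFlow exports.
BASELINE_DAYS: List[List[Flow]] = [
    [("10.0.1.10", "203.0.113.50", 443, daily), ("10.0.1.11", "203.0.113.50", 443, 2_000_000)]
    for daily in (5_000_000, 6_000_000, 5_500_000)
]
TODAY: List[Flow] = [
    ("10.0.1.10", "198.51.100.7", 443, 400_000_000),   # 400 MB to a never-seen external host
    ("10.0.1.11", "203.0.113.50", 443, 2_500_000),     # within normal variation
] + [("10.0.1.12", f"10.0.2.{i}", 445, 1_200) for i in range(1, 31)]  # one host sweeping SMB across a subnet

if __name__ == "__main__":
    print("exfiltration:", detect_exfiltration(BASELINE_DAYS, TODAY))
    print("lateral fan-out:", detect_lateral_fanout(TODAY))
```

Note what the per-host baseline buys you: 10.0.1.11 moved 25% more data than usual and is not flagged, while 10.0.1.10 is flagged at roughly 70x its median. A single global threshold would either miss the first kind of host or drown the analyst in alerts from the busy ones, which is why the NDR row stresses baselines learned per environment.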

Layered Defence: Defence in Depth

No single detection technology catches every threat. Defence in depth requires deploying multiple, complementary monitoring tools that each cover different attack vectors and detection methods. An IPS catches known signatures inline. An NDR platform detects anomalous behaviour that no signature exists for. A SIEM correlates events across your entire infrastructure to reveal complex, multi-stage attacks. Together, these layers create a detection mesh that is far more resilient than any individual tool. Invest in breadth of detection before depth: covering all your critical network segments with basic monitoring is more valuable than deploying advanced analytics on only one segment.

UK Cyber Essentials Network Requirements

Cyber Essentials is the UK government-backed certification scheme that defines a baseline of cybersecurity controls every organisation should implement. It is a mandatory requirement for organisations bidding on certain UK government contracts and is increasingly expected by private-sector partners and customers as evidence of basic security hygiene. The scheme focuses on five technical controls that address the most common attack vectors, and network security features prominently across all five.

For network engineers, understanding how Cyber Essentials maps to specific network configuration requirements is essential. Each of the five controls translates directly into concrete actions on firewalls, switches, routers, and endpoints. Meeting Cyber Essentials is not just about ticking boxes; it represents the minimum viable security posture that every UK organisation should achieve before considering more advanced frameworks like Cyber Essentials Plus, ISO 27001, or the NIST Cybersecurity Framework.

Cyber Essentials Controls and Network Actions

Boundary Firewalls and Internet Gateways
  Network actions: Configure firewalls with a default deny rule for inbound traffic. Block all inbound connections unless explicitly required and documented. Disable unused ports and protocols. Review firewall rules quarterly and remove any that are no longer justified. Ensure personal firewalls are enabled on all devices that connect to untrusted networks.

Secure Configuration
  Network actions: Change all default passwords on network devices including routers, switches, access points, and firewalls. Disable unnecessary services, protocols, and accounts on every network device. Remove or disable default and guest accounts. Ensure only required software and services are running on each device.

Access Control
  Network actions: Implement separate administrator accounts for network device management. Enforce multi-factor authentication for all administrative access to network infrastructure. Apply the principle of least privilege: users only receive the network access necessary for their role. Remove access promptly when staff leave or change roles.

Malware Protection
  Network actions: Deploy endpoint protection software on all devices connected to the network. Ensure antivirus definitions are updated automatically. Configure endpoint protection to scan files on access and prevent execution of known malicious software. Consider application whitelisting for high-risk environments.

Patch Management
  Network actions: Apply critical and high-risk patches to network device firmware within 14 days of release. Maintain an inventory of all network devices and their firmware versions. Subscribe to vendor security advisories for all network equipment. Test patches in a staging environment before deploying to production where possible.
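Three of the controls above (Secure Configuration, Access Control and Patch Management) reduce, for network devices, to questions that can be asked of an inventory: is the default password changed, are legacy management services disabled, is admin MFA enforced, and is the firmware within 14 days of the latest critical/high-risk release. The Python check below is an added example for this guide, not a Cyber Essentials assessment tool; the device records, version strings and the list of services treated as legacy are constructed for illustration. It reports each failing device against the control it falls under, which is the shape of evidence an assessor asks for.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PATCH_WINDOW_DAYS = 14   # Cyber Essentials: critical/high-risk patches applied within 14 days of release
# Constructed list of legacy or plaintext management services that should be disabled on network devices.
LEGACY_SERVICES = {"telnet", "http", "ftp", "snmp-v1", "snmp-v2c"}


@dataclass
class NetworkDevice:
    hostname: str
    kind: str                      # switch, router, firewall, access point
    firmware: str                  # version currently running
    latest_firmware: str           # latest vendor release fixing a critical/high-risk issue
    days_since_release: int        # age of that release
    default_password_changed: bool
    admin_mfa: bool                # MFA enforced for administrative logins
    enabled_services: List[str] = field(default_factory=list)


Finding = Tuple[str, str]          # (Cyber Essentials control, detail)


def check_device(dev: NetworkDevice) -> List[Finding]:
    findings: List[Finding] = []
    # Patch Management: behind the latest fix AND the 14-day window has elapsed.
    if dev.firmware != dev.latest_firmware and dev.days_since_release > PATCH_WINDOW_DAYS:
        findings.append(("Patch Management",
                         f"running {dev.firmware}; {dev.latest_firmware} has been available for {dev.days_since_release} days"))
    # Secure Configuration: factory credentials and unnecessary services.
    if not dev.default_password_changed:
        findings.append(("Secure Configuration", "default credentials still in use"))
    legacy = sorted(LEGACY_SERVICES & set(dev.enabled_services))
    if legacy:
        findings.append(("Secure Configuration", "legacy/plaintext services enabled: " + ", ".join(legacy)))
    # Access Control: administrative access must be behind MFA.
    if not dev.admin_mfa:
        findings.append(("Access Control", "administrative access without MFA"))
    return findings


def check_inventory(devices: List[NetworkDevice]) -> Dict[str, List[Finding]]:
    """Hostname -> findings, for devices that have at least one."""
    report: Dict[str, List[Finding]] = {}
    for dev in devices:
        findings = check_device(dev)
        if findings:
            report[dev.hostname] = findings
    return report


# Constructed inventory: a core switch four releases behind, a compliant edge
# firewall, and a branch access point still on factory settings.
INVENTORY = [
    NetworkDevice("core-sw-01", "switch", "16.9.4", "16.9.8", 40, True, True, ["ssh", "snmp-v3"]),
    NetworkDevice("edge-fw-01", "firewall", "7.2.5", "7.2.5", 5, True, True, ["ssh", "https"]),
    NetworkDevice("branch-ap-03", "access point", "2.1.0", "2.3.1", 10, False, False, ["telnet", "http", "ssh"]),
]

if __name__ == "__main__":
    for host, findings in check_inventory(INVENTORY).items():
        for control, detail in findings:
            print(f"{host}: [{control}] {detail}")
```

The access point is behind on firmware too, but its release is only 10 days old, so it is not yet a Patch Management failure; re-running the same check on day 15 would add it. That is the point of driving the check from an inventory with release dates rather than from an ad hoc list of known-bad devices.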

Network Devices: The Most Overlooked in Patching

Most organisations have established patch management processes for servers and workstations, but network devices are consistently the most neglected. Switches, routers, firewalls, and wireless access points all run firmware that contains vulnerabilities, and attackers know this. Critical vulnerabilities in network device firmware are regularly exploited in the wild, yet many organisations run firmware that is months or years out of date. Make network device firmware patching a first-class priority in your patch management programme. Maintain a current inventory of every network device and its firmware version, subscribe to vendor security advisories, and treat network device patches with the same urgency as operating system patches.

Advance Your Network Engineering Career

Ready to secure, defend, and monitor professional business networks? Our accredited Network Engineering course covers firewalls, VPN technologies, Zero Trust architecture, intrusion detection, and the hands-on security skills UK employers are actively hiring for. Turn your network security knowledge into a recognised qualification.
