Network security is the field of cybersecurity focused on protecting computer networks from cyber threats. Network security has three chief aims: to prevent unauthorized access to network resources; to detect and stop cyberattacks and security breaches in progress; and to ensure that authorized users have secure access to the network resources they need, when they need them.
As networks grow in size and complexity, so does the risk of cyberattack. For example, according to IBM's Cost of a Data Breach 2022 report, 83 percent of organizations surveyed experienced more than one data breach (a security breach that results in unauthorized access to sensitive or confidential information). These attacks were expensive: The global average cost of a data breach is USD 4.35 million, and the average cost of a data breach in the United States is more than twice that amount, USD 9.44 million.
Network security safeguards the integrity of network infrastructure, resources and traffic to thwart these attacks and minimize their financial and operational impact.
Network security systems work at two levels: at the perimeter and inside the network.
At the perimeter, security controls try to stop cyberthreats from entering the network. But network attackers sometimes break through, so IT security teams also put controls around the resources inside the network, like laptops and data. Even if attackers get in, they won't have free rein. This strategy of layering multiple, independent controls between attackers and potential vulnerabilities is called "defense in depth": each layer is expected to fail eventually, and the next one is there to limit what the attacker can do after that failure.
To build network security systems, security teams combine the following tools:
A firewall is software or hardware that stops suspicious traffic from entering or leaving a network while letting legitimate traffic through. Firewalls can be deployed at the edges of a network or used internally to divide a larger network into smaller subnetworks. If one part of the network is compromised, attackers who hold that segment are still cut off from the rest.
There are different types of firewalls with different features. Basic firewalls use stateless packet filtering: each packet is matched against an ordered rule list (source, destination, protocol, port) and the first matching rule decides, with anything unmatched dropped by default. Stateful firewalls add connection tracking, so return traffic for an established session is allowed without a separate inbound rule. More advanced next-generation firewalls (NGFWs) add intrusion prevention, AI and machine learning, application awareness and control, and threat intelligence feeds for extra protection.
Network access control (NAC) solutions act like gatekeepers, authenticating and authorizing users to determine who is allowed into the network and what they can do inside. "Authentication" means verifying that a user is who they claim to be. "Authorization" means granting authenticated users permission to access network resources.
NAC solutions are often used to enforce role-based access control (RBAC) policies, in which users' privileges are based on their job functions. For example, a junior developer might be able to view and edit code but not push it live. In contrast, senior developers could read, write, and push code to production. RBAC helps prevent data breaches by keeping unauthorized users away from assets they are not permitted to access.
In addition to authenticating users, some NAC solutions assess the posture of users' endpoints. The goal is to keep unsecured or compromised devices off the network. If a user tries to join on a device with outdated anti-malware signatures, disk encryption turned off or other non-compliant configuration, the NAC denies access or places the device in a quarantine network that can reach only remediation services. Some advanced NAC tools can automatically fix non-compliant endpoints.
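The following is an added example, not code from the original article or from any NAC product: a toy NAC decision in Python that performs the three steps described above in order, authenticating the user (PBKDF2 password hash with a constant-time comparison), checking endpoint posture, and then authorizing the requested action against an RBAC table. The user record, role table, posture rules and thresholds are constructed for the example; the junior/senior developer split mirrors the RBAC example in the text.

```python
"""Added example (not from the original article): authenticate, check
endpoint posture, then authorize by role. User store, roles and posture
thresholds are constructed sample data, not a real directory."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Role -> permissions (RBAC). Juniors can read and write code; only
# seniors may deploy, as in the article's example.
ROLE_PERMS: Dict[str, set] = {
    "junior_dev": {"code:read", "code:write"},
    "senior_dev": {"code:read", "code:write", "code:deploy"},
}

PBKDF2_ITERATIONS = 200_000
MAX_AV_SIGNATURE_AGE_DAYS = 7


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)   # constant-time comparison


# Constructed user store (hypothetical user "alice").
_salt, _digest = hash_password("correct horse battery staple")
USERS = {"alice": {"salt": _salt, "hash": _digest, "role": "junior_dev"}}


def posture_ok(device: dict) -> Tuple[bool, str]:
    """Endpoint posture checks a NAC might enforce before admitting a device."""
    if not device.get("disk_encrypted"):
        return False, "disk not encrypted"
    if device.get("av_signature_age_days", 999) > MAX_AV_SIGNATURE_AGE_DAYS:
        return False, "anti-malware signatures outdated"
    if device.get("firewall_enabled") is not True:
        return False, "host firewall disabled"
    return True, "compliant"


def nac_decision(username: str, password: str, device: dict, permission: str) -> Tuple[str, str]:
    """Return (decision, reason); decision is allow, deny or quarantine."""
    user = USERS.get(username)
    # Always run the hash, even for unknown users, so response time does not
    # reveal which usernames exist.
    salt = user["salt"] if user else _salt
    expected = user["hash"] if user else bytes(32)
    authenticated = verify_password(password, salt, expected)
    if user is None or not authenticated:
        return "deny", "authentication failed"
    ok, reason = posture_ok(device)
    if not ok:
        return "quarantine", reason            # e.g. remediation VLAN
    if permission not in ROLE_PERMS.get(user["role"], set()):
        return "deny", f"role {user['role']} lacks {permission}"
    return "allow", "authenticated, compliant, authorized"


if __name__ == "__main__":
    laptop = {"disk_encrypted": True, "av_signature_age_days": 1, "firewall_enabled": True}
    print(nac_decision("alice", "correct horse battery staple", laptop, "code:write"))
    print(nac_decision("alice", "correct horse battery staple", laptop, "code:deploy"))
    print(nac_decision("alice", "correct horse battery staple", dict(laptop, av_signature_age_days=30), "code:read"))
```

The order of the checks is the point: a device that fails posture is quarantined before any authorization happens, and a valid user on a compliant device still cannot exceed the permissions of their role.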
An intrusion detection and prevention system (IDPS)—sometimes called an intrusion prevention system (IPS)—can be deployed inline directly behind a firewall to scan incoming traffic for security threats. These security tools evolved from intrusion detection systems (IDSs), which sit out of band and only flag suspicious activity for review. IDPSs have the added ability to automatically respond to possible breaches, such as by dropping traffic, blocking the source or resetting the connection. IDPSs are effective at detecting and blocking brute force attacks and application-layer denial of service (DoS) attacks. Volumetric distributed denial of service (DDoS) traffic that saturates the uplink is a different matter: an inline device cannot drop packets that never reach it, so that traffic has to be absorbed upstream by the ISP or a scrubbing service.
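The following is an added example, not code from the original article or from any IPS product: a small brute-force detector in Python of the kind an IDPS runs, here fed constructed sshd-style log lines rather than live packets. It keeps a sliding window of failed logins per source address and emits a block decision once the count in the window crosses a threshold; later events from a blocked source are ignored, which is the "prevention" half. The log lines, addresses, threshold and window are all invented for the example.

```python
"""Added example (not from the original article): sliding-window brute
force detection with a block action. The sshd-style log lines and the
source addresses below are constructed sample data."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict

# Constructed log: one source hammers root/admin/oracle within seconds,
# a second source has two failures fifteen minutes apart (normal typo rate).
LOG = """\
2024-05-01T10:00:01Z sshd[911]: Failed password for root from 198.51.100.23 port 40122 ssh2
2024-05-01T10:00:02Z sshd[911]: Failed password for root from 198.51.100.23 port 40123 ssh2
2024-05-01T10:00:03Z sshd[911]: Failed password for admin from 198.51.100.23 port 40124 ssh2
2024-05-01T10:00:04Z sshd[911]: Failed password for invalid user oracle from 198.51.100.23 port 40125 ssh2
2024-05-01T10:00:05Z sshd[911]: Failed password for invalid user oracle from 198.51.100.23 port 40126 ssh2
2024-05-01T10:00:06Z sshd[911]: Failed password for admin from 198.51.100.23 port 40127 ssh2
2024-05-01T10:00:09Z sshd[912]: Accepted publickey for alice from 10.0.0.7 port 51234 ssh2
2024-05-01T10:05:00Z sshd[913]: Failed password for bob from 10.0.0.7 port 51240 ssh2
2024-05-01T10:20:00Z sshd[914]: Failed password for bob from 10.0.0.7 port 51241 ssh2
"""

LINE_RE = re.compile(
    r"^(\S+) sshd\[\d+\]: (Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+) port"
)

THRESHOLD = 5                    # failures ...
WINDOW = timedelta(seconds=60)   # ... within this window trigger a block


def detect_bruteforce(log_text: str, threshold: int = THRESHOLD,
                      window: timedelta = WINDOW) -> Dict[str, datetime]:
    """Return {source_ip: time_blocked} for sources exceeding the threshold."""
    failures = defaultdict(deque)      # src -> timestamps of recent failures
    blocked: Dict[str, datetime] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                   # not an auth event we care about
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        outcome, src = m.group(2), m.group(4)
        if src in blocked or outcome != "Failed":
            continue                   # blocked sources get no further evaluation
        q = failures[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()                # drop failures that fell out of the window
        if len(q) >= threshold:
            blocked[src] = ts          # the block action; real IPS pushes a rule
    return blocked


if __name__ == "__main__":
    for src, when in detect_bruteforce(LOG).items():
        print(f"block {src} at {when.isoformat()}")
```

The window is what keeps the false-positive rate down: bob's two failures are real failures, but fifteen minutes apart they never accumulate to the threshold.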
A virtual private network (VPN) encrypts traffic between a user's device and a VPN gateway and hides the device's own IP address from the services it reaches, which see the gateway's address instead. When someone uses a VPN, they no longer connect directly to the internet but to that gateway, which forwards traffic on their behalf. Note that the gateway operator still sees where the traffic goes, so a VPN protects confidentiality in transit rather than providing anonymity.
VPNs can help remote workers securely access corporate networks, even over untrusted public wifi like that found in coffee shops and airports, because the encryption keeps anyone sharing the local network from reading or tampering with the traffic. The trade-off is that a traditional remote-access VPN places the device on the corporate network, where it typically gets broad network-level reach.
Instead of VPNs, some organizations use zero trust network access (ZTNA). Rather than tunneling the remote device onto the corporate network, ZTNA brokers connections to individual applications under zero-trust access control policies. When remote users connect through ZTNA, they don't gain access to the whole network. Instead, they only gain access to the specific assets they're permitted to use, and they must be reverified every time they access a new resource. See 'A zero trust approach to network security' below for a closer look at how zero trust security works.
Application security refers to the steps security teams take to protect apps and application programming interfaces (APIs) from network attackers. Because many companies today use apps to carry out key business functions or process sensitive data, apps are a common target for cybercriminals. And because so many business apps are hosted in public clouds and exposed to the internet, a vulnerability in one of them can give attackers an entry point into the private company network behind it.
Application security measures defend apps from malicious actors. Common application security tools include web application firewalls (WAFs), runtime application self-protection (RASP), static application security testing (SAST), and dynamic application security testing (DAST).
The IBM Security X-Force Threat Intelligence Index found that phishing is the most common initial cyberattack vector. Email security tools can help thwart phishing attacks and other attempts to compromise users' email accounts. Most email services have built-in security tools like spam filters and message encryption. Some email security tools feature sandboxes, isolated environments where security teams can inspect email attachments for malware without exposing the network.
While the following tools are not strictly network security tools, network administrators often use them to protect areas and assets on a network.
Data loss prevention (DLP) refers to information security strategies and tools that ensure sensitive data is neither stolen nor accidentally leaked. DLP includes data security policies and purpose-built technologies that track data flows, encrypt sensitive information, and raise alerts when suspicious activity is detected.
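The following is an added example, not code from the original article or from any DLP product: a Python content scanner of the kind a DLP tool applies to outbound mail or uploads. It looks for payment card numbers, validates each candidate with the Luhn checksum so that ordinary 16-digit order or tracking numbers are not flagged, and returns a redacted copy plus the findings that would raise an alert. The sample message is constructed; the card numbers in it are well-known industry test numbers, not real accounts.

```python
"""Added example (not from the original article): DLP-style detection
and redaction of payment card numbers (PANs) with Luhn validation.
The sample text is constructed and uses standard test card numbers."""
import re
from typing import List, Tuple

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> Tuple[str, List[str]]:
    """Return (redacted_text, last4_of_each_pan_found)."""
    findings: List[str] = []

    def redact(m: "re.Match") -> str:
        raw = m.group(0)
        digits = re.sub(r"\D", "", raw)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(digits[-4:])
            return f"[REDACTED-PAN ****{digits[-4:]}]"
        return raw          # digit run that fails Luhn: leave it alone

    return CANDIDATE_RE.sub(redact, text), findings


if __name__ == "__main__":
    # Constructed outbound message: one real-looking card (Visa test number),
    # one 16-digit order number that must not be flagged.
    msg = ("Hi, please charge card 4111 1111 1111 1111 exp 12/26 "
           "for order 1234 5678 9012 3456. Thanks!")
    redacted, found = scan(msg)
    print(redacted)
    print("alert on PAN(s) ending:", found)
```

Pattern matching alone is not enough for a usable DLP rule; the Luhn check is the cheapest way to keep order numbers, tracking IDs and phone numbers from drowning the real hits in noise. Production tools add context (field names, file types, nearby keywords like "exp" or "CVV") for the same reason.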
Endpoint security solutions protect any devices that connect to a network—laptops, desktops, servers, mobile devices, IoT devices—against hackers who try to use them to sneak into the network. Antivirus software can detect and destroy trojans, spyware, and other malicious software on a device before it spreads to the rest of the network. Endpoint detection and response (EDR) solutions are more advanced tools that monitor endpoint behavior and automatically respond to security events. Unified endpoint management (UEM) software allows companies to monitor, manage, and secure all end-user devices from a single console.
Web security solutions, such as secure web gateways, block malicious internet traffic and keep users from connecting to suspicious websites and apps.
Network segmentation is a way of breaking large networks down into smaller subnetworks, either physically or through software. Network segmentation can limit the spread of ransomware and other malware by walling off a compromised subnetwork from the rest of the network. Segmentation can also help keep legitimate users away from assets they shouldn't access.
Cloud security solutions protect data centers, apps, and other cloud assets from cyberattacks. Many cloud security controls are the familiar network security measures—like firewalls, NACs, and VPNs—applied to cloud environments, usually in cloud-native form such as security groups, network ACLs and identity-based access policies. Under the shared responsibility model the provider secures the underlying infrastructure, while configuring these controls correctly remains the customer's job. Many cloud service providers build security controls into their services or offer them as add-ons.
User and entity behavior analytics (UEBA) uses behavioral analytics and machine learning to flag abnormal user and device activity. UEBA can help catch insider threats and hackers who have hijacked user accounts.
Traditional company networks were centralized, with key endpoints, data, and apps located on premises. Traditional network security systems focused on keeping threats from breaching the network's perimeter. Once a user got in, they were treated as trustworthy and granted practically unrestricted access.
However, as organizations pursue digital transformation and adopt hybrid cloud environments, networks are becoming decentralized. Now, network resources exist across cloud data centers, on-site and remote endpoints, and mobile and IoT devices.
Perimeter-based security controls are less effective in distributed networks, so many IT security teams are shifting to zero-trust network security frameworks. Instead of focusing on the perimeter, zero-trust network security places security controls around individual resources. Users are never implicitly trusted. Every time a user tries to access a resource, they must be authenticated and authorized, regardless of whether they're already on the company network. Authenticated users are granted least-privilege access only, and their permissions are revoked as soon as their task is done.
Zero trust network security relies on granular access policies, continuous validation, and data gathered from as many sources as possible — including many of the tools outlined above — to ensure that only the right users can access the right resources for the right reasons at the right time.
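The following is an added example, not code from the original article or from any zero-trust product: a per-request policy evaluator in Python that decides each access from fresh signals (role, how recently MFA was completed, device compliance and management status, resource sensitivity), issues a grant scoped to a single resource with a short lifetime, and never consults network location. A short simulated session shows the continuous-validation point: the same user is allowed twice and then denied when the device falls out of compliance mid-session. The resources, roles, signals and thresholds are constructed for the example.

```python
"""Added example (not from the original article): per-request zero-trust
access decisions with resource-scoped, short-lived grants. Resources,
roles, signals and thresholds are constructed sample data."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Hypothetical resource catalogue: sensitivity drives how strict the checks are.
RESOURCES = {
    "wiki":    {"sensitivity": "low",  "roles": {"engineering", "sales"}},
    "payroll": {"sensitivity": "high", "roles": {"finance"}},
    "prod-db": {"sensitivity": "high", "roles": {"engineering"}},
}

HIGH_MFA_MAX_MIN = 15        # high-sensitivity: MFA within the last 15 minutes
LOW_MFA_MAX_MIN = 12 * 60    # low-sensitivity: MFA within the last 12 hours


@dataclass
class Context:
    user: str
    roles: Set[str]
    mfa_age_min: int           # minutes since the user last completed MFA
    device_compliant: bool     # posture check result at request time
    device_managed: bool       # enrolled in the organization's device management
    on_corp_network: bool      # recorded, but deliberately not a trust signal


@dataclass
class Grant:
    user: str
    resource: str
    ttl_sec: int               # grant expires; the next request is re-evaluated


def evaluate(ctx: Context, resource: str) -> Tuple[Optional[Grant], str]:
    """Decide one request; returns (grant or None, reason)."""
    res = RESOURCES.get(resource)
    if res is None:
        return None, "unknown resource"
    if not res["roles"] & ctx.roles:
        return None, "role not permitted"
    if not ctx.device_compliant:
        return None, "device non-compliant"
    if res["sensitivity"] == "high":
        if not ctx.device_managed:
            return None, "high-sensitivity resource requires a managed device"
        if ctx.mfa_age_min > HIGH_MFA_MAX_MIN:
            return None, "step-up MFA required"
        return Grant(ctx.user, resource, ttl_sec=300), "ok"
    if ctx.mfa_age_min > LOW_MFA_MAX_MIN:
        return None, "MFA required"
    return Grant(ctx.user, resource, ttl_sec=3600), "ok"


def perimeter_model(ctx: Context) -> bool:
    """The legacy rule this replaces: inside the network means trusted."""
    return ctx.on_corp_network


def session() -> List[str]:
    """Constructed session: three requests by the same user, re-evaluated each time."""
    steps = [
        (Context("alice", {"engineering"}, 5, True, True, False), "wiki"),
        (Context("alice", {"engineering"}, 6, True, True, False), "prod-db"),
        # Device drops out of compliance (say, EDR agent stopped): next request denied
        # even though the previous grants were valid moments ago.
        (Context("alice", {"engineering"}, 7, False, True, False), "prod-db"),
    ]
    return ["allow" if evaluate(c, r)[0] else "deny" for c, r in steps]


if __name__ == "__main__":
    print(session())
    stale = Context("alice", {"engineering"}, 45, True, True, True)
    print("perimeter model says:", perimeter_model(stale), "| zero trust says:", evaluate(stale, "prod-db")[1])
```

Two things distinguish this from the RBAC check inside a NAC: the decision is repeated on every request with current signals rather than once at network entry, and the grant names one resource and expires, so there is no session that quietly becomes "trusted" after the first success.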
While a defense-in-depth approach can protect a company's network, it also means the IT security team has to manage a number of separate security controls. Enterprise network security platforms can help streamline network security management by integrating disparate security tools and allowing security teams to monitor the whole network from a single console. Common network security platforms include:
Security information and event management (SIEM) collects logs and events from security tools and systems across the network, normalizes them into a common schema, correlates related events across sources, and raises alerts when a correlation rule or anomaly model fires.
Security orchestration, automation, and response (SOAR) solutions collect and analyze security data and allow security teams to define and execute automated responses to cyberthreats.
Network detection and response (NDR) tools use AI and machine learning to monitor network traffic and detect suspicious activity.
Extended detection and response (XDR) is an open cybersecurity architecture that integrates security tools and unifies security operations across all security layers—users, endpoints, email, applications, networks, cloud workloads and data. With XDR, security solutions that aren't necessarily designed to work together can interoperate on threat prevention, detection, investigation and response. XDR can also automate threat detection, incident triage, and threat hunting workflows.
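The following is an added example, not code from the original article or from any SIEM product: a Python sketch of the two things a SIEM does that a single-source detector cannot. It normalizes events from two differently formatted sources (a firewall's syslog-style drop lines and an identity provider's JSON login records) into one schema, then runs a correlation rule across both: a source address that probed several closed ports and then logged in successfully is worth an alert that neither source could raise alone. The log lines, addresses and the port-count threshold are constructed.

```python
"""Added example (not from the original article): SIEM-style normalization
of two log formats into one schema plus a cross-source correlation rule.
All log lines and addresses below are constructed sample data."""
import json
import re
from typing import Dict, List

# Constructed firewall log (iptables-like syslog lines). 198.51.100.9 probes
# five different ports on one host; 203.0.113.44 hits a single port.
FIREWALL_LOG = """\
May  1 10:01:02 fw1 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.0.0.20 PROTO=TCP DPT=22
May  1 10:01:02 fw1 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.0.0.20 PROTO=TCP DPT=23
May  1 10:01:03 fw1 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.0.0.20 PROTO=TCP DPT=445
May  1 10:01:03 fw1 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.0.0.20 PROTO=TCP DPT=3389
May  1 10:01:04 fw1 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.0.0.20 PROTO=TCP DPT=8080
May  1 10:02:00 fw1 kernel: DROP IN=eth0 SRC=203.0.113.44 DST=10.0.0.20 PROTO=TCP DPT=22
"""

# Constructed identity-provider log (one JSON record per line).
IDP_LOG = """\
{"ts": "2024-05-01T10:03:10Z", "event": "login.success", "user": "carol", "ip": "198.51.100.9"}
{"ts": "2024-05-01T10:04:00Z", "event": "login.success", "user": "dave", "ip": "192.0.2.5"}
"""

FW_RE = re.compile(r"DROP .*SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")


def normalize_firewall(text: str) -> List[Dict]:
    """Firewall syslog lines -> common event schema."""
    events = []
    for line in text.splitlines():
        m = FW_RE.search(line)
        if m:
            events.append({"source": "firewall", "type": "deny",
                           "src_ip": m.group(1), "dst_ip": m.group(2),
                           "dst_port": int(m.group(4))})
    return events


def normalize_idp(text: str) -> List[Dict]:
    """IdP JSON records -> common event schema."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({"source": "idp", "type": rec["event"],
                       "src_ip": rec["ip"], "user": rec["user"]})
    return events


def correlate(events: List[Dict], scan_ports: int = 5) -> List[Dict]:
    """Alert when a source denied on >= scan_ports distinct ports later logs in.

    Events are expected in time order; a real SIEM sorts on the normalized
    timestamp, here the constructed sources are already ordered."""
    ports_by_src: Dict[str, set] = {}
    alerts = []
    for ev in events:
        if ev["source"] == "firewall" and ev["type"] == "deny":
            ports_by_src.setdefault(ev["src_ip"], set()).add(ev["dst_port"])
        elif ev["source"] == "idp" and ev["type"] == "login.success":
            if len(ports_by_src.get(ev["src_ip"], ())) >= scan_ports:
                alerts.append({"rule": "scan_then_login",
                               "user": ev["user"], "src_ip": ev["src_ip"]})
    return alerts


def run() -> List[Dict]:
    events = normalize_firewall(FIREWALL_LOG) + normalize_idp(IDP_LOG)
    return correlate(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Carol's login is a normal event on its own and the dropped packets are routine noise on their own; the value of the platform is that the `src_ip` field means the same thing in both normalized records, so the rule can join them.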