Network Devices & Security: Firewalls, Routers, Switches, and Network Segmentation
Introduction
In previous days, we focused on understanding how data moves across a network, how traffic behaves, how ports and services operate, and how attackers exploit weak configurations.
Day 6 marks a critical transition in the SOC learning journey.
Until now, we were mostly answering the question
“How does traffic move?”
From Day 6 onward, we start answering a more important SOC question:
“Where can traffic be controlled, restricted, monitored, and stopped?”
This article focuses on network devices and security controls that SOC analysts interact with daily, directly or indirectly:
Firewalls
Routers
Switches
Network Segmentation
These components form the structural backbone of enterprise security.
If an attacker succeeds, it is often because one of these controls failed, was misconfigured, or was not monitored properly.
- Firewalls — The First Line of Defense Press enter or click to view image in full size
Press enter or click to view image in full size
What Is a Firewall?
A firewall is a security device or software that controls incoming and outgoing network traffic based on predefined security rules.
From a SOC perspective, a firewall is not just a blocking device.
It is also a visibility and evidence source.
In simple terms:
Firewalls decide what traffic is allowed
Firewalls decide what traffic is blocked
Firewalls generate logs that SOC analysts investigate
Why Firewalls Are Critical in Enterprise Networks
Without a firewall:
Any external system can attempt to connect to internal services
Open ports become direct entry points
Attack surface increases drastically
With a firewall:
Only explicitly permitted traffic flows
Unauthorized access attempts are blocked
Every decision can be logged and reviewed
For SOC teams, firewall logs are often:
The first indicator of reconnaissance
The earliest sign of a breach attempt
How Firewalls Make Decisions
Firewalls operate using rules, which evaluate traffic based on:
Source IP address
Destination IP address
Port number
Protocol (TCP, UDP, ICMP)
Action (allow, deny, drop, log)
A single firewall rule may look conceptually like:
Allow internal users to access the internet on HTTPS
Block all inbound traffic to internal databases
SOC analysts do not usually create these rules, but they analyze the outcomes of these rules through logs and alerts.
Types of Firewalls (SOC Awareness)
Packet Filtering Firewalls
Inspect packet headers only
Work at lower OSI layers
Very fast but limited context
Cannot track sessions
Stateful Firewalls
Maintain a connection state table
Understand whether traffic belongs to an existing session
Block unsolicited packets
Widely used in enterprise environments
Application Layer Firewalls
Operate at OSI Layer 7
Inspect application data
Understand protocols like HTTP, DNS, SMTP
Detect payload-level attacks
From a SOC viewpoint:
Stateful and application-layer firewalls provide better detection capability because they generate richer logs.
Firewall Logs and SOC Operations
Firewall logs typically show:
Source and destination IPs
Ports and protocols
Action taken (allowed or blocked)
Timestamp
SOC analysts look for:
Repeated blocked attempts from the same IP
Port scanning patterns
Access attempts at unusual times
Traffic targeting sensitive services
A firewall does not stop all attacks — but it often reveals attacker intent early.
- Routers — Traffic Directors Between Networks Press enter or click to view image in full size
Press enter or click to view image in full size
What Is a Router?
A router is a network device that connects different networks and forwards data packets based on IP addresses.
Routers commonly connect:
Internal networks to the internet
One subnet to another subnet
Different organizational network zones
They operate primarily at OSI Layer 3 (Network Layer).
How Routers Work
Routers use a routing table that contains:
Destination networks
Next-hop addresses
Interfaces
Metrics (cost)
When a packet arrives:
The router checks the destination IP
It finds the best route in the routing table
The packet is forwarded accordingly
If no valid route exists:
The packet is dropped
Or forwarded to a default gateway
Security Role of Routers
Although routers are not security devices by default, they play a major role in security posture.
Become a Medium member
Routers can:
Restrict traffic using Access Control Lists (ACLs)
Limit which networks can communicate
Reduce exposure of internal segments
Misconfigured routers can:
Expose internal networks
Allow unauthorized routing paths
Enable data exfiltration
Router Logs from a SOC Perspective
SOC analysts monitor routers for:
Unexpected outbound connections
Traffic bypassing security devices
Sudden routing changes
Large data transfers leaving the network
In many breaches, routers are not compromised directly — but they reveal the attacker’s movement path.
- Switches — The Core of Internal Networks Press enter or click to view image in full size
Press enter or click to view image in full size
Press enter or click to view image in full size
What Is a Switch?
A switch is a network device used within a Local Area Network (LAN).
It:
Connects multiple devices
Operates mainly at OSI Layer 2
Uses MAC addresses to forward data
Unlike hubs, switches are intelligent devices.
How Switches Handle Traffic
Switches maintain a MAC address table:
Learn MAC addresses from incoming frames
Associate MAC addresses with switch ports
Forward frames only to the correct destination port
This:
Reduces unnecessary traffic
Improves performance
Limits collisions
Why Switches Matter for Security
Most internal attacks occur inside the LAN, not from the internet.
Switch-related risks include:
ARP spoofing
MAC flooding
Man-in-the-middle attacks
Unauthorized device connections
From a SOC perspective:
Internal traffic must never be assumed to be trusted.
Switch Logs and Internal Threat Detection
SOC teams look for:
MAC address changes
Excessive ARP traffic
Broadcast storms
Lateral movement patterns
Switches are critical for detecting:
Insider threats
Post-compromise activity
Malware spreading internally
- Network Segmentation — Controlling the Blast Radius Press enter or click to view image in full size
Press enter or click to view image in full size
Press enter or click to view image in full size
What Is Network Segmentation?
Network segmentation is the practice of dividing a network into multiple isolated segments or zones.
Each segment:
Has a specific purpose
Has defined access rules
Communicates with other segments in a controlled way
Why Segmentation Is Essential
Without segmentation:
One compromised system can reach everything
Malware spreads rapidly
SOC has poor visibility
With segmentation:
Attacker movement is limited
Damage is contained
Detection becomes easier
Types of Network Segmentation (Overview)
Physical segmentation
Logical segmentation
VLAN-based segmentation
Firewall-based segmentation
Zone-based segmentation
Micro-segmentation
DMZ segmentation
Each type balances security, cost, and complexity.
Segmentation and Lateral Movement
Lateral movement is when attackers:
Move from one compromised system to another
Search for higher privileges
Target critical assets
Segmentation:
Breaks attacker paths
Forces additional authentication
Generates detectable events
SOC analysts focus heavily on inter-segment traffic logs.
- SOC Analyst’s Big Picture View By the end of Day 6, a SOC analyst should understand:
Firewalls control and log traffic
Routers define where traffic can go
Switches reveal internal movement
Segmentation limits attack impact
Security is not about one device — it is about how all devices work together.
Final Takeaways
Network devices are security controls, not just connectivity tools
Misconfiguration is often more dangerous than no security
Logs are as important as blocking
Internal traffic deserves as much attention as external traffic
Segmentation is one of the strongest defenses against breaches
Closing Note
Day 6 builds the structural security mindset required for SOC analysts.
From here onward, every alert, log, and incident will map back to these components.
Understanding where traffic is controlled is the foundation of understanding how attacks are detected and stopped.
Top comments (0)