Public cloud, private cloud, on-premises... Today, the large number of network options available to enterprise organizations has created new requirements for network security. The “secure network perimeter” model of the past is no longer relevant, and cybersecurity leaders are embracing new approaches.
"Cybersecurity may be complex, but it is the foundation of all other information security systems," said Thomas Lintemuth, senior research director at Gartner. "The good news is that cybersecurity is a mature market with strong, established vendors and innovative start-ups who keep bringing us better new technologies to keep our networks safe and our assets protected."
This article briefly introduces the key modern network security architecture concepts you need to know. We will provide a solid foundation for building cybersecurity by delineating the scope of security requirements, starting with the roles and responsibilities of cybersecurity leaders and down to the logical architecture.
1. Network security architect refers to a set of responsibilities related to cloud security architecture, network security architecture and data security architecture. Depending on the size of the organization, an organization can designate a single person responsible for each cybersecurity architecture area, or it can designate one person to oversee all of these areas. Regardless of the approach, organizations need to identify those responsible and empower them to make mission-critical decisions.
2. Network risk assessment refers to a comprehensive inventory of the ways in which malicious or careless actors, internal and external, might use the network to attack networked resources. Organizations are able to define risks through comprehensive assessments and mitigate them through security controls. These risks may include:
· Poor understanding of systems or processes
· Difficulty measuring the risk level of the system
· "Hybrid" systems subject to both business and technical risks
Collaboration between IT and business stakeholders is necessary to understand the scope of risk so that a practical assessment can be designed. This collaboration, and the creation of a process for understanding the big picture of risk, is as important as defining a final set of risk requirements.
3. Zero-Trust Architecture (ZTA) is a network security paradigm that assumes that some actors on the network are hostile and that, because of the large number of access points, the network itself cannot be adequately protected. Therefore, protecting the assets on the network rather than the network itself is an effective security posture. An agent decides whether to approve each user-related access request based on a risk status calculated from a combination of environmental factors such as application, location, user, device, time, and data sensitivity. As the name suggests, Zero Trust Architecture is an architecture, not a product. While it can't be purchased, it can be developed using some of the technical elements in this list.
4. A network firewall is a mature and well-known security product that, through a series of functions, prevents anyone from directly accessing the network servers on which an organization's applications and data reside. The flexibility of network firewalls allows them to be used both on-premises and in the cloud. In the cloud, there are cloud-specific offerings, and there are strategies deployed by IaaS providers that do the same.
5. The purpose of a secure web gateway has evolved from optimizing Internet bandwidth in the past to protecting users from malicious content on the Internet. Features such as URL filtering, anti-malware, decryption and inspection of websites accessed over HTTPS, Data Loss Prevention (DLP), and prescribed forms of Cloud Access Security Broker (CASB) are now standard.
6. Remote access relies less on virtual private networks (VPNs) and more on zero trust network access (ZTNA). Zero Trust Network Access makes assets invisible to users and facilitates access to individual applications using contextual profiles.
7. An Intrusion Prevention System (IPS) protects unpatched servers with an IPS device that detects and blocks attacks, guarding against vulnerabilities that cannot be patched (such as on packaged applications that are no longer supported by service providers). IPS functionality is often included in other security products, but there are also stand-alone products. IPS is making a comeback because cloud-native controls have been slow to add IPS.
8. Network access control provides visibility into everything on the network and policy-based access control of network infrastructure. Policies can define access based on a user's role, authentication, or other factors.
9. A network packet broker device processes network traffic so that other monitoring devices, such as those dedicated to network performance monitoring and security-related monitoring, can operate more efficiently. Features include packetized data filtering to determine risk levels, packet payload distribution, and hardware-based timestamp insertion, among others.
10. Sanitized Domain Name System (DNS) is a vendor-provided service that operates as an organization's domain name system and prevents end users, including remote workers, from accessing websites with a bad reputation.
11. DDoS mitigation limits the destructive impact of distributed denial of service (DDoS) attacks on network operations. These products employ a multi-layered strategy to protect network resources inside the firewall, resources located locally but in front of the network firewall, and resources located outside the organization, such as from Internet service providers or content delivery networks.
12. Network Security Policy Management (NSPM) optimizes the rules that guide network security through analysis and auditing and change management workflows, rule testing, and compliance assessment and visualization. NSPM tools can use a visual network map to display all device and firewall access rules superimposed on multiple network paths.
13. Microsegmentation can keep attackers who are already on the network from moving laterally to gain access to critical assets. There are three categories of microsegmentation tools for network security:
· Network-based tools are deployed at the network level, often combined with software-defined networking, and are used to protect network-connected assets.
· Hypervisor-based tools are the original form of microsegmentation and are designed to increase the visibility of opaque network traffic moving between different hypervisors.
· Host-agent-based tools install an agent on a host that will be isolated from the rest of the network; host-agent solutions work equally well on cloud workloads, hypervisor workloads, and physical servers.
14. Secure Access Service Edge (SASE) is a new framework that combines comprehensive network security functions, including SWG, SD-WAN and ZTNA, with comprehensive WAN functions to help meet the secure access needs of enterprise organizations. SASE is more of a concept than a framework, and its goal is to achieve a unified security service model that can provide functions across the entire network in a scalable, flexible and low-latency manner.
15. Network detection and response continuously analyzes inbound and outbound traffic and data flow records to record normal network behavior so it can identify anomalies and alert organizations. These tools can use a combination of machine learning (ML), heuristics, analytics tools, and rule-based detection.
16. DNS Security Extensions (DNSSEC) are an additional feature of the DNS protocol that enables validation of DNS responses. The security advantage of DNSSEC is that it requires digitally signing authenticated DNS data, a process that is extremely processor-intensive.
17. Firewall as a Service (FWaaS) is a new technology closely related to cloud SWG. Where it differs is in the architecture: FWaaS operates over VPN connections between endpoints and network edge devices and a security stack in the cloud. It can also connect end users with local services through a VPN tunnel. FWaaS is far less popular than SWG.
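The per-request decision described under Zero-Trust Architecture (item 3) can be sketched as follows. This is an added example, not code from the article or from any product: the field names, weights, thresholds and sample policy data are all assumptions chosen to show how application, location, user, device, time and data sensitivity feed one decision.

```python
# Added illustration of a per-request zero-trust decision. All names, weights
# and thresholds are assumptions for this sketch, not values from a product.
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_passed: bool
    device_managed: bool
    device_patched: bool
    location: str      # country code of the source address
    local_time: time
    application: str

# Constructed sample policy data.
APP_DATA_SENSITIVITY = {"status": "public", "wiki": "internal", "payroll": "restricted"}
MAX_RISK = {"public": 60, "internal": 40, "restricted": 20}
USUAL_LOCATIONS = {"alice": {"DE"}, "bob": {"US", "CA"}}
WORK_START, WORK_END = time(7, 0), time(19, 0)
MFA_PENALTY = 30

def risk_score(req: AccessRequest) -> int:
    """Add risk points for each environmental factor that looks unusual."""
    score = 0 if req.mfa_passed else MFA_PENALTY
    score += 0 if req.device_managed else 30
    score += 0 if req.device_patched else 15
    if req.location not in USUAL_LOCATIONS.get(req.user, set()):
        score += 20
    if not WORK_START <= req.local_time <= WORK_END:
        score += 10
    return score

def decide(req: AccessRequest) -> str:
    """Return 'allow', 'step_up' (ask for MFA) or 'deny' for one request."""
    sensitivity = APP_DATA_SENSITIVITY.get(req.application)
    if sensitivity is None:
        return "deny"  # unknown application: fail closed
    limit, score = MAX_RISK[sensitivity], risk_score(req)
    if score <= limit:
        return "allow"
    # Missing MFA is the only factor the user can fix on the spot.
    if not req.mfa_passed and score - MFA_PENALTY <= limit:
        return "step_up"
    return "deny"
```

The same user and device get different answers for the wiki and for payroll, because the tolerated risk is tied to the asset and not to the network segment the request comes from.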
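One kind of rule analysis an NSPM tool (item 12) performs is finding rules that can never match because an earlier rule already covers them. The following is an added example, not taken from the article or from any NSPM product; the rule format, the first-match evaluation order and the sample rules are assumptions constructed for illustration.

```python
# Added illustration: audit an ordered, first-match firewall rule list for
# rules that can never fire. Rule format and sample rules are constructed.
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # source CIDR (IPv4 only in this sketch)
    dst: str      # destination CIDR
    ports: range  # destination ports, end exclusive
    action: str   # "allow" or "deny"

def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by b is also matched by a."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.ports.start <= b.ports.start
            and b.ports.stop <= a.ports.stop)

def audit(rules: list[Rule]) -> list[tuple[str, str, str]]:
    """Return (finding, rule, covering_rule) for rules that never match."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                # Same action: dead weight. Different action: the later
                # rule's intent is silently overridden by the earlier one.
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((kind, rule.name, earlier.name))
                break  # the first covering rule explains the finding
    return findings

RULES = [  # constructed sample rule base, evaluated top to bottom
    Rule("web-in", "0.0.0.0/0", "10.0.1.0/24", range(443, 444), "allow"),
    Rule("db-deny", "10.0.0.0/8", "10.0.2.0/24", range(0, 65536), "deny"),
    Rule("app-to-db", "10.0.1.0/24", "10.0.2.10/32", range(5432, 5433), "allow"),
    Rule("web-in-dup", "192.0.2.0/24", "10.0.1.5/32", range(443, 444), "allow"),
    Rule("ssh-admin", "10.0.9.0/24", "10.0.1.0/24", range(22, 23), "allow"),
]

if __name__ == "__main__":
    for finding in audit(RULES):
        print(finding)
```

A shadowed finding deserves attention before a redundant one: here the `app-to-db` allow never takes effect, so either the application is broken or traffic is reaching the database by a path the rule base does not describe.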