Best Practices - Network Security & Segmentation
Why Network Security & Segmentation Matters
Networks connect systems to each other and to the internet. Without proper segmentation and control, an attacker who compromises one system can move laterally through many others. This page focuses on securing routers, switches, firewalls, wireless networks, and network segments.
Common Risks
| Category | Description | Key Controls (At a Glance) |
|---|---|---|
| Flat Networks | Minimal segmentation allows attackers to reach many systems after one compromise. | Segment by function and sensitivity; use VLANs and firewalls. |
| Exposed Services | Unnecessary open ports invite scanning and exploitation. | Expose only required services; use reverse proxies where appropriate. |
| Insecure Remote Management | Admin interfaces accessible from untrusted networks can be attacked directly. | Restrict management access to admin networks, VPN, or jump hosts. |
| Configuration Drift | Ad-hoc firewall/routing changes reduce auditability and cause inconsistent security. | Document rules; review regularly; apply change management. |
Note:
The “Key Controls (At a Glance)” column is intended as a quick reference. Detailed expectations and implementation guidance are described in the Best Practices sections below.
General Best Practices
Segment by Function and Sensitivity
- Separate networks for endpoints, servers, databases, IoT/OT, and management functions.
- Use deny-by-default rules between segments: allow only the specific flows each segment needs and drop everything else.
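The following is an added example, not code from the original page: an inter-zone allow list modelled in Python with a deny-by-default decision function, rendered as an nftables forward chain whose policy is drop. The zone names, VLAN interface names and the permitted flows are assumptions chosen for illustration.

```python
# Added example (not from the original page): a deny-by-default inter-zone
# policy modelled in Python and rendered as an nftables forward chain.
# Zone names, VLAN interface names and the allowed flows are assumptions
# chosen for illustration.
from dataclasses import dataclass

# Assumed zone -> VLAN interface mapping on the segmentation firewall.
ZONES = {
    "endpoints": "vlan10",
    "servers": "vlan20",
    "databases": "vlan30",
    "iot": "vlan40",
    "management": "vlan99",
}


@dataclass(frozen=True)
class Allow:
    src: str      # source zone
    dst: str      # destination zone
    proto: str    # "tcp" or "udp"
    port: int     # destination port
    purpose: str  # documented justification, kept with the rule


# The explicit allow list. Any inter-zone flow not listed here is dropped by
# the chain's default policy, so granting access means adding a documented rule.
ALLOW_RULES = (
    Allow("endpoints", "servers", "tcp", 443, "users reach internal web apps"),
    Allow("servers", "databases", "tcp", 5432, "app tier to PostgreSQL"),
    Allow("management", "servers", "tcp", 22, "admin SSH from management net"),
    Allow("management", "databases", "tcp", 22, "admin SSH from management net"),
    Allow("management", "iot", "tcp", 22, "admin SSH to IoT gateways"),
)


def is_allowed(src_zone, dst_zone, proto, port, rules=ALLOW_RULES):
    """Decide whether a NEW inter-zone flow is permitted (deny by default).

    Traffic inside one zone never crosses the inter-zone firewall, so it is
    reported as allowed here; host firewalls or private VLANs would cover it.
    """
    if src_zone == dst_zone:
        return True
    return any(
        r.src == src_zone and r.dst == dst_zone and r.proto == proto and r.port == port
        for r in rules
    )


def render_nftables(rules=ALLOW_RULES, zones=ZONES):
    """Render the allow list as an nftables forward chain with policy drop."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for r in rules:
        lines.append(
            f'    iifname "{zones[r.src]}" oifname "{zones[r.dst]}" '
            f'{r.proto} dport {r.port} accept comment "{r.purpose}"'
        )
    # Log what the default policy drops so segmentation gaps show up in the SIEM.
    lines.append('    log prefix "segmentation-drop: " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(is_allowed("endpoints", "databases", "tcp", 5432))  # direct DB access is denied
    print(render_nftables())
```

Return traffic is covered by the `ct state established,related` rule, so only the initiating direction needs an allow entry; the final `log ... drop` line makes the default policy's decisions visible to monitoring instead of silently discarding them.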
Minimize Internet Exposure
- Only expose services that must be publicly reachable.
- Place web applications behind reverse proxies or application gateways.
- Use a Web Application Firewall (WAF) in front of externally facing apps.
Secure Remote Administration
- Restrict management protocols (SSH, HTTPS, SNMP) to the management network, a VPN, or jump hosts.
- Use MFA for all admin access and only encrypted management channels: disable Telnet, HTTP, and SNMPv1/v2c (credentials and community strings travel in cleartext) in favor of SSH, HTTPS, and SNMPv3 with authentication and privacy.
Harden Network Devices
- Change default passwords; disable unused services.
- Keep device firmware and OS up to date.
- Sync device clocks with central NTP for consistent logging.
Manage Firewall and ACL Rules
- Regularly review and clean up firewall rules and ACLs.
- Remove obsolete or overly permissive rules.
- Document rule purpose and justification.
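As an added example of the review above (not code from the original page), the script below audits a rule export for the problems the list names: overly permissive rules, rules with no recent hits, rules without a documented change ticket, and, tying in the remote-administration guidance, admin services allowed from outside the management network. The vendor-neutral export format, the networks and the `CHG-` ticket convention are assumptions; adapt the loader to your firewall's own export.

```python
# Added example (not from the original page): a rule-review script that flags
# firewall rules which are overly permissive, stale, undocumented, or expose
# admin services outside the management network. The rule export format,
# the networks and the change-ticket convention ("CHG-") are assumptions.
import ipaddress
from datetime import date, timedelta

ANY = "any"
STALE_AFTER = timedelta(days=90)
MGMT_NETS = [ipaddress.ip_network("10.99.0.0/24")]        # assumed admin network
ADMIN_SERVICES = {"tcp/22", "tcp/23", "tcp/3389", "udp/161"}  # SSH, Telnet, RDP, SNMP

# Constructed rule export (vendor neutral), one dict per rule. Not real data.
RULES = [
    {"name": "web-in", "src": ANY, "dst": "10.20.0.10", "service": "tcp/443",
     "action": "allow", "last_hit": date(2024, 5, 30), "comment": "CHG-1021 public web"},
    {"name": "temp-vendor", "src": "203.0.113.0/24", "dst": "10.30.0.5", "service": "tcp/3389",
     "action": "allow", "last_hit": date(2023, 11, 2), "comment": ""},
    {"name": "legacy-any", "src": "10.10.0.0/16", "dst": ANY, "service": ANY,
     "action": "allow", "last_hit": date(2024, 5, 31), "comment": "CHG-77 migration"},
    {"name": "mgmt-ssh", "src": "10.99.0.0/24", "dst": "10.20.0.0/16", "service": "tcp/22",
     "action": "allow", "last_hit": date(2024, 5, 29), "comment": "CHG-204 admin access"},
    {"name": "old-backup", "src": "10.20.0.7", "dst": "10.30.0.9", "service": "tcp/873",
     "action": "allow", "last_hit": None, "comment": "CHG-15 rsync backups"},
]


def _from_mgmt(src):
    """True if the rule's source is a network fully inside an admin network."""
    if src == ANY:
        return False
    net = ipaddress.ip_network(src, strict=False)
    return any(net.subnet_of(m) for m in MGMT_NETS)


def audit_rules(rules, today):
    """Return (rule name, finding) pairs for allow rules that need review."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        # Wildcard service, or any-to-any: the rule grants far more than one flow.
        if r["service"] == ANY or (r["src"] == ANY and r["dst"] == ANY):
            findings.append((r["name"], "overly permissive: 'any' service or any-to-any"))
        # Never matched, or not matched within the window: candidate for removal.
        if r["last_hit"] is None or today - r["last_hit"] > STALE_AFTER:
            findings.append((r["name"], "stale: no hits in the last %d days" % STALE_AFTER.days))
        # Every rule should carry the change ticket that justifies it.
        if "CHG-" not in r["comment"]:
            findings.append((r["name"], "undocumented: no change ticket in comment"))
        # Management services must only be reachable from the management network.
        if r["service"] in ADMIN_SERVICES and not _from_mgmt(r["src"]):
            findings.append((r["name"], "admin service allowed from outside the management network"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_rules(RULES, date.today()):
        print(f"{name}: {finding}")
```

Hit counters and last-hit timestamps are only meaningful if the export was taken after a full business cycle (month-end jobs, quarterly backups), so treat "stale" as a prompt to confirm with the owner rather than as an automatic delete.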
Monitor Network Activity
- Forward logs from firewalls, routers, VPN gateways, the WAF, and other critical devices to a central SIEM.
- Alert on unusual patterns (unexpected inbound/outbound flows, large data transfers).
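The following added example (not from the original page) runs detection logic over constructed firewall log lines to surface the patterns the list describes: admin ports reached from outside the management network, egress from the database segment to the internet, and large aggregate transfers to external hosts. The key=value log format, the network ranges and the byte threshold are assumptions; real SIEM rules would use the vendor's field names and a tuned threshold.

```python
# Added example (not from the original page): detection logic over constructed
# firewall log lines. The log format, the networks and the thresholds are
# assumptions chosen for illustration.
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MGMT_NET = ipaddress.ip_network("10.99.0.0/24")   # assumed admin network
DB_NET = ipaddress.ip_network("10.30.0.0/24")     # assumed database segment
ADMIN_PORTS = {22, 3389}
LARGE_TRANSFER_BYTES = 100_000_000                # per src/dst pair over the log window

# Constructed, vendor-neutral key=value firewall log lines (not real data).
LOG_LINES = """\
2024-06-01T10:00:01Z fw01 action=allow src=10.10.5.23 dst=10.20.0.10 proto=tcp dport=443 bytes=18320
2024-06-01T10:00:04Z fw01 action=allow src=10.99.0.15 dst=10.20.0.10 proto=tcp dport=22 bytes=9120
2024-06-01T10:01:10Z fw01 action=allow src=10.10.7.40 dst=10.20.0.10 proto=tcp dport=22 bytes=4410
2024-06-01T10:02:00Z fw01 action=allow src=10.30.0.5 dst=198.51.100.44 proto=tcp dport=443 bytes=2200
2024-06-01T10:03:15Z fw01 action=allow src=10.10.5.23 dst=198.51.100.7 proto=tcp dport=443 bytes=60000000
2024-06-01T10:09:42Z fw01 action=allow src=10.10.5.23 dst=198.51.100.7 proto=tcp dport=443 bytes=70000000
2024-06-01T10:10:00Z fw01 action=deny src=203.0.113.9 dst=10.20.0.10 proto=tcp dport=22 bytes=60
"""


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    parts = line.split()
    if len(parts) < 3:
        return None
    event = {"ts": parts[0], "host": parts[1]}
    for kv in parts[2:]:
        if "=" not in kv:
            return None
        key, value = kv.split("=", 1)
        event[key] = value
    try:
        event["src"] = ipaddress.ip_address(event["src"])
        event["dst"] = ipaddress.ip_address(event["dst"])
        event["dport"] = int(event["dport"])
        event["bytes"] = int(event["bytes"])
    except (KeyError, ValueError):
        return None
    return event


def is_internal(ip):
    """True for addresses in our own (RFC 1918) space; everything else is 'external'."""
    return any(ip in net for net in INTERNAL_NETS)


def detect(log_text):
    """Return (alert kind, src, dst) tuples for the flows worth escalating."""
    alerts = []
    external_bytes = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        # Denied flows mean the control worked; count them in a separate
        # scan/brute-force detector rather than in these misuse alerts.
        if ev is None or ev["action"] != "allow":
            continue
        src, dst = ev["src"], ev["dst"]
        # An admin port on an internal host was reached from outside the management network.
        if ev["dport"] in ADMIN_PORTS and is_internal(dst) and src not in MGMT_NET:
            alerts.append(("admin-port-from-non-mgmt", str(src), str(dst)))
        # Database hosts should never initiate connections to the internet.
        if src in DB_NET and not is_internal(dst):
            alerts.append(("db-segment-egress", str(src), str(dst)))
        # Aggregate outbound volume per pair so a transfer split over sessions still shows.
        if is_internal(src) and not is_internal(dst):
            external_bytes[(str(src), str(dst))] += ev["bytes"]
    for (src, dst), total in external_bytes.items():
        if total > LARGE_TRANSFER_BYTES:
            alerts.append(("large-external-transfer", src, dst))
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```

Internal space is declared explicitly rather than derived from `ipaddress.is_private`, because that property also treats documentation ranges such as 198.51.100.0/24 and 203.0.113.0/24 as private and would hide the external destinations in the sample.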