# Best Practices - Network Security & Segmentation

## Why Network Security & Segmentation Matters

Networks connect systems to each other and to the internet. Without proper segmentation and control, an attacker who compromises one system can move laterally through many others. This page focuses on securing routers, switches, firewalls, wireless networks, and network segments.

## Common Risks

| Category | Description | Key Controls (At a Glance) |
|---|---|---|
| Flat Networks | Minimal segmentation allows attackers to reach many systems after one compromise. | Segment by function and sensitivity; use VLANs and firewalls. |
| Exposed Services | Unnecessary open ports invite scanning and exploitation. | Expose only required services; use reverse proxies where appropriate. |
| Insecure Remote Management | Admin interfaces accessible from untrusted networks can be attacked directly. | Restrict management access to admin networks, VPN, or jump hosts. |
| Configuration Drift | Ad-hoc firewall/routing changes reduce auditability and cause inconsistent security. | Document rules; review regularly; apply change management. |
**Note:**  
*The “Key Controls (At a Glance)” column is intended as a quick reference. Detailed expectations and implementation guidance are described in the Best Practices sections below.*

### General Best Practices
#### Segment by Function and Sensitivity

- Separate networks for endpoints, servers, databases, IoT/OT, and management functions.
- Use deny-by-default rules to limit unnecessary access.

#### Minimize Internet Exposure

- Only expose services that must be publicly reachable.
- Place web applications behind reverse proxies or application gateways.
- Use Web Application Firewalls (WAF) for externally facing apps.

#### Secure Remote Administration

- Restrict admin protocols (SSH, HTTPS, SNMP) to authorized networks.
- Use MFA and encrypted channels for all admin access.

#### Harden Network Devices

- Change default passwords; disable unused services.
- Keep device firmware and OS up to date.
- Sync device clocks with central NTP for consistent logging.

#### Manage Firewall and ACL Rules

- Regularly review and clean up firewall rules and ACLs.
- Remove obsolete or overly permissive rules.
- Document rule purpose and justification.
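As an added illustration (not part of this page), a small Python audit that applies the rule-hygiene and remote-administration points above to a constructed rule set: it flags allow rules with no recorded justification, any-port rules with an unrestricted endpoint, and admin protocols (SSH, SNMP, HTTPS) permitted into the device-management network from outside the admin networks. The addresses, rule format and sample rules are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing (not from the page): device management interfaces live in
# MGMT_NET and may only be reached from ADMIN_NETS (admin VLAN, VPN/jump-host range).
MGMT_NET = ipaddress.ip_network("10.0.250.0/24")
ADMIN_NETS = [ipaddress.ip_network("10.0.9.0/24"), ipaddress.ip_network("10.0.10.0/28")]
ADMIN_PORTS = {22: "SSH", 161: "SNMP", 443: "HTTPS"}  # admin protocols named on the page

@dataclass
class Rule:
    name: str
    src: str            # source CIDR or "any"
    dst: str            # destination CIDR or "any"
    port: str           # destination port number or "any"
    action: str         # "allow" or "deny"
    justification: str  # documented purpose; empty means undocumented

def _within(cidr, nets):
    """True if cidr is fully contained in one of nets; "any" never is."""
    return cidr != "any" and any(ipaddress.ip_network(cidr).subnet_of(n) for n in nets)

def audit_rule(rule):
    """Return the findings for one rule; an empty list means the rule is clean."""
    findings = []
    if rule.action != "allow":
        return findings  # deny rules never widen access
    if not rule.justification.strip():
        findings.append("undocumented: no recorded purpose")
    if rule.port == "any" and (rule.src == "any" or rule.dst == "any"):
        findings.append("overly permissive: any-port rule with an unrestricted endpoint")
    reaches_mgmt = rule.dst == "any" or _within(rule.dst, [MGMT_NET])
    admin_proto = rule.port != "any" and int(rule.port) in ADMIN_PORTS
    if reaches_mgmt and admin_proto and not _within(rule.src, ADMIN_NETS):
        findings.append(f"admin exposure: {ADMIN_PORTS[int(rule.port)]} to management "
                        f"network from non-admin source {rule.src}")
    return findings

def audit(rules):
    """Map rule name -> findings, for every rule with at least one finding."""
    return {r.name: f for r in rules if (f := audit_rule(r))}

# Constructed sample rule set: two clean rules, two that need cleanup, the default deny.
RULES = [
    Rule("jump-ssh", "10.0.9.0/24", "10.0.250.0/24", "22", "allow", "Admins reach switches via jump hosts"),
    Rule("legacy-snmp", "10.0.1.0/24", "10.0.250.5/32", "161", "allow", ""),
    Rule("web-in", "any", "10.0.2.10/32", "443", "allow", "Public web front end behind reverse proxy"),
    Rule("temp-any", "192.168.0.0/16", "any", "any", "allow", ""),
    Rule("default-deny", "any", "any", "any", "deny", "Deny by default"),
]
```

Running `audit(RULES)` reports only `legacy-snmp` (undocumented, SNMP into the management network from a user subnet) and `temp-any` (undocumented, any-port rule to any destination); the justified jump-host and public web rules pass.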

#### Monitor Network Activity

- Forward logs from firewalls, routers, VPNs, WAFs, and critical devices to a central SIEM.
- Alert on unusual patterns (unexpected inbound/outbound flows, large data transfers).
## Related Resources

- [University Standards](/apply-standards "Apply Standards")
- [NIST SP 800-207 (Zero Trust Architecture)](https://csrc.nist.gov/pubs/sp/800/207/final)
- [CIS Benchmarks (Network Device Hardening)](https://www.cisecurity.org/cis-benchmarks)
- [NSA Infrastructure Security Guidance (LAN Segmentation)](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2949885/nsa-details-network-infrastructure-best-practices/)
- [CISA Known Exploited Vulnerabilities (KEV) Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)