search close

Solutions
- By Challenge
  - By Challenge
    - By Challenge
      Learn more
  - Understand, Prioritise & Mitigate Risks
    - Understand, Prioritise & Mitigate Risks
      
      Improve your risk posture with attack surface management
      Learn more
  - Protect Cloud-Native Apps
    - Protect Cloud-Native Apps
      
      Security that enables business outcomes
      Learn more
  - Protect Your Hybrid World
    - Protect Your Hybrid, Multi-Cloud World
      
      Gain visibility and meet business needs with security
      Learn more
  - Securing Your Borderless Workforce
    - Securing Your Borderless Workforce
      
      Connect with confidence from anywhere, on any device
      Learn more
  - Eliminate Network Blind Spots
    - Eliminate Network Blind Spots
      
      Secure users and key operations throughout your environment
      Learn more
  - See More. Respond Faster.
    - See More. Respond Faster.
      
      Move faster than your adversaries with powerful purpose-built XDR, attack surface risk management, and zero trust capabilities
      Learn more
  - Extend Your Team
    - Extend Your Team. Respond to Threats Agilely
      
      Maximise effectiveness with proactive risk reduction and managed services
      Learn more
  - Operationalising Zero Trust
    - Operationalising Zero Trust
      
      Understand your attack surface, assess your risk in real time, and adjust policies across network, workloads, and devices from a single console
      Learn more
- By Role
  - By Role
    - By Role
      Learn more
  - CISO
    - CISO
      
      Drive business value with measurable cybersecurity outcomes
      Learn more
  - SOC Manager
    - SOC Manager
      
      See more, act faster
      Learn more
  - Infrastructure Manager
    - Infrastructure Manager
      
      Evolve your security to mitigate threats quickly and effectively
      Learn more
  - Cloud Builder and Developer
    - Cloud Builder and Developer
      
      Ensure code runs only as intended
      Learn more
  - Cloud Security Ops
    - Cloud Security Ops
      
      Gain visibility and control with security designed for cloud environments
      Learn more
- By Industry
  - By Industry
    - By Industry
      Learn more
  - Healthcare
    - Healthcare
      
      Protect patient data, devices, and networks while meeting regulations
      Learn more
  - Manufacturing
    - Manufacturing
      
      Protecting your factory environments – from traditional devices to state-of-the-art infrastructures
      Learn more
  - Oil & Gas
    - Oil & Gas
      
      ICS/OT Security for the oil and gas utility industry
      Learn more
  - Electric Utility
    - Electric Utility
      
      ICS/OT Security for the electric utility
      Learn more
  - Automotive
    - Automotive
      Learn more
  - 5G Networks
    - 5G Networks
      Learn more
- Small & Midsized Business Security
  - Small & Midsized Business Security
    
    Stop threats with easy-to-use solutions designed for your growing business
    Learn more
Platform
- Vision One Platform
  - Vision One Platform
    - Trend Vision One
      
      Our Unified Platform
      
      Bridge threat protection and cyber risk management
      Learn more
  - AI Companion
    - Trend Vision One Companion
      
      Your generative AI cybersecurity assistant
      Learn more
- Attack Surface Management
  - Attack Surface Management
    
    Stop breaches before they happen
    Learn more
- XDR (Extended Detection & Response)
  - XDR (Extended Detection & Response)
    
    Stop adversaries faster with a broader perspective and better context to hunt, detect, investigate, and respond to threats from a single platform
    Learn more
- Cloud Security
  - Cloud Security
    - Trend Vision One™
      
      Cloud Security Overview
      
      The most trusted cloud security platform for developers, security teams, and businesses
      Learn more
  - Attack Surface Risk Management for Cloud
    - Attack Surface Risk Management for Cloud
      
      Cloud asset discovery, vulnerability prioritisation, Cloud Security Posture Management, and Attack Surface Management all in one
      Learn more
  - XDR for Cloud
    - XDR for Cloud
      
      Extend visibility to the cloud and streamline SOC investigations
      Learn more
  - Container Security
    - Container Security
      
      Simplify security for your cloud-native applications with advanced container image scanning, policy-based admission control, and container runtime protection
      Learn more
  - File Security
    - File Security
      
      Protect application workflow and cloud storage against advanced threats
      Learn more
- Endpoint Security
  - Endpoint Security
    - Endpoint Security Overview
      
      Defend the endpoint through every stage of an attack
      Learn more
  - XDR for Endpoint
    - XDR for Endpoint
      
      Stop adversaries faster with a broader perspective and better context to hunt, detect, investigate, and respond to threats from a single platform
      Learn more
  - Workload Security
    - Workload Security
      
      Optimised prevention, detection, and response for endpoints, servers, and cloud workloads
      Learn more
  - Industrial Endpoint Security
    - Industrial Endpoint Security
      Learn more
  - Mobile Security
    - Mobile Security
      
      On-premises and cloud protection against malware, malicious applications, and other mobile threats
      Learn more
- Network Security
  - Network Security
    - Network Security Overview
      
      Expand the power of XDR with network detection and response
      Learn more
  - XDR for Network
    - XDR for Network
      
      Stop adversaries faster with a broader perspective and better context to hunt, detect, investigate, and respond to threats from a single platform
      Learn more
  - Network Intrusion Prevention (IPS)
    - Network Intrusion Prevention (IPS)
      
      Protect against known, unknown, and undisclosed vulnerabilities in your network
      Learn more
  - Breach Detection System (BDS)
    - Breach Detection System (BDS)
      
      Detect and respond to targeted attacks moving inbound, outbound, and laterally
      Learn more
  - Secure Service Edge (SSE)
    - Secure Service Edge (SSE)
      
      Redefine trust and secure digital transformation with continuous risk assessments
      Learn more
  - Industrial Network Security
    - Industrial Network Security
      Learn more
  - 5G Network Security
    - 5G Network Security
      Learn more
- Email Security
  - Email Security
    - Email Security
      
      Stop phishing, malware, ransomware, fraud, and targeted attacks from infiltrating your enterprise
      Learn more
  - Email and Collaboration Security
    - Trend Vision One™
      
      Email and Collaboration Security
      
      Stop phishing, ransomware, and targeted attacks on any email service including Microsoft 365 and Google Workspace
      Learn more
- OT Security
  - OT Security
    - OT Security
      
      Learn about solutions for ICS / OT security.
      Learn more
  - XDR for OT
    - XDR for OT
      
      Stop adversaries faster with a broader perspective and better context to hunt, detect, investigate, and respond to threats from a single platform
      Learn more
  - Industrial Network Security
    - Industrial Network Security
      Industrial Network Security
  - Industrial Endpoint Security
    - Industrial Endpoint Security
      Learn more
- Threat Insights
  - Threat Insights
    
    See threats coming from miles away
    Learn more
- Identity Security
  - Identity Security
    
    End-to-end identity security from identity posture management to detection and response
    Learn more
- On-Premises Data Sovereignty
  - On-Premises Data Sovereignty
    
    Prevent, detect, respond and protect without compromising data sovereignty
    Learn more
- All Products, Services, and Trials
  - All Products, Services, and Trials
    Learn more
Research
- Research
  - Research
    - Research
      Learn more
  - Research, News, and Perspectives
    - Research, News, and Perspectives
      Learn more
  - Research and Analysis
    - Research and Analysis
      Learn more
  - Security News
    - Security News
      Learn more
  - Zero Day Initiatives (ZDI)
    - Zero Day Initiatives (ZDI)
      Learn more
Services
- Our Services
  - Our Services
    - Our Services
      Learn more
  - Service Packages
    - Service Packages
      
      Augment security teams with 24/7/365 managed detection, response, and support
      Learn more
  - Managed XDR
    - Managed XDR
      
      Augment threat detection with expertly managed detection and response (MDR) for email, endpoints, servers, cloud workloads, and networks
      Learn more
  - Incident Response
    - Incident Response
      - Incident Response
        
        Our trusted experts are on call whether you're experiencing a breach or looking to proactively improve your IR plans
        Learn more
    - Insurance Carriers and Law Firms
      - Insurance Carriers and Law Firms
        
        Stop breaches with the best response and detection technology on the market and reduce clients’ downtime and claim costs
        Learn more
  - Support Services
    - Support Services
      Learn more
Partners
- Partner Program
  - Partner Program
    - Partner Program Overview
      
      Grow your business and protect your customers with the best-in-class complete, multilayered security
      Learn more
  - Partner Competencies
    - Partner Competencies
      
      Stand out to customers with competency endorsements that showcase your expertise
      Learn more
  - Partner Successes
    - Partner Successes
      Learn more
  - Managed Security Service Provider
    - Managed Security Service Provider
      
      Deliver modern security operations services with our industry-leading XDR
      Learn more
  - Managed Service Provider
    - Managed Service Provider
      
      Partner with a leading expert in cybersecurity, leverage proven solutions designed for MSPs
      Learn more
- Alliance Partners
  - Alliance Partners
    - Alliance Partners
      
      We work with the best to help you optimise performance and value
      Learn more
  - Technology Alliance Partners
    - Technology Alliance Partners
      Learn more
  - Find Alliance Partners
    - Find Alliance Partners
      Learn more
- Partner Resources
  - Partner Resources
    - Partner Resources
      
      Discover resources designed to accelerate your business’s growth and enhance your capabilities as a Trend Micro partner
      Learn more
  - Partner Portal Login
    - Partner Portal Login
      Login
  - Trend Campus
    - Trend Campus
      
      Accelerate your learning with Trend Campus, an easy-to-use education platform that offers personalised technical guidance
      Learn more
  - Co-Selling
    - Co-Selling
      
      Access collaborative services designed to help you showcase the value of Trend Vision One™ and grow your business
      Learn more
  - Become a Partner
    - Become a Partner
      Learn more
  - Distributors
    - Distributors
      Learn more
- Find Partners
  - Find Partners
    
    Locate a partner from whom you can purchase Trend Micro solutions
    Learn more
Company
- Why Trend Micro
  - Why Trend Micro
    - Why Trend Micro
      Learn more
  - Customer Success Stories
    - Customer Success Stories
      Learn more
  - The Human Connection
    - The Human Connection
      Learn more
  - Industry Accolades
    - Industry Accolades
      Learn more
  - Strategic Alliances
    - Strategic Alliances
      Learn more
- Compare Trend Micro
  - Compare Trend Micro
    - Compare Trend Micro
      
      See how Trend outperforms the competition
      Let's go
  - vs. Crowdstrike
    - Trend Micro vs. Crowdstrike
      
      Crowdstrike provides effective cybersecurity through its cloud-native platform, but its pricing may stretch budgets, especially for organisations seeking cost-effective scalability through a true single platform
      Let's go
  - vs. Microsoft
    - Trend Micro vs. Microsoft
      
      Microsoft offers a foundational layer of protection, yet it often requires supplemental solutions to fully address customers' security problems
      Let's go
  - vs. Palo Alto Networks
    - Trend Micro vs. Palo Alto Networks
      
      Palo Alto Networks delivers advanced cybersecurity solutions, but navigating its comprehensive suite can be complex and unlocking all capabilities requires significant investment
      Let's go
- About Us
  - About Us
    - About Us
      Learn more
  - Trust Centre
    - Trust Centre
      Learn more
  - History
    - History
      Learn more
  - Diversity, Equity and Inclusion
    - Diversity, Equity and Inclusion
      Learn more
  - Corporate Social Responsibility
    - Corporate Social Responsibility
      Learn more
  - Leadership
    - Leadership
      Learn more
  - Security Experts
    - Security Experts
      Learn more
  - Internet Safety and Cybersecurity Education
    - Internet Safety and Cybersecurity Education
      Learn more
  - Legal
    - Legal
      Learn more
  - Investors
    - Investors
      Learn more
  - Formula E Racing
    - Formula E Racing
      Learn more
- Connect With Us
  - Connect With Us
    - Connect With Us
      Learn more
  - Newsroom
    - Newsroom
      Learn more
  - Events
    - Events
      Learn more
  - Careers
    - Careers
      Learn more
  - Webinars
    - Webinars
      Learn more

arrow_back

search close

What Are Network Security Basics?

Network Security vs. Endpoint Security
Access Control
Network Segmentation
Perimeter Security
Encryption

Network security basics are the critical elements of network or cyber security. They should be implemented within all networks including home, business, and internet. Effective network security requires protection of wired and wireless networks with firewalls, anti-malware software, intrusion detection systems, access control, and more.

Network security basics

Network security is a complex topic that involves many different technologies with configurations that are sometimes complicated.

The security issue to address is the separation between what is on the network and the endpoints or host systems that are attached to it. The technology for both the network and the endpoints includes access control and encryption, but on the network, there is also segmentation and perimeter security.

Network security vs. endpoint security

Network security is only part of the security equation, and it is usually considered to apply to the devices that protect the network itself. A firewall can be a standalone device that sits beside networking equipment such as routers or switches, or software within the same physical box that also routes and/or switches. On the network there are firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), virtual private network (VPN) appliances, data leak prevention (DLP) systems, etc.

The network exists to connect systems to each other. It is what enables you to browse Amazon or shop online at your local grocery store. But end systems must also be protected; that is called endpoint security. These devices include laptops, tablets, phones, but also the internet of things (IoT) devices.

IoT includes devices such as connected thermostats, cameras, refrigerators, front door locks, light bulbs, pool pumps, smart duvets, etc. These devices require security controls as well, but not all devices are sophisticated enough to contain something like a host-based firewall or anti-malware agent. If the endpoint is a light bulb, then it probably relies on network security for its protection.

Access control

The first place to start is with access control. Businesses commonly referred to this as identity and access management (IAM). Controlling access is not new. Humans have controlled access to buildings since the first lock was installed on a door over six thousand years ago. Access control is now performed on networks, computers, phones, applications, websites, and files.

Fundamentally, access control is broken down into IAAA:

Identification is the assertion of a user's name or identification such as a User ID or email address.
Authentication provides proof that the user is who they claim to be. This is still most commonly done with passwords.
Authorisation is granting permissions to the user, or not. It could be that the user is not authorised and therefore has no permissions, or the user could be granted permissions for read, write, full control, etc.
Accountability is tracking what happened. The log shows that a user attempted access or gained access. The log could also include all the actions the user takes.

Authentication types

Within IAAA, authentication might be the most important topic today. Passwords are still the most common authentication on most systems. They are typically not very secure, however, because they are easy to crack.

If a password is short enough, the hacker has little trouble figuring out what it is. Hackers use a password-guessing attack that entails brute force – trying all possible combinations. Or the attacker could use a password-cracking attack, which entails using a program to recreate passwords that hash to the same value.

There are three authentication types or factors in use today. They are:

Something you know – a string of characters, numbers or a combination of those that are stored in your brain. Today they should be stored in a password manager.
Something you have – a device or a piece of software on a device you need to have to authenticate. This includes devices such as an RSA token or the Google authenticator on a smart phone.
Something you are – an aspect of your person. This is biometrics, either physiological like a fingerprint, or behavioral like a voice print.

The best choice is two-factor authentication (2FA), sometimes referred to as multi-factor authentication (MFA). We highly recommended it for your personal accounts such as Amazon or Facebook.

Applications such as the Google authenticator are free to use and a much better choice than receiving a text or short message service (SMS) message to your phone. The National Institute of Standards and Technology (NIST) recommends against SMS.

We also recommend 2FA for the office, but it is a decision at a policy or management level to require this or not. It depends on many factors such as the asset, its data classification, the risks, and the vulnerabilities.

Network segmentation

Network segmentation improves security by controlling the flow of data between different networks. This is most commonly accomplished with virtual local area networks (VLANs). There are many variations on this theme, such as private virtual LAN (PVLAN), virtual extensible LAN (VXLAN), and so on. A VLAN exists at the data link layer – layer 2 of the open system interconnect (OSI) model. Most network administrators map an internet protocol (IP) subnet to a VLAN.

Routers enable traffic to pass between VLANS according to the configuration. If you want control, router configuration is critical.

Another option found within the cloud is called a virtual private cloud (VPC). Traffic control to and from the VPC is also controlled by configurations.

Understanding the business requirements for the workload is essential to configure and control access to or from VLANs and VPCs.

Perimeter security

Perimeter security is based on the logic that there is a defined edge between an internal/trusted network and an external/untrusted network. This is traditional network design that dates to when the network and data centre were confined within a single building. In this configuration, a router connects the internal and external networks. Basic configuration of an access control list (ACL) within the router controls the traffic that can pass through.

You can add security at the perimeter with firewalls, IDS, and IPS. For more information on these, see the Network Security Measures page.

Encryption

Encryption is essential to keep sensitive data and communications away from prying eyes. Encryption protects files on your computer’s hard drive, a banking session, data stored in the cloud, sensitive emails, and a long list of other applications. Cryptography also provides verification of data integrity and authentication of the data’s source.

Encryption falls into two basic types of cryptography: symmetric and asymmetric.

Symmetric cryptography has a single key that encrypts and decrypts. As a result, it must be shared with someone else to complete the encrypted communication. Common algorithms include the Advanced Encryption Standard (AES), Blowfish, Triple-DES (Data Encryption Standard), and many more.
Asymmetric cryptography has two distinct keys, one public and one private, that work as a matched set. The set of keys belongs to one user or one service: for example, a web server. One key is for encryption and the other is for decryption.
If the public key encrypts the data, it keeps the data confidential. This is because the owner of the private key is the only one who can decrypt it.
If the private key encrypts the data, it proves the authenticity of the source. When the data is successfully decrypted with the public key, it means that only the private key could have encrypted it. The public key is truly public, accessible to anyone.

A third topic is hashing. Even though it is not encryption, it needs to be included at this point in security discussions. Hashing runs an algorithm against a message that calculates a resultant answer, called the hash, that is based on the bits of that message. Bits can be data, voice, or video. Hashing does not change the value of the data in any way. In contrast, encryption alters the data to an unreadable state.

Hashing proves that the bits of the message have not changed. It ensures the data has integrity and that it is in its original format. Only hashing protects data from accidental changes.

If the hash is encrypted with an asymmetric private key, it proves that a hacker has not maliciously tampered with the data. Malicious changes cannot occur unless the private key is compromised.

If the key has not been compromised, then you know that the person who has the private key must be the person who calculated the hash. That key could be a symmetric key, which is sometimes referred to as a private key, or the asymmetric private key.

Wireless security

It is difficult to protect data, voice or video transmitted over a wireless network. Wireless transmissions are intended to emit a signal, and this makes it easier for a hacker within range to capture the transmission. There are encryption standards for wireless, but most have been broken in one way or another.

Encryption standards include WEP, WPA, WPA2, and now WPA3.

Wired equivalent privacy (WEP) uses the RC4 symmetric algorithm to encrypt the wireless transmission. Hackers quickly broke it and there is now a handy hacking tool called WEP crack for that purpose.
Wi-Fi Protected Access (WPA) replaced WEP but still used RC4. Hackers modified WEP crack to break WPA.
WPA2, the second version of WPA, has two options.
- WPA2-personal uses a pre-shared key, sometime called a security key. It is essentially a password that is typed into a wireless device such as a laptop or phone, and into the wireless access point (WAP). Hackers found the first flaw in 2017, called a Key Reinstallation AttaCK (KRACK).
- WPA2-enterprise uses an additional layer of security by authenticating the user at a centralised remote authentication dial-in user service (RADIUS) server. It also uses the extensible authentication protocol (EAP) to pass the authentication information on the local wireless connection. The combination of RADIUS and EAP as a security protocol is called IEEE 802.1x.

Source: https://www.securew2.com/solutions/802-1x/

WPA3 also has two options.
- WPA3-personal gives users a higher level of protection using a 128-bit encryption key. This provides robust password authentication, even when user passwords are too simplistic for safety. WPA3-personal achieves this using simultaneous authentication of equals (SAE) instead of the pre-shared key in WPA2-personal.
- WPA3-enterprise[SM2] [TA(3] [SM4] uses a 192-bit encryption key for greater security. It is an enhancement of WPA2 that applies security protocols consistently throughout an organisation’s network.

Security certifications

Network security is complex. It is an unending battle of wits against the hackers. See the Network Security Measures page for more information.

It is always a great idea to pursue security certifications. Either the CompTIA Security+ certification or the System Security Certified Practitioner ((ISC)^2®SSCP) certification is a great starting point. A more advanced manager-level certification, with a bit of technical knowledge thrown in, is the Certified Information System Security Professional ((ISC)^2®CISSP) certification. You can also take vendor-specific exams such as the cloud-based exams for AWS, GCP, or Azure.