🌐 Network Security

Protecting enterprise networks through firewalls, IDS/IPS, segmentation, DDoS protection, VPNs, and comprehensive monitoring strategies.

Network security encompasses the policies, practices, and technologies designed to protect the integrity, confidentiality, and availability of network infrastructure and data. It covers both perimeter defense (firewalls, DMZ) and internal protection (microsegmentation, NAC, east-west traffic monitoring). Modern network security integrates with SD-WAN, SASE, and zero trust architectures.


Key Concepts

DDoS Protection

Volumetric, protocol, and application-layer DDoS mitigation using scrubbing centers, rate limiting, CDNs, and anycast routing.
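The rate-limiting step mentioned above, as an added example that is not code from the page: a per-source token bucket of the kind an edge or scrubbing layer applies so that a flooding source exhausts its own budget while a well-behaved client is never throttled. The bucket parameters, client addresses and request stream are constructed for the demonstration.

```python
"""Per-client token-bucket rate limiter (added illustration; constructed traffic)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Bucket:
    capacity: float      # burst size in tokens
    refill_rate: float   # tokens added per second
    tokens: float
    last: float          # timestamp of the last refill


class RateLimiter:
    """One independent token bucket per client key (source IP, /24, ASN ...)."""

    def __init__(self, capacity: float, refill_rate: float):
        self.capacity = capacity
        self.refill_rate = refill_rate
        self.buckets: dict[str, Bucket] = {}

    def allow(self, key: str, now: float) -> bool:
        b = self.buckets.get(key)
        if b is None:
            b = Bucket(self.capacity, self.refill_rate, self.capacity, now)
            self.buckets[key] = b
        # Refill in proportion to elapsed time, never above capacity.
        elapsed = max(0.0, now - b.last)
        b.tokens = min(b.capacity, b.tokens + elapsed * b.refill_rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


def run(requests, capacity=5, refill_rate=2.0):
    """Replay (timestamp, client) pairs in time order; return allowed/dropped counts per client."""
    lim = RateLimiter(capacity, refill_rate)
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, client in sorted(requests):
        stats[client]["allowed" if lim.allow(client, ts) else "dropped"] += 1
    return dict(stats)


# Constructed sample: one client at 1 request/s for ten seconds, and one source
# sending 50 requests inside the first second (a simplified volumetric flood).
SAMPLE = [(float(t), "203.0.113.7") for t in range(10)] + \
         [(i * 0.02, "198.51.100.9") for i in range(50)]

if __name__ == "__main__":
    for client, counts in run(SAMPLE).items():
        print(client, counts)
```

With a burst of 5 and a refill of 2 tokens/s the flooding source gets its initial burst plus roughly one refilled token and then nothing, while the 1 req/s client is never dropped; in practice the key would be chosen per layer (source address at the edge, session or API key at the application tier).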

EDR (Endpoint Detection & Response)

Continuous monitoring of endpoints for malicious activity. Capabilities: Process-level telemetry, file integrity monitoring, behavioral detection (fileless malware, living-off-the-land attacks), automated response (isolate host, kill process, quarantine file), and forensic data collection. Leading platforms: CrowdStrike Falcon (cloud-native, lightweight agent), SentinelOne Singularity (autonomous AI-driven), Microsoft Defender for Endpoint (deeply integrated with M365/Entra), Carbon Black (VMware), Cortex XDR (Palo Alto). Key differentiator: EDR goes beyond antivirus by detecting post-exploitation behavior — credential dumping, lateral movement, persistence mechanisms — not just known malware signatures.

Email Security Gateway

Filters inbound/outbound email to block phishing, spam, malware attachments, and BEC attacks. Capabilities: URL rewriting and sandboxing, attachment detonation, DMARC/DKIM/SPF enforcement, impersonation protection, and data loss prevention for outbound email. Tools: Proofpoint Email Protection, Microsoft Defender for Office 365, Mimecast, Cisco Secure Email, Barracuda. Key value: Email remains the #1 attack vector — over 90% of cyberattacks start with a phishing email.
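The DMARC/DKIM/SPF enforcement step, as an added example and not code from the page or from any of the listed vendors: a gateway takes the SPF and DKIM results, checks whether the authenticated domain is aligned with the RFC5322.From domain according to the sender's published DMARC record, and applies the record's policy when neither identifier passes aligned. The record and the authentication results below are constructed; the organizational-domain helper is a simplification and is labelled as such.

```python
"""DMARC evaluation at an email gateway (added example; constructed inputs)."""
from dataclasses import dataclass


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags.
    Alignment modes default to relaxed ('r') when absent, as RFC 7489 specifies."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain.  Simplification (assumption): last two labels.
    A production gateway uses the Public Suffix List so that e.g. 'example.co.uk'
    is treated correctly."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":                        # strict: exact match
        return a == f
    return org_domain(a) == org_domain(f)  # relaxed: same organizational domain


@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From domain shown to the user
    spf_result: str    # "pass", "fail", "none", ...
    spf_domain: str    # RFC5321.MailFrom domain SPF was evaluated against
    dkim_result: str
    dkim_domain: str   # d= tag of the verified DKIM signature


def evaluate_dmarc(res: AuthResults, record: str) -> dict:
    """DMARC passes if SPF or DKIM passes AND that identifier is aligned with the
    From domain; otherwise the record's p= disposition applies."""
    pol = parse_dmarc(record)
    spf_ok = res.spf_result == "pass" and aligned(res.spf_domain, res.from_domain, pol["aspf"])
    dkim_ok = res.dkim_result == "pass" and aligned(res.dkim_domain, res.from_domain, pol["adkim"])
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none",
                "via": [n for n, ok in (("spf", spf_ok), ("dkim", dkim_ok)) if ok]}
    return {"dmarc": "fail", "disposition": pol["p"], "via": []}


# Constructed cases.  SPOOF: SPF passes for the bounce domain of a bulk mailer but
# that domain is not aligned with the displayed From, so DMARC fails.  LEGIT: SPF
# fails (forwarded) but an aligned DKIM signature from a subdomain still passes.
SPOOF = AuthResults("example.com", "pass", "bulk-mailer.net", "none", "")
LEGIT = AuthResults("example.com", "fail", "esp.example.net", "pass", "mail.example.com")
RECORD = "v=DMARC1; p=reject; adkim=r; aspf=s; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    print(evaluate_dmarc(SPOOF, RECORD))
    print(evaluate_dmarc(LEGIT, RECORD))
```

The SPOOF case is the one that matters for BEC and impersonation: SPF "passing" on its own proves nothing about the domain the recipient sees, which is why the gateway must check alignment and not just the raw SPF verdict.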

Endpoint Security Fundamentals

Protecting end-user devices (laptops, desktops, mobile) from threats. Layers: Antivirus/Anti-malware (signature + heuristic detection), Host-based IPS (HIPS — monitors system calls and blocks exploitation), Device Encryption (BitLocker, FileVault — protects data at rest on endpoints), Application Whitelisting (only approved executables can run — blocks zero-days and unauthorized software), and Mobile Device Management (MDM — enforce security policies, remote wipe, app management for BYOD/corporate devices). Tools: Microsoft Intune (MDM), Jamf (macOS), CrowdStrike (EPP+EDR), Carbon Black, Symantec Endpoint Protection.

Firewalls (NGFW)

Next-Gen Firewalls provide application-aware filtering, deep packet inspection, SSL decryption, IPS integration, and threat intelligence-driven blocking.

IDS / IPS

Intrusion Detection Systems monitor traffic for suspicious patterns and raise alerts; Intrusion Prevention Systems sit inline and actively block threats. Both use signature-based (known patterns) and anomaly-based (deviation from a baseline) detection methods.

NAC (Network Access Control)

Enforces security policy compliance before allowing devices onto the network. Checks patches, antivirus, and posture compliance.

NDR (Network Detection & Response)

Network-level threat detection using traffic analysis, metadata inspection, and machine learning. Capabilities: Detect lateral movement, C2 communication, data exfiltration, encrypted traffic analysis (without decryption via JA3/JA4 fingerprinting), DNS anomalies, and protocol abuse. Tools: Darktrace (AI-driven), ExtraHop Reveal(x), Vectra AI, Zeek (open-source network metadata), Suricata (open-source IDS/IPS). Key value: Sees east-west traffic that firewalls miss — critical for detecting attackers who are already inside the network.
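The "encrypted traffic analysis without decryption via JA3" capability, as an added example that is not code from the page or from any listed product: the JA3 string is built from the ClientHello's version, cipher suites, extensions, elliptic curves and point formats (decimal values, `-` inside a field, `,` between fields) and hashed with MD5, after dropping GREASE values that would otherwise change the fingerprint on every connection. The ClientHello field values and the lookup table are constructed.

```python
"""JA3 TLS client fingerprinting as used by NDR (added example; constructed hellos)."""
import hashlib

# GREASE values (RFC 8701) are randomized per connection and must be removed,
# otherwise the same client produces a different fingerprint every time.
GREASE = {0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
          0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA}


def _field(values) -> str:
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_string(version, ciphers, extensions, curves, point_formats) -> str:
    """SSLVersion,Cipher,SSLExtension,EllipticCurve,EllipticCurvePointFormat."""
    return ",".join([str(version), _field(ciphers), _field(extensions),
                     _field(curves), _field(point_formats)])


def ja3_hash(version, ciphers, extensions, curves, point_formats) -> str:
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode()).hexdigest()


def classify(hello: dict, known: dict) -> str:
    """Look the fingerprint up in a table of labelled hashes; unknown otherwise."""
    return known.get(ja3_hash(**hello), "unknown")


# Constructed ClientHello values.  The two "browser" hellos differ only in their
# GREASE entries; the "tool" hello has a much smaller, fixed cipher/extension set.
BROWSER_HELLO_1 = dict(version=771, ciphers=[0x2A2A, 4865, 4866, 4867, 49195],
                       extensions=[0x2A2A, 0, 23, 65281, 10, 11],
                       curves=[0x2A2A, 29, 23, 24], point_formats=[0])
BROWSER_HELLO_2 = dict(version=771, ciphers=[0x7A7A, 4865, 4866, 4867, 49195],
                       extensions=[0x7A7A, 0, 23, 65281, 10, 11],
                       curves=[0x7A7A, 29, 23, 24], point_formats=[0])
TOOL_HELLO = dict(version=771, ciphers=[49195, 49199], extensions=[0, 10, 11],
                  curves=[23], point_formats=[0])

if __name__ == "__main__":
    # Constructed label table; in practice this is threat-intel or a local baseline.
    known = {ja3_hash(**TOOL_HELLO): "constructed-suspicious-client"}
    for name, hello in (("browser-1", BROWSER_HELLO_1), ("browser-2", BROWSER_HELLO_2),
                        ("tool", TOOL_HELLO)):
        print(name, ja3_string(**hello), ja3_hash(**hello), classify(hello, known))
```

A fingerprint match is a signal, not proof: many clients share libraries and therefore hashes, and modern stacks randomize extension order, which is part of why JA4 (also named above) was introduced. Treat a hit as a reason to pivot to the flow's destination, volume and timing rather than as a verdict on its own.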

Network Segmentation

Dividing the network into zones (VLANs, subnets, microsegments) to limit lateral movement and contain breaches. Critical for compliance and zero trust.

VPN & ZTNA

Secure remote access via IPsec/SSL VPNs transitioning to Zero Trust Network Access (ZTNA) solutions for identity-based access.

Web Security Gateway (SWG)

Inspects and filters web traffic to enforce acceptable use policies and block malicious content. Capabilities: URL filtering and categorization, SSL/TLS inspection for encrypted traffic, malware scanning of downloads, cloud app discovery and shadow IT detection, and bandwidth control. Tools: Zscaler Internet Access, Cisco Umbrella, Netskope, Palo Alto Prisma Access, Forcepoint. Key value: As users access cloud/SaaS apps directly, SWG provides consistent security without backhauling traffic through corporate data centers.

XDR (Extended Detection & Response)

Extends EDR across multiple security layers for correlated detection. Data sources: Endpoints + network + email + cloud + identity = unified threat view. Key advantage: Correlates signals across the entire attack surface — a suspicious email attachment → endpoint process spawn → unusual network connection → cloud API call — into a single incident instead of 4 separate alerts. Reduces alert fatigue by 90%+. Platforms: Microsoft Defender XDR (formerly M365 Defender), Palo Alto Cortex XDR, CrowdStrike Falcon XDR, Trend Micro Vision One. vs SIEM: XDR provides pre-built detection and response across its ecosystem; SIEM is more flexible for custom data sources.
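The correlation described above (email attachment, endpoint process spawn, network connection, cloud API call collapsed into one incident), as an added example and not code from the page or from any listed platform: alerts from different sources are linked when they share an entity (same user or same host) within a time window, and linked alerts are merged transitively with a union-find so a host-only alert joins via the endpoint alert that carries both host and user. The alerts are constructed.

```python
"""Cross-source alert correlation as an XDR does it (added example; constructed alerts)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Alert:
    id: str
    source: str                 # email / endpoint / network / cloud / identity
    ts: datetime
    title: str
    entities: dict = field(default_factory=dict)   # e.g. {"user": "jdoe", "host": "WS-0142"}


def correlate(alerts: list[Alert], window: timedelta) -> list[list[Alert]]:
    """Group alerts whose entities overlap, directly or transitively, within `window`."""
    alerts = sorted(alerts, key=lambda a: a.ts)
    parent = list(range(len(alerts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    for i, a in enumerate(alerts):
        for j in range(i + 1, len(alerts)):
            b = alerts[j]
            if b.ts - a.ts > window:
                break                        # sorted: no later alert is in the window
            if set(a.entities.items()) & set(b.entities.items()):
                parent[find(i)] = find(j)    # union on a shared (key, value) entity
    groups: dict[int, list[Alert]] = {}
    for i, a in enumerate(alerts):
        groups.setdefault(find(i), []).append(a)
    return list(groups.values())


def summarize(incident: list[Alert]) -> dict:
    """One incident record: alert ids in time order, sources, entities, duration."""
    return {"alerts": [a.id for a in incident],
            "sources": sorted({a.source for a in incident}),
            "entities": sorted({f"{k}={v}" for a in incident for k, v in a.entities.items()}),
            "span_minutes": (incident[-1].ts - incident[0].ts).total_seconds() / 60}


T0 = datetime(2025, 6, 1, 9, 0)
SAMPLE = [  # constructed: the attachment -> process -> connection -> cloud-API chain, plus one unrelated alert
    Alert("A1", "email", T0, "Suspicious attachment delivered", {"user": "jdoe"}),
    Alert("A2", "endpoint", T0 + timedelta(minutes=4), "Office spawned PowerShell",
          {"user": "jdoe", "host": "WS-0142"}),
    Alert("A3", "network", T0 + timedelta(minutes=6), "Unusual outbound connection", {"host": "WS-0142"}),
    Alert("A4", "cloud", T0 + timedelta(minutes=15), "Anomalous API call", {"user": "jdoe"}),
    Alert("A5", "endpoint", T0 + timedelta(hours=5), "Unsigned driver load", {"host": "SRV-07"}),
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE, timedelta(minutes=30)):
        print(summarize(inc))
```

The pairwise loop is quadratic, which is fine for a demonstration; a production pipeline indexes alerts by entity value so each new alert only compares against the recent alerts for its own user and host. The window length is the main tuning knob: too short and a slow-moving intrusion splits into several incidents, too long and unrelated activity on a busy host merges into one.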

Network Defense Architecture

🌍 Internet / External Threats
↓
🛡️ DDoS Protection / CDN / WAF
↓
🔥 NGFW / IPS / SSL Decryption
↓
🏗️ DMZ (Web / App / Proxy Servers)
↓
🔒 Internal Zones (Microsegmented VLANs)
↓
📊 SIEM / NDR / Flow Monitoring

Defense-in-Depth Network Architecture

Multiple layers of security controls from perimeter to core

Common Risks & Threats

Threat | Severity | Description
Man-in-the-Middle (MitM) | Critical | Intercepting communications between two parties to steal data or inject malicious content
DDoS Attacks | Critical | Overwhelming network resources to cause service disruption and outages
Lateral Movement | High | Attackers moving between systems within a flat network after initial compromise
DNS Attacks | High | DNS spoofing, tunneling, and hijacking to redirect or exfiltrate data
Rogue Devices | Medium | Unauthorized devices connecting to the network bypassing security controls

🏗️ 8 Cybersecurity Layers

A defense-in-depth framework that organizes security controls into 8 interdependent layers — from perimeter defenses to human-layer awareness. Each layer provides unique protection, and together they create a resilient security posture.

1️⃣ Perimeter Security

Next-Gen Firewalls • VPNs • WAF • NAC • Web Security Gateways • Email Security Gateways • DDoS Protection • IDS/IPS • NDR

2️⃣ Endpoint Security

Antivirus • Vulnerability & Patch Mgmt • EDR • HIPS • Device Encryption • Application Whitelisting • MDM • XDR

3️⃣ Application Security

Secure Coding • SAST • DAST • IAST • RASP • API Security • Penetration Testing

4️⃣ Identity Management

IAM • MFA • SSO • RBAC • PAM

5️⃣ Data Security

Data Classification • DLP • Secure Backups • DB Activity Monitoring • DB Encryption • DB Vulnerability Mgmt

6️⃣ Threat Intelligence

Threat Intelligence Platform (TIP) • Threat Hunting • Dark Web Monitoring

7️⃣ Incident Response & Recovery

IRP • Ransomware Readiness (RRP) • DRP • SOAR • Forensics & Investigation • Backup & Restore • NDR

8️⃣ Security Awareness & Training

Phishing Simulations • Employee Cyber Training • Regular Security Drills

Interview Preparation

💡 Interview Question

What is the difference between IDS and IPS?

IDS (Intrusion Detection System) passively monitors network traffic and generates alerts for suspicious activity — it's a detective control placed out-of-band. IPS (Intrusion Prevention System) is placed inline and can actively block malicious traffic — it's a preventive control. IDS is lower risk (won't block legitimate traffic) but requires manual response. IPS provides real-time protection but can cause false-positive disruptions. Best practice is to use IPS inline with careful tuning.
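The distinction in this answer, and the signature/anomaly detection methods from the IDS / IPS concept above, as one added example that is not code from the page: the same inspection logic run in detect-only mode (everything forwarded, alerts raised) and in inline mode (matching traffic dropped). The constructed sample includes an internal vulnerability scanner that trips the anomaly rule, which shows the false-positive disruption an untuned IPS causes and how an allowlist entry fixes it. Signature patterns, addresses and payloads are constructed.

```python
"""Signature + anomaly inspection in IDS and IPS modes (added example; constructed traffic)."""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: str


# Signature rules: known-bad content.  Illustrative patterns only.
SIGNATURES = [
    ("SIG-1001 directory traversal in HTTP request", re.compile(r"\.\./\.\./")),
    ("SIG-1002 SQL tautology in query string", re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.I)),
]
# Anomaly rule: a source touching more than N distinct destination ports in the
# sample deviates from the baseline of a normal client (no signature involved).
PORT_SCAN_THRESHOLD = 5


def inspect(packets, mode="ids", tuned_allow=frozenset()):
    """Return (forwarded_packets, alerts).  'ids': forward everything, alert only.
    'ips': drop packets that match a rule unless the source is allowlisted by tuning."""
    assert mode in ("ids", "ips")
    ports_by_src: dict[str, set] = {}
    for p in packets:
        ports_by_src.setdefault(p.src, set()).add(p.dport)
    scanners = {s for s, ports in ports_by_src.items() if len(ports) > PORT_SCAN_THRESHOLD}

    forwarded, alerts = [], []
    for p in packets:
        hits = [name for name, rx in SIGNATURES if rx.search(p.payload)]
        if p.src in scanners:
            hits.append("ANOM-2001 possible port scan from %s" % p.src)
        if hits and p.src not in tuned_allow:
            alerts.extend((p.src, h) for h in hits)
            if mode == "ips":
                continue             # inline: the packet is dropped
        forwarded.append(p)
    return forwarded, alerts


SAMPLE = [  # constructed traffic: two signature hits, one clean request, one internal scanner
    Packet("198.51.100.5", "10.0.0.8", 80, "GET /../../etc/passwd HTTP/1.1"),
    Packet("198.51.100.5", "10.0.0.8", 80, "GET /login?u=a' OR '1'='1 HTTP/1.1"),
    Packet("203.0.113.9", "10.0.0.8", 443, "GET /index.html HTTP/1.1"),
] + [Packet("10.0.0.50", "10.0.0.8", port, "probe") for port in (22, 80, 443, 445, 3389, 5985, 8080)]

if __name__ == "__main__":
    for mode, allow in (("ids", frozenset()), ("ips", frozenset()), ("ips", frozenset({"10.0.0.50"}))):
        fwd, alerts = inspect(SAMPLE, mode, allow)
        print(mode, "allow=%s" % sorted(allow), "forwarded=%d" % len(fwd), "alerts=%d" % len(alerts))
```

In IDS mode the scanner's probes generate alerts an analyst has to triage but nothing breaks; in untuned IPS mode the authorized scanner is silently cut off along with the real attacks, which is exactly the operational risk the answer refers to. The usual deployment path is to run new rules in alert-only mode first, review the hits, add the allowlist or threshold tuning, and only then switch them to drop.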

💡 Interview Question

Explain network segmentation and microsegmentation.

Network segmentation divides a network into separate zones using VLANs, subnets, and firewalls to limit blast radius and lateral movement. Microsegmentation takes this further — applying security policies at the individual workload or application level, often using software-defined networking (SDN). Example: in a segmented network, the database VLAN is separate from the web VLAN. With microsegmentation, each database server has its own policy controlling which specific applications can connect.
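The example in this answer, and the Network Segmentation concept above, as one added code example that is not from the page: a zone-to-zone policy keyed on subnets next to a workload-level policy keyed on tags, both evaluated against the same flows. It shows where the coarse policy still permits lateral movement (any app-tier host to any database, any peer inside a zone) and where the per-workload policy closes it. Subnets, hosts, tags and ports are constructed.

```python
"""Zone segmentation versus microsegmentation policy (added example; constructed network)."""
import ipaddress
from dataclasses import dataclass

# Coarse segmentation: a zone is a subnet/VLAN and the policy is zone-to-zone.
ZONES = {
    "web": ipaddress.ip_network("10.10.0.0/24"),
    "app": ipaddress.ip_network("10.20.0.0/24"),
    "db":  ipaddress.ip_network("10.30.0.0/24"),
}
ZONE_POLICY = {  # (src_zone, dst_zone) -> allowed destination ports
    ("web", "app"): {8443},
    ("app", "db"):  {5432},
}

# Microsegmentation: the workload's identity (tags), not its address, decides.
WORKLOAD_TAGS = {
    "10.20.0.11": {"app": "orders", "role": "api"},
    "10.20.0.12": {"app": "reporting", "role": "batch"},
    "10.30.0.21": {"app": "orders", "role": "db"},
    "10.30.0.22": {"app": "hr", "role": "db"},
}
MICRO_POLICY = [  # (source selector, destination selector, allowed ports); default deny
    ({"app": "orders", "role": "api"}, {"app": "orders", "role": "db"}, {5432}),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def zone_allows(f: Flow) -> bool:
    sz, dz = zone_of(f.src), zone_of(f.dst)
    if sz is None or dz is None:
        return False
    if sz == dz:
        return True                        # intra-zone traffic is not filtered at all
    return f.dport in ZONE_POLICY.get((sz, dz), set())


def _matches(tags: dict, selector: dict) -> bool:
    return all(tags.get(k) == v for k, v in selector.items())


def micro_allows(f: Flow) -> bool:
    s, d = WORKLOAD_TAGS.get(f.src, {}), WORKLOAD_TAGS.get(f.dst, {})
    return any(_matches(s, ss) and _matches(d, ds) and f.dport in ports
               for ss, ds, ports in MICRO_POLICY)


FLOWS = [  # constructed
    Flow("10.20.0.11", "10.30.0.21", 5432),   # orders API -> orders DB (legitimate)
    Flow("10.20.0.12", "10.30.0.22", 5432),   # reporting batch -> HR DB (lateral, same zones)
    Flow("10.20.0.11", "10.20.0.12", 22),     # peer SSH inside the app zone
    Flow("10.10.0.5",  "10.30.0.21", 5432),   # web tier straight to the DB
]


def compare(flows):
    """Return (flow, zone_policy_allows, micro_policy_allows) for each flow."""
    return [(f, zone_allows(f), micro_allows(f)) for f in flows]


if __name__ == "__main__":
    for f, z, m in compare(FLOWS):
        print(f, "zone:", z, "micro:", m)
```

Only the first flow survives both policies. The second and third are allowed by the zone policy because zone membership is the only thing it can see, which is precisely the lateral-movement gap the answer describes; the microsegmentation policy denies them because the workload pairs are not in the allowlist. The fourth is blocked either way, so the two models agree at zone boundaries and differ inside them.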

💡 Interview Question

Explain the 8 layers of cybersecurity and why defense-in-depth matters.

The 8 cybersecurity layers represent a defense-in-depth strategy:

1. PERIMETER SECURITY — First line of defense: NGFWs, IDS/IPS, DDoS protection, email and web security gateways, VPNs, NAC to control network entry points.

2. ENDPOINT SECURITY — Protecting devices: antivirus, EDR/XDR, HIPS, device encryption, application whitelisting, MDM for mobile.

3. APPLICATION SECURITY — Securing code: SAST, DAST, IAST, API security, secure SDLC, penetration testing.

4. IDENTITY MANAGEMENT — Controlling access: IAM, MFA, SSO, RBAC, PAM for privileged users.

5. DATA SECURITY — Protecting information: classification, DLP, encryption, secure backups, database monitoring.

6. THREAT INTELLIGENCE — Staying ahead: TI platforms, threat hunting, dark web monitoring for credential leaks.

7. INCIDENT RESPONSE & RECOVERY — When breaches occur: IR plans, SOAR automation, forensics, disaster recovery, ransomware readiness.

8. SECURITY AWARENESS — The human layer: phishing simulations, cyber training, regular security drills.

WHY DEFENSE-IN-DEPTH MATTERS: No single layer is foolproof. If a phishing email bypasses the email gateway (Layer 1), endpoint EDR should catch the payload (Layer 2). If EDR is evaded, identity controls limit lateral movement (Layer 4). Each layer compensates for gaps in others. This is why flat-network, single-control architectures fail — and why CISOs must invest across all 8 layers proportionally based on risk assessment.

Framework Mapping

Framework | Relevant Controls
NIST | SP 800-53 SC-7 (Boundary Protection), AC-4 (Info Flow), SI-4 (System Monitoring)
MITRE | T1040 (Network Sniffing), T1046 (Network Service Scan), T1498 (Network DoS)
ISO | A.13.1 (Network Security Mgmt), A.13.2 (Info Transfer), A.9.1 (Access Control Policy)

Related Domains

🏰

Zero Trust

Beyond perimeter security

☁️

Cloud Security

Cloud network controls

📊

SOC Operations

Network monitoring & response

© 2026 AIMIT — Cybersecurity Solutions Platform. A GenAgeAI Product.