What Is Network Security? Types, Controls, and Tools
Network security is the set of controls, policies, and monitoring that protect the confidentiality, integrity, and availability of data as it moves across a network and the systems connected to it.
In 2013, attackers stole network credentials from Fazio Mechanical, a refrigeration and HVAC contractor with remote access to Target's network. They logged in with those credentials, then moved across a network that did not separate the vendor portal from the systems that processed payments. They reached the point-of-sale terminals, installed card-scraping malware, and exfiltrated roughly 40 million credit and debit card records, along with personal data on about 70 million more people. No zero-day was used. The intrusion worked because once an attacker was on the network, almost nothing stopped them from moving to any other part of it.
That is the problem network security exists to solve. A breach is rarely a single event at the front door. It is a foothold, then movement, then reach. The network is the terrain all of that happens on, and network security is the discipline of controlling who can traverse it, watching what moves across it, and shrinking how far any single compromise can spread.
This guide covers what network security is, how defense in depth works, the core controls and the tools that implement them, why network segmentation and Zero Trust matter, the threats network security defends against, where the monitoring actually lives in a SOC, the best practices that move risk, and how to build the skill. It is written for blue teamers: SOC analysts, network defenders, and students prepping for detection-and-response work.
What is network security?
Network security is the set of controls, policies, and monitoring that protect the confidentiality, integrity, and availability of data as it moves across a network and the systems connected to it. It covers two jobs at once: stopping unauthorized access to the network, and detecting the activity that gets through anyway.
The goal is not a wall. The goal is control and visibility. A defender wants to decide which connections are allowed, contain a breach to the smallest possible area when one happens, and see enough of what crosses the wire to catch an intruder who is already inside. Those three aims, control, containment, and visibility, run through every network security control that follows.
Two facts shape the whole discipline.
A breach is a process, not a moment. An attacker who phishes one laptop has not won. They have a foothold. To reach anything valuable they have to move, escalate, and communicate out. Each of those steps crosses the network, which is exactly where a defender gets the chance to see and stop them. Mandiant's M-Trends 2026 report puts the global median dwell time, the gap between intrusion and detection, at 14 days. That window is where lateral movement and command-and-control traffic live, and the network is where you catch them.
The perimeter is no longer a clean line. Remote workers, cloud workloads, and software-as-a-service mean the "inside" of the network is not a building anymore. Network security adapts by trusting location less and verifying every connection more, which is the idea behind Zero Trust later in this guide.
How network security works: defense in depth
No single control stops every attack, so network security stacks them. The principle is defense in depth: layered controls so that getting past one still leaves an attacker facing the next. A firewall blocks unwanted connections at the edge. Segmentation limits where a connection can go once inside. Monitoring catches what the first two miss. An intrusion has to beat all of them, in sequence, without tripping an alert.
The layers fall into three rough jobs:
- Control the boundary. Decide what traffic is allowed in and out, and who and what is allowed onto the network in the first place.
- Control the interior. Divide the network so a compromise in one zone cannot reach every other zone, and so traffic between zones is restricted to what is actually needed.
- Watch everything. Inspect traffic for known attacks and for anomalies, and feed that telemetry to the people and systems that investigate it.
The rest of this guide is mostly those three jobs in detail.
The core network security controls and tools
The network security market is full of acronyms, but the controls map onto clear questions. Each one answers a different part of "who can connect, where can they go, and what is actually happening."
| Control | What it does | Question it answers |
|---|---|---|
| Firewall / NGFW | Filters traffic at a boundary by rule; a next-generation firewall adds application awareness, intrusion prevention, and TLS inspection | Should this connection be allowed at all? |
| IDS / IPS | Inspects traffic for known-malicious patterns; an IDS alerts, an IPS blocks inline | Is there a known attack in this traffic? |
| Network segmentation | Splits the network into zones so a breach in one cannot reach the rest | If one zone falls, what can it touch? |
| NAC (Network Access Control) | Decides which devices and users get onto the network, and into which segment | Should this device be on the network? |
| VPN / ZTNA | Encrypts remote access; ZTNA grants per-application access instead of full network access | How do remote users connect without exposing everything? |
| Secure web / email gateway | Filters malicious URLs, attachments, and phishing at the entry point | Is this inbound content safe? |
| NDR / network monitoring | Watches internal east-west traffic for anomalies and command-and-control | What is actually moving on the wire? |
| DLP (Data Loss Prevention) | Detects and blocks sensitive data leaving the network | Is data walking out the door? |
A few of these deserve more than a row.
Firewalls and NGFWs. The firewall is the oldest network control: it permits or denies traffic against a rule set. A traditional firewall reasons about ports and addresses. A next-generation firewall adds awareness of the actual application, an intrusion prevention engine, and the ability to inspect encrypted traffic, so it can tell that traffic on port 443 is a file transfer to an unknown host rather than ordinary web browsing.
IDS and IPS. An intrusion detection system inspects traffic and raises an alert when it matches a known-bad signature or an anomaly. An intrusion prevention system sits inline and drops the traffic instead of just flagging it. Open-source engines like Suricata, Snort, and Zeek are the backbone of network detection in many SOCs, and the alerts they generate are a primary feed into monitoring.
NAC. Network access control answers a question the firewall does not: should this device be allowed to connect in the first place? NAC checks identity and posture at connection time, blocks unmanaged or non-compliant devices, and places each device into the segment it belongs in. It is how an organization stops a random laptop in a conference-room jack from landing in the same zone as the servers.
VPN and ZTNA. A VPN encrypts a remote user's connection back to the corporate network, historically by dropping them onto the internal LAN. That last part is the weakness: a VPN often grants broad network access once connected. Zero Trust Network Access (ZTNA) replaces that model by granting access to specific applications rather than the whole network, so a compromised remote account reaches one app instead of everything.
Network segmentation: ending the flat network

The Target breach is the textbook lesson because it failed on one control: segmentation. A flat network, one where every device can reach every other device, means a single foothold has the run of the place. Segmentation breaks the network into zones with controlled paths between them, so a compromise in the guest Wi-Fi or a vendor portal cannot reach the payment systems or the domain controllers.
Segmentation is implemented with VLANs, subnets, and firewall rules between zones, separating, for example, user workstations from servers, production from development, and IT from operational technology. The payoff is blast-radius reduction. When an attacker lands, the question stops being "what is on the network" and becomes "what is in this one segment," which is a far smaller and more defensible problem.
Microsegmentation pushes the idea to its limit: instead of a handful of broad zones, it enforces policy down to the individual workload, so even two servers in the same tier cannot talk unless a rule explicitly allows it. This is the network control that most directly attacks lateral movement, because it removes the open paths an intruder relies on to spread.
Zero Trust and the dissolving perimeter
The old network security model trusted location: inside the perimeter was safe, outside was hostile. Remote work and cloud killed that assumption. There is no single inside anymore, so trusting the network position of a request is a liability.
Zero Trust is the model that replaces it. Its principle is "never trust, always verify": no request is trusted because of where it comes from, and every request is authenticated, authorized, and validated on its own merits. The authoritative reference is NIST Special Publication 800-207, Zero Trust Architecture, published in 2020, which describes the shift from defenses built on network segments to defenses built around individual resources and identities.
In network terms, Zero Trust means several concrete things: strong identity verification on every connection, least-privilege access scoped to the specific resource, microsegmentation so trust does not extend across a zone, ZTNA in place of broad VPN access, and continuous monitoring rather than a one-time check at the door. Zero Trust is not a product you buy. It is the design principle that the loss of a clean perimeter forces on a modern network.
The threats network security defends against
Network security is aimed at a specific set of attacker behaviors, most of which leave a trace on the wire.
Unauthorized access and intrusion. An attacker getting onto the network through stolen credentials, an exposed service, or an unmanaged device. This is the entry that everything else builds on.
Lateral movement. Spreading from the initial foothold to higher-value systems, using stolen credentials, remote-management protocols, or exploits. This is the step segmentation and east-west monitoring are built to stop, and it is where most dwell time is spent.
Command and control (C2). A compromised host beaconing out to an attacker's server to receive instructions and stage the next phase. C2 traffic crosses the network boundary, often disguised as ordinary web or DNS traffic, which makes outbound monitoring as important as inbound.
Data exfiltration. Sensitive data leaving the network, the final goal of many intrusions. DLP and egress monitoring exist to catch it.
Denial of service. Flooding a network or service with traffic to take it offline, an attack on availability rather than confidentiality.
Eavesdropping and man-in-the-middle. Intercepting or altering traffic in transit on an unencrypted or compromised path, which is why encryption in transit is a baseline control.
Malware delivery. Malware, including ransomware, arriving over the network through phishing links, malicious downloads, or exposed services. Secure gateways and IDS/IPS target this at the entry point.
The through-line: almost every one of these behaviors generates network traffic a defender can see, if the monitoring is in place to see it.
Network security monitoring: where the SOC actually works
Controls block. Monitoring catches what the controls miss, and on a real network something always gets through. Network security monitoring (NSM) is the practice of collecting and analyzing network traffic to detect and investigate intrusions, and it is where a lot of day-to-day blue team work happens.
The data comes in a few forms. Full packet capture records the actual contents of traffic for deep investigation. Flow data (NetFlow and similar) records who talked to whom, when, and how much, without the payload, which scales far better for spotting anomalies. IDS alerts from Suricata or Snort flag known-bad patterns. Zeek turns raw traffic into rich connection logs that an analyst can hunt through. Network Detection and Response (NDR) tools layer behavioral analytics on top to surface the unusual.
That telemetry rarely lives alone. It is shipped to a SIEM, where network events are correlated with endpoint and identity data so an analyst can see a full attack chain instead of a single isolated alert. When an alert turns into a confirmed intrusion, it moves into incident response, and the same network evidence, the pcaps, the flows, the connection logs, becomes the record investigators reconstruct the attack from. Proactive threat hunting works the same data from the other direction, looking for the intrusion before an alert ever fires.
This is the part of network security that vendor glossaries tend to skip, and it is the part that defines blue team careers. The firewall and the segmentation plan are configuration. Reading a packet capture and recognizing C2 beaconing in a sea of normal traffic is a skill.
Network security best practices
These are the network security controls that actually reduce risk, ordered by how much they move it.
1. Segment the network. Separate users, servers, and sensitive systems into zones with controlled paths between them. This single step is what turns a full compromise into a contained one, and it is the control Target lacked.
2. Default-deny at the boundary and between zones. Allow only the traffic that is explicitly needed, inbound and east-west, and deny the rest. An open default is an attacker's open road.
3. Monitor east-west, not just the perimeter. Most intrusions are caught by what happens after the entry, not at it. Capture and inspect internal traffic, not only the connections crossing the edge.
4. Encrypt data in transit. Use TLS and VPNs so that traffic intercepted on the wire is useless. Encryption is the control that limits the damage of eavesdropping and man-in-the-middle attacks.
5. Control what connects. Use NAC to keep unmanaged and non-compliant devices off the network and to place every device in its correct segment.
6. Patch and inventory network devices. Firewalls, routers, switches, and VPN gateways are themselves targets. An unpatched VPN appliance is a common entry point. You cannot defend or patch what you have not inventoried.
7. Centralize logs and correlate. Send firewall, IDS, and flow data to a SIEM so events from across the network can be correlated and investigated together.
8. Adopt Zero Trust. Move from location-based trust to per-request verification and least privilege, especially for remote and cloud access.
Getting started with network security
If you are building network security skills, the path is hands-on and the work is in the traffic.
- Learn TCP/IP cold. You cannot analyze what you do not understand. Know how the protocols work, what a normal handshake looks like, and how DNS, HTTP, and TLS behave on the wire.
- Read packet captures. Open real traffic in Wireshark and learn to tell normal from suspicious. Spotting C2 beaconing or a data transfer to an odd host starts with knowing what ordinary traffic looks like.
- Run an IDS and Zeek. Stand up Suricata or Snort and Zeek against captured traffic, and work through the alerts and connection logs they produce.
- Build a small lab. Segment a home network, generate traffic, capture it, and watch how an attack looks from the network side.
- Trace a real intrusion. Follow an attack from initial access through lateral movement to exfiltration using network evidence. Seeing the whole chain teaches what each control is defending against.
The bottom line
Network security is the discipline of controlling and watching the terrain an attacker has to cross. A breach is a process, foothold, movement, reach, and every step of it touches the network, which is exactly where a prepared defender gets to see and stop it. The controls, firewalls, segmentation, access control, encryption, and monitoring, exist to decide what is allowed, contain what gets through, and surface what is moving.
Zero Trust is the direction the discipline is heading as the perimeter dissolves, but the constraint, as always, is the analyst who can read traffic and tell an intruder from ordinary noise. If you want to build that, work real intrusions from network evidence.
Frequently asked questions
Network segmentation divides a network into separate zones with controlled paths between them, so a compromise in one zone cannot reach the rest. It matters because it limits the blast radius of a breach. A flat network lets one foothold reach everything, as the 2013 Target breach showed, while a segmented network confines an attacker to the zone they landed in.
No. A firewall controls traffic at a boundary, but it does not stop an attacker who is already inside, does not catch threats hidden in encrypted or allowed traffic, and does not monitor movement between internal systems. Effective network security layers a firewall with segmentation, access control, encryption, and monitoring so that no single failure exposes the whole network.
Start by learning TCP/IP and how common protocols behave on the wire, then practice reading packet captures in Wireshark until you can tell normal traffic from suspicious. Learn an IDS such as Suricata and a tool like Zeek, then trace real intrusions through network evidence in hands-on labs to build the detection and analysis skills employers test for.
Network security is the practice of protecting a network and the data that moves across it from unauthorized access and attacks. It combines controls that decide which traffic and devices are allowed, such as firewalls and access control, with monitoring that detects intrusions that get through. The aim is to control connections, contain any breach to a small area, and see what is happening on the network.
The core types are perimeter controls (firewalls and next-generation firewalls), intrusion detection and prevention (IDS/IPS), network access control (NAC), network segmentation and microsegmentation, secure remote access (VPN and ZTNA), secure web and email gateways, data loss prevention (DLP), and network monitoring or NDR. Most networks layer several of these together as defense in depth.
Cybersecurity is the whole discipline of protecting systems, data, and people from digital threats. Network security is one domain within it, focused specifically on the network: the traffic moving across it and the systems connected to it. Endpoint security, cloud security, and application security are sibling domains that cover other layers.