Network security protects the communication channels between systems. As organizations move to the cloud and adopt zero-trust architectures, traditional perimeter-based network security is giving way to more granular, identity-aware approaches. This article covers the foundational concepts every developer and security practitioner needs.


Firewalls


Firewalls filter network traffic based on pre-defined rules. They are the first line of defense in network security.


Packet Filtering Firewalls


Packet filtering firewalls inspect individual packets against rule sets. They examine source and destination IP addresses, ports, and protocols. They operate at layers 3 and 4 of the OSI model.



Rule table example:

Source IP     Dest IP      Port  Protocol  Action

10.0.1.0/24  10.0.2.0/24  443   TCP       Allow

0.0.0.0/0    10.0.1.5     22    TCP       Deny

Stateful Firewalls


Stateful firewalls maintain a connection table. They track the state of active connections and make decisions based on the connection state, not just individual packets. This allows them to permit return traffic for legitimate outbound connections while blocking unsolicited inbound traffic.


Next-Generation Firewalls (NGFW)


NGFWs combine traditional firewall capabilities with application-layer inspection, intrusion prevention, and threat intelligence. They can identify applications regardless of port or protocol and enforce policies based on user identity.



# iptables stateful rule example

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

iptables -A INPUT -j DROP

Virtual Private Networks (VPNs)


VPNs create encrypted tunnels between endpoints over untrusted networks. They extend a private network across a public network, allowing remote users and branch offices to access internal resources.


Site-to-Site VPN


Connects entire networks to each other, such as an office to a cloud VPC. AWS VPN, Azure VPN Gateway, and GCP Cloud VPN all implement IPsec tunnels.



# AWS CLI: create a VPN connection

aws ec2 create-vpn-connection \

  --customer-gateway-id cgw-123 \

  --vpn-gateway-id vgw-456 \

  --type ipsec.1

Remote Access VPN


Connects individual users to the corporate network. VPN clients include OpenVPN, WireGuard, and proprietary solutions like Palo Alto GlobalProtect.


VPN Limitations


VPNs are not a panacea. They grant broad network access, often violating least-privilege principles. If a VPN credential is compromised, the attacker gains full network access. Modern architectures increasingly replace VPNs with zero-trust network access (ZTNA) solutions.


Intrusion Detection and Prevention Systems (IDS/IPS)


IDS monitors network traffic for suspicious activity and generates alerts. IPS sits inline and actively blocks detected threats.


Detection Methods


  • **Signature-based**: Matches traffic against known attack patterns. Effective for known threats but misses zero-day attacks.
  • **Anomaly-based**: Establishes a baseline of normal traffic and alerts on deviations. Catches novel attacks but produces more false positives.
  • **Behavioral**: Analyzes traffic patterns over time. Detects slow, low-and-slow attacks that evade other methods.

    • Popular Tools


  • **Snort**: Open-source NIDS with a large rule set. Widely deployed for packet logging and real-time traffic analysis.
  • **Suricata**: High-performance IDS/IPS with GPU acceleration. Supports multi-threading and modern protocols like HTTP/2.
  • **Zeek (formerly Bro)**: Network analysis framework that produces detailed logs about connections, protocols, and files.

    • 
# Suricata configuration snippet

vars:

  address-groups:

    HOME_NET: "[10.0.0.0/8,172.16.0.0/12]"

    EXTERNAL_NET: "!$HOME_NET"



rule-files:

  - emerging-threats.rules

  - malware-cnc.rules



af-packet:

  - interface: eth0

    cluster-id: 99

    cluster-type: cluster_flow

    Zero-Trust Networking


    Zero trust assumes no implicit trust based on network location. Every access request must be authenticated, authorized, and encrypted.


    Core Principles


  • **Never trust, always verify**: Every request, whether from inside or outside the network, must be validated.

    • 2. **Assume breach**: Design the network as if attackers already have a foothold. Limit lateral movement.

    3. **Least privilege**: Grant the minimum access necessary for each user or service.


    Zero-Trust Implementation


  • **Micro-segmentation**: Divide the network into small, isolated zones. Each zone requires separate authentication.
  • **Identity-aware proxies**: Gateways that authenticate every request before forwarding traffic to internal services.
  • **BeyondCorp / Cloudflare Access**: Google's BeyondCorp model removes the VPN entirely. Access decisions are based on device identity, user identity, and context, not network location.

    • 
# Example: zero-trust access policy via proxy

policies:

  - name: "api-access"

    subject: "service:api-gateway"

    resource: "app:payment-service"

    condition:

      - attribute: "tls.client_cert.present"

        operator: "equals"

        value: true

      - attribute: "request.ip"

        operator: "in_cidr"

        value: "10.0.0.0/8"

    action: "allow"

    Network Segmentation and Micro-Segmentation


    Segmentation divides a network into smaller segments to limit attack propagation.


    Traditional Segmentation


    Uses VLANs and subnets to separate traffic. A web server resides in one subnet, a database server in another. Firewalls control traffic between subnets.


    
[Internet] -> [DMZ: Web Servers] -> [App Tier] -> [DB Tier]

    Micro-Segmentation


    Micro-segmentation takes segmentation to the individual workload level. In a cloud environment, every workload has its own security group that allows traffic only from specific sources on specific ports.


    
# AWS Security Group for a database instance

resource "aws_security_group" "db" {

  ingress {

    from_port       = 5432

    to_port         = 5432

    protocol        = "tcp"

    security_groups = [aws_security_group.app.id]

  }

  egress {

    from_port   = 0

    to_port     = 0

    protocol    = "-1"

    cidr_blocks = ["0.0.0.0/0"]

  }

}

    Micro-segmentation is essential in Kubernetes environments. Network policies control which pods can communicate.


    
# Kubernetes network policy

apiVersion: networking.k8s.io/v1

kind: NetworkPolicy

metadata:

  name: api-allow

spec:

  podSelector:

    matchLabels:

      app: api

  ingress:

    - from:

        - podSelector:

            matchLabels:

              app: frontend

      ports:

        - port: 8080

    Conclusion


    Network security has evolved from simple perimeter firewalls to sophisticated zero-trust architectures. The fundamentals still matter: proper firewall rules, careful VPN use, intrusion detection, and network segmentation. But the trend is clear — the network boundary is disappearing, and security must follow the workload, not the perimeter.