On top of the many network devices that any enterprise should have today, there are a selection of network security tools and devices that can help you defend your network. While networking security tools have traditionally been implemented as on-prem network security hardware or virtual appliances, in recent years many vendors and business customers have transitioned to cloud based solutions. While most security solutions are available as proprietary solutions, there are some open-source options out there. Below is a list of the most common network security device types that can help you secure your network against the growing threat landscape.
Firewall
Firewalls serve as a primary safeguard security tool for medium or large enterprises. Most people are familiar with the perimeter firewall that protects the network from the Internet. A firewall can exist as a distinct system or be integrated into other devices such as routers or servers. Available in both hardware and software formats, some firewalls are specially designed as appliances to distinctly separate two networks.
Their primary function is to filter out undesired network traffic, ensuring unwanted intrusions don’t breach an organization’s systems. The firewall’s behavior is governed by specific policies based on one of two approaches.
- Allow listing: Only the traffic explicitly listed as safe is permitted, while all else is blocked.
- Block listing: All traffic is allowed unless it’s specifically marked as harmful.
Firewalls evolved over time and now they are commonly referred to as next-generation firewalls, the third generation of firewalls. Previous generations can be grouped as packet-filtering firewalls or stateful packet-filtering firewalls. Variations of firewalls are proxy firewalls and web application firewalls.
Packet-filtering firewall (1st generation)
A packet-filtering firewall provides basic firewall functionality. It has filters that compare incoming and outgoing packets against a standard set of rules to decide whether to allow them to pass through. In most cases, the ruleset (sometimes called an access list) is predefined, based on a variety of metrics. Packet filtering occurs at Layer 3 and Layer 4 of the OSI model. Here are the common filtering options for rule establishment:
- Source IP Address: This indicates the origin of the packet. Traffic can be permitted or denied based on this address, enabling the blocking of malicious sources or botnets.
- Destination IP Address: This represents the final destination of the packet. While unicast packets are targeted at individual machines, multicast or broadcast packets aim for multiple devices. By shaping rules around these addresses, specific devices can be protected from excessive traffic or unauthorized access.
- Protocol Type: Packets carry information about the protocol they’re using within their headers. This can range from standard data-bearing IP packets to specific ones like ICMP, ARP, RARP, BOOTP, and DHCP. Rules using this criteria ensures that traffic of certain protocols can be selectively allowed or blocked.
The main advantage of packet-filtering firewalls is the speed at which the firewall operations are achieved since most of the work takes place at Layer 3 or below, negating the need for intricate application-level insight. Typically positioned at the forefront of an organization’s security infrastructure, these firewalls excel in thwarting denial-of-service (DoS) attacks targeting vital internal systems.
These are not without limitations, however. Since their operations are restricted to OSI Layer 3 or below, they can’t scrutinize application-level data, leaving a window open for application-specific threats to penetrate sensitive internal networks. Their defenses can also be circumvented by attackers who spoof network IP addresses, given that some legacy or basic firewall models fail to recognize spoofed IP or ARP addresses. While packet-filtering firewalls offer robust defense against broad DoS attacks, they may falter against more specialized, targeted threats.
Stateful packet-filtering firewall (2nd generation)
Stateful packet-filtering firewalls operate at Layer 4, tracking connection pairs through four parameters:
- The source address
- The source port
- The destination address
- The destination port
Stateful inspection techniques employ a dynamic memory that stores the state tables of the incoming and established connections. Any time an external host requests a connection to your internal host, the connection parameters are written to the state tables. Basic rules can be set to block packets with port numbers above 1023 for instance. Stateful firewalls do have their drawbacks. They are not as flexible or as robust as regular packet-filtering firewalls. Incorporating a dynamic state table and other features into the firewall makes the architecture more complex, which directly slows the speed of operation. This appears to users as a decrease in network performance speed. Furthermore, they can’t fully inspect higher-layer protocols or application services. In contrast, stateful firewalls offer enhanced security across all network levels, crucial for connectionless protocols like UDP and ICMP.
Proxy firewall
Proxy firewalls operate at the Application layer of the OSI model and are positioned between a remote user and a server. They mask the identities of both entities, ensuring that each party only recognizes the proxy. This setup offers robust protection between public and private networks. By working at the application level, proxy firewalls can effectively guard sensitive applications. They support enhanced authentication methods, like passwords and biometrics, bolstering security. Additionally, users can customize these firewalls to filter specific packets, such as potentially harmful EXE files. They often include detailed logging to audit server connections. However, the trade-off for this high-level security is speed and cost due to the extensive data processing at the application level.
Web application firewall (WAF)
Web application firewalls (WAFs) are designed to shield web applications by implementing specific rules for HTTP interactions. With online applications requiring certain ports to remain open, they become susceptible to targeted website attacks like cross-site scripting (XSS) and SQL injection. Unlike proxy firewalls that primarily defend clients, WAFs focus on server protection. A standout feature of WAFs is their capability to identify the onset of distributed denial of service (DDoS) attacks, manage the traffic surge, and pinpoint the attack’s origin.
Intrusion detection system (IDS)
The primary purpose of an Intrusion Detection System (IDS) is to bolster cybersecurity by promptly identifying unauthorized activities or malicious entities within a network. This early detection allows for swift removal of the threat, minimizing potential breaches or disruptions. By logging these events, IDS aids in refining defense mechanisms against subsequent similar threats.
Despite the presence of robust protective measures, network intrusions are bound to occur. An IDS ensures that such security lapses are instantly communicated to administrators, facilitating immediate action. Additionally, IDS deployment helps spotlight potential vulnerabilities, offering insights into areas attackers might exploit. The primary types of intrusion detection systems are:
• Host-based IDS (HIDS)
• Network-based IDS (NIDS)
• Intrusion Prevention System (IPS)
A proactive IDS investment often translates to reduced costs, especially when compared to the expenses and legal ramifications following a successful attack.
Host-based intrusion detection systems
Host-based IDSs monitor specific hosts to detect and respond to suspicious activities and attacks. Attackers typically target systems holding sensitive data that can be readily exploited. They may try to install scanning programs and exploit other vulnerabilities that can record user activity on a particular host. Host-based IDS tools can offer policy management, data analytics, and forensics at the host level. Because attackers mainly focus on operating system vulnerabilities to break into hosts, in most cases, the host-based IDS is integrated into the operating systems that the host is running.
Network-based intrusion detection systems
A network-based Intrusion detection system acts as a watchdog for the network, providing an additional layer of security by analyzing traffic for signs of potential threats. By continuously monitoring network traffic, NIDS can identify suspicious patterns or signatures that indicate unauthorized or malicious activity. Once detected, it can alert system administrators or other security tools in real-time. While NIDS systems have difficulty working with encrypted traffic, they can still analyze packet metadata such as source and destination IP addresses, port numbers, and the volume and patterns of traffic. While this doesn’t provide full visibility into the encrypted content, it can sometimes indicate malicious or anomalous activity. A NIDS can also log relevant data that can be used for forensic analysis or as evidence in the event of a security breach.
Intrusion prevention system (IPS)
An Intrusion Prevention System (IPS) is a network security tool designed to identify and block potential threats in real-time. It continually monitors network traffic and detects suspicious activities or known malicious patterns. Once a threat is identified the IPS takes immediate action such as dropping malicious packets, blocking traffic, or alerting administrators to prevent potential breaches or attacks on the network. Unlike its counterpart, the Intrusion Detection System (IDS), which only detects and alerts, the IPS actively intervenes to prevent intrusions. Modern IPS solutions often combine multiple techniques and technologies such as:
- Signature-Based Detection that identifies malicious activity by looking for specific patterns, such as byte sequences in network traffic, or known malicious instruction sequences in malware.
- Anomaly-Based Detection that establishes a baseline of “normal” behaviors of network traffic. Any traffic deviating from this baseline is considered suspicious and can be flagged or blocked.
- Heuristic-Based Detection that uses algorithms to analyze the traffic’s behavior. It’s particularly useful for detecting previously unknown threats or new variants of known threats.
- Sandboxing quarantines suspicious files or payloads where they can be executed in a safe environment to observe their behavior without risking the broader network.
- Machine Learning & Artificial Intelligence are used in advanced IPS solutions to better identify and adapt to evolving threats.
Implementing an IPS on an effective scale can be costly so businesses should carefully assess their IT risks before investing in one. It is important to have an in-depth understanding before deploying an IPS to reduce false positives and understand the impact on your workloads. It is always recommended to run IPS and active response technologies in test mode for a while to thoroughly understand their behavior.
Wireless intrusion prevention and detection system (WIDPS)
A Wireless Intrusion Prevention and Detection System (WIDPS) is a security solution designed specifically for wireless networks. It monitors the radio spectrum for the presence of unauthorized access points (often called rogue APs) and clients and identifies potential attacks or intrusions on the wireless infrastructure. A WIDPS compares the list of MAC addresses of all connected wireless access points on a network against the list of authorized ones and alerts an IT staff when a mismatch is found. Once a threat is detected, the WIDPS can take proactive measures to neutralize it, either by alerting administrators or by actively blocking or disconnecting the malicious device. This ensures that the wireless environment remains secure and free from unauthorized access, safeguarding sensitive data and maintaining network integrity. In addition to providing a dedicated layer of security for wireless LANS, a WIDPS can be used to monitor network performance and discover access points with configuration errors. A WIDPS operates at the Data Link layer level of the OSI model.
Next-Generation Firewall (3rd generation)
A next-gen firewall typically encompasses the functionalities of almost all of the previously mentioned solutions. Their features include:
- Packet filtering
- Port Address Translation (PAT)
- Network Addres Translation (NAT)
- Virtual Private Network (VPN)
- URL-blocking
- SSL- and SSH verification
- Deep Packet Inspection (DPI)
- Intrusion Prevention
- Reputation-based malware detection
- Application awareness
As these feature are interacting with each other, a next-gen firewall is able to block malware before it even enters the infrastructure. In addition, logs from a 3rd-gen firewall are helpful in forensic investigations and to detect intrusions.
Unified threat management (UTM)
A unified threat management (UTM) system consolidates various security functions into one device to streamline the task of security management. Instead of managing separate systems from multiple vendors, administrators can oversee security using a single interface, often referred to as a single pane of glass. This facilitates easier management, reporting, and maintenance. This integrated approach has made UTMs increasingly popular rather than managing multiple disparate systems. Typical UTM features include:
• Network firewall
• Intrusion detection and prevention
• Gateway anti-virus
• Proxy firewall functionality
• Deep packet analysis
• Web content filtering and proxy
• Data loss prevention (DLP)
• Security event and information management (SIEM)
• Virtual private network (VPN) capabilities
Consolidating all these functionalities into a single unit does have its downsides as it creates a potential single point of vulnerability and commits all these tools to a sole vendor. Given that many consider vendor diversification a security best practice, it’s important to weigh the risks before adopting a UTM system.
Network access control (NAC)
Network Access Control (NAC) is a security solution that governs device access to network resources. Its primary objective is to guarantee that only devices and users that adhere to your security policy can connect to the network. Before granting network access, NAC evaluates the device’s security configurations against a predefined policy, such as ensuring the device runs updated antivirus software and the most recent security patches. Devices meeting these criteria are permitted network access, while non-compliant ones are either quarantined or redirected to a guest network until they meet the necessary security requirements. By doing so, NAC mitigates the risk of unauthorized access and enhances adherence to regulatory standards by ensuring that only compliant devices can interact with sensitive information.
Proxy server
Proxy servers act as negotiators for requests from client software seeking resources from other servers. A client connects to the proxy server and requests some service (for example, a website); the proxy server evaluates the request and then allows or denies it. Most proxy servers act as forward proxies and are used to retrieve data on behalf of the clients they serve. If a proxy server is accessible by any user on the internet, then it is said to be an “open” proxy server. A variation is the reverse proxy, also known as a “surrogate.” This is an internal-facing server used as a front-end to control (and protect) access to a server on a private network. The reverse scenario is used for tasks like load-balancing, authentication, decryption, and caching. Responses from the proxy server are returned as if they came directly from the original server, so the client has no knowledge of the original servers. Proxy servers are typically used for traffic filtering (web filters) and performance improvement (load balancers). Web application firewalls (described earlier) can be classified as reverse proxy servers.
Web filter
Web filters prevent users’ browsers from loading certain pages of websites that may pose a potential threat. URL filtering involves blocking websites (or sections of websites) based on the URL and, restricting access to specified websites or web-based applications. Advanced web filters can also filter designated search words or web content that may be deemed inappropriate. An organization may implement a web filter appliance on prem to block malicious internet web sites of for any device connecting to the Internet. Another approach is to install a client on all enterprise mobile endpoints that runs in the background that sends the address of the website being visited to the cloud where the web filter compares it against a maintained list of phishing and malware sites. If a match is found, a blocking web page appears and encourages the user cannot continue to the site. Web filter admins can customize the list of blocked sites as needed to accommodate a user’s legitimate request, although any modifications should be tested first.
Email Filtering
Traditionally known as SPAM filtering, email filtering is critical for any organization as email remains the primary delivery agent of ransomware and other malware attacks. Conventional approaches to email filtering used techniques such as signature-based detection, domain and IP block lists, and content analysis. Such methods are often insufficient today to stop advanced email attacks. Modern email filtering solutions now incorporate heuristic analysis, machine learning, and sand boxing. Another technique is Bayesian filtering that analyzes the probability that an email is spam based on its content and user. Businesses can also apply data loss prevention (DLP) policies to prevent users from including personal identifiable information (PII) in email. Email filtering must be on the list of security devices and tools for any organization that utilizes email.
Endpoint Protection
Endpoint Protection used to be known as antivirus software as it specifically targeted the signatures of known viruses and prevented them from infecting the host device. Antivirus software has evolved into what is now known as endpoint protection. Think of an endpoint protection solution as a type of UTM mentioned earlier in the article that consolidates multiple host-based security functions to protect it. Some sort of endpoint protection is critical for any computing device that connects to the Internet. At its core, an endpoint solution today detects, quarantines, and removes various forms of malicious software, including viruses, worms, trojans, ransomware, and spyware at the host level. Some solutions may also include basic web filtering and local firewall protection. More advanced solutions may also utilize behavioral analysis that looks for any unusual behavior of files or processes. To maximize the effectiveness of any endpoint protection application it is critical that it is updated regularly so that it has the latest threat defenses.
Endpoint Detection and Response (EDR)
Endpoint Detection and Response (EDR) is a security solution designed specifically to focus on endpoints, such as Windows computers, mobile devices, and Linux servers. EDR tools continuously monitor and gather data from endpoints, providing visibility, detection, investigation, and response capabilities to protect networks against threats that traditional antivirus solutions might miss. Instead of just relying on traditional signature-based threat detection, EDR employs behavioral analytics to detect anomalies. If an action or pattern doesn’t align with the established baseline of normal activity it can trigger an alert. EDR solutions often incorporate threat intelligence feeds, which provide real-time information about emerging threats and tactics used by adversaries, and many take automated actions based on predefined rules. For example, if a suspicious file is detected on an endpoint, the EDR solution can automatically quarantine it or disconnect the affected endpoint from the network. By combining real-time endpoint data collection with advanced analytics, EDR provides a more comprehensive and proactive approach to threat detection and response than simple endpoint protection.
Network Detection and Response (NDR)
Network Detection and Response (NDR) is a proactive security approach that emphasizes the monitoring, detection, and response to threats within network traffic. Instead of just relying on traditional defenses like firewalls, NDR delves deeper into understanding the intricacies of network behaviors and communication patterns.
NDR tools can be used to analyze network traffic in real time. Once a potential threat or suspicious activity is identified, an alert can be sent to the security team through a visual dashboard that provides an overview of the detected issue. Beyond just detection, the system provides detailed forensic tools enabling deep dives into raw data for a comprehensive analysis. Some NDRs also come equipped with response functionalities and can isolate a device showing signs of compromise or block communication with a suspicious IP address.
Advanced NDR solutions often employ machine learning to enhance anomaly detection, which allows them to become more adaptive and precise as they continue to monitor the network. To further bolster their detection capabilities, these solutions typically integrate with threat intelligence feeds. This integration allows for a more effective correlation between network behavior and known malicious indicators or strategies used by threat actors.
Security Information and Event Management (SIEM)
A Security Information and Even management (SIEM) solution is an integrated solution that provides visibility into an organization’s vast IT estate. The SIEM collects and aggregates vast amounts of log and event data from numerous sources, processes this data, and then identifies and reports on anomalies and potential security incidents. These sources can include a wide array of disparate devices such as servers, network appliances, firewalls, and multiple types of cybersecurity devices. Advanced SIEM solutions also incorporate user and entity behavior analytics (UEBA) and threat intelligence feeds to enhance detection capabilities. SIEMs play a critical role in large enterprises comprised of multiple sites, edge computing locations and multiple clouds as it would be almost impossible to have security people actively monitoring every location. A SIEM sends alert information to either a centralized internal cybersecurity team or to a third-party security operations center (SOC). SIEMs have become an indispensable tool today for modern enterprises with large complex architectures.
Extended Detection and Response
Extended Detection and Response (XDR) is an emerging cybersecurity solution that provides a more integrated and holistic approach to threat detection and response than traditional solutions that typically operate in silos. On the surface, XDR has many commonalities with a SIEM, but there are stark differences. Unlike a SIEM solution that integrates with a wide range of third-party systems, XDR primarily integrates with its own set of products usually supplied by a single vendor. This deeper level of integration with specific data sources allows it greater in-depth analysis of certain types of data. While a SIEM focuses on keeping security teams informed of detected threats, an XDR system can initiate remediation responses to those threats, sometimes in automated fashion. XDR is a cloud-native solution that is delivered as a service, so it is easy to scale and customers benefit from its continuous updates and support.
Conclusion
That is a comprehensive list of most of the cyber security device types that you will find in networks today. While different members of the cybersecurity community may have different opinions on them, all perform a critical function. Some of these tools such as firewalls and endpoint protection can be found in nearly every network today regardless of size. Others, such as XDR, are only common amongst Fortune 1000 companies. Before implementing any new security device, always perform an IT security risk assessment to help assess your accepted level of risk. The lower your risk tolerance, the more security you will need to invest in.
Frequently Asked Questions
What is a network security device?
A network security device is a specialized piece of hardware, virtual appliance or software application designed to protect computer networks from threats and unauthorized access while ensuring data integrity, confidentiality, and availability. These devices monitor, detect, and take corrective actions against security threats to networked systems and host devices. Examples can include a traditional firewall that protects the network perimeter or an intrusion detection system (IDS) that monitors network traffic for suspicious activity and sends alerts when potentially malicious activity or code is detected.
What are the different types of network device security?
There are many types of network security devices on the market today and each one performs a different function. Examples include hardware and virtual firewalls, IDS/IPS solutions, web filtering, email security solutions, proxy servers, endpoint protection, SIEMs, and XDR. All these security tools collectively play a part in a well-designed multi-layer security strategy.
What is an example of a network security hardware?
Most organizations have a firewall appliance that guards the network perimeter. The firewall has multiple interfaces with each one servicing an isolated zone. The connection to the organization’s internet router will plug into one interface while their LAN plugs into another. Other interfaces could connect to other zones that host critical servers or web accessible applications (referred to as the DMZ). Another example could be a web filter appliance that filters all outgoing web traffic through it before it gets to the internet router.
What is the best security for a home network?
Most home networks need only worry about their endpoint devices so a comprehensive endpoint protection application should be installed on all desktops, laptops and tablets that connect to the network. These all-in-one security packages will often include firewall protection and basic web filtering amongst other security functions.
What are the different types of network device security?
While there are multiple ways to categorize the various network security components, some of the more common network security device types include firewalls, access control, intrusion detection and prevention, filtering solutions and endpoint protection.
