Communication and Network Security Reference Guide
CISSP Domain 4 · 3 topics · Concepts, real-world examples, and controls
Network architecture is the structural foundation of an organization’s security posture. Decisions made here — about segmentation, protocols, traffic flows, and monitoring — determine whether attackers who breach the perimeter can move laterally, exfiltrate data, or reach critical systems. The security properties of a network cannot be retrofitted after deployment; they must be designed in from the start.
OSI and TCP/IP models
The OSI and TCP/IP models provide reference frameworks for understanding where security controls operate and where attacks are launched. Every network security control operates at a specific layer — understanding which layer a threat targets determines which control is relevant.
| # | OSI layer | TCP/IP equivalent | Function | Attacks at this layer | Controls |
|---|---|---|---|---|---|
| 7 | Application | Application | User-facing protocols: HTTP, DNS, SMTP, FTP | SQL injectionXSSDNS poisoning | WAF, input validation, TLS, DNSSEC, application-layer firewalls |
| 6 | Presentation | Application | Data format, encryption, compression | SSL strippingEncoding attacks | TLS enforcement, HSTS, certificate pinning |
| 5 | Session | Application | Session establishment, maintenance, termination | Session hijackingReplay attacks | Session tokens with expiry, TLS session resumption controls, anti-replay nonces |
| 4 | Transport | Transport | End-to-end delivery, TCP/UDP, port numbers | SYN floodPort scanning | TLS, stateful firewall, SYN cookies, port filtering |
| 3 | Network | Internet | IP addressing, routing, packet forwarding | IP spoofingRoute hijackingICMP attacks | IPSec, ACLs, ingress/egress filtering, BGP security (RPKI) |
| 2 | Data link | Network access | MAC addressing, switching, frame delivery | ARP spoofingMAC floodingVLAN hopping | 802.1X port authentication, dynamic ARP inspection, port security, VLAN tagging controls |
| 1 | Physical | Network access | Cables, hubs, physical signals, bit transmission | WiretappingCable cuttingJamming | Physical access controls, fiber (no RF emissions), conduit protection, locked wiring closets |
IPv4 and IPv6
IPv4
32-bit addresses (~4.3 billion). Near-exhaustion driving IPv6 adoption. NAT (Network Address Translation) extends IPv4 by mapping multiple private addresses to one public IP — a side effect of which is implicit segmentation, since inbound connections to private addresses require explicit port forwarding.
IPv6
128-bit addresses. No NAT — every device gets a globally routable address, eliminating NAT as an implicit barrier. Security tools and firewalls must explicitly handle IPv6 traffic; many organizations have IPv6 enabled by default on endpoints but not monitored or filtered, creating a blind spot attackers exploit by tunneling traffic over IPv6.
Address types
Unicast — one to one. Broadcast — one to all (IPv4 only; eliminated in IPv6). Multicast — one to a defined group. Anycast — one to nearest in a group (used by CDNs and DNS root servers for geographic routing and resilience).
🌐 Real-world example — IPv6 blind spot
In multiple enterprise breach investigations, attackers tunneled C2 (command-and-control) traffic over IPv6 after finding that the organization’s DLP and network monitoring tools only inspected IPv4 traffic. Windows enables IPv6 by default; many older security appliances and SIEMs were deployed before IPv6 was a practical concern. The attacker exploited a dual-stack environment where security controls had a protocol-level gap. Security teams must explicitly verify that all monitoring tools inspect both IPv4 and IPv6 traffic — the assumption of coverage is insufficient.
Secure protocols
| Protocol | What it does | Key security properties | Common deployment / gotchas |
|---|---|---|---|
| TLS 1.3 | Transport encryption for web, email, and application traffic. Successor to SSL (deprecated) and TLS 1.0/1.1/1.2 (deprecated in most contexts). | Forward secrecy (mandatory)0-RTT handshakeReduced cipher suite (only AEAD) | 0-RTT mode introduces replay attack risk — should not be used for non-idempotent requests. Ensure TLS 1.0/1.1 disabled on all endpoints. Certificate management automation (Let’s Encrypt, ACME) prevents expiry. |
| IPSec | Network-layer encryption and authentication. Operates at Layer 3 — transparently protects all traffic between endpoints regardless of application. | AH (authentication only)ESP (encryption + auth)Tunnel / Transport modes | Tunnel mode encrypts entire packet (used for VPNs between gateways). Transport mode encrypts payload only (used between endpoints). IKEv2 (Internet Key Exchange) is the current standard for IPSec key negotiation. |
| SSH | Encrypted remote terminal access and file transfer (SCP, SFTP). Replaces Telnet and FTP which transmit credentials in cleartext. | Public key auth (preferred)Host key verificationPort forwarding/tunneling | SSH keys must be inventoried and rotated — abandoned keys are a persistent attack vector. Disable password auth; enforce key-based auth. SSH tunneling can bypass firewall controls — monitor for unexpected tunneling. Privileged access management (PAM) should govern SSH to production systems. |
| DNSSEC | Cryptographic signing of DNS records to prevent DNS spoofing and cache poisoning. Verifies the authenticity of DNS responses. | Digital signatures on recordsChain of trust to root | DNSSEC validates DNS data integrity but does not encrypt DNS queries (use DNS over HTTPS/DoH or DNS over TLS/DoT for privacy). Key rollover is operationally complex and a frequent source of outages. |
| HTTPS / HSTS | HTTP over TLS. HSTS (HTTP Strict Transport Security) instructs browsers to always use HTTPS — preventing SSL stripping attacks. | HSTS preloadingCertificate transparency | HSTS max-age must be set to at least 1 year for preloading. includeSubDomains must be set if subdomains exist. HSTS preload list inclusion prevents first-visit attacks. |
Network segmentation
Segmentation limits the blast radius of a breach by preventing lateral movement between network zones. An attacker who breaches a user workstation in a flat network can reach every other system — servers, databases, OT systems — without crossing any security boundary. In a segmented network, the same attacker is contained to the zone they entered.
Physical segmentation
Separate physical infrastructure for different security zones. Air-gapped networks have no physical connection to other networks. Provides the strongest isolation — no software misconfiguration can bridge the gap.
Use for: classified systems, OT/ICS networks, payment processing environments that must be completely isolated.
VLANs
Logical segmentation at Layer 2. Different VLANs share physical infrastructure but traffic is isolated by tagging. Inter-VLAN routing requires an explicit routing decision — a firewall can enforce policy at that boundary.
Risk: VLAN hopping via double-tagging. Mitigate by disabling DTP, setting native VLAN to unused ID, and pruning unnecessary VLANs from trunks.
VPNs
Creates encrypted tunnels over untrusted networks. Site-to-site VPNs connect office networks; client VPNs extend secure access to remote users. Split tunneling — sending only corporate traffic through VPN — introduces risk of bridging attacker access from the local network.
Full-tunnel VPN prevents split-tunneling risk. Zero Trust Network Access (ZTNA) is replacing VPNs for remote access — provides per-application access without network-level exposure.
Micro-segmentation
Granular network policies applied at the workload level — individual VMs, containers, or processes. East-west traffic (between workloads in the same data center) is inspected and controlled, not just north-south (in/out of the perimeter). Enforced by distributed firewalls or SDN policy engines.
Real-world: VMware NSX, Illumio, Guardicore enforce per-workload policies. Stops lateral movement even when perimeter is breached — the attacker cannot reach adjacent workloads.
DMZ (Demilitarized zone)
A network zone between the internet and the internal network, housing publicly accessible services (web servers, email gateways, DNS). Traffic from the internet reaches the DMZ but cannot directly reach the internal network — must traverse a second firewall.
A compromised DMZ server is a serious incident but does not immediately grant access to internal systems. The inner firewall is the critical boundary.
Zero trust segmentation
Identity-centric access control replaces network-zone trust. No implicit trust based on network location. Every access request evaluated: who is the user, what device, what context, what resource? Least-privilege access granted per session.
Implemented through ZTNA solutions (Zscaler, Cloudflare Access, Google BeyondCorp). Eliminates VPN-style network access in favor of application-level access with continuous verification.
🌐 Real-world example — flat network
The 2013 Target breach is the definitive flat-network case study. An attacker compromised a third-party HVAC vendor’s credentials and gained access to Target’s vendor portal. Because Target’s network was insufficiently segmented, the attacker could pivot from the vendor access zone to the POS (point of sale) network — a path that should have required crossing multiple security boundaries with explicit authorization. 40 million credit card numbers were exfiltrated. Network segmentation between vendor access, corporate IT, and POS systems — with explicit firewall rules and monitoring at each boundary — would have contained the breach to the vendor access zone.
Traffic flows: north-south vs east-west
North-south traffic
Traffic entering or leaving the data center or network perimeter — between the internet and internal systems. Traditional perimeter security (firewalls, IPS, DLP) focuses on this flow. Most organizations have well-developed north-south controls.
East-west traffic
Traffic between systems within the data center or network — server to server, workload to workload. Most lateral movement in breaches exploits uncontrolled east-west paths. Many organizations have minimal east-west inspection. Micro-segmentation directly addresses this gap.
Wireless networks
| Technology | Frequency / Range | Security risks | Mitigations |
|---|---|---|---|
| Wi-Fi (802.11) | 2.4 / 5 / 6 GHz · up to ~300m | Evil twin APs, WPA2 KRACK vulnerability, deauth attacks, rogue APs, WPS brute force, eavesdropping on open networks | WPA3 (Enterprise)802.1X/EAP authDisable WPSRogue AP detection |
| Bluetooth | 2.4 GHz · ~10–100m | BlueBorne (2017 — 8 zero-days, no pairing required), Bluesnarfing (unauthorized data access), Bluejacking (unsolicited messages), BIAS attacks on legacy pairing | Disable when not in useUse BT 5.xNon-discoverable modePatch firmware |
| Zigbee | 2.4 GHz · ~10–100m · low power | Weak encryption in legacy deployments, insecure key exchange, susceptible to replay attacks, limited authentication between devices | Network isolationUpdated firmwareMonitor RF environment |
| Satellite | Various · global coverage | High latency introduces timing attack windows; signal interception at scale (NSA SATCOM programs); jamming by adversaries; unencrypted legacy satellite links (Viasat KA-SAT hack, 2022) | End-to-end encryptionVPN over satelliteAnti-jam antennas |
| 5G Cellular | Sub-6 GHz / mmWave · varies | IMSI catchers (stingrays) still possible in some 5G deployments; network slicing isolation failures; roaming security; supply chain risk in 5G infrastructure (Huawei concerns) | End-to-end app encryptionTrusted supplier programsNetwork slicing controls |
Software-Defined Networking (SDN) and Virtual Private Cloud (VPC)
SDN
Separates the control plane (decisions about where traffic goes) from the data plane (actually moving traffic). A centralized SDN controller programs forwarding rules across network devices via APIs. Security benefit: network policies can be changed programmatically, enabling rapid response. Security risk: the SDN controller is a high-value target — its compromise gives an attacker control of the entire network’s routing.
VPC (Virtual Private Cloud)
A logically isolated network within a public cloud environment. VPC provides network segmentation in the cloud: subnets, security groups (stateful firewall rules per instance), NACLs (stateless ACLs per subnet), and VPC peering. Security groups default-deny inbound — the correct default. NACLs are stateless — return traffic must be explicitly permitted.
Network Functions Virtualization (NFV)
Running network functions (firewall, IDS/IPS, load balancer, NAT) as software on commodity hardware rather than dedicated appliances. Reduces cost and increases flexibility. Security consideration: software-based network functions share the same attack surface as other VMs — they must be patched, hardened, and isolated like any other workload.
SD-WAN
Software-defined management of wide-area network connections — using multiple links (MPLS, broadband, LTE) with intelligent routing and security policy enforcement. Branch offices connect directly to cloud applications without backhauling through a central hub. Security must be enforced at each branch edge — SASE architectures address this by delivering security as a cloud service co-located with the SD-WAN edge.
Content Delivery Networks (CDN) and edge networks
CDNs distribute content across geographically distributed edge nodes — serving users from the nearest point of presence rather than the origin server. Security benefits: DDoS mitigation at the edge before traffic reaches the origin, TLS termination, Web Application Firewall capabilities, and bot management. Security risks: CDN misconfiguration can expose origin servers; cache poisoning can serve malicious content to users; CDN providers are a significant third-party dependency whose compromise affects all customers simultaneously.
🌐 Real-world example — CDN as attack surface
In 2021, a misconfiguration at Fastly — a major CDN provider — caused approximately 85% of the internet to become unreachable for approximately one hour when a single customer triggered a bug that caused Fastly’s network to fail. Sites affected included Amazon, Reddit, The Guardian, UK government websites, and Twitch. No attack occurred — a single customer configuration change exposed a latent software bug. The incident demonstrated that CDN dependencies create systemic concentration risk: security and availability are inseparable when a single CDN provider serves a significant fraction of the internet.
Performance metrics and monitoring
Bandwidth
Maximum data transmission capacity of a network link. Security relevance: bandwidth exhaustion is the mechanism of volumetric DDoS attacks. Baseline bandwidth usage enables anomaly detection — sudden spikes may indicate data exfiltration or botnet C2 traffic.
Latency
Time for a packet to travel from source to destination. Security relevance: unusual latency increases can indicate traffic inspection bottlenecks or routing anomalies. Timing side-channels in cryptographic implementations exploit latency variations.
Jitter
Variation in latency over time. Affects real-time communications (VoIP, video conferencing). Security relevance: high jitter can indicate network congestion caused by DDoS traffic, or packet injection attacks on real-time communications.
Throughput
Actual data transfer rate achieved, as opposed to theoretical bandwidth capacity. Security tools that inspect traffic in-line (IPS, DLP, SSL inspection) reduce throughput — must be sized appropriately or they become bottlenecks that are bypassed.
Signal-to-noise ratio
In wireless networks, the ratio of useful signal to background interference. Low SNR degrades connection quality and can indicate RF jamming or an adversarial signal disruption attack. Security teams monitoring wireless environments should track SNR baselines.
Secure network components
Network security is not purely about software configuration — it depends on physical infrastructure resilience, transmission media integrity, and the controls applied at network access points and endpoints. Each layer of network components introduces specific vulnerabilities that must be explicitly addressed.
Network Access Control (NAC)
NAC enforces security policy compliance as a precondition for network access — a device that doesn’t meet the policy (missing patches, no endpoint security agent, unrecognized MAC address) is placed in a quarantine VLAN with limited access until remediated. NAC is the enforcement mechanism for the principle that the network should only be accessible to known, compliant, authenticated devices.
802.1X port authentication
The IEEE standard for port-based network access control. Requires devices to authenticate (via RADIUS/EAP) before the switch port is enabled. Unauthenticated devices are blocked at Layer 2 — they cannot send any network traffic except authentication messages.
Deployed via: switch port configuration + RADIUS server + certificates or credentials on endpoints. Agentless via MAC Authentication Bypass for devices that cannot run 802.1X supplicants (printers, IoT).
Posture assessment
Beyond authentication — NAC checks device health before granting access. Is the OS patched? Is endpoint protection running and updated? Is disk encryption enabled? Devices failing posture assessment are quarantined.
Real-world: Cisco ISE, Forescout, Aruba ClearPass provide posture assessment. Guests are placed on a separate SSID/VLAN with internet-only access — no corporate network visibility.
Virtual NAC
NAC functionality applied to virtual environments and cloud workloads — enforcing that only authorized, compliant VMs or containers can communicate on internal network segments. Particularly relevant for cloud VPCs and SDN environments.
Cloud equivalent: VPC security groups (AWS), Network Security Groups (Azure) — enforcing that only specific instances on specific ports can communicate.
Transmission media security
Copper (UTP/STP)
Susceptible to electromagnetic eavesdropping (TEMPEST attacks), physical tapping, and crosstalk. Shielded Twisted Pair (STP) reduces signal emanation. Conduit routing and physical access controls are the primary protections. Signal injection attacks can be conducted without physically cutting cable.
Fiber optic
No electromagnetic emissions — passive tapping is not feasible without physical access and light-splitting equipment (which is detectable by optical power loss monitoring). Preferred for high-sensitivity environments and long-distance backbone connections. Expensive and less flexible than copper for last-mile connections.
Wireless / RF
Propagates beyond physical boundaries — an attacker in a parking lot can receive signals from corporate wireless networks. RF signal leakage from wired connections (TEMPEST) can also be exploited. TEMPEST-rated shielding (Faraday cages, EMI shielding) is required for high-classification environments.
Power line / coax
Power Line Communication (PLC) uses electrical wiring to carry data — convenient for building automation and smart grid but introduces the risk that data can be intercepted on the power line or that malicious signals can be injected. Shared infrastructure with no inherent access control.
Endpoint security
Every device connecting to a network is a potential entry point. Endpoint security provides the host-based controls that complement network controls — detecting threats that have already crossed the network perimeter.
EDR (Endpoint Detection and Response)
Continuous monitoring and recording of endpoint activity — process execution, file system changes, network connections, registry modifications. Detects behavioral anomalies indicating compromise. Enables rapid investigation and automated response (process termination, network isolation).
Real-world: CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne. EDR replaced traditional AV as the primary endpoint control — signature-based AV cannot detect modern fileless malware and living-off-the-land attacks.
Host-based firewall
Enforces network access policy at the endpoint — controls which processes can initiate or accept connections, regardless of network-level controls. Essential for zero trust architectures where network-level trust is removed. Prevents lateral movement even within the same VLAN.
Windows Defender Firewall, iptables/nftables on Linux. Host-based firewall rules should be managed centrally via Group Policy or endpoint management platforms — not left to individual users.
Full-disk encryption (FDE)
Encrypts the entire drive — protecting data if the device is lost or stolen. BitLocker (Windows) and FileVault (macOS) use the TPM to seal the encryption key to the system’s boot state. Requires authentication before the OS loads. Essential for mobile devices and laptops.
A stolen laptop with BitLocker + TPM is an unreadable encrypted drive to any attacker. Without FDE, pulling the drive and mounting it in another system exposes all data. FDE is the single highest-impact control for laptop theft — the most common cause of healthcare and financial data breaches involving physical devices.
Application allowlisting
Only explicitly permitted applications can execute — all others are blocked regardless of signature or behavior. The strongest possible defense against malware execution. Operationally challenging in environments where software changes frequently but highly effective in static environments (POS systems, ATMs, ICS workstations).
Application allowlisting on ATMs and POS terminals is PCI-DSS recommended practice. In 2016, Bangladesh Bank used an unallowlisted SWIFT terminal — attackers installed malware on it to submit fraudulent transfer instructions. Allowlisting would have blocked the malware execution entirely.
🌐 Real-world example — endpoint as initial access
The 2021 Kaseya VSA ransomware attack exploited a zero-day in Kaseya’s remote monitoring and management software to deploy REvil ransomware through MSPs to approximately 1,500 downstream businesses simultaneously. The attack succeeded because: (1) Kaseya VSA agents ran with SYSTEM privileges on managed endpoints, (2) the VSA update mechanism was trusted and not inspected by EDR tools, and (3) many endpoints had no application control to prevent the ransomware binary from executing. EDR tools with behavioral detection caught the attack on endpoints with modern security tooling; endpoints without EDR were fully encrypted within minutes.
Implement secure communication channels according to design
Every communication channel — voice, video, remote access, inter-site data links, third-party connections — is a potential attack surface. Secure communication channel design applies the principle that all data in transit must be authenticated, encrypted, and monitored, regardless of whether the underlying network is trusted.
Voice, video, and collaboration
Select a topic to see its specific security considerations.
Voice over IP (VoIP)
VoIP transmits voice communications over IP networks — exposing voice traffic to the same threats as any IP network. Unlike traditional PSTN calls, VoIP traffic can be intercepted, replayed, injected, and analyzed without physical access to telecommunications infrastructure. Key protocols: SIP (Session Initiation Protocol) for call setup; RTP (Real-time Transport Protocol) for media streams.
Key vulnerabilities
Eavesdropping (unencrypted RTP streams are trivially captured), caller ID spoofing (SIP INVITE messages have no authentication by default), vishing (voice phishing using spoofed numbers), toll fraud (unauthorized calls charged to the organization), and denial of service via SIP flooding.
Mitigations
SRTP (Secure Real-time Transport Protocol) for media encryption; TLS for SIP signaling; VoIP traffic on separate VLAN with QoS; SBC (Session Border Controller) at the perimeter to inspect and authenticate SIP traffic; disable unused SIP features and accounts; strong authentication for VoIP management interfaces.
Real-world example
In 2013, hackers compromised SIP credentials for multiple companies and placed approximately $50 million in international toll calls over a single weekend — a classic toll fraud attack. The organizations discovered the fraud when they received phone bills orders of magnitude larger than normal. SIP account lockout after failed authentication attempts and anomaly detection on call volume would have triggered alerts within hours rather than discovering the fraud on the monthly bill.
Video conferencing
The COVID-19 pandemic accelerated adoption of video conferencing platforms — and simultaneously expanded the attack surface. Video conferences often include highly sensitive discussions; unauthorized access (meeting bombing) exposes confidential information; and the use of consumer-grade platforms for sensitive government or commercial discussions creates compliance and security risks.
Key vulnerabilities
Meeting bombing (unauthorized participants joining unsecured meetings), screen sharing of sensitive content to unauthorized parties, recording without consent, malicious software installed via meeting client updates, credential theft targeting video conference accounts, and data residency issues for recordings stored in cloud platforms.
Mitigations
End-to-end encryption for all meetings (verify the platform supports E2EE — many advertise “encryption” that only covers transport, not E2E); waiting rooms and admission controls; unique meeting IDs per meeting; password-protected meetings; disable unnecessary features (file transfer, annotation); enterprise platforms with contractual data processing agreements; separate platforms for classified discussions.
Real-world example
In April 2020, Zoombombing became widespread — attackers found publicly shared Zoom meeting links (often posted on social media) and joined meetings to display offensive content. In some cases, attackers joined sensitive corporate strategy meetings that had been shared via company Slack channels indexed by search engines. The lesson: meeting links are credentials and must be treated with the same confidentiality as passwords. Waiting rooms and per-meeting passwords prevent uninvited access even if the link is exposed.
Collaboration platforms (Teams, Slack, etc.)
Modern collaboration platforms consolidate messaging, file sharing, video, and workflow integration into a single platform — creating a highly sensitive data repository that contains strategy discussions, customer data, code snippets, credentials (frequently shared in chat “temporarily”), and sensitive files. Compromise of a collaboration platform account often provides more useful intelligence than email access.
Key vulnerabilities
Phishing via platform-native messaging (more trusted than email), malicious file sharing through platform channels, third-party app integrations with excessive permissions, sensitive data (including credentials) shared informally in channels, insider threat via message export, and former employee access not revoked promptly.
Mitigations
MFA enforced for all accounts; DLP integration to detect sensitive data in messages; third-party app permission reviews; channel and workspace data retention policies; immediate account deactivation on employee departure; data classification applied to files shared in channels; guest access controls for external collaborators; audit logging of all platform activity.
Real-world example
The 2022 Uber breach began when an attacker purchased corporate network credentials on the dark web, then used social engineering (pretending to be Uber IT security) to convince an employee to approve an MFA push notification. Once authenticated, the attacker found network admin credentials in a PowerShell script stored in an internal network share — but also discovered that an internal Slack channel contained additional privileged credentials shared informally between engineers. Sensitive credentials stored in collaboration platforms are among the most common findings in enterprise penetration tests.
Remote access
VPN (legacy model)
Creates an encrypted tunnel granting network-level access. Traditional model: VPN = full network access. Security problem: a compromised VPN credential grants lateral movement across the entire internal network. Split tunneling allows local network traffic to bypass VPN inspection — bridging untrusted local networks to corporate resources.
ZTNA (Zero Trust Network Access)
Application-level access replacing network-level VPN access. Users authenticate and are granted access to specific applications — not the whole network. Device posture is verified before each session. The internal network is never exposed. Lateral movement is architecturally impossible — the user’s device never has a route to internal systems it is not authorized to access.
Privileged Access Workstations (PAW)
Dedicated, hardened workstations used exclusively for administrative tasks. No internet browsing, no email, no general applications — only administrative tools. Prevents credential theft via drive-by downloads on the admin’s general-purpose workstation from compromising privileged access.
Jump servers / Bastion hosts
A hardened, closely monitored intermediate host through which all administrative access to internal systems must pass. All sessions are logged and recorded. No direct SSH or RDP to production systems — all connections proxy through the jump server with MFA, session recording, and command logging.
🌐 Real-world example — VPN as attack surface
In 2021, the Colonial Pipeline attack began with a compromised VPN account. The account had been inactive for years (orphaned credential) and did not require MFA. The VPN granted the attacker direct access to Colonial’s IT network, from which they deployed DarkSide ransomware. The $4.4M ransom payment and subsequent fuel shortage across the US east coast resulted from a single orphaned VPN account without MFA. VPN accounts must be: inventoried, tied to active employees, required to use MFA, and audited for activity. An inactive VPN account is an unlocked door into the internal network.
Third-party connectivity
Third-party connections — to telecom providers, hardware support vendors, managed service providers, and SaaS platforms — are among the most exploited attack vectors in enterprise breaches. The organization cannot control the security of the third party’s environment; it can only control the access the third party has to its own systems.
Least-privilege third-party access
Third parties should receive only the minimum access required for their specific function — for the duration it is needed. Time-limited credentials that expire automatically prevent abandoned access from persisting indefinitely. Vendor accounts should not have persistent always-on access unless operationally required.
Dedicated connectivity
Where possible, third-party connections should use dedicated network paths rather than shared internet connections. MPLS circuits or dedicated VPNs to specific vendors limit the blast radius if the vendor’s environment is compromised — the attacker cannot pivot from the vendor into other parts of the organization’s network.
Monitoring and logging
All third-party access sessions must be logged with session recording, command logging, and alerting on anomalous activity. Privileged access management (PAM) solutions (CyberArk, BeyondTrust) provide session recording for all vendor connections — creating an auditable record of every action taken during each support session.
Contractual security requirements
Third-party connectivity must be governed by contracts specifying security requirements: minimum encryption standards, incident notification timelines, right-to-audit clauses, and liability for breaches caused by the vendor’s credentials. A vendor whose credentials are compromised and used to breach the customer must bear documented accountability.
🌐 Real-world example — third-party connectivity
The 2013 Target breach: the initial access vector was credentials stolen from Fazio Mechanical, a third-party HVAC vendor with access to Target’s vendor portal for electronic billing and project management. Fazio used free antivirus software (Malwarebytes free version, not a commercial endpoint security product) and had no managed security controls. Their credentials were stolen via Citadel malware delivered by phishing. Target had no minimum security requirements for vendors, no MFA on the vendor portal, and no session monitoring. Contractual security requirements, vendor security assessments, and MFA on the vendor portal would each individually have prevented the initial access that led to a $292 million loss.
The network security chain
Every gap in this chain is where an attacker gains entry, moves laterally, or exfiltrates data without detection.
Design for segmentation from the start
Flat networks amplify every breach. VLANs, DMZ, micro-segmentation, and zero trust architecture limit blast radius before an attacker arrives.
Apply controls at every OSI layer
Layer 7 WAF does not protect Layer 2. Layer 3 firewall does not protect Layer 7. Controls must match the layer where threats operate.
Encrypt all traffic — inside and outside
TLS 1.3 in transit. IPSec for network-layer encryption. No assumption that internal traffic is safe — east-west traffic must be treated as hostile.
Enforce NAC and endpoint compliance
Only authenticated, posture-compliant devices get network access. 802.1X, EDR, FDE, and application controls at every endpoint.
Control wireless networks as hostile
WPA3 Enterprise, 802.1X, rogue AP detection. Bluetooth and IoT on isolated segments. Never assume RF boundaries correspond to physical boundaries.
Replace VPN with ZTNA for remote access
VPN grants network access. ZTNA grants application access. Compromised VPN credential = network-wide lateral movement. Compromised ZTNA credential = access to one application.
Govern all third-party connections
Time-limited credentials, MFA, session recording, contractual security requirements, and right-to-audit. Third parties are trusted insiders until they are not.
Monitor east-west traffic continuously
NDR (Network Detection and Response) for behavioral anomaly detection. SIEM correlation across network, endpoint, and identity logs. Lateral movement is invisible without east-west visibility.
By profession, a CloudSecurity Consultant; by passion, a storyteller. Through SunExplains, I explain security in simple, relatable terms — connecting technology, trust, and everyday life.
Leave a Reply