Fundamentals
Network Security Basics (ATT&CK: T1040, T1046)
A foundational guide to network security for SOC analysts — firewall types, ACLs, security zones, egress filtering, and network segmentation. Covers the concepts analysts need to interpret firewall logs and assess network controls.
What Network Security Controls Are and Why Analysts Need to Understand Them
- Network security controls are the gatekeepers between users, systems, and the internet. They enforce what traffic is allowed, what is blocked, what is logged, and what is inspected.
- Every SOC analyst reads firewall logs, triages IDS alerts, and interprets network telemetry daily. Understanding the control that generated the log is the difference between “the firewall blocked something” and “the firewall blocked a C2 callback on a port that should not be open.”
- This article covers the core network security concepts every analyst needs: firewalls (stateful vs stateless), ACLs (standard vs extended), security zones (trusted vs untrusted), egress filtering, and network segmentation strategies.
Firewall Types — Stateful vs Stateless vs Next-Gen
Stateless (Packet Filter) Firewalls
The simplest type. Inspects each packet in isolation — no knowledge of connection state.
| Characteristic | Detail |
|---|---|
| What it checks | Source IP, destination IP, source port, destination port, protocol, TCP flags |
| State awareness | None — each packet is assessed independently |
| Performance | Very fast — no state table to maintain |
| Security | Low — cannot tell whether a packet belongs to an existing connection; to let replies back in it must permit any inbound packet with ACK set, so crafted ACK or SYN-ACK packets to any internal port pass straight through |
| Examples | iptables rules without conntrack, early Cisco router ACLs, basic router filters |
| Best for | Simple permit/deny rules at network edges |
Stateful Firewalls
Tracks the state of active connections in a state table. Only the first packet of a flow is evaluated against the rulebase; later packets that belong to a tracked connection are allowed on the strength of the existing state entry.
| Characteristic | Detail |
|---|---|
| What it checks | Same as stateless + connection state (NEW, ESTABLISHED, RELATED, INVALID) |
| State awareness | Full — maintains a state table per connection |
| Performance | Moderate — the state table has a finite size and per-entry timeouts, so state exhaustion (e.g., SYN floods) is a DoS vector |
| Security | High — drops packets that arrive without a matching state entry (e.g., an unsolicited SYN-ACK, or an ACK for a flow the firewall never saw) |
| Examples | iptables/nftables with conntrack, Windows Firewall, pfSense, Cisco ASA, Palo Alto |
| Best for | Most internal and perimeter deployments |
Next-Generation Firewalls (NGFW)
Stateful inspection plus application-layer awareness — inspects packet payloads, not just headers.
| Characteristic | Detail |
|---|---|
| What it checks | Everything stateful checks + application protocol, file type, SSL/TLS decryption, user identity, threat intelligence feeds |
| State awareness | Full + application state |
| Performance | Slower — deep packet inspection is CPU-intensive |
| Security | Highest — can identify and block specific applications, malware downloads, and C2 protocols even on non-standard ports |
| Examples | Palo Alto, Fortinet FortiGate, Check Point, Cisco Firepower |
| Best for | Perimeter defense, data center east-west traffic, cloud egress |
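The following toy filter, added here as a worked example and not taken from the article, runs the same four packets through a stateless policy and a stateful state table. It shows the concrete difference the tables above describe: a crafted SYN-ACK aimed at an internal SMB port is permitted by the stateless "anything with ACK set" rule but rejected as INVALID by the stateful filter. Addresses, ports and the policy are constructed for the demonstration.

```python
"""Toy stateless vs stateful packet filter (added example, not article code).
Packets, addresses and policy are constructed for the demonstration."""
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.1."   # hypothetical internal subnet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # TCP flags, e.g. frozenset({"SYN", "ACK"})


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def stateless_filter(pkt):
    """Packet filter with no memory. Policy: permit anything leaving the
    network; to let replies back in, permit any inbound packet with ACK set
    (the pre-conntrack 'established' approximation). Because it cannot know
    whether a flow exists, a crafted ACK or SYN-ACK to any internal port is
    also permitted."""
    if is_internal(pkt.src) and not is_internal(pkt.dst):
        return "permit"
    if "ACK" in pkt.flags:
        return "permit"
    return "deny"


class StatefulFilter:
    """State table keyed by the 4-tuple of the flow initiator. Only the first
    packet of a flow (NEW) is matched against policy; later packets are
    permitted only if they belong to a tracked flow."""

    def __init__(self):
        self.table = {}   # (src, sport, dst, dport) of initiator -> state

    @staticmethod
    def _fwd(pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _rev(pkt):
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def evaluate(self, pkt):
        """Return (verdict, conntrack-style state label)."""
        fwd, rev = self._fwd(pkt), self._rev(pkt)
        if fwd in self.table:                     # initiator -> responder
            return "permit", "ESTABLISHED"
        if rev in self.table:                     # responder -> initiator
            self.table[rev] = "ESTABLISHED"
            return "permit", "ESTABLISHED"
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            # First packet of a flow: apply policy (outbound NEW only).
            if is_internal(pkt.src) and not is_internal(pkt.dst):
                self.table[fwd] = "SYN_SENT"
                return "permit", "NEW"
            return "deny", "NEW"
        # Non-SYN packet with no tracked flow: conntrack calls this INVALID.
        return "deny", "INVALID"


def run_demo():
    """Run four constructed packets through both filters and return
    (label, stateless verdict, stateful verdict) for each."""
    fw = StatefulFilter()
    scenarios = [
        ("outbound SYN to web server",
         Packet("10.0.1.5", 51000, "93.184.216.34", 443, frozenset({"SYN"}))),
        ("legitimate SYN-ACK reply",
         Packet("93.184.216.34", 443, "10.0.1.5", 51000, frozenset({"SYN", "ACK"}))),
        ("crafted SYN-ACK probe to SMB (no prior SYN)",
         Packet("198.51.100.7", 443, "10.0.1.5", 445, frozenset({"SYN", "ACK"}))),
        ("inbound SYN to SSH",
         Packet("198.51.100.7", 40000, "10.0.1.5", 22, frozenset({"SYN"}))),
    ]
    results = []
    for label, pkt in scenarios:
        verdict, state = fw.evaluate(pkt)
        results.append((label, stateless_filter(pkt), f"{verdict} ({state})"))
    return results


if __name__ == "__main__":
    for label, sl, sf in run_demo():
        print(f"{label:45} stateless={sl:7} stateful={sf}")
```

The third scenario is the one to remember when reading logs: a stateless device would log it as permitted traffic on 445, while a stateful device logs a drop with no matching state, which is exactly the signature of an ACK or SYN-ACK scan.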
ACLs — Access Control Lists
ACLs are ordered lists of permit/deny rules applied to network interfaces. Every packet is evaluated against the rule list top-to-bottom until a match is found.
Standard vs Extended ACLs
| Feature | Standard ACL | Extended ACL |
|---|---|---|
| Match criteria | Source IP only | Source IP, destination IP, protocol, source/destination ports (and TCP flags such as `established`) |
| Example | access-list 10 permit 192.168.1.0 0.0.0.255 | access-list 100 permit tcp 10.0.0.0 0.255.255.255 any eq 443 |
| Placement | Close to the destination (because it doesn’t filter by destination) | Close to the source (early filtering) |
| Wildcard mask | Inverted subnet mask on the source (omitted = single host) | Inverted subnet mask on source and destination; `host` is shorthand for 0.0.0.0, `any` for 255.255.255.255 |
ACL Wildcard Masks vs Subnet Masks
Do not confuse wildcard masks with subnet masks. A wildcard mask is the bitwise inverse of the subnet mask: a 0 bit means the address bit must match, a 1 bit means it is ignored.
| Subnet | Subnet Mask | Wildcard Mask | What It Matches |
|---|---|---|---|
| /24 | 255.255.255.0 | 0.0.0.255 | 192.168.1.0-255 |
| /16 | 255.255.0.0 | 0.0.255.255 | 192.168.0.0-255.255 |
| Single host | 255.255.255.255 | 0.0.0.0 | That exact IP only |
| Any | 0.0.0.0 | 255.255.255.255 | Everything (any) |
The implicit deny rule: every ACL ends with an implicit deny all, whether or not it is configured. Traffic that matches no entry is dropped. This is the most common reason analysts see blocked traffic that appears to match no rule. On Cisco IOS the implicit deny produces no log entry, so if you need those drops in your logs, add an explicit final deny entry with the `log` keyword.
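A small Cisco-style ACL evaluator, added here as a worked example (it is not code from the article), makes the mechanics above concrete: it parses the two ACL forms shown in the table plus the `host`/`any` shorthand, matches addresses with wildcard masks, walks the list top-to-bottom with first match wins, and falls through to the implicit deny. The ACL entries and test addresses are constructed; `10.0.0.53` is assumed to be the approved internal resolver.

```python
"""Cisco-style ACL evaluator with wildcard masks (added example, not article
code). ACL entries and addresses are constructed for the demonstration."""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")


def _to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def wildcard_from_prefix(prefixlen):
    """Wildcard mask is the bitwise inverse of the subnet mask."""
    mask = (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))


def wildcard_match(ip, network, wildcard):
    """0 bits in the wildcard must match, 1 bits are don't-care. Unlike a
    subnet mask, the don't-care bits need not be contiguous."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(ip) & care) == (_to_int(network) & care)


def _parse_addr(tokens, i):
    """Consume an address spec at tokens[i]; return (network, wildcard, next_i)."""
    tok = tokens[i]
    if tok == "any":
        return ANY[0], ANY[1], i + 1
    if tok == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(tokens) and tokens[i + 1].count(".") == 3:
        return tok, tokens[i + 1], i + 2
    return tok, "0.0.0.0", i + 1        # standard ACL with mask omitted = host


def _parse_port(tokens, i):
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(lines):
    """Parse `access-list N permit|deny ...` lines. Numbers 1-99 are
    standard ACLs (source only); 100-199 are extended."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        number, action = int(t[1]), t[2]
        if number <= 99:
            src, swc, _ = _parse_addr(t, 3)
            proto, sport, dport = "ip", None, None
            dst, dwc = ANY
        else:
            proto = t[3]
            src, swc, i = _parse_addr(t, 4)
            sport, i = _parse_port(t, i)
            dst, dwc, i = _parse_addr(t, i)
            dport, _ = _parse_port(t, i)
        entries.append({"line": line, "action": action, "proto": proto,
                        "src": src, "swc": swc, "sport": sport,
                        "dst": dst, "dwc": dwc, "dport": dport})
    return entries


def evaluate(entries, proto, src, dst, dport=None, sport=None):
    """First matching entry wins; no match hits the implicit deny."""
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if not wildcard_match(src, e["src"], e["swc"]):
            continue
        if not wildcard_match(dst, e["dst"], e["dwc"]):
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], e["line"]
    return "deny", "implicit deny (no matching entry)"


# Constructed example ACLs (hypothetical addresses and policy).
STANDARD_ACL = parse_acl(["access-list 10 permit 192.168.1.0 0.0.0.255"])
EXTENDED_ACL = parse_acl([
    "access-list 100 permit tcp 10.0.0.0 0.255.255.255 any eq 443",
    "access-list 100 permit udp 10.0.0.0 0.255.255.255 host 10.0.0.53 eq 53",
])

if __name__ == "__main__":
    print(evaluate(STANDARD_ACL, "ip", "192.168.1.77", "203.0.113.9"))
    print(evaluate(EXTENDED_ACL, "udp", "10.1.2.3", "8.8.8.8", dport=53))
```

Two things worth trying with it: a DNS query to `8.8.8.8` falls to the implicit deny because the only permitted resolver is `10.0.0.53`, and a wildcard such as `0.0.0.254` (non-contiguous don't-care bits) matches only even host addresses, which has no subnet-mask equivalent.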
Security Zones — Trusted, Untrusted, and DMZ
Network segmentation starts with security zones — logical groupings of systems with similar trust levels.
| Zone | Trust Level | What Lives There | Inbound Policy | Outbound Policy |
|---|---|---|---|---|
| Trusted (Internal) | High | Corporate users, internal servers, Active Directory | Restrict inbound from other zones | Permit outbound to internet (with inspection) |
| DMZ (Demilitarized) | Medium | Web servers, mail relays, VPN gateways, application proxies | Permit only the published service ports from the internet (80, 443, 25) | Restrict outbound: only specific protocols to specific internal hosts; a DMZ host must never be able to reach the whole internal zone |
| Untrusted (Internet) | None | Everything outside the perimeter | Receives traffic from other zones only as egress filtering permits | Default-deny into every other zone; only the published DMZ services are reachable |
| Management | Highest | SSH/RDP jump hosts, monitoring servers, admin workstations | Only from dedicated admin IPs | Minimal — patching and logging only |
| Guest (BYOD) | Low | Guest WiFi, contractor laptops | None | Internet only — no internal access |
The cardinal rule of zone-based firewalls: traffic between zones must be explicitly permitted. Nothing passes between zones by default, including traffic from Trusted to DMZ. Note that most platforms (Cisco zone-based firewall, Palo Alto's intrazone-default rule) allow traffic within a zone by default, so two hosts placed in the same zone are not separated by the firewall at all.
Egress Filtering — The Most Overlooked Security Control
Egress filtering controls outbound traffic from your network to the internet. Most organizations invest heavily in inbound filtering but leave outbound wide open, so a compromised host can connect back to an attacker on any port. Because 443 is permitted almost everywhere, attackers default to it; port-based egress rules therefore have to be paired with a proxy or TLS inspection to catch beacons hiding inside an allowed port.
Why Egress Filtering Matters
| Attack Phase | Without Egress Filtering | With Egress Filtering |
|---|---|---|
| C2 beaconing | Beacon easily reaches the attacker’s server on any port | Beacon is blocked unless it uses approved ports/protocols |
| Data exfiltration | Large outbound data transfer to an unknown IP | Blocked or flagged by security monitoring |
| DNS tunneling | Hosts can query any resolver on the internet, so tunnelled data goes straight to the attacker's authoritative server | Only the approved internal resolvers are reachable, so tunnelled queries must pass through them, where they are logged and can be detected by query volume and length (restricting resolvers alone does not block tunnelling) |
| Reverse shell | Attacker connects back to a listener on any port | Blocked if the port/protocol is not permitted |
Minimum Egress Profile (Recommended)
| Outbound Port | Protocol | Service | Rationale |
|---|---|---|---|
| 53 | TCP/UDP | DNS | Resolve domain names — restrict to approved DNS servers only |
| 80 | TCP | HTTP | Web traffic — ideally proxy all HTTP through an inspection proxy |
| 443 | TCP | HTTPS | Web traffic — decrypt and inspect via TLS interception with an enterprise CA trusted by the endpoints; where interception is not possible, at least log the destination and SNI |
| 123 | UDP | NTP | Time synchronization — restrict to approved time servers |
| 22 | TCP | SSH | Outbound SSH — restrict to known destination hosts and to admin source systems |
| 25 | TCP | SMTP | Email — restrict to authorized mail servers only |
Everything else should be blocked. If a business need exists, permit it with exceptions and log all matches.
Network Segmentation — Containment Through Architecture
Segmentation limits lateral movement by dividing the network into isolated segments. If an attacker compromises one segment, they cannot see or reach the others without traversing a firewall.
Common Segmentation Models
| Model | Description | Security Level | Complexity |
|---|---|---|---|
| Flat network | All hosts on the same subnet — any host can reach any other | Low | Minimal |
| VLAN separation | Layer 2 separation — hosts in different VLANs cannot communicate without a router | Medium | Moderate |
| Micro-segmentation | Each workload or application has its own security policy — enforced at the hypervisor, container network interface, or cloud security group | High | Significant |
| Zero Trust network | No implicit trust based on network location — every request is authenticated, authorized, and encrypted | Highest | High |
How Analysts Detect Segmentation Failures
SPL query — cross-segment traffic from user workstations to sensitive servers. Only allowed traffic matters here (denied traffic means the segmentation is working), and because `stats` discards `_time`, the first and last sighting are captured explicitly. The subnets are placeholders: 10.0.1.0/24 is the user subnet and 10.0.100.0/24 the sensitive server subnet.
```spl
index=network sourcetype=firewall_log action=allowed
| search src_ip="10.0.1.0/24" dest_ip="10.0.100.0/24"
| stats count min(_time) as first_seen max(_time) as last_seen by src_ip, dest_ip, dest_port
| where count > 5
| eval alert="Cross-segment traffic from user subnet (10.0.1.0/24) to sensitive server subnet (10.0.100.0/24) - possible lateral movement"
| convert ctime(first_seen) ctime(last_seen)
| table first_seen, last_seen, src_ip, dest_ip, dest_port, count, alert
```
SPL query — hosts sending traffic to the internet on ports outside the minimum egress profile (the port list mirrors the profile above; internal destinations are excluded so that normal east-west traffic does not fire the rule):
```spl
index=network sourcetype=firewall_log action=allowed
| search NOT (dest_ip="10.0.0.0/8" OR dest_ip="172.16.0.0/12" OR dest_ip="192.168.0.0/16")
| search NOT dest_port IN (53, 80, 443, 123, 22, 25)
| stats count max(_time) as last_seen by src_ip, dest_ip, dest_port
| where count > 20
| eval alert="Outbound traffic on a port outside the egress profile"
| convert ctime(last_seen)
| table last_seen, src_ip, dest_ip, dest_port, count, alert
```
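To show what the two SPL queries above and the minimum egress profile from the egress filtering section actually flag, here is the same logic in Python run over a handful of constructed firewall log lines. This is an added example, not code from the article; the key=value log format, the addressing plan (10.0.1.0/24 users, 10.0.100.0/24 sensitive servers), the approved resolver `10.0.0.53` and all addresses are assumptions made for the demonstration.

```python
"""Egress-profile and cross-segment checks over constructed firewall logs
(added example, not article code). Log format, subnets, resolver and
addresses are assumptions for the demonstration."""
import ipaddress
from collections import Counter

# Constructed sample log lines in a hypothetical key=value format.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z action=allowed src_ip=10.0.1.15 dest_ip=93.184.216.34 dest_port=443 proto=tcp
2024-05-01T10:00:02Z action=allowed src_ip=10.0.1.15 dest_ip=10.0.0.53 dest_port=53 proto=udp
2024-05-01T10:00:03Z action=allowed src_ip=10.0.1.22 dest_ip=8.8.8.8 dest_port=53 proto=udp
2024-05-01T10:00:04Z action=allowed src_ip=10.0.1.22 dest_ip=198.51.100.7 dest_port=4444 proto=tcp
2024-05-01T10:00:05Z action=allowed src_ip=10.0.1.22 dest_ip=198.51.100.7 dest_port=4444 proto=tcp
2024-05-01T10:00:06Z action=denied src_ip=10.0.1.30 dest_ip=198.51.100.9 dest_port=6667 proto=tcp
2024-05-01T10:00:07Z action=allowed src_ip=10.0.1.15 dest_ip=10.0.100.10 dest_port=445 proto=tcp
2024-05-01T10:00:08Z action=allowed src_ip=10.0.1.15 dest_ip=10.0.100.10 dest_port=445 proto=tcp
2024-05-01T10:00:09Z action=allowed src_ip=10.0.1.15 dest_ip=10.0.100.10 dest_port=3389 proto=tcp
2024-05-01T10:00:10Z action=allowed src_ip=10.0.1.40 dest_ip=10.0.0.5 dest_port=443 proto=tcp
"""

# Assumed addressing plan and policy for the demonstration.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
USER_SUBNET = ipaddress.ip_network("10.0.1.0/24")
SENSITIVE_SUBNET = ipaddress.ip_network("10.0.100.0/24")
APPROVED_RESOLVERS = {"10.0.0.53"}
# Minimum egress profile from the section above, as (proto, port) pairs.
EGRESS_PROFILE = {("udp", 53), ("tcp", 53), ("tcp", 80), ("tcp", 443),
                  ("udp", 123), ("tcp", 22), ("tcp", 25)}


def parse_logs(text):
    """Turn `timestamp key=value ...` lines into dicts."""
    events = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        ev = dict(kv.split("=", 1) for kv in rest.split())
        ev["_time"] = ts
        ev["dest_port"] = int(ev["dest_port"])
        events.append(ev)
    return events


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_violations(events):
    """Allowed flows leaving the network that fall outside the egress
    profile, plus DNS that bypasses the approved resolvers. Returns a
    Counter keyed by (src_ip, dest_ip, dest_port, reason)."""
    findings = Counter()
    for ev in events:
        if ev["action"] != "allowed" or is_internal(ev["dest_ip"]):
            continue
        if (ev["proto"], ev["dest_port"]) not in EGRESS_PROFILE:
            reason = "port outside egress profile"
        elif ev["dest_port"] == 53 and ev["dest_ip"] not in APPROVED_RESOLVERS:
            reason = "DNS to non-approved resolver"
        else:
            continue
        findings[(ev["src_ip"], ev["dest_ip"], ev["dest_port"], reason)] += 1
    return findings


def cross_segment(events, threshold=5):
    """Allowed flows from the user subnet into the sensitive subnet, counted
    per (src_ip, dest_ip, dest_port): the equivalent of the first SPL query.
    Only keys with a count at or above `threshold` are returned."""
    counts = Counter()
    for ev in events:
        if ev["action"] != "allowed":
            continue
        src = ipaddress.ip_address(ev["src_ip"])
        dst = ipaddress.ip_address(ev["dest_ip"])
        if src in USER_SUBNET and dst in SENSITIVE_SUBNET:
            counts[(ev["src_ip"], ev["dest_ip"], ev["dest_port"])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for key, n in egress_violations(evs).items():
        print("EGRESS", n, key)
    for key, n in cross_segment(evs, threshold=2).items():
        print("CROSS-SEGMENT", n, key)
```

On the sample, the egress check flags the two connections to 198.51.100.7:4444 and the single DNS query to 8.8.8.8, while the denied IRC attempt is ignored because the firewall already did its job. The cross-segment check only reports the repeated SMB connections from the user subnet to the sensitive server; the threshold is lowered to 2 for the ten-line sample, and in production it should be set from a baseline of what the user subnet normally reaches.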
Log Sources for Network Security Investigations
| Log Source | What It Reveals | Key Fields for Analysis |
|---|---|---|
| Firewall logs | Which traffic was allowed, denied, or dropped | src_ip, dest_ip, src_port, dest_port, action, rule_name |
| VPC Flow Logs | Traffic metadata in cloud environments | srcaddr, dstaddr, dstport, protocol, action, bytes, packets |
| DNS query logs | Which domains are being resolved and by which host | query_name, src_ip, response_ip, query_type |
| Proxy logs | HTTP/HTTPS traffic details — including full URL paths | url, method, status_code, user_agent, bytes, content_type |
| NetFlow/IPFIX | Summary of network conversations | src_ip:port, dest_ip:port, protocol, bytes, packets, duration |
Related
- Common Ports and Protocols
- Log Sources Overview
- Metasploit (T1203)
- Nmap
- RITA (T1071)
