Network Security in Depth

At GCSE you met a firewall as a guard on the door and antivirus as a patrol inside. That is a fine start, but a real organisation — a bank, a hospital, a school — cannot bet everything on a single guard. Guards get tired, doors get propped open, and clever attackers find the one gap nobody was watching. So the professionals never ask "what is our security?" as if it were one thing. They ask "what are our layers?"

The governing idea of this page is defence in depth: protect a network with several independent controls stacked one behind another, so that when one is breached — and you must assume one will be — the attacker still faces the next, and the next. No single control is trusted to be perfect, because none is. Security is not a wall; it is an onion.

We will walk that onion from the outside in — firewalls and segmentation at the boundary, encryption on the wire, authentication and access control at every door inside, intrusion detection watching the corridors, secure Wi‑Fi at the edges, and monitoring and logging tying it all together — and then face the layer no technology can protect: the people.

The onion: layers around what matters

Picture the thing you actually care about — the customer database, the patient records, the exam papers — sitting right at the centre. Every layer you add is one more thing an attacker must defeat in turn to reach it. Step through the rings from the outside in:

The power of this arrangement is multiplication, not addition. If the firewall stops 99% of attacks and network authentication independently stops 99% of what slips past, then to reach the core an attack must beat both — only 1% of 1% survives. Each honest layer shrinks the surviving threat again. That is why adding a mediocre extra layer is often worth more than perfecting one you already have: it closes a different door.

Layer 1 — Firewalls: from packet filtering to stateful inspection

A firewall filters traffic crossing a boundary against a ruleset. At A‑level you are expected to know that firewalls are not all equally clever — they come in generations.

Higher still sit application-layer firewalls (or proxies) that understand the traffic inside the packets — spotting that "port 443 traffic" is actually a malformed request trying to exploit a web server. The lesson for a layered design: a firewall filters connections, and even a stateful one waves through anything that obeys the rules. It is a strong first ring, never the last.

Layer 2 — Segmentation and the DMZ

A single flat network is a gift to an attacker: breach one machine and you can reach every other. Segmentation divides the network into zones with firewalls between them, so a compromise in one zone does not automatically spread to the rest. The classic pattern is the DMZ (demilitarised zone) — a buffer network for the servers that must face the public internet (web, mail, DNS), kept firmly separate from the private internal LAN.

Two firewalls sandwich the DMZ. The outer one lets the internet reach the public servers but nothing deeper. The inner one is far stricter: it lets internal users out and permits only tightly controlled traffic from the DMZ inward. Now if an attacker hijacks the public web server — the most exposed machine you own — they land in the DMZ, not on the network with your payroll and patient records. They have breached a layer and still hit another wall. That is defence in depth made concrete.

The name is borrowed from a military buffer zone — a strip of neutral ground between two hostile territories where neither side keeps its main forces. A network DMZ is the same idea: a no‑man's‑land between the wild internet and your trusted interior, holding only the machines that have to be reachable from outside, and never your crown jewels. Anything in the DMZ is treated as semi‑trusted at best, on the assumption it might one day be captured.
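The two firewall layers above (stateless versus stateful inspection, and the outer/inner DMZ sandwich) as one added example; this is illustration code, not from the original page or any real product, and the zone names, hosts and the DMZ-to-LAN rule (port 5432, web app to database) are assumptions.

```python
# Added example, not from the page: a toy zone-aware firewall that contrasts a
# stateless packet filter with stateful inspection. Zones, hosts, ports are assumed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_zone: str; sport: int; src: str      # zones: "internet", "dmz", "lan"
    dst_zone: str; dport: int; dst: str
    syn: bool = False                         # first packet of a TCP connection

# Policy for NEW connections, (from, to) -> allowed destination ports; None = any,
# empty set = never. Outer firewall: internet/dmz edge; inner: dmz/lan edge.
NEW_CONN = {("internet", "dmz"): {80, 443}, ("internet", "lan"): set(),
            ("lan", "internet"): None, ("lan", "dmz"): None,
            ("dmz", "lan"): {5432}, ("dmz", "internet"): set()}

def permitted(p: Packet) -> bool:
    allowed = NEW_CONN.get((p.src_zone, p.dst_zone), set())
    return allowed is None or p.dport in allowed

def stateless_decide(p: Packet) -> str:
    """No memory: to let web replies back into the LAN it must admit ANY inbound
    packet with source port 443, which an attacker can simply forge."""
    if p.dst_zone == "lan" and p.sport == 443:
        return "ALLOW (looks like a reply)"
    return "ALLOW" if permitted(p) else "DROP"

class StatefulFirewall:
    """Remembers connections it allowed; only their replies may come back."""
    def __init__(self) -> None:
        self.table = set()

    def decide(self, p: Packet) -> str:
        flow = (p.src, p.sport, p.dst, p.dport)
        if flow in self.table or (p.dst, p.dport, p.src, p.sport) in self.table:
            return "ALLOW (established)"
        if not p.syn:
            return "DROP (no matching connection)"
        if permitted(p):
            self.table.add(flow)
            return "ALLOW (new connection)"
        return "DROP (policy)"

def demo() -> dict:
    # Constructed traffic: a LAN browse and its reply, a forged "reply" aimed at
    # payroll, and a captured DMZ web server trying to pivot into the LAN.
    fw = StatefulFirewall()
    out = Packet("lan", 50000, "pc1", "internet", 443, "site", syn=True)
    reply = Packet("internet", 443, "site", "lan", 50000, "pc1")
    probe = Packet("internet", 443, "attacker", "lan", 445, "payroll")
    pivot = Packet("dmz", 40001, "www", "lan", 445, "payroll", syn=True)
    return {"probe_stateless": stateless_decide(probe), "out": fw.decide(out),
            "reply": fw.decide(reply), "probe": fw.decide(probe),
            "pivot": fw.decide(pivot)}
```

The stateless filter admits the forged "reply" because it can only judge the packet in front of it; the stateful one drops it, and the inner firewall also stops the compromised web server reaching payroll.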

Layer 3 — Encryption in transit: TLS/HTTPS and VPNs

Firewalls decide who may talk to whom; they do nothing to protect a conversation that is allowed but overheard. On a shared medium — public Wi‑Fi, a rented data-centre link, the wider internet — data can be intercepted. Encryption makes the intercepted copy useless, and two forms of it matter on a network:

Both defend data in transit. Note what they do not do: encryption keeps a message private, but it will happily deliver a private message to an imposter. Knowing the conversation is secret is worthless unless you also know who is on the other end — which is the next layer.

Layer 4 — Authentication and access control inside the network

Getting past the perimeter should not hand an attacker the keys to everything. Inside the network, every request to a resource is challenged. Two distinct ideas do this work:

This is the interior wall of the onion. It assumes the outer rings might already have failed — that the attacker is already inside — and still refuses to trust them without proof and still confines them to a narrow set of permissions. An attacker who is authenticated as nobody important, and authorised to touch almost nothing, has won very little.

Layer 5 — Intrusion detection and prevention (IDS / IPS)

Every layer so far is a barrier. But barriers are silent — they do not tell you an attack is under way. An Intrusion Detection System (IDS) is the burglar alarm: it watches network traffic and system activity for signs of attack and raises an alert. An Intrusion Prevention System (IPS) goes one step further and can act — dropping the malicious traffic or blocking the source automatically. The difference is a single word: an IDS detects and warns; an IPS detects and stops.

Both spot trouble in one of two ways, and A‑level expects the contrast:

An IDS/IPS is the layer that admits the others might fail and plans for it: rather than assuming the walls hold, it assumes something will get through and makes sure a human — or an automatic response — finds out fast.
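The detect-and-warn versus detect-and-stop distinction as an added example (illustration code, not from the page or any real IDS/IPS product): one detection engine run in IDS mode and in IPS mode over the same constructed traffic. The signature, the rate threshold and the events are assumptions.

```python
# Added example, not from the page: the same detection engine run as an IDS
# (alert only) and as an IPS (alert and block). Signatures, thresholds and
# the constructed traffic below are assumptions for illustration.
import re
from collections import defaultdict

# A signature is a known attack pattern; this one matches a path-traversal
# probe in an HTTP request line (assumed signature, not from a real ruleset).
SIGNATURES = {"path-traversal": re.compile(r"\.\./")}
RATE_LIMIT = 5   # assumed: more than 5 requests from one host counts as a flood

def inspect(event: dict, counts: dict) -> list:
    """Return the names of rules this event triggers (empty list if clean)."""
    hits = [name for name, rx in SIGNATURES.items() if rx.search(event["payload"])]
    counts[event["src"]] += 1
    if counts[event["src"]] > RATE_LIMIT:
        hits.append("connection-flood")
    return hits

def run(events: list, mode: str) -> dict:
    """mode 'ids' only records alerts; mode 'ips' also blocks the source
    for every later event, so the attacker is cut off after the first hit."""
    blocked, alerts, delivered = set(), [], 0
    counts = defaultdict(int)
    for ev in events:
        if ev["src"] in blocked:
            continue                      # IPS already dropped this source
        hits = inspect(ev, counts)
        if hits:
            alerts.append((ev["src"], hits))
            if mode == "ips":
                blocked.add(ev["src"])
                continue                  # malicious event dropped, not delivered
        delivered += 1
    return {"alerts": len(alerts), "blocked": sorted(blocked), "delivered": delivered}

# Constructed traffic: one normal client, one attacker who probes then floods.
EVENTS = ([{"src": "10.0.0.5", "payload": "GET /index.html"}] * 3
          + [{"src": "203.0.113.9", "payload": "GET /../../etc/passwd"}]
          + [{"src": "203.0.113.9", "payload": "GET /"}] * 8)

def demo() -> dict:
    return {"ids": run(EVENTS, "ids"), "ips": run(EVENTS, "ips")}
```

In IDS mode every attacker packet is still delivered and the alarm simply rings five times; in IPS mode the first hit blocks the source and the flood never arrives.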

Layer 6 — Securing the wireless edge: WPA and MAC filtering

A wired attacker needs physical access to a socket. A wireless network sprays its signal into the car park, so its edge needs its own protections.

Together with not relying on a hidden SSID (suppressing the broadcast conceals nothing from a determined attacker) and changing default router passwords, these harden the most exposed doorway of a modern network — the one an attacker can attack from the pavement outside.

Layer 7 — Monitoring and logging: the layer that watches the layers

Every device — firewalls, servers, the IDS, the Wi‑Fi controller — writes logs: time‑stamped records of who connected, what was requested, what was allowed or denied. On their own these are scattered and unread. Organisations feed them into central monitoring (often a SIEM — Security Information and Event Management system) that correlates events across the whole network and looks for the story hidden in them.

Logging matters for three reasons, and none of them prevents an attack:

Monitoring is the nervous system running through the whole onion. It cannot stop anything by itself, but without it a breach can smoulder undetected for months — and you cannot defend against, or recover from, an attack you never knew happened.
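The correlation idea above ("the story hidden in them") as an added example, not from the page or any real SIEM: three devices' logs are normalised and joined by source address, and a pattern no single device would flag (probing, failed logins on several accounts, then a success) becomes one high-severity incident. The log formats, hosts, addresses and the ten-minute window are constructed assumptions.

```python
# Added example, not from the page: tiny SIEM-style correlation over constructed
# log lines from three devices. Formats, hosts and the window are assumptions.
import re
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed logs. On its own, each device's view looks routine.
LOGS = """\
2024-05-01T09:00:05 firewall DENY src=198.51.100.7 dst=10.0.0.20 dport=22
2024-05-01T09:00:06 firewall DENY src=198.51.100.7 dst=10.0.0.21 dport=22
2024-05-01T09:01:10 firewall ALLOW src=198.51.100.7 dst=10.0.0.30 dport=443
2024-05-01T09:02:00 vpn FAILED user=alice src=198.51.100.7
2024-05-01T09:02:30 vpn FAILED user=bob src=198.51.100.7
2024-05-01T09:03:00 vpn FAILED user=carol src=198.51.100.7
2024-05-01T09:05:45 vpn SUCCESS user=dave src=198.51.100.7
2024-05-01T09:06:00 vpn SUCCESS user=erin src=203.0.113.4
2024-05-01T09:07:00 firewall DENY src=203.0.113.4 dst=10.0.0.20 dport=445
"""
LINE = re.compile(r"^(\S+) (\w+) (\w+) (.*)$")

def parse(text: str) -> list:
    # Normalise every line into {ts, source, action, key=value fields}.
    events = []
    for line in text.splitlines():
        ts, source, action, rest = LINE.match(line).groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({"ts": datetime.fromisoformat(ts), "source": source,
                       "action": action, **fields})
    return events

def correlate(events: list, window=timedelta(minutes=10), min_failures=3) -> list:
    """Flag a VPN SUCCESS preceded, within the window and from the same host, by
    failed logins on several accounts: guessing that worked, not a mistyped password."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)
    incidents = []
    for src, evs in by_src.items():
        for i, ev in enumerate(evs):
            if ev["source"] != "vpn" or ev["action"] != "SUCCESS":
                continue
            earlier = [e for e in evs[:i] if ev["ts"] - e["ts"] <= window]
            failures = {e["user"] for e in earlier if e["action"] == "FAILED"}
            denies = sum(e["action"] == "DENY" for e in earlier)
            if len(failures) >= min_failures:
                incidents.append({"src": src, "user": ev["user"], "failed_accounts": len(failures),
                                  "firewall_denies": denies, "severity": "high"})
    return incidents

def demo() -> list:
    return correlate(parse(LOGS))
```

The second address (203.0.113.4) also has a login and a firewall deny, but no run of failures, so it correctly produces no incident.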

Putting the onion together

Step back and the design is clear: no layer is asked to be perfect, because each assumes the ones outside it may have failed. The firewall thins the flood; segmentation contains whatever gets in; encryption denies eavesdroppers the payload; authentication and least privilege refuse to trust an intruder even inside; the IDS/IPS sounds the alarm and slams doors; secure Wi‑Fi and MAC filtering harden the wireless edge; and monitoring watches it all and remembers. Peel one layer and another lies beneath. That, and not any single clever product, is what network security actually is.

Two exam-and-real-life traps hide inside "defence in depth":