Network & Infrastructure

Segmenting networks, configuring firewalls and controlling access

5 articles on this topic

The network as the foundation of your security architecture

Your corporate network is the lifeline of your IT infrastructure. Every email, every database query, every cloud connection and every print job runs across the network. If an attacker penetrates the network and can move freely within it, everything else becomes secondary — no matter how good your password policy is, no matter how up-to-date your antivirus scanners are. That is why a well-designed network architecture with clear segmentation, strict access rules and comprehensive monitoring is the foundation of any serious security strategy. This topic page guides you through all relevant aspects of network security.

Network segmentation: closing the hatches

If your entire organization operates on a single, flat network, an attacker can move freely after the initial breach. A compromised workstation PC then potentially has access to the accounting server, the production controls and the executive file shares. Network segmentation removes this exposure by dividing the network into logical zones and controlling the traffic between them through firewalls.

For mid-market companies, a pragmatic segmentation approach is recommended: at minimum, separate workstations from servers, guest Wi-Fi from the corporate network, the production environment from office IT, and management interfaces from production systems. Modern switches with VLAN capabilities make this technically straightforward, and most business firewalls support inter-VLAN routing with granular rules. Our article on network segmentation for SMEs provides a concrete implementation plan with the most important zones and rule sets.

Firewall: more than a box on the wire

The firewall remains the central security element at the network perimeter. But a firewall that allows everything through and is never maintained is no better than no firewall at all. Modern next-generation firewalls offer deep packet inspection, application awareness, TLS decryption and integration with threat intelligence feeds. What matters, however, is not the feature list but the configuration. A clean firewall configuration follows the principle of "deny all, permit by exception": everything is forbidden, and only explicitly allowed traffic is permitted.

Regular reviews of firewall rules are mandatory. In many organizations, hundreds of rules accumulate over the years whose purpose nobody remembers anymore. Orphaned rules open unnecessary attack surface. Our article on firewall configuration for SMEs shows you how to build and maintain a clean rule base.

Securing DNS, Wi-Fi and email

Beyond core segmentation, there are additional infrastructure areas that deserve special attention. DNS security is frequently underestimated, even though DNS plays a role in virtually every cyberattack — whether as an attack vector (DNS spoofing, DNS exfiltration) or as a detection mechanism (suspicious DNS queries). Wi-Fi security is a perennial topic, especially since many organizations could technically use WPA2-Enterprise with RADIUS authentication but stick with a shared password out of convenience.

Email security deserves its own mention because email remains the most common attack vector. SPF, DKIM and DMARC are three DNS-based mechanisms that together provide effective protection against email spoofing. Yet many mid-market companies have not even configured an SPF record. Our article on SPF, DKIM and DMARC explains the relationships and walks you through the setup.
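As an added illustration of the weaknesses named above (no SPF record at all, an SPF record that authorizes everyone, a DMARC policy that only monitors), the following script is not from the article series; it assesses SPF and DMARC TXT records offline against constructed sample records for hypothetical `.test` domains. DKIM is left out because its selector records cannot be enumerated without knowing the selector names.

```python
import re

# Constructed sample TXT records for hypothetical domains (not real DNS data);
# in practice these would come from a TXT lookup of the domain and _dmarc.<domain>.
SAMPLE_TXT = {
    "example-good.test": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mail.test -all"],
    "_dmarc.example-good.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-good.test"],
    "example-weak.test": ["v=spf1 ip4:198.51.100.5 +all"],
    "_dmarc.example-weak.test": ["v=DMARC1; p=none"],
    "example-none.test": ["some unrelated site-verification token"],
}

def assess_spf(txt_records):
    """Return findings for the domain's SPF record; only -all/~all actually reject unlisted senders."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # zero records: unprotected; more than one: invalid per RFC 7208
        return ["SPF: missing or duplicated record, receivers cannot validate senders"]
    m = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", spf[0])
    if not m:
        return ["SPF: no 'all' mechanism, unlisted senders default to neutral"]
    if m.group(1) in ("", "+"):
        return ["SPF: '+all' authorizes any sender, record is ineffective"]
    if m.group(1) == "?":
        return ["SPF: '?all' is neutral, provides no protection"]
    return []

def assess_dmarc(txt_records):
    """Return findings for the _dmarc record: p=none only monitors, and without rua no reports arrive."""
    dmarc = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return ["DMARC: no record, receivers cannot enforce SPF/DKIM alignment"]
    tags = dict(kv.strip().split("=", 1) for kv in dmarc[0].split(";") if "=" in kv)
    findings = []
    if tags.get("p", "none").strip() == "none":
        findings.append("DMARC: p=none only monitors, spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, aggregate reports are never received")
    return findings

def assess_domain(domain, txt_lookup=SAMPLE_TXT):
    """Combine SPF and DMARC findings for one domain; an empty list means no weakness was found."""
    return assess_spf(txt_lookup.get(domain, [])) + assess_dmarc(txt_lookup.get(f"_dmarc.{domain}", []))

if __name__ == "__main__":
    for d in ("example-good.test", "example-weak.test", "example-none.test"):
        print(d, assess_domain(d) or ["no weaknesses found"])
```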

Zero Trust: the network of the future

The classic perimeter model — where everything inside the network is considered trustworthy and only the edge is protected — is outdated. With remote work, cloud services and mobile devices, there is no longer a clearly defined perimeter. Zero Trust reverses the approach: trust nobody, verify everything. Every access request is authenticated, authorized and encrypted, regardless of whether it originates from inside or outside the network.

For mid-market companies, Zero Trust is not a big-bang project but a gradual journey. You can start with Conditional Access in Entra ID, refine network segmentation, introduce microsegmentation and progressively implement identity-based access controls.

Logging and monitoring: seeing what happens

You can only protect what you can see. A well-thought-out logging and monitoring strategy is indispensable for detecting attacks early, investigating incidents and meeting compliance requirements. Centralized log collection, event correlation and automated alerting rules form the foundation. Our article on logging strategy shows you which sources to connect, how long you need to retain logs and how to filter the relevant signals from the flood of data.