
Network security - Protecting your infrastructure against cyberthreats

Network security is an organization's first line of defense. It ensures the protection of communications, infrastructure and data against intrusions, malware and sophisticated attacks such as ransomware or denial of service (DDoS). With changing usage patterns (cloud, teleworking, IoT, mobility), corporate networks are increasingly exposed. Implementing a secure architecture that is continuously monitored and adapted to current threats is essential to guarantee the resilience and compliance of your information system.


145 customers put their trust in us


Our network security expertise

Next-generation firewall (NGFW)

Deployment of advanced firewalls capable of in-depth traffic analysis, intrusion blocking and application filtering. These devices integrate intrusion prevention features (IPS), malware detection and flow segmentation to protect your internal and cloud environments.

Network detection and response (NDR)

Implementation of NDR solutions that monitor network traffic in real time to detect abnormal behavior. Combined with EDR on workstations and a centralized SIEM, they provide complete visibility of threats and enable rapid response to attacks.

Securing remote access and VPN

Protection of remote connections with encrypted VPNs and conditional access rules. Teleworkers, partners and service providers get secure access, while the risk of intrusion is limited.

Segmentation, micro-segmentation and the tiering model

We apply the principle of least privilege to network communications, segmenting critical environments (accounting, R&D, production) to limit the propagation of an attack. Micro-segmentation enables fine-grained control of flows between applications, servers and users. We also integrate the tiering model, which separates environments by sensitivity level (users, servers, administration). This hierarchical model, recommended by ANSSI and Microsoft, considerably enhances security by reducing the possibility of lateral movement in the event of compromise.


FAQ

What's the difference between a classic firewall and a next-generation firewall?

A conventional firewall is limited to filtering IP addresses, ports and protocols. It blocks or authorizes traffic according to static rules, but cannot analyze the content of communications in detail. A next-generation firewall (NGFW) adds advanced features such as deep packet inspection (DPI), application filtering, intrusion prevention (IPS), malware detection and user control. It can also analyze encrypted traffic and apply identity-based security policies. This approach offers far more comprehensive protection, adapted to today's hybrid and cloud environments.

What is network micro-segmentation and what benefits does it bring?

Micro-segmentation consists of dividing the network into fine-grained, isolated segments, down to application and server level. Unlike conventional segmentation, it enables precise control of flows between resources, even within the same datacenter or cloud.
In the event of an intrusion, the attacker is limited to a reduced segment and cannot move laterally through the entire network. This considerably reduces the impact of a compromise. Micro-segmentation is particularly relevant for protecting critical environments, such as R&D, finance or industrial production.

What is tiering and how does it complement network segmentation?

The tiering model is an approach that divides the network into different levels of sensitivity: for example, the user level (client workstations), the server level (business applications) and the administration level (privileged accounts and systems). Each level is isolated, and flows between them are strictly controlled. Unlike conventional segmentation based on technical zones, the tiering model is based on a logic of roles and privileges. This greatly limits the risk of lateral movement when a workstation is compromised: an attacker who takes control of a user workstation will not be able to go directly to critical servers or administrator accounts. This method is now considered best practice by ANSSI and Microsoft. Combined with micro-segmentation, it offers granular, hierarchical protection that reinforces overall network resilience.

How can you effectively protect employees' remote access?

With the development of teleworking, securing remote access has become a major challenge. Setting up an encrypted VPN is the first step, as it ensures the confidentiality of communications between the user and the information system. However, a VPN alone is no longer enough: it must be complemented by multi-factor authentication (MFA), conditional access rules (exclusion if the device is compromised or non-compliant) and continuous traffic monitoring. This approach considerably reduces the risks associated with uncontrolled connections and protects against attacks on remote terminals.

What is an NDR solution, and how does it differ from an EDR?

An EDR (Endpoint Detection and Response) monitors endpoints (computers, servers, mobiles) to detect and block suspicious behavior. By contrast, an NDR (Network Detection and Response) solution focuses on network traffic. It continuously analyzes flows to identify anomalies, such as massive data transfers to the outside world, or communications with malicious command servers.
The two approaches are complementary: EDR protects endpoints, while NDR secures the network infrastructure as a whole. Integrated together in a SOC or SIEM, they offer global visibility and rapid response to attacks.
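The two anomaly types named above (massive transfers to the outside world, contact with malicious command servers) can be sketched as flow analysis. This is an added example, not code from IT SYSTEMES or from any NDR product; the flow records, internal range, blocklist entry and volume threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records: (source IP, destination IP, bytes sent by source)
FLOWS = [
    ("10.0.1.15", "10.0.2.20", 48_000),          # internal east-west traffic
    ("10.0.1.15", "198.51.100.7", 12_000),       # ordinary outbound traffic
    ("10.0.1.22", "203.0.113.50", 900_000_000),  # each flow is under the limit...
    ("10.0.1.22", "203.0.113.50", 700_000_000),  # ...but the host total is not
    ("10.0.3.9", "192.0.2.66", 2_400),           # small flow to a blocklisted address
]

# Assumed inputs: internal ranges, a threat-intelligence blocklist of command
# servers, and a per-host outbound volume limit for the analysis window.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
C2_BLOCKLIST = {ipaddress.ip_address("192.0.2.66")}
EGRESS_LIMIT_BYTES = 1_000_000_000

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def analyze(flows, limit=EGRESS_LIMIT_BYTES):
    """Return alerts for blocklisted destinations and per-host mass egress."""
    egress = defaultdict(int)
    alerts = []
    for src, dst, nbytes in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not is_internal(s) or is_internal(d):
            continue  # only internal-to-external flows are of interest here
        if d in C2_BLOCKLIST:
            alerts.append(("c2_contact", src, dst))
        egress[src] += nbytes  # aggregate per host so split transfers still add up
    for src, total in sorted(egress.items()):
        if total > limit:
            alerts.append(("mass_egress", src, total))
    return alerts

if __name__ == "__main__":
    for alert in analyze(FLOWS):
        print(alert)
```

Volume is aggregated per source host because a transfer split across several connections stays under any per-flow limit; in practice the threshold would come from each host's observed baseline rather than a fixed constant.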

How can you protect yourself against DDoS attacks?

Distributed denial of service (DDoS) attacks aim to saturate your servers or Internet links by generating massive traffic. A conventional firewall is not designed to absorb this volume. DDoS protection relies on specialized mitigation solutions, capable of identifying malicious traffic and filtering it upstream. These services are often offered in cloud mode, with absorption capacities in excess of several hundred Gbps. They guarantee the availability of your critical applications, even in the event of a massive attack.
