Solution

Perimeter and network infrastructure protection

The network perimeter is no longer limited to an external firewall. In a large company, it passes through web/API, branches, clouds, VPN, contractors, remote employees, DMZ, integrations, mobile applications and internal east-west traffic. RESTART helps transform this environment from a set of disparate rules into a clear security architecture: what is open, who has access, where a WAF or NGFW is needed, what events go to the SOC and what risks need to be closed first.


When the network perimeter becomes a management task

Network security becomes a topic at the CIO, CISO and operations manager level when the business depends on public services, personal accounts, APIs, branches, remote access, contractors, clouds and integrations. An error in one firewall rule, a forgotten test endpoint, or an outdated VPN gateway is then not just a technical detail: it can cause downtime, a leak, an incident with clients, or problems during testing.

This page is useful for companies where the network has already become more complex than a single diagram in Visio: banks, retail, industry, telecom, e-commerce, CII, distributed offices, groups of companies, organizations with a web/API perimeter and teams that want to understand not only what products to buy, but also what security architecture they are putting together.

What should become clear after diagnosis

Good network security diagnostics answer practical questions: what resources are visible from the Internet, what services should be published, what rules are out of date, where there is no owner, what channels require cryptographic protection, what events are monitored, and where the architecture interferes with the business instead of protecting it.

External surface

Domains, IP addresses, web applications, APIs, VPN gateways, remote access, cloud endpoints, partner channels and test resources.

Rules and access rights

Firewall policies, user groups, service accounts, NAT, routing, legacy access rights and exceptions that no one has reviewed for a long time.

Segmentation and DMZ

Boundaries between the Internet, DMZ, office, data center, cloud, industrial segments, test environments and critical business systems.

Monitoring and response

Which events the SIEM/SOC sees, where NDR/IDS/IPS are needed, how vulnerabilities are prioritized and who is responsible for actions in the event of an incident.

The perimeter is no longer a line on the diagram

The classic approach “we trust on the inside, we filter on the outside” has stopped working. Users connect from different places, services live in clouds and data centers, APIs are open to partners and mobile applications, and attacks often occur not only from outside to inside, but also between internal segments. Therefore, network security must be designed as a system of trust, access, logging, and ongoing auditing.

In international practice, this transition is described through Zero Trust: do not grant trust based on being on the network, but check the user, device, context, resource and action. For RESTART, this is not a fashionable slogan, but an engineering principle: fewer implicit permissions, clearer zones, verifiable rules, logs, owners and response scenarios.

Protection environments

| Environment | What we protect | What we design |
| --- | --- | --- |
| Internet perimeter | Public addresses, DNS, web, API, VPN, mail and service gateways. | NGFW, WAF, AntiDDoS, Bot Protection, external scanning, publishing rules and logging. |
| Remote access | Employees, contractors, administrators, branches and service connections. | VPN/CIPF, MFA, ZTNA, PAM for privileged access, device control and minimum rights. |
| Internal network | Data centers, offices, ERP, 1C, DWH, service desk, domain infrastructure, test environments. | Segmentation, inter-segment rules, IDS/IPS, NDR, east-west traffic control, events in SIEM/SOC. |
| Regulated segments | ISPDn, CII, GIS, banking and industrial environments. | Threat model, FSTEC/industry requirements, certified information security tools, HLD/LLD, operating regulations and evidence for inspections. |

Terms without fog

NGFW

Next-Generation Firewall: a firewall that looks not only at addresses and ports, but also at applications, users, traffic categories, threats and security policies.

WAF

Web Application Firewall: protects web applications and APIs from typical attacks at the HTTP level, including attacks on business logic, request parameters and application vulnerabilities.

AntiDDoS

Protection against distributed denial of service attacks, when they try to overload a public service with traffic or malicious requests.

VPN and CIPF

VPN builds a secure communication channel. CIPF is a means of cryptographic information protection, used when regulatory requirements call for encryption and trusted cryptography.

DMZ

Demilitarized Zone: a dedicated zone for public services between the Internet and the internal network, so that compromising a web resource does not open a direct path to critical systems.

IDS/IPS and NDR

IDS/IPS detect or block suspicious traffic activity. NDR analyzes network behavior and helps find lateral movement, anomalies and signs of compromise.

SIEM and SOC

SIEM collects and correlates security events. SOC is a process and team for monitoring, investigating and responding to incidents.

ZTNA and SASE

ZTNA provides access to applications based on Zero Trust principles. SASE integrates networking and security functions for distributed infrastructure and users.

How RESTART works with network security

1. Survey

We build a map of resources, flows, rules, users, integrations, external surface, regulatory requirements and operational pain points.

2. Architecture

We prepare HLD/LLD: security zones, target solution classes, access scenarios, logging, integration with SIEM/SOC and a rule migration plan.

3. Pilot

We test NGFW, WAF, AntiDDoS, VPN/CIPF, NDR or protected access in a limited environment to see the restrictions before procurement and production rollout.

4. Implementation

We set up policies, migrate rules, connect event sources, train the operations team, document regulations and leave a clear development backlog.

Guidelines for Russian and global practice

For enterprise architecture, it is useful to look at network security as part of an overall risk management system. NIST Cybersecurity Framework 2.0 helps to map protection to the functions Govern, Identify, Protect, Detect, Respond and Recover. NIST SP 800-207 Zero Trust Architecture sets a benchmark for access without implicit trust in the network. CIS Control 12 identifies network infrastructure management as a separate control domain.

For practical prioritization, useful references are CISA Known Exploited Vulnerabilities, MITRE ATT&CK for adversary techniques against infrastructure, and the OWASP API Security Top 10 for public APIs. In the Russian environment, the relevant inputs are the requirements of FSTEC, the FSTEC BDU, FSTEC order No. 239 for significant CII facilities where applicable, requirements for firewalls, and industry standards, including GOST R 57580 for the banking environment.

How AI helps

AI should not automatically change network rules, but it is useful as an assistant to engineers and CISOs. It can find duplicates and conflicts in firewall rules, group outdated permissions, highlight risky combinations like open admin access, correlate vulnerabilities with CISA KEV and external surface, explain chains of events in SIEM and prepare draft HLD/LLD or operational checklists.

An important condition: the AI assistant must operate within a protected perimeter, with access only to agreed data, with logging and human verification. Then AI speeds up analysis, but does not replace the architectural decision, change management and operational responsibility.
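The rule checks named above (duplicates, conflicts, and risky combinations such as open admin access) can also be run deterministically before any assistant or human reviews the result. The sketch below is an added example, not RESTART's tooling; it assumes a simplified first-match-wins rule model with one TCP port per rule, and the `Rule` fields, `ADMIN_PORTS` and the sample rules are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: int     # TCP port, 0 means any

ADMIN_PORTS = {22, 3389}  # assumption: SSH and RDP are treated as admin access

def covers(a, b):
    """True if every packet matched by rule b is also matched by rule a."""
    net = ipaddress.ip_network
    return (net(b.src).subnet_of(net(a.src))
            and net(b.dst).subnet_of(net(a.dst))
            and a.port in (0, b.port))

def audit(rules):
    """Return (kind, rule, earlier_rule) findings for a first-match-wins list."""
    findings = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            if not covers(e, r):
                continue
            if (e.action, e.src, e.dst, e.port) == (r.action, r.src, r.dst, r.port):
                kind = "duplicate"
            elif e.action == r.action:
                kind = "redundant"   # same outcome, rule r adds nothing
            else:
                kind = "conflict"    # rule r can never fire as written
            findings.append((kind, r.name, e.name))
            break
        if r.action == "allow" and r.src == "0.0.0.0/0" and r.port in ADMIN_PORTS | {0}:
            findings.append(("open-admin", r.name, None))
    return findings

# Constructed sample rule set, not taken from any real device.
RULES = [
    Rule("web-in", "allow", "0.0.0.0/0", "203.0.113.10/32", 443),
    Rule("web-in-copy", "allow", "0.0.0.0/0", "203.0.113.10/32", 443),
    Rule("block-guest", "deny", "10.0.50.0/24", "10.0.0.0/8", 0),
    Rule("guest-to-erp", "allow", "10.0.50.0/24", "10.0.1.5/32", 443),
    Rule("legacy-rdp", "allow", "0.0.0.0/0", "10.0.1.0/24", 3389),
    Rule("erp-https", "allow", "10.0.0.0/8", "10.0.1.0/24", 443),
    Rule("erp-https-hq", "allow", "10.0.10.0/24", "10.0.1.5/32", 443),
]
print(*audit(RULES), sep="\n")
```

Findings of this kind are input for the owner and change-window process, not grounds for automatic rule removal.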

What does the business get?

Less risk of downtime

Public services, VPN, API and critical channels receive clear protection, monitoring and an action plan in case of an incident.

Faster change

New services are published according to the rules, and not through manual exceptions that no one then reviews for years.

Verifiable architecture

For audit, procurement and operation there is HLD/LLD, zone map, rules, owners, events, regulations and development roadmap.

Connection between information security and business

Perimeter protection is explained through service availability, customer experience, regulation, risk of leaks and cost of downtime.

First step

It makes sense to start with a 10-15 working day diagnostic of the perimeter and network architecture. At this stage, RESTART looks at the external surface, web/API, VPN, DMZ, firewall rules, segmentation, SIEM events, vulnerabilities, contractor access, branches, cloud endpoints and regulated segments.

The result of the first stage is a map of the network environment, a list of critical risks, quick wins, requirements for NGFW/WAF/AntiDDoS/VPN/CIPF or NDR, a pilot plan, architectural restrictions and a roadmap for implementation without stopping the business.

Partners for Perimeter, VPN, WAF and AntiDDoS

For the network and web perimeter, RESTART can combine products from UserGate, Security Code, InfoTeCS, ServicePipe, Positive Technologies, Garda and Confident. This makes it possible to cover NGFW, VPN/CIPF, GOST TLS, WAF, AntiDDoS, Bot Protection, API protection, segmentation, firewalling and secure remote access.

Partners are listed as the technology backbone of the solution class. The specific composition of products, versions, licenses, certificates and delivery conditions are confirmed before the project.

Frequently asked questions

How is NGFW different from a regular firewall?

A regular firewall often works with addresses, ports and basic filtering. NGFW adds insight into applications, users, traffic categories, threats, IPS features, and more nuanced security policies.

When is a WAF needed?

When there is a public web application, personal account, API, partner portal or e-commerce. WAF does not replace secure development, but it reduces the risk of exploiting web/API vulnerabilities and helps with virtual patching.

What to do with historical rules?

They cannot simply be removed en masse. We need inventory, owners, traffic analysis, pilot shutdown, change window and rollback plan. RESTART helps turn a chaotic set of rules into a manageable access model.

How to connect network security with SOC?

Even at the HLD/LLD stage, it is necessary to determine which events from NGFW, WAF, VPN, NDR, IDS/IPS and AntiDDoS go to SIEM, what correlations are needed and who responds to the incident.

Can I start without purchasing products?

Yes. Often the first step is to audit the perimeter, rules and architecture. It shows which risks are covered by settings, which require a pilot, and where new technology is really needed.

Let's discuss your environment

Describe the task, current systems, constraints, and expected results. We will offer a practical first step: diagnostics, pilot, audit, roadmap or project team.
