Why do you need a network security checklist? Your business faces threats on many fronts, and the more users, devices, and applications you add, the more vulnerable your network becomes. Whether your business is small or large, consider your network security requirements. Then follow our five-step network security checklist to create a holistic security solution to prevent breaches and address issues quickly.

Start with these five steps:

1. Stop threats at the edge.

To prevent threats from getting in, your business must deploy a strong frontline defense at the edge of the network. Traditional firewalls are no longer sufficient.

However, next-generation firewalls (NGFWs) integrate Advanced Malware Protection (AMP), Next-Generation Intrusion Prevention System (NGIPS), Application Visibility Control (AVC), and URL filtering. With these capabilities, NGFWs protect organizations from modern threats.

Advanced threats

Inevitably, advanced malware and threats may evade initial detection. By deploying AMP, you gain malware protection for the network and know exactly where threats are at any given time. Adding NGIPS on the firewall can stop sophisticated network threats and exploit attempts. A next-generation firewall with AMP and NGIPS offers the most effective multilayer network security that sees and stops advanced threats.

  • Advanced Malware Protection improves detection capabilities, providing protection before, during, and after an attack. Before an attack, AMP uses an expansive database of global threat knowledge to strengthen defenses and block threats outright, before they get in. During an attack, AMP can automatically block malicious threats. Finally, AMP monitors all your internal files, detecting and removing malicious files that may have gotten through. In addition, AMP allows your network to see how the file evaded detection, so the network can be prepared in the future.
  • Next-Generation Intrusion Prevention Systems provide extensive, superior network visibility, comprehensive application and user awareness, and advanced threat protection against network intrusions and exploits. By providing contextual awareness to threats, an NGIPS can tie information about your network environment to specific threats, so you know which threats matter to you. In addition, an NGIPS combats malware by identifying files and file types as they traverse your network.

2. Protect users where they work.

Today over 50% of employees are mobile. As the way companies work changes, IT must change as well. A network security checklist must account for all the different locations and uses that employees demand in a business network.


When your business adds a branch, you must change your IT security strategy. Technologies such as software-defined WAN and secure Internet gateways can benefit multisite businesses.

  • Software-defined WAN (SD-WAN) is a new approach to network connectivity that lowers operational costs and improves resource usage for multisite deployments. With SD-WAN, network administrators can manage bandwidth more efficiently and provide high-level performance without sacrificing security or data privacy. SD-WAN allows smaller remote sites to connect over low-cost Internet links secured by VPN.
  • Secure Internet gateways (SIGs) provide powerful, overarching cloud security. Because 70% of attacks are distinct to the organization, businesses need a cloud security strategy that identifies attacks previously used on other organizations before they are launched on their organization. A cloud security strategy can deliver security at the DNS and IP layers, so you can defend against phishing, malware, and ransomware a step earlier. When security is integrated with the cloud, an attack on one location can be identified and immediately prevented at every other branch.


For mobile security, technologies like a secure Internet gateway and a virtual private network are crucial.

  • Virtual private networks (VPNs) give workers an encrypted connection over the Internet to their corporate network. The encrypted connection helps ensure that sensitive data is safely transmitted. It prevents unauthorized people from eavesdropping on the traffic and allows the user to work remotely.


When accounting for branch and mobile connections, you account only for the physical location of your employees. How your employees work is crucial, too. Two critical components of network security are email security and cloud application security.

  • Email security. Email is both the most important business communication tool and the leading attack vector for security breaches. According to the Cisco 2017 Midyear Cybersecurity Report, attackers turn to email as the primary way to spread ransomware and other malware. Proper email security includes advanced threat-protection capabilities that detect, block, and remediate threats faster; prevent data loss; and secure important information in transit with end-to-end encryption.
  • Cloud application security. With an increase in cloud applications, your network needs a cloud-access security broker (CASB). A CASB is a tool that functions as a gateway between on-premises infrastructure and cloud applications (such as Salesforce and Dropbox). A CASB identifies malicious cloud-based applications and protects against breaches with a cloud-data loss-prevention (DLP) engine.


After you set up an infrastructure to stop threats at the edge and protect your users where they work, your business must create a system to control who gets on your network. To control network access, you need good visibility, so you can set system guidelines and use network analytics.


Traffic is shifting away from the center of the network, thanks to growth of cloud applications, mobile devices, and new branches. You cannot control who accesses your network if you cannot see them. A security solution must give you real-time monitoring of network traffic and the ability to instantly address potential threats. At the same time, your solution needs to provide all this information in a user-friendly interface.

3. Set system guidelines.

Setting system guidelines can create strict automated boundaries to control who accesses your network.

  • Software-Defined Access (SD-Access) is a great way to control access. Several studies have shown that over $60 billion is being spent on in-house and outsourced IT operations. SD-Access powers policy-based automation from the edge to the cloud. By automating, SD-Access facilitates network deployment and streamlines network operations. As a result, administrators can quickly enable or disable network access for any user or device, to any application, without compromising security.
  • Encrypted Traffic Analytics. Advanced analytics provide you and your network feedback on current systems. Analytics can improve the functionality of technologies such as NGIPS and AMP for Networks. Also, analytics are crucial in handling encryption. Encryption technology offers greater privacy and security for businesses that use the Internet to communicate and transact business online. Mobile, cloud, and web applications rely on well-implemented encryption mechanisms. However, threat actors have leveraged these same benefits of encryption to evade detection. Decrypting all network traffic for inspection is costly. By using Encrypted Traffic Analytics, your network can combat malware by quickly scanning items for specific details that have been flagged as attributes of malware. This helps prevent malware without slowing down your system with a long decryption process.

4. Simplify network segmentation.

No matter what you do, breaches are never 100% preventable. When a breach does happen, the threat can move laterally if you have not segmented your network. Segmentation divides your network, so the threat can be easily isolated. But segmentation must not be overly complicated: network segmentation must be sufficient yet simple.

  • Set and enforce security policies. Segmentation is really about enforcing consistent policy and access control across different boundaries. By creating a set security plan filled with specific policies, your IT department can automate processes that exhaust bandwidth.
  • Define application and network access guidelines. Your IT department must put application and network-access guidelines into place. In addition to SD-Access, departments can use application whitelisting, which limits the applications that are accessible for a specific device.
  • Microsegment the data center. After automating policies and access guidelines, your IT department must simplify microsegmentation in the data center. Microsegmentation creates secure zones in the data center to isolate certain workloads. When boundaries are defined, a breach to one zone is not a breach risk for the entire data center.

5. Find and control problems fast.

Finally, your IT department must be able to find and control problems fast. Breaches will happen. The steps in this checklist will reduce the likelihood, but no security defenses are completely impenetrable. You must have a system and strategy in place to find and control problems across the network. While many businesses deploy products from 15-20 vendors, it can help reduce the discovery time if the products integrate seamlessly. Interoperability of your products is a key component to consider when purchasing solutions.