Network Security
Network security in system design refers to the strategies, practices, and technologies implemented to protect the integrity, confidentiality, and availability of data as it travels across networks — between clients, services, databases, and external systems.
When designing a system, network security focuses on preventing unauthorized access, data breaches, and attacks such as DDoS and man-in-the-middle (MITM) by embedding security controls at every network layer.
Key Goals of Network Security
| Goal | Description |
|---|---|
| Confidentiality | Ensure data is only accessible to authorized users/systems |
| Integrity | Ensure data is not altered or tampered with during transmission |
| Availability | Ensure the network and services are available when needed |
| Authentication | Verify the identity of users and systems |
| Access Control | Define and enforce rules for who can access what resources |
Network Security Layers
- Perimeter Security: Firewalls, API gateways, VPNs
- Transport Security: TLS/SSL encryption
- Application-Level Security: Authentication tokens, input validation
- Internal Network Segmentation: VPCs, subnets, private IP spaces
- Monitoring & Logging: Intrusion Detection/Prevention Systems (IDS/IPS), log analyzers
Security Mechanisms
| Mechanism | Purpose |
|---|---|
| TLS/SSL | Encrypt data in transit (e.g., HTTPS) |
| Firewall | Allow or deny network traffic based on rules |
| API Gateway | Enforce rate limiting, authentication, logging, and routing at a single entry point |
| IDS/IPS | Detect and block suspicious activity |
| VPN | Secure communication over public networks |
| WAF (Web Application Firewall) | Filter traffic to web apps and block SQLi, XSS |
| Network Segmentation | Separate sensitive services into private subnets |
| Reverse Proxy | Hide backend addresses and add a hardened layer between clients and application servers |
Example of Network Security
Design a secure system for a healthcare provider that includes:
- Patient mobile app
- Doctor portal
- Backend services for scheduling, medical records
- Database storing patient data
```
                  [Internet]
                      │
              ┌───────▼────────┐
              │  API Gateway   │ ← WAF + TLS + Rate Limit
              └───────┬────────┘
                      │
              ┌───────▼────────┐
              │ Load Balancer  │ ← DDoS protection
              └───────┬────────┘
                      │
      ┌───────────────▼───────────────┐
      │        Backend Services       │ ← Private subnet (not exposed to public)
      │ ┌───────────────────────────┐ │
      │ │ Scheduling Service        │ │
      │ │ Medical Record Service    │ │
      │ └───────────────────────────┘ │
      └───────────────┬───────────────┘
                      │
              ┌───────▼────────┐
              │ Database (DB)  │ ← Encrypted, private access only
              └────────────────┘

  [Authentication Server] ↕ Token-based Auth (OAuth2)
  [Monitoring System]     ↕ Network logs, alerts, anomaly detection
```
Network Security Design Decisions
| Decision | Explanation |
|---|---|
| TLS Everywhere | Ensures data in transit (medical records, credentials) is encrypted |
| Private Subnets | Backend and DB are hidden from public internet |
| Firewall Rules | Only API Gateway and Auth Server can access backend services |
| WAF on API Gateway | Blocks SQL injection, XSS, bad bots |
| DDoS Protection on Load Balancer | Protects from high-volume attack attempts |
| VPN Access for Admins | Secure remote access to internal systems |
| Monitoring & Alerts | Detects intrusions or unusual traffic in real time |
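As an added example (not code from the original page), the Private Subnets and Firewall Rules decisions above can be written down as a default-deny allow-list and checked automatically, so a rule that would expose the database or backend is caught before deployment. Zone names and ports are assumptions; the load balancer is folded into the gateway tier and "VPN Access for Admins" is modelled as SSH from a VPN zone.

```python
from dataclasses import dataclass

# Zones are assumptions mirroring the diagram; the load balancer is folded
# into the gateway tier, and admin SSH over VPN is assumed for "VPN Access".
INTERNET, GATEWAY, BACKEND, DB, AUTH, ADMIN_VPN, MONITOR = (
    "internet", "api_gateway", "backend", "db",
    "auth_server", "admin_vpn", "monitoring")


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int
    proto: str = "tcp"


# Explicit allow-list: any flow not listed here is denied (default deny).
ALLOW = [
    Rule(INTERNET, GATEWAY, 443),   # only the gateway is internet-facing
    Rule(GATEWAY, BACKEND, 8443),   # gateway -> backend services
    Rule(AUTH, BACKEND, 8443),      # auth server may call backend
    Rule(BACKEND, AUTH, 443),       # token validation
    Rule(BACKEND, DB, 5432),        # DB reachable from backend only
    Rule(ADMIN_VPN, BACKEND, 22),   # admin access only through the VPN
    Rule(BACKEND, MONITOR, 6514),   # log shipping (syslog over TLS)
]


def is_allowed(src, dst, port, proto="tcp", rules=ALLOW):
    """Default-deny lookup: a flow passes only if an allow rule matches."""
    return Rule(src, dst, port, proto) in rules


def check_segmentation(rules=ALLOW):
    """Return descriptions of rules that contradict the design decisions."""
    violations = []
    for r in rules:
        if r.src == INTERNET and r.dst != GATEWAY:
            violations.append(f"internet reaches {r.dst} directly")
        if r.dst == DB and r.src != BACKEND:
            violations.append(f"{r.src} reaches the database")
        if r.dst == BACKEND and r.src not in (GATEWAY, AUTH, ADMIN_VPN):
            violations.append(f"{r.src} reaches backend services")
    return violations


if __name__ == "__main__":
    print(check_segmentation())                                   # []
    print(check_segmentation(ALLOW + [Rule(INTERNET, DB, 5432)]))
```

Running the same check in CI against the real security-group or firewall export turns the table into an enforced invariant rather than a design note.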
Common Network Security Threats
| Threat | Example | Mitigation |
|---|---|---|
| Man-in-the-Middle (MITM) | Intercepting login data | Use HTTPS (TLS) |
| DDoS | Flooding system with traffic | Use rate limiting, load balancing, CDNs |
| SQL Injection over API | Malicious query strings | Use WAF, input validation |
| Unauthorized Access | Direct DB access from web | VPCs, IAM, firewall rules |
| Data Leakage | Sensitive data in logs | Mask PII, encrypt logs, RBAC |
Best Practices for Network Security
- Use HTTPS by default on all endpoints.
- Segment the network using VPCs and subnets.
- Block all unused ports and protocols.
- Use IAM roles instead of hardcoded credentials.
- Monitor continuously and set up automated alerts.
- Design systems with a zero-trust mindset.