Beginner | Network Security

Use multiple DNS providers simultaneously to eliminate single points of failure

The Dyn DDoS attack in 2016 knocked Twitter, Netflix, Reddit, GitHub, and hundreds of other major services offline for most of a day, because they all relied on Dyn as their sole DNS provider. When Dyn's infrastructure was overwhelmed, those domains became unreachable for anyone using an unaware resolver. Configure your authoritative DNS with at least two independent providers simultaneously. Cloudflare and AWS Route 53, for example, run on distinct infrastructure and BGP paths. DNS queries are answered by whichever provider responds first, so the domain stays resolvable if one provider is attacked.
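One way to check that a delegation really spans two providers, as an added example that is not part of the original guide. It goes one step beyond the text by also flagging a provider whose own apex NS set omits the other provider's servers. The function names are hypothetical, the hostname patterns are assumptions based on each operator's usual name-server naming, and the sample NS sets are constructed; in practice they would come from `dig NS` against the parent zone and against each authoritative server.

```python
import re

# Hostname patterns for the operators named in this guide. Route 53 spreads one
# delegation over four TLDs, so grouping by domain would count it four times.
PROVIDER_PATTERNS = {
    "route53": re.compile(r"\.awsdns-\d+\.(com|net|org|co\.uk)$"),
    "cloudflare": re.compile(r"\.ns\.cloudflare\.com$"),
    "dyn": re.compile(r"\.dynect\.net$"),
}

def _norm(hosts):
    # Compare names case-insensitively and without the trailing root dot.
    return {h.rstrip(".").lower() for h in hosts}

def provider_of(ns_host):
    host = ns_host.rstrip(".").lower()
    for name, pattern in PROVIDER_PATTERNS.items():
        if pattern.search(host):
            return name
    # Unknown operator: fall back to the last two labels (an approximation).
    return ".".join(host.split(".")[-2:])

def audit_delegation(parent_ns, apex_ns_by_server):
    """parent_ns: NS set published by the parent zone.
    apex_ns_by_server: NS set each authoritative server returns for the apex."""
    parent = _norm(parent_ns)
    providers = sorted({provider_of(h) for h in parent})
    findings = []
    if len(providers) < 2:
        findings.append("delegation depends on one provider: "
                        + (", ".join(providers) or "none"))
    for server, apex in sorted(apex_ns_by_server.items()):
        missing = sorted(parent - _norm(apex))
        if missing:
            findings.append(f"{server} omits from its apex NS set: {', '.join(missing)}")
    return providers, findings

# Constructed sample data (not real delegations).
R53 = ["ns-101.awsdns-12.com.", "ns-1700.awsdns-20.co.uk."]
CF = ["alpha.ns.cloudflare.com.", "beta.ns.cloudflare.com."]
SINGLE = audit_delegation(R53, {R53[0]: R53})
# Both providers delegated, but the Route 53 zone still lists only itself.
DUAL = audit_delegation(R53 + CF, {R53[0]: R53, CF[0]: R53 + CF})

if __name__ == "__main__":
    for label, (providers, findings) in (("single", SINGLE), ("dual", DUAL)):
        print(label, providers, findings or "ok")
```
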

Tags

DNS redundancy, DDoS, availability, multi-provider, Dyn

More in Network Security

intermediate | featured

Segment OT and ICS networks completely from corporate IT

The 2015 Ukraine power grid attack succeeded because the attackers could reach SCADA industrial control systems from the corporate network they had infiltrated via phishing emails. The Target breach succeeded because POS systems were on the same network segment as a compromised HVAC vendor's access point. Operational technology (OT) and industrial control systems (ICS) must be completely isolated from corporate IT networks with no routable path between them. If monitoring requires connectivity, use unidirectional data diodes. Any device that can read a corporate email must never be able to reach a centrifuge controller, power substation relay, or manufacturing system.

See: Ukraine Power Grid Attack | Network Security
advanced

Adopt zero-trust architecture: verify every request regardless of network origin

The SolarWinds attack exploited the assumption that internal network location implies authorisation. Once inside a network via a malicious software update, the attackers moved freely because internal systems implicitly trusted each other. Zero-trust architecture removes that assumption: every request, regardless of whether it originates from inside or outside the network perimeter, must be authenticated, authorised, and continuously validated. Implement micro-segmentation, require MFA for all internal application access, enforce device health checks before granting access, and log all east-west traffic.

See: SolarWinds Supply Chain | Network Security
beginner

Place IoT and smart devices on isolated VLANs with no access to production systems

An internet-connected fish tank thermometer at a casino served as the entry point for attackers who reached the high-roller customer database. The thermometer was on the corporate network with a routable path to internal systems. Every IoT device — smart TVs, HVAC controllers, IP cameras, building management systems, even fish tank sensors — must be on a dedicated VLAN that has no access to any system containing sensitive data. The VLAN should permit only the specific outbound internet traffic the device requires for its function. Treat every IoT device as untrusted by default.

See: Casino Fish Tank IoT Hack | Network Security