How to place security controls by layer

Module 16 closed with a repeatable troubleshooting method. This module applies the same layered thinking to security, asking a different question: at which layer does a given threat actually do its damage? Placing a control at the wrong layer is not neutral; it either fails to intercept the threat, or it intercepts benign traffic and creates friction that leads engineers to disable it.

A port scanner operates at Layer 3 and 4: it sends IP packets to discover open TCP or UDP ports. Blocking it with a Layer 7 Web Application Firewall (WAF) is ineffective because the WAF only parses HTTP. A SQL injection attack arrives inside an HTTP request at Layer 7. Blocking it with an IP-layer ACL is impossible because the ACL has no visibility into the payload. The threat layer determines the defence layer.

Defence in depth does not mean placing every control type at every layer. It means placing the most effective control at the layer where the risk forms, and supplementing with adjacent controls that catch what slips through. The goal is complementary coverage, not redundant blocking.

Layer 2 threats include rogue device attachment, ARP (Address Resolution Protocol) spoofing, MAC (Media Access Control) address flooding, and VLAN hopping. These attacks work below the IP layer, which means Layer 3 firewalls have no visibility into them at all.

Port security on a managed switch limits how many MAC addresses can be learned on a given port, and can shut the port down if an unknown device connects. This is a simple but effective control against rogue hardware. 802.1X (IEEE 802.1X-2020) is the port-based network access control standard: a supplicant (the device) must authenticate to an authenticator (the switch port) using credentials verified by an authentication server before any network traffic is forwarded.

The practical limitation of Layer 2 controls is their scope: they protect the local broadcast domain only. A VLAN boundary is also a Layer 2 boundary. Traffic crossing a router is already at Layer 3 and beyond the reach of Layer 2 controls. For a distributed network, 802.1X must be deployed at every edge port to be effective.

Layer 3 controls operate on IP source and destination addresses. Access Control Lists (ACLs) on routers and Layer 3 switches can permit or deny packets based on source IP, destination IP, and protocol. They are stateless: each packet is evaluated independently, with no memory of what came before. Stateless ACLs are fast and scale well, but they cannot reason about connection state.

Stateful firewalls add Layer 4 awareness. A stateful firewall tracks the state of TCP connections: it knows whether a packet belongs to an established session, is initiating a new one, or appears out of context. A return packet (ACK from server to client) is allowed automatically because the firewall knows the corresponding outbound SYN was permitted. Without state tracking, you would need separate rules for every direction of every permitted flow.

The weakness of Layer 3 and 4 controls is that they have no view of application content. A firewall permitting TCP port 443 cannot distinguish between legitimate HTTPS and a command-and-control channel tunnelled over HTTPS. That distinction requires Layer 7 inspection.

Layer 7 controls inspect the content of application protocols. A Web Application Firewall (WAF) parses HTTP requests and responses, looking for SQL injection payloads, cross-site scripting (XSS) patterns, malformed headers, and other attack signatures. It can block a request that arrives on a permitted IP address over a permitted port because its decision is based on payload content, not transport characteristics.

An Intrusion Detection System (IDS) observes traffic and raises alerts; an Intrusion Prevention System (IPS) can also block it inline. Both operate on signatures (known attack patterns) and anomaly detection (deviations from a baseline). An IDS is a sensor; an IPS is a sensor with an enforcement action attached. Deploying an IPS inline on a path with high-volume legitimate traffic requires careful tuning: a false positive that blocks legitimate requests is an availability incident, not a security win.

Deep Packet Inspection (DPI) is a general term for any control that parses above Layer 4. It comes with a computational cost and a privacy consideration: the inspecting device must be able to read the payload. On TLS-encrypted sessions, this requires TLS interception (sometimes called SSL inspection), which has legal and trust implications that must be addressed before deployment.

Zero trust is a security model, not a product. The NIST SP 800-207 definition states that "no implicit trust is granted to assets or user accounts based solely on their physical or network location." A device inside the corporate network perimeter is not trusted by virtue of being inside. Every access request, regardless of source, is authenticated, authorised, and verified against policy before being granted.

Microsegmentation extends this to east-west (internal) traffic. In a microsegmented environment, workloads can only communicate with the specific other workloads they are authorised to reach, even if they are on the same physical host or subnet. This contains lateral movement: if one workload is compromised, the blast radius is limited by what that workload is permitted to reach from its own segment.

The SolarWinds breach illustrated the cost of absent east-west controls. Once the implant was present, it could use the Orion server's existing network permissions to reach Active Directory, internal APIs, and sensitive data stores. Microsegmentation and least-privilege network access would have restricted that reach regardless of whether the initial compromise was detected.