Cloud & Infrastructure Security
Network Security & Segmentation
4 min read
Network security remains fundamental to any security architecture. This lesson covers segmentation strategies, firewall concepts, and common interview scenarios.
Network Segmentation Strategies
Traditional vs Micro-segmentation
Traditional Segmentation:
┌─────────────────────────────────────────────────────────────┐
│ Corporate Network │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ VLAN 10 │ │ VLAN 20 │ │ VLAN 30 │ │
│ │ (Users) │ │ (Servers) │ │ (Database) │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
│ └──────────────┴──────────────┘ │
│ Firewall Rules │
└─────────────────────────────────────────────────────────────┘
Micro-segmentation:
┌─────────────────────────────────────────────────────────────┐
│ Environment │
│ ┌───────┐ ┌───────┐ ┌───────┐ ┌───────┐ ┌───────┐ │
│ │ App A │ │ App B │ │ App C │ │ DB A │ │ DB B │ │
│ └───┬───┘ └───┬───┘ └───┬───┘ └───┬───┘ └───┬───┘ │
│ │ │ │ │ │ │
│ Individual policies per workload with explicit allow rules │
└─────────────────────────────────────────────────────────────┘
Segmentation Models
| Model | Description | Use Case |
|---|---|---|
| Perimeter | Single firewall at network edge | Legacy environments |
| VLAN-based | VLANs separate traffic types | Traditional enterprise |
| Zone-based | Trust zones with inter-zone rules | Multi-tier applications |
| Micro-segmentation | Per-workload policies | Cloud-native, Zero Trust |
Firewall Concepts
Firewall Types
| Type | OSI Layer | Capabilities |
|---|---|---|
| Packet Filter | 3-4 | IP, port filtering |
| Stateful | 3-4 | Connection tracking |
| Application (WAF) | 7 | HTTP/HTTPS inspection |
| Next-Gen (NGFW) | 3-7 | DPI, IPS, application awareness |
Security Group Rules (AWS Example)
{
"SecurityGroupRules": [
{
"Description": "Allow HTTPS from load balancer",
"IpProtocol": "tcp",
"FromPort": 443,
"ToPort": 443,
"SourceSecurityGroupId": "sg-loadbalancer"
},
{
"Description": "Allow SSH from bastion only",
"IpProtocol": "tcp",
"FromPort": 22,
"ToPort": 22,
"SourceSecurityGroupId": "sg-bastion"
}
]
}
Interview Question
Q: "Explain the difference between Security Groups and NACLs in AWS."
Answer:
| Aspect | Security Groups | NACLs |
|---|---|---|
| Level | Instance/ENI | Subnet |
| State | Stateful (return traffic allowed) | Stateless (explicit rules both ways) |
| Rules | Allow only | Allow and Deny |
| Evaluation | All rules evaluated | Rules evaluated in order |
| Default | Deny all inbound | Allow all |
| Use Case | Primary access control | Additional layer, subnet-wide blocks |
Network Attack Scenarios
Man-in-the-Middle (MITM)
Normal Flow:
Client ────────────────────────────────▶ Server
MITM Attack:
Client ────────▶ Attacker ────────▶ Server
Intercept Forward
& Modify (or drop)
Prevention:
- TLS everywhere (HSTS)
- Certificate pinning for mobile apps
- Mutual TLS (mTLS) for service-to-service
- Network segmentation
ARP Spoofing
# Detection: Monitor for duplicate IP-MAC mappings
def detect_arp_spoofing(arp_cache):
ip_to_macs = {}
for entry in arp_cache:
ip = entry['ip']
mac = entry['mac']
if ip in ip_to_macs and ip_to_macs[ip] != mac:
alert(f"Possible ARP spoofing: {ip} has multiple MACs")
ip_to_macs[ip] = mac
Prevention:
- Dynamic ARP inspection (DAI)
- Static ARP entries for critical systems
- Port security on switches
- VLAN segmentation
DNS Spoofing
Prevention:
- DNSSEC validation
- DNS over HTTPS (DoH) / DNS over TLS (DoT)
- Internal DNS servers
- DNS query logging and monitoring
DDoS Protection
Attack Types
| Type | Target | Mitigation |
|---|---|---|
| Volumetric | Bandwidth | CDN, scrubbing centers |
| Protocol | Connection state | SYN cookies, rate limiting |
| Application | L7 resources | WAF, request validation |
Defense in Depth
┌─────────────────────┐
│ CDN / Edge │ ← Absorb volumetric
│ (CloudFlare, etc) │
└─────────┬───────────┘
│
┌─────────┴───────────┐
│ Load Balancer │ ← Rate limiting
│ + WAF │ ← L7 filtering
└─────────┬───────────┘
│
┌─────────┴───────────┐
│ Application │ ← Request validation
│ Servers │ ← Auto-scaling
└─────────────────────┘
Network Monitoring
What to Log
| Source | Critical Events |
|---|---|
| Firewall | Denied connections, rule changes |
| DNS | Queries to suspicious domains |
| Proxy | Blocked requests, unusual User-Agents |
| IDS/IPS | Signature matches, anomalies |
| Flow Data | Unusual traffic patterns, data exfiltration |
Network Security Interview Scenario
Q: "A user reports they can't access an internal application. How do you troubleshoot?"
Structured Response:
1. VERIFY THE PROBLEM
└── Can other users access it?
└── What error do they see?
2. CHECK NETWORK PATH
└── Can user ping the server?
└── Is DNS resolving correctly?
└── What does traceroute show?
3. CHECK SECURITY CONTROLS
└── Security group rules
└── NACLs on subnet
└── Host-based firewall
└── Application-level auth
4. CHECK APPLICATION
└── Is the service running?
└── Are there error logs?
└── Is there a certificate issue?
5. DOCUMENT AND RESOLVE
└── Root cause analysis
└── Fix and verify
└── Update runbooks if needed
Cloud Network Security
VPC Design Best Practices
┌────────────────────────────────────────────────────────────────┐
│ VPC (10.0.0.0/16) │
│ │
│ ┌─────────────────────────┐ ┌─────────────────────────────┐ │
│ │ Public Subnet (AZ-1) │ │ Public Subnet (AZ-2) │ │
│ │ 10.0.1.0/24 │ │ 10.0.2.0/24 │ │
│ │ ├── ALB │ │ ├── ALB │ │
│ │ └── NAT Gateway │ │ └── NAT Gateway │ │
│ └─────────────────────────┘ └─────────────────────────────┘ │
│ │
│ ┌─────────────────────────┐ ┌─────────────────────────────┐ │
│ │ Private Subnet (AZ-1) │ │ Private Subnet (AZ-2) │ │
│ │ 10.0.10.0/24 │ │ 10.0.20.0/24 │ │
│ │ └── Application tier │ │ └── Application tier │ │
│ └─────────────────────────┘ └─────────────────────────────┘ │
│ │
│ ┌─────────────────────────┐ ┌─────────────────────────────┐ │
│ │ Data Subnet (AZ-1) │ │ Data Subnet (AZ-2) │ │
│ │ 10.0.100.0/24 │ │ 10.0.200.0/24 │ │
│ │ └── RDS (no internet) │ │ └── RDS (no internet) │ │
│ └─────────────────────────┘ └─────────────────────────────┘ │
└────────────────────────────────────────────────────────────────┘
Interview Tip: When discussing network security, always mention defense in depth - multiple layers of protection ensure that if one fails, others still provide protection.
In the next module, we'll cover detection, response, and GRC. :::