Network Segmentation

🔥 Vibe Prompt

"Design a segmented network: DMZ, application, database, management zones with firewall rules."

Network Zones

Internet
   ↓
[Firewall] → DMZ (web servers, load balancers)
                 ↓
              [Firewall] → App Zone (API servers)
                              ↓
                           [Firewall] → DB Zone (databases)

Management Zone (bastion, monitoring)
   ↓ SSH and monitoring traffic only, through its own firewall
DMZ, App Zone, DB Zone

Traffic moves in one direction, from the less trusted zone to the more trusted one, and every hop crosses a firewall. The management zone is not a link in that chain: it sits beside the tiers and is the only place administrative (SSH) and monitoring traffic originates, so a compromised web server has no path to the databases and no path to the bastion.

Firewall Rules

Every zone boundary is default deny: the only traffic that crosses it is what a rule explicitly allows. The firewalls are stateful, so replies to an allowed connection need no rule of their own.

# Internet → DMZ
- Allow: 80 (HTTP, only to redirect to HTTPS), 443 (HTTPS) from 0.0.0.0/0
- Deny: all else

# DMZ → App Zone
- Allow: 8000-8100 (API) from DMZ subnet
- Deny: all else (in particular there is no DMZ → DB rule at all)

# App Zone → DB Zone
- Allow: 5432 (Postgres), 6379 (Redis) from App subnet
- Deny: all else

# Management → All zones
- Allow: 22 (SSH) from the jump host only
- Allow: 9090 (Prometheus) from the monitoring subnet
- Deny: all else

# Internet → Management
- Allow: 22 (SSH) to the jump host from your admin IP addresses only, never from 0.0.0.0/0
- Deny: all else

Zero Trust Network

- No implicit trust based on network location
- Every request must authenticate
- Micro-segmentation (per-service firewall)
- Encrypt all traffic (even internal)
- Continuous verification

AWS Security Groups (Micro-segmentation)

Security groups are stateful, per-instance firewalls, and a rule can name another security group as its source. That gives per-service segmentation independent of subnets: an instance may open a Postgres connection only if it carries the API group, wherever it sits in the VPC.

```hcl
# ALB in the DMZ: the only group that accepts traffic from the Internet
resource "aws_security_group" "alb" {
  name   = "alb-sg"
  vpc_id = aws_vpc.main.id
}

resource "aws_security_group" "api" {
  name   = "api-sg"
  vpc_id = aws_vpc.main.id
}

resource "aws_security_group" "db" {
  name   = "db-sg"
  vpc_id = aws_vpc.main.id
}

# ALB → API: the source is the ALB's security group, not a subnet CIDR,
# so only instances that carry alb-sg can reach port 8000
resource "aws_security_group_rule" "api_from_alb" {
  type                     = "ingress"
  from_port                = 8000
  to_port                  = 8000
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alb.id
  security_group_id        = aws_security_group.api.id
}

# API → DB: only members of api-sg may open Postgres connections
resource "aws_security_group_rule" "db_from_api" {
  type                     = "ingress"
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.api.id
  security_group_id        = aws_security_group.db.id
}
```

Two things to remember when this is applied. Terraform's aws_security_group resource removes the allow-all egress rule AWS creates by default, so the API group also needs an explicit egress rule to the DB group on 5432 (and to whatever else it legitimately calls); a forgotten egress rule fails closed, which is the right direction to fail. And the Internet → ALB rule (443 from 0.0.0.0/0) belongs on alb-sg alone; no other group should ever carry a 0.0.0.0/0 source.
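Whether the deployed groups still match that intent is worth checking mechanically rather than by eye. Below, as an added example that is not part of this page or of any AWS tooling, is a Python audit over a document shaped like the output of `aws ec2 describe-security-groups` (IpPermissions with IpRanges and UserIdGroupPairs). The group IDs sg-alb, sg-api and sg-db, and the two planted mistakes (world-open SSH on the API group, CIDR-based ingress on the DB group), are constructed for the example.

```python
"""Audit AWS security-group rules for micro-segmentation violations.

Added example, not code from the page. The input mimics the shape of
`aws ec2 describe-security-groups` output; group IDs and names are constructed.
"""

# Constructed sample: ALB, API and DB tiers with two deliberate mistakes.
SECURITY_GROUPS = [
    {"GroupId": "sg-alb", "GroupName": "alb-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-api", "GroupName": "api-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8000,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-alb"}]},
        # Mistake 1: SSH open to the whole Internet on an internal tier.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-db", "GroupName": "db-sg", "IpPermissions": [
        # Mistake 2: trusts a whole CIDR instead of the API security group.
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
    ]},
]

# Only the edge group may listen to the Internet, and only on web ports.
EDGE_GROUPS = {"sg-alb"}
PUBLIC_PORTS = {80, 443}


def audit_security_groups(groups, edge_groups=EDGE_GROUPS, public_ports=PUBLIC_PORTS):
    """Return a list of (group_name, finding) tuples; empty means clean."""
    findings = []
    for sg in groups:
        name = sg["GroupName"]
        for perm in sg["IpPermissions"]:
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            proto = perm["IpProtocol"]
            span = "all ports" if proto == "-1" else f"{proto}/{lo}-{hi}"
            for rng in perm.get("IpRanges", []):
                cidr = rng["CidrIp"]
                if cidr == "0.0.0.0/0":
                    # World-open is acceptable only at the edge, on a single web port.
                    ok = (sg["GroupId"] in edge_groups and proto == "tcp"
                          and lo == hi and lo in public_ports)
                    if not ok:
                        findings.append((name, f"{span} open to the Internet"))
                else:
                    # Internal tiers should trust a security group, not a subnet:
                    # a CIDR rule lets any host in that range connect.
                    findings.append((name, f"{span} allowed from CIDR {cidr} "
                                           "instead of a security-group reference"))
            if proto == "-1":
                findings.append((name, "rule allows all protocols and ports"))
    return findings


if __name__ == "__main__":
    for group, finding in audit_security_groups(SECURITY_GROUPS):
        print(f"{group}: {finding}")
```

Rules whose source is a UserIdGroupPairs entry produce no finding: a security-group reference is exactly the shape micro-segmentation wants. Run the same function over real `describe-security-groups` output (after `json.load`) in CI to catch drift before it ships.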

Network Security Best Practices

| Practice | Purpose |
|----------|---------|
| Default deny | Minimize attack surface |
| Least privilege | Only necessary ports |
| Micro-segmentation | Limit blast radius |
| Encrypt in transit | Prevent sniffing |
| Flow logs | Detect anomalies |
| IDS/IPS | Block known attacks |
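The zone rules in the Firewall Rules section and the "Flow logs" row of this table meet in the following Python model, added here as an example that is not part of the original page. It encodes the allowlist as data so default deny is the absence of an entry, computes the blast radius an attacker gains by holding one zone, and checks constructed VPC flow-log records against the policy: an ACCEPTed flow the policy forbids means a firewall rule is wrong, a REJECTed one means something is probing a boundary. The zone subnets, the admin address 198.51.100.7 and the log records are constructed for the example.

```python
"""Zone policy as code: default-deny evaluation, blast radius, flow-log audit.

Added example, not code from the page. Zone subnets, the admin address and
the VPC flow-log records are constructed to match the rules on the page.
"""
import ipaddress

# Allowlist only: (src_zone, dst_zone) -> allowed TCP destination ports.
# Anything not listed here is denied (default deny).
POLICY = {
    ("internet", "dmz"): {80, 443},
    ("dmz", "app"): set(range(8000, 8101)),
    ("app", "db"): {5432, 6379},
    ("mgmt", "dmz"): {22},
    ("mgmt", "app"): {22},
    ("mgmt", "db"): {22},
    ("mgmt", "mgmt"): {9090},
}

# Constructed subnets; any other address counts as "internet".
ZONES = {
    "dmz": ipaddress.ip_network("10.0.1.0/24"),
    "app": ipaddress.ip_network("10.0.2.0/24"),
    "db": ipaddress.ip_network("10.0.3.0/24"),
    "mgmt": ipaddress.ip_network("10.0.9.0/24"),
}

# SSH into the management zone (the jump host) is allowed only from these
# constructed admin addresses, never from 0.0.0.0/0.
ADMIN_IPS = {ipaddress.ip_address("198.51.100.7")}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def allowed(src_zone, dst_zone, port, src_ip=None):
    """Default deny: True only when an explicit allow rule matches."""
    if dst_zone == "mgmt" and port == 22 and src_ip is not None:
        return ipaddress.ip_address(src_ip) in ADMIN_IPS
    return port in POLICY.get((src_zone, dst_zone), set())


def blast_radius(compromised_zone):
    """What an attacker holding one zone can reach directly, in a single hop."""
    return {dst: sorted(ports) for (src, dst), ports in POLICY.items()
            if src == compromised_zone}


# Constructed VPC flow-log records, reduced to the fields used here:
# srcaddr dstaddr dstport protocol action
FLOW_LOGS = """\
10.0.1.10 10.0.2.20 8080 6 ACCEPT
10.0.1.10 10.0.3.30 5432 6 REJECT
10.0.1.10 10.0.3.30 5432 6 ACCEPT
203.0.113.5 10.0.1.10 443 6 ACCEPT
203.0.113.5 10.0.9.5 22 6 REJECT
198.51.100.7 10.0.9.5 22 6 ACCEPT
10.0.2.20 10.0.3.30 6379 6 ACCEPT
"""


def audit_flow_logs(text):
    """Check every TCP record against the policy.

    Returns (misconfigurations, probes):
      misconfigurations: ACCEPTed flows the policy forbids (a firewall rule is wrong)
      probes:            REJECTed flows the policy forbids (something is trying to
                         cross a boundary it should never need)
    """
    misconfig, probes = [], []
    for line in text.splitlines():
        src, dst, port, proto, action = line.split()
        if proto != "6":  # TCP only in this example
            continue
        port = int(port)
        if allowed(zone_of(src), zone_of(dst), port, src_ip=src):
            continue
        (misconfig if action == "ACCEPT" else probes).append((src, dst, port))
    return misconfig, probes


if __name__ == "__main__":
    print("DMZ blast radius:", {z: f"{p[0]}-{p[-1]}" for z, p in blast_radius("dmz").items()})
    bad, probes = audit_flow_logs(FLOW_LOGS)
    print("misconfigured (ACCEPT but forbidden):", bad)
    print("probes (REJECT and forbidden):", probes)
```

The DMZ → DB record that was ACCEPTed is the finding that matters most: the policy has no such rule, so a firewall somewhere is more permissive than the design, and the segmentation the diagram promises does not exist on the wire. The REJECTed DMZ → DB attempt is what a compromised web server trying to move laterally looks like in the logs.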


Network Segmentation: Cutting Your Network into Security Zones

Network segmentation is the first line of defense. Think of a building whose areas carry different security levels: reaching a more sensitive area means passing another access check.

Common Segmentation Techniques

| Technique | Effect |
|:----------|:-------|
| VLAN | Hosts on different VLANs cannot communicate directly |
| Firewall rules | Fine-grained control over which flows are allowed |
| DMZ | Isolates externally facing services from the internal network |
| Zero Trust | Trusts no device; every request is verified |

DMZ Architecture

Internet → [Firewall] → [DMZ: Web Server] → [Internal Firewall] → [Database]

This architecture ensures that even if the web server is compromised, the attacker cannot access the database directly: the internal firewall passes only the database port from the web tier and nothing else.

Next Chapter Preview: Hands-on Web Security

The next chapter uses OWASP WebGoat to take you up to the application layer, where you carry out attacks such as SQL injection and XSS yourself.
