Network Segmentation
🔥 Vibe Prompt
"Design a segmented network: DMZ, application, database, management zones with firewall rules."
Network Zones
Internet
↓
[Firewall] → DMZ (Web servers, load balancers)
↓
[Firewall] → App Zone (API servers)
↓
[Firewall] → DB Zone (databases)
↓
[Firewall] → Management (bastion, monitoring)
Firewall Rules
# Internet → DMZ
- Allow: 80 (HTTP), 443 (HTTPS) from 0.0.0.0/0
- Deny: all else
# DMZ → App Zone
- Allow: 8000-8100 (API) from DMZ subnet
- Deny: all else
# App Zone → DB Zone
- Allow: 5432 (Postgres), 6379 (Redis) from App subnet
- Deny: all else
# Management → All
- Allow: 22 (SSH) from Jump subnet (your IP only)
- Allow: 9090 (Prometheus) from Jump subnet
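To check that a rule set actually enforces the tiered model above, here is an added Python policy evaluator (not code from the page): it assumes constructed subnets for each zone, encodes the rules above with default deny, and flags any rule that skips a tier or flows outward.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone addressing (assumed, not from the page); Internet is the catch-all.
ZONES = {
    "internet": ip_network("0.0.0.0/0"),
    "dmz": ip_network("10.0.1.0/24"),
    "app": ip_network("10.0.2.0/24"),
    "db": ip_network("10.0.3.0/24"),
    "mgmt": ip_network("10.0.9.0/24"),  # jump host / bastion subnet
}
# Data-path tiers; a rule may only step one tier inward.
TIER = {"internet": 0, "dmz": 1, "app": 2, "db": 3}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str   # "*" = any zone (the page's "Management -> All")
    first_port: int
    last_port: int

# The page's allow-list; any flow not matched here is denied.
RULES = [
    Rule("internet", "dmz", 80, 80),
    Rule("internet", "dmz", 443, 443),
    Rule("dmz", "app", 8000, 8100),
    Rule("app", "db", 5432, 5432),
    Rule("app", "db", 6379, 6379),
    Rule("mgmt", "*", 22, 22),
    Rule("mgmt", "*", 9090, 9090),
]

def zone_of(ip: str) -> str:
    """Longest-prefix match of an address to its zone."""
    addr = ip_address(ip)
    return max((net.prefixlen, name) for name, net in ZONES.items() if addr in net)[1]

def is_allowed(src_ip: str, dst_ip: str, port: int, rules=RULES) -> bool:
    """Evaluate a TCP flow against the allow-list; no match means default deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    return any(r.src_zone == src and r.dst_zone in (dst, "*")
               and r.first_port <= port <= r.last_port for r in rules)

def audit_rules(rules) -> list:
    """Flag data-path rules that skip a tier (e.g. Internet -> DB) or flow outward."""
    findings = []
    for r in rules:
        if r.src_zone in TIER and r.dst_zone in TIER and TIER[r.dst_zone] - TIER[r.src_zone] != 1:
            findings.append(f"{r.src_zone}->{r.dst_zone}:{r.first_port}-{r.last_port}")
    return findings
```

Run `audit_rules` against a proposed change before applying it; a non-empty result means a rule would let traffic bypass a tier of the segmentation.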
Zero Trust Network
- No implicit trust based on network location
- Every request must authenticate
- Micro-segmentation (per-service firewall)
- Encrypt all traffic (even internal)
- Continuous verification
AWS Security Groups (Micro-segmentation)
```hcl
# The ALB and DB security groups are assumed here so the rules below resolve;
# aws_vpc.main is assumed to be defined elsewhere in the configuration.
resource "aws_security_group" "alb" {
  name   = "alb-sg"
  vpc_id = aws_vpc.main.id
}

resource "aws_security_group" "db" {
  name   = "db-sg"
  vpc_id = aws_vpc.main.id
}

resource "aws_security_group" "api" {
  name   = "api-sg"
  vpc_id = aws_vpc.main.id
}

# Only members of the load balancer's security group may reach the API on 8000.
resource "aws_security_group_rule" "api_from_alb" {
  type                     = "ingress"
  from_port                = 8000
  to_port                  = 8000
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alb.id
  security_group_id        = aws_security_group.api.id
}

# Only members of the API's security group may reach Postgres on 5432.
resource "aws_security_group_rule" "db_from_api" {
  type                     = "ingress"
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.api.id
  security_group_id        = aws_security_group.db.id
}
```
Network Security Best Practices
| Practice | Purpose |
|----------|---------|
| Default deny | Minimize attack surface |
| Least privilege | Only necessary ports |
| Micro-segmentation | Limit blast radius |
| Encrypt in transit | Prevent sniffing |
| Flow logs | Detect anomalies |
| IDS/IPS | Block known attacks |
Key Points
- Understand the core concepts thoroughly
- Practice with hands-on code examples
- Apply knowledge to real-world problems
- Review and reinforce through exercises
Further Learning
- Official documentation
- Open source projects on GitHub
- Community forums and discussions
- Related courses and tutorials
Network Segmentation: Carving Your Network into Security Zones
Network segmentation is the first line of defence in security. Think of a building with areas of different security levels.
Common Segmentation Approaches
| Approach | Effect |
|:--------|:----|
| VLAN | Hosts in different VLANs cannot communicate directly |
| Firewall rules | Fine-grained control of traffic |
| DMZ | Isolates public-facing services from the internal network |
| Zero Trust | Trust no device; verify every request |
DMZ Architecture
Internet → [Firewall] → [DMZ: Web Server] → [Internal firewall] → [Database]
This architecture ensures that even if the web server is compromised, the attacker cannot access the database directly.
Next Chapter Preview: Hands-on Web Security
The next chapter uses OWASP WebGoat to take you into the application layer, with hands-on exercises in SQL Injection, XSS and other attacks.