IT AI Skill
Network Security Architecture
Design and implement network security architecture including firewalls, WAF, network segmentation, micro-segmentation, DDoS protection, and network monitoring. Use when architecting network security, implementing segmentation, configuring firewalls, or depl...
Network Security Architecture
Design and implement network security architecture including firewalls, WAF, network segmentation, DDoS protection, and network monitoring.
Workflow
1. Network Segmentation Design
NETWORK SEGMENTATION ARCHITECTURE
═══════════════════════════════════════
VPC/Network Design (AWS Example):
═══════════════════════════════════════
VPC CIDR: 10.0.0.0/16
Availability Zone A (10.0.0.0/20):
→ Public Subnet (10.0.0.0/24): ALB, NAT GW, Bastion
→ Private App (10.0.1.0/24): Application servers
→ Private DB (10.0.2.0/24): Databases (no internet)
→ Private Mgmt (10.0.3.0/24): Monitoring, logging
Availability Zone B (10.0.4.0/20):
→ Public Subnet (10.0.4.0/24): ALB, NAT GW
→ Private App (10.0.5.0/24): Application servers
→ Private DB (10.0.6.0/24): Databases
→ Private Mgmt (10.0.7.0/24): Monitoring
SEGMENTATION BOUNDARIES:
═══════════════════════════════════════
Zone Inbound Outbound Security Level
────────────────────────────────────────────────────────────────────────────
Public Internet (443,80) → Private App (8080) HIGH (WAF + ALB)
Private App ← Public (8080) → Private DB (5432) MEDIUM (SG only)
Private DB ← Private App (5432) None (no internet) CRITICAL
Private Mgmt ← All private → Internet (out) LOW (monitoring)
MICRO-SEGMENTATION (Kubernetes):
═══════════════════════════════════════
Network Policy (Calico):
→ Default deny all ingress/egress
→ Allow specific pod-to-pod communication
→ L4-L7 visibility (application-aware)
→ Tag-based policies (not IP-based)
Example policy:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-api-to-db
spec:
podSelector: {matchLabels: {app: api-gateway}}
policyTypes: [Ingress, Egress]
ingress:
- from: [{podSelector: {matchLabels: {app: web-frontend}}}]
ports: [{port: 8080, protocol: TCP}]
egress:
- to: [{podSelector: {matchLabels: {app: postgres}}}]
ports: [{port: 5432, protocol: TCP}]2. Firewall Configuration
FIREWALL RULES MANAGEMENT
═══════════════════════════════════════
Security Group Rules (AWS):
═══════════════════════════════════════
SG Name Direction Port Protocol Source/Dest Purpose
─────────────────────────────────────────────────────────────────────────────
sg-alb Inbound 443 TCP 0.0.0.0/0 HTTPS from internet
sg-alb Inbound 80 TCP 0.0.0.0/0 HTTP (redirect)
sg-alb Outbound 8080 TCP sg-app-servers To app tier
sg-app-servers Inbound 8080 TCP sg-alb From ALB
sg-app-servers Inbound 9090 TCP sg-monitoring Metrics
sg-app-servers Outbound 5432 TCP sg-databases To database
sg-app-servers Outbound 6379 TCP sg-redis To cache
sg-databases Inbound 5432 TCP sg-app-servers From app
sg-databases Inbound 5432 TCP sg-bastion From bastion (admin)
sg-redis Inbound 6379 TCP sg-app-servers From app
sg-bastion Inbound 22 TCP VPN CIDR SSH from VPN
sg-bastion Inbound 22 TCP IP-whitelist SSH from office
RULE BEST PRACTICES:
═══════════════════════════════════════
→ No 0.0.0.0/0 inbound (except ALB on 443)
→ Use security group references (not CIDR)
→ Least privilege (only required ports)
→ No ALL traffic rules
→ Document purpose for each rule
→ Regular review (quarterly)
→ Alert on rule changes
FIREWALL ANALYTICS:
═══════════════════════════════════════
→ Unused rules: 15 rules with 0 traffic in 90 days → Review
→ Shadowed rules: 3 rules never triggered (covered by broader rule)
→ Rule hit rates: Top 20 rules handle 80% of traffic3. WAF Configuration
WEB APPLICATION FIREWALL (WAF)
═══════════════════════════════════════
WAF Rules (AWS WAF / Cloudflare):
═══════════════════════════════════════
Rule Set Action Priority Description
────────────────────────────────────────────────────────────────────
AWS Managed Rules Block 1 Common rule set (OWASP)
SQL Injection Block 2 Detect SQLi patterns
XSS Block 3 Detect cross-site scripting
Rate-based Block 4 >2000 requests/IP/5min
Geo-match Block 5 Block high-risk countries
Bot control Challenge 6 CAPTCHA for suspicious bots
Custom: Header check Block 7 Require security headers
RATE LIMITING (WAF):
═══════════════════════════════════════
→ Threshold: 2,000 requests per IP per 5 minutes
→ Action: Block for 30 minutes
→ Exclusions: Known good IPs (CDN, monitoring)
→ Logging: All blocked requests logged
DDoS PROTECTION:
═══════════════════════════════════════
→ AWS Shield Standard (automatic, included)
→ AWS Shield Advanced ($3,000/mo + usage):
· DDoS mitigation (automated)
· DDoS response team (24/7)
· Cost protection (up to $200K)
· WAF integration
Layers:
→ Volumetric (SYN flood, UDP flood): Mitigated at edge
→ Protocol (SYN flood, fragment): Mitigated by Shield
→ Application (HTTP flood): Mitigated by WAF + rate limiting4. Network Monitoring
NETWORK MONITORING
═══════════════════════════════════════
Tools:
═══════════════════════════════════════
→ VPC Flow Logs: Capture all traffic metadata
→ Network Traffic Analyzer: Real-time analysis
→ IDS/IPS: Suricata, Snort, AWS GuardDuty
→ Packet capture: tcpdump, Wireshark
→ NetFlow: Flow-based analysis
Flow Log Analysis:
═══════════════════════════════════════
→ Anomaly detection: Unusual traffic patterns
→ Threat detection: Known bad IPs/ports
→ Compliance: Data egress monitoring
→ Troubleshooting: Connectivity issues
ALERT RULES:
═══════════════════════════════════════
Alert Condition Severity
─────────────────────────────────────────────────────────────────────
Port scan detected >100 unique ports from IP P2
Data exfiltration >1GB outbound to new IP P1
Cryptominer Connection to known pool P2
C2 communication Beacon pattern detected P1
DDoS attempt >10K requests/sec P1
Brute force >50 failed SSH attempts P2
Lateral movement Unusual internal traffic P2
DNS tunneling Unusual DNS query patterns P25. Network Security Assessment
NETWORK SECURITY POSTURE ASSESSMENT
═══════════════════════════════════════
Assessment Results:
═══════════════════════════════════════
Control Status Finding Score
───────────────────────────────────────────────────────────────────────
Network segmentation ✓ PASS Properly segmented 9/10
Firewall rules ⚠ WARN 15 unused rules 7/10
WAF coverage ✓ PASS All internet-facing 9/10
DDoS protection ✓ PASS Shield Advanced active 9/10
Encryption in transit ✓ PASS TLS 1.3 everywhere 10/10
VPN for remote access ✓ PASS AWS Client VPN 8/10
Bastion host ✓ PASS SSM Session Manager 9/10
VPC peering security ⚠ WARN 1 over-privileged 7/10
Flow logging ✓ PASS All VPCs enabled 9/10
IDS/IPS ⚠ WARN No NGFW in prod 6/10
───────────────────────────────────────────────────────────────────────
OVERALL SCORE: 8.3/10
REMEDIATION:
═══════════════════════════════════════
Priority 1: Review and remove 15 unused firewall rules
Priority 2: Reduce VPC peering privileges
Priority 3: Evaluate NGFW deployment for productionEdge Cases
- Hybrid cloud: On-prem to cloud connectivity (Direct Connect, VPN)
- Multi-cloud: Cross-cloud network security
- Compliance: PCI-DSS network segmentation requirements
- Air-gapped: No internet connectivity
- IoT: Device-to-cloud network security
Integration Points
- Cloud: AWS Security Hub, Azure Firewall, GCP Cloud Armor
- Monitoring: GuardDuty, Security Center, Cloud Security Scanner
- SIEM: Splunk, Sentinel, Elasticsearch
- DNS: Route53, Cloudflare, AWS Route 53 Resolver
- VPN: AWS Client VPN, OpenVPN, WireGuard
Output
Network Security Status
NETWORK SECURITY STATUS — Q4 2024
═══════════════════════════════════════
Overall score: 8.3/10
Segmentation: Properly implemented
WAF: Active on all internet-facing endpoints
DDoS: Shield Advanced (automated mitigation)
Firewall rules: 120 active, 15 unused (review pending)
Flow logs: Enabled on all VPCs
Threats detected (last 30 days): 3 (all mitigated)