--- name: network-security-architecture description: Design and implement network security architecture including firewalls, WAF, network segmentation, micro-segmentation, DDoS protection, and network monitoring. Use when architecting network security, implementing segmentation, configuring firewalls, or deploying DDoS mitigation. Triggers on phrases like "network security", "firewall", "WAF", "web application firewall", "network segmentation", "micro-segmentation", "DDoS protection", "VPC design", "security groups", "network ACL", "Zero Trust Network", "NGFW", "IDS/IPS", "network monitoring", "packet capture", "flow logs". --- # Network Security Architecture Design and implement network security architecture including firewalls, WAF, network segmentation, DDoS protection, and network monitoring. ## Workflow ### 1. Network Segmentation Design ``` NETWORK SEGMENTATION ARCHITECTURE ═══════════════════════════════════════ VPC/Network Design (AWS Example): ═══════════════════════════════════════ VPC CIDR: 10.0.0.0/16 Availability Zone A (10.0.0.0/20): → Public Subnet (10.0.0.0/24): ALB, NAT GW, Bastion → Private App (10.0.1.0/24): Application servers → Private DB (10.0.2.0/24): Databases (no internet) → Private Mgmt (10.0.3.0/24): Monitoring, logging Availability Zone B (10.0.4.0/20): → Public Subnet (10.0.4.0/24): ALB, NAT GW → Private App (10.0.5.0/24): Application servers → Private DB (10.0.6.0/24): Databases → Private Mgmt (10.0.7.0/24): Monitoring SEGMENTATION BOUNDARIES: ═══════════════════════════════════════ Zone Inbound Outbound Security Level ──────────────────────────────────────────────────────────────────────────── Public Internet (443,80) → Private App (8080) HIGH (WAF + ALB) Private App ← Public (8080) → Private DB (5432) MEDIUM (SG only) Private DB ← Private App (5432) None (no internet) CRITICAL Private Mgmt ← All private → Internet (out) LOW (monitoring) MICRO-SEGMENTATION (Kubernetes): ═══════════════════════════════════════ Network Policy (Calico): → Default deny all ingress/egress → Allow specific pod-to-pod communication → L4-L7 visibility (application-aware) → Tag-based policies (not IP-based) Example policy: apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-api-to-db spec: podSelector: {matchLabels: {app: api-gateway}} policyTypes: [Ingress, Egress] ingress: - from: [{podSelector: {matchLabels: {app: web-frontend}}}] ports: [{port: 8080, protocol: TCP}] egress: - to: [{podSelector: {matchLabels: {app: postgres}}}] ports: [{port: 5432, protocol: TCP}] ``` ### 2. Firewall Configuration ``` FIREWALL RULES MANAGEMENT ═══════════════════════════════════════ Security Group Rules (AWS): ═══════════════════════════════════════ SG Name Direction Port Protocol Source/Dest Purpose ───────────────────────────────────────────────────────────────────────────── sg-alb Inbound 443 TCP 0.0.0.0/0 HTTPS from internet sg-alb Inbound 80 TCP 0.0.0.0/0 HTTP (redirect) sg-alb Outbound 8080 TCP sg-app-servers To app tier sg-app-servers Inbound 8080 TCP sg-alb From ALB sg-app-servers Inbound 9090 TCP sg-monitoring Metrics sg-app-servers Outbound 5432 TCP sg-databases To database sg-app-servers Outbound 6379 TCP sg-redis To cache sg-databases Inbound 5432 TCP sg-app-servers From app sg-databases Inbound 5432 TCP sg-bastion From bastion (admin) sg-redis Inbound 6379 TCP sg-app-servers From app sg-bastion Inbound 22 TCP VPN CIDR SSH from VPN sg-bastion Inbound 22 TCP IP-whitelist SSH from office RULE BEST PRACTICES: ═══════════════════════════════════════ → No 0.0.0.0/0 inbound (except ALB on 443) → Use security group references (not CIDR) → Least privilege (only required ports) → No ALL traffic rules → Document purpose for each rule → Regular review (quarterly) → Alert on rule changes FIREWALL ANALYTICS: ═══════════════════════════════════════ → Unused rules: 15 rules with 0 traffic in 90 days → Review → Shadowed rules: 3 rules never triggered (covered by broader rule) → Rule hit rates: Top 20 rules handle 80% of traffic ``` ### 3. WAF Configuration ``` WEB APPLICATION FIREWALL (WAF) ═══════════════════════════════════════ WAF Rules (AWS WAF / Cloudflare): ═══════════════════════════════════════ Rule Set Action Priority Description ──────────────────────────────────────────────────────────────────── AWS Managed Rules Block 1 Common rule set (OWASP) SQL Injection Block 2 Detect SQLi patterns XSS Block 3 Detect cross-site scripting Rate-based Block 4 >2000 requests/IP/5min Geo-match Block 5 Block high-risk countries Bot control Challenge 6 CAPTCHA for suspicious bots Custom: Header check Block 7 Require security headers RATE LIMITING (WAF): ═══════════════════════════════════════ → Threshold: 2,000 requests per IP per 5 minutes → Action: Block for 30 minutes → Exclusions: Known good IPs (CDN, monitoring) → Logging: All blocked requests logged DDoS PROTECTION: ═══════════════════════════════════════ → AWS Shield Standard (automatic, included) → AWS Shield Advanced ($3,000/mo + usage): · DDoS mitigation (automated) · DDoS response team (24/7) · Cost protection (up to $200K) · WAF integration Layers: → Volumetric (SYN flood, UDP flood): Mitigated at edge → Protocol (SYN flood, fragment): Mitigated by Shield → Application (HTTP flood): Mitigated by WAF + rate limiting ``` ### 4. Network Monitoring ``` NETWORK MONITORING ═══════════════════════════════════════ Tools: ═══════════════════════════════════════ → VPC Flow Logs: Capture all traffic metadata → Network Traffic Analyzer: Real-time analysis → IDS/IPS: Suricata, Snort, AWS GuardDuty → Packet capture: tcpdump, Wireshark → NetFlow: Flow-based analysis Flow Log Analysis: ═══════════════════════════════════════ → Anomaly detection: Unusual traffic patterns → Threat detection: Known bad IPs/ports → Compliance: Data egress monitoring → Troubleshooting: Connectivity issues ALERT RULES: ═══════════════════════════════════════ Alert Condition Severity ───────────────────────────────────────────────────────────────────── Port scan detected >100 unique ports from IP P2 Data exfiltration >1GB outbound to new IP P1 Cryptominer Connection to known pool P2 C2 communication Beacon pattern detected P1 DDoS attempt >10K requests/sec P1 Brute force >50 failed SSH attempts P2 Lateral movement Unusual internal traffic P2 DNS tunneling Unusual DNS query patterns P2 ``` ### 5. Network Security Assessment ``` NETWORK SECURITY POSTURE ASSESSMENT ═══════════════════════════════════════ Assessment Results: ═══════════════════════════════════════ Control Status Finding Score ─────────────────────────────────────────────────────────────────────── Network segmentation ✓ PASS Properly segmented 9/10 Firewall rules ⚠ WARN 15 unused rules 7/10 WAF coverage ✓ PASS All internet-facing 9/10 DDoS protection ✓ PASS Shield Advanced active 9/10 Encryption in transit ✓ PASS TLS 1.3 everywhere 10/10 VPN for remote access ✓ PASS AWS Client VPN 8/10 Bastion host ✓ PASS SSM Session Manager 9/10 VPC peering security ⚠ WARN 1 over-privileged 7/10 Flow logging ✓ PASS All VPCs enabled 9/10 IDS/IPS ⚠ WARN No NGFW in prod 6/10 ─────────────────────────────────────────────────────────────────────── OVERALL SCORE: 8.3/10 REMEDIATION: ═══════════════════════════════════════ Priority 1: Review and remove 15 unused firewall rules Priority 2: Reduce VPC peering privileges Priority 3: Evaluate NGFW deployment for production ``` ## Edge Cases - **Hybrid cloud**: On-prem to cloud connectivity (Direct Connect, VPN) - **Multi-cloud**: Cross-cloud network security - **Compliance**: PCI-DSS network segmentation requirements - **Air-gapped**: No internet connectivity - **IoT**: Device-to-cloud network security ## Integration Points - **Cloud**: AWS Security Hub, Azure Firewall, GCP Cloud Armor - **Monitoring**: GuardDuty, Security Center, Cloud Security Scanner - **SIEM**: Splunk, Sentinel, Elasticsearch - **DNS**: Route53, Cloudflare, AWS Route 53 Resolver - **VPN**: AWS Client VPN, OpenVPN, WireGuard ## Output ### Network Security Status ``` NETWORK SECURITY STATUS — Q4 2024 ═══════════════════════════════════════ Overall score: 8.3/10 Segmentation: Properly implemented WAF: Active on all internet-facing endpoints DDoS: Shield Advanced (automated mitigation) Firewall rules: 120 active, 15 unused (review pending) Flow logs: Enabled on all VPCs Threats detected (last 30 days): 3 (all mitigated) ```