Network Security

Moving beyond the "Hard Outer Shell, Soft Chewy Center" model.

1. Zero Trust Architecture (ZTA)

Traditional security trusted everything inside the VPN. ZTA trusts nothing.

graph LR
    subgraph "Legacy Perception"
    A[Internet] -->|Firewall| B[Internal Network]
    B -->|Trusted| C[Database]
    B -->|Trusted| D[File Server]
    end
    
    subgraph "Zero Trust Reality"
    E[User Identity] -->|MFA/Device Check| F[Policy Engine]
    F -->|Conditional Access| G[App Segment]
    G -->|Micro-tunnel| H[Resource]
    end

• Core Principles:
  1. Verify Explicitly: Authenticate and authorize based on all available data points (User identity, location, device health, data classification).
  2. Use Least Privilege Access: Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA).
  3. Assume Breach: Segment access by network, user, devices, and app awareness.

2. Micro-segmentation & Firewall Rules

Instead of one flat network (10.0.0.0/8), every workload is isolated.

Example: Firewall Policy (Palo Alto Style)

• East-West Control: Preventing lateral movement. If the Web Server (DMZ) is compromised, it should ONLY be able to talk to the SQL Server on port 1433, not RDP into the Domain Controller.

3. Next-Generation Firewalls (NGFW)

Packet filtering (L3/L4) is dead. You need L7 visibility.

• App-ID: Identifying traffic as "Skype" or "BitTorrent" regardless of port (e.g., blocking SSH running on port 443).
• User-ID: Linking IP addresses to Active Directory users. "Bob in HR can access Facebook, but Alice in Finance cannot."
• SSL Decryption: Inspecting encrypted traffic.

  [!IMPORTANT] 90%+ of modern malware uses encrypted channels (HTTPS). If you are not decrypting SSL at the gateway, you are blind to the payload.