# Network Security Architecture
Design defense-in-depth network security. Covers zero trust networking, network segmentation, firewall policies, WAF configuration, DDoS protection, and network monitoring.
The network perimeter is dead. Attackers don’t break through firewalls — they phish credentials, exploit APIs, and move laterally through flat networks. Zero trust networking assumes every request is potentially hostile, regardless of where it originates. This guide covers practical network security architecture for modern cloud-native applications.
## Zero Trust Architecture

```text
Traditional (Castle & Moat)          Zero Trust
┌─────────────────────────┐          ┌─────────────────────────┐
│ Trust boundary = network│          │ Trust boundary = every  │
│                         │          │ request                 │
│ ┌─────┐  ┌─────┐        │          │                         │
│ │ App │──│ DB  │ trusted│          │ ┌─────┐  ┌─────┐        │
│ └─────┘  └─────┘        │          │ │ App │──│ DB  │ verify │
│                         │          │ └──┬──┘  └──┬──┘ every  │
│ Inside = trusted        │          │    │mTLS    │mTLS  req  │
│ Outside = untrusted     │          │    │auth    │auth       │
└─────────────────────────┘          └─────────────────────────┘
```
## Network Segmentation
| Zone | Contains | Access |
|---|---|---|
| DMZ | Load balancers, WAF, CDN | Public internet |
| Web tier | Application servers, API gateways | From DMZ only |
| App tier | Business logic services | From web tier only |
| Data tier | Databases, caches, queues | From app tier only |
| Management | Bastion, CI/CD, monitoring | Admin VPN only |
## AWS Security Groups Example

```hcl
# Web tier: only accepts traffic from ALB (aws_security_group.alb and
# aws_security_group.app are defined elsewhere; var.vpc_id is assumed)
resource "aws_security_group" "web" {
  name   = "web"
  vpc_id = var.vpc_id

  ingress {
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }
}

# Data tier: only accepts traffic from app tier
resource "aws_security_group" "database" {
  name   = "database"
  vpc_id = var.vpc_id

  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.app.id]
  }

  # No egress to internet: with no egress block here, Terraform removes the
  # default allow-all egress rule that AWS attaches to a new security group
}
```
## WAF Rules
| Rule Category | What It Blocks | Example |
|---|---|---|
| SQL injection | `' OR 1=1 --` in parameters | OWASP CRS rule 942100 |
| XSS | `<script>` in user input | OWASP CRS rule 941100 |
| Rate limiting | Brute force, scraping | > 100 req/min from single IP |
| Geo-blocking | Traffic from embargoed countries | Block by country code |
| Bot management | Automated abuse | Challenge suspicious user agents |
| Custom | Application-specific | Block /admin from non-VPN IPs |
## Anti-Patterns
| Anti-Pattern | Problem | Fix |
|---|---|---|
| Flat network | Compromised host can reach everything | Network segmentation with security groups |
| Allow all egress | Exfiltration of data undetected | Restrict egress, allow only needed destinations |
| IP-based trust | IPs can be spoofed, change | Identity-based auth (mTLS, service mesh) |
| No network monitoring | Attacks undetected for months | VPC flow logs, IDS/IPS, anomaly detection |
| WAF in monitor-only mode forever | Rules never enforced | Start in monitor, then enforce within 30 days |
## Checklist
- Network segmented: DMZ, web, app, data, management tiers
- Security groups: least privilege, no `0.0.0.0/0` ingress
- Egress restricted: only allow required outbound traffic
- WAF deployed on all public endpoints
- DDoS protection: AWS Shield / Cloudflare / similar
- mTLS between internal services
- VPC flow logs: enabled, monitored for anomalies
- DNS security: DNSSEC, DNS filtering
- No public-facing databases or admin interfaces
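As an added example (not part of the original guide), the following auditor checks default-format VPC flow log records against the zone table and the egress anti-pattern above: it reports accepted flows that cross tiers the segmentation model does not allow, and accepted flows to the internet that are not on an explicit egress allowlist. The tier subnets, the allowed egress destination and the sample records are constructed for the example.

```python
import ipaddress
# Tier subnets are constructed for this example (take real values from your VPC
# layout); "vpn" is the admin VPN client range, any other address is "internet".
TIERS = {name: ipaddress.ip_network(cidr) for name, cidr in [
    ("dmz", "10.0.1.0/24"), ("web", "10.0.2.0/24"), ("app", "10.0.3.0/24"),
    ("data", "10.0.4.0/24"), ("mgmt", "10.0.9.0/24"), ("vpn", "10.8.0.0/16")]}
# Allowed initiator -> destination pairs, taken from the segmentation table.
ALLOWED = {("internet", "dmz"), ("dmz", "web"), ("web", "app"), ("app", "data"),
           ("vpn", "mgmt")} | {("mgmt", t) for t in ("dmz", "web", "app", "data")}
# The only outbound destination the tiers need (constructed: an OS package mirror).
ALLOWED_EGRESS = {ipaddress.ip_network("203.0.113.10/32")}
# A flow whose source port is a service port is the reply half of a connection and
# is skipped; the request half is the one that carries the policy decision.
SERVICE_PORTS = {22, 443, 5432, 8080}

def tier_of(ip: str) -> str:
    return next((n for n, net in TIERS.items() if ipaddress.ip_address(ip) in net), "internet")

def audit_flow(record: str):
    """Classify one default (version 2) flow log record; None when policy-clean."""
    f = record.split()
    if len(f) < 14 or f[0] != "2" or f[13] != "OK" or f[12] != "ACCEPT":
        return None  # malformed, NODATA/SKIPDATA, or already blocked by a security group
    src, dst, sport, dport = f[3], f[4], int(f[5]), int(f[6])
    if sport in SERVICE_PORTS:
        return None
    src_tier, dst_tier = tier_of(src), tier_of(dst)
    where = f"{src} ({src_tier}) -> {dst}:{dport} ({dst_tier})"
    if dst_tier == "internet":
        if any(ipaddress.ip_address(dst) in net for net in ALLOWED_EGRESS):
            return None
        return ("egress-to-internet", where)  # the "allow all egress" anti-pattern
    if (src_tier, dst_tier) not in ALLOWED:
        return ("tier-violation", where)  # public exposure or lateral movement
    return None

def audit(flow_log: str) -> list:
    return [hit for line in flow_log.splitlines() if (hit := audit_flow(line))]

# Constructed sample records in the default field order: version account-id interface-id
# srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_FLOWS = """\
2 123456789012 eni-0a1b 198.51.100.7 10.0.1.10 51234 443 6 12 3400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0c3d 10.0.3.30 10.0.4.40 40002 5432 6 20 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0c3d 10.0.4.40 10.0.3.30 5432 40002 6 20 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0e5f 10.0.2.20 10.0.4.40 40003 5432 6 4 800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0e5f 10.0.4.40 198.51.100.9 40004 443 6 900 52000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b 10.0.3.30 203.0.113.10 40005 443 6 30 8000 1700000000 1700000060 ACCEPT OK
"""
```

Running `audit(SAMPLE_FLOWS)` yields two findings: the web tier reaching the database directly, and the data tier sending 52 MB to an internet address that is not on the egress allowlist.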
:::note[Source]
This guide is derived from operational intelligence at Garnet Grid Consulting. For network security consulting, visit garnetgrid.com.
:::