Security · Network Security

Network Security

Firewalls, segmentation, DDoS and zero trust — controlling who can reach what, and surviving it when they do.

Security Basics → Interview
01

Firewalls & the Default-Deny Rule

A firewall filters traffic against rules on IP, port and protocol. The one principle that matters: default deny — block everything, then allow only what’s needed. An allowlist fails safe (a forgotten service stays closed); a denylist fails open (a forgotten port stays exposed).

TypeOperates onExample
Stateless (ACL)Individual packetsRouter ACL: drop inbound to :22 except from the office
StatefulConnection stateAllow replies to connections we initiated
Application / WAFL7 contentBlock requests matching SQLi/XSS patterns
Cloud security groups are stateful default-deny firewalls per instance. The most common cloud breach starts with one rule opening a database port to 0.0.0.0/0 “temporarily”.
02

Segmentation & the DMZ

Flat networks are a gift to attackers: one foothold reaches everything. Segmentation splits the network into zones with controlled crossings, so a breach in one doesn’t become a breach in all — the same blast-radius logic as least privilege, at the network layer.

Internet DMZ web server Private zone app servers database FW

The DMZ holds internet-facing services (web servers); the database lives in a private zone reachable only from the app tier, never from the internet. If the web server falls, the attacker still faces another firewall before the data.

03

DDoS & Volumetric Defense

DDoS attacks availability by drowning you in traffic from many sources. Volumetric floods (raw bandwidth), protocol floods (SYN floods exhausting connection tables), and application-layer floods (expensive requests) each need different mitigation.

LayerAttackMitigation
VolumetricUDP/amplification floodsUpstream scrubbing, CDN/Anycast absorption
ProtocolSYN floodSYN cookies, connection rate limits
ApplicationHTTP request floodsRate limiting, CAPTCHAs, WAF, caching
You can’t out-buy a large botnet on your own — volumetric defense means fronting with a provider (Cloudflare, CDN Anycast) whose capacity dwarfs the attack. Design assuming absorption upstream, not heroics at your origin.
04

Zero Trust — “Never Trust, Always Verify”

The old model trusted anything inside the perimeter — fatal once an attacker gets in (or with remote work, where “inside” barely exists). Zero trust drops the trusted network: every request is authenticated, authorized and encrypted regardless of origin, as if it came from the open internet. Identity becomes the perimeter.

Zero-trust principles
  • Authenticate + authorize every request
  • Encrypt service-to-service (mTLS)
  • Least-privilege, short-lived credentials
  • Assume breach — log and verify continuously
Perimeter model’s fatal flaw
  • “Inside” is implicitly trusted
  • One foothold = lateral movement everywhere
  • VPN access ≈ full network access
  • Remote work erased the perimeter anyway
05

Interview Questions

Why default-deny over default-allow?

Allowlists fail safe: anything you forgot stays blocked. Denylists fail open: anything you forgot stays exposed, and you can never enumerate all bad traffic. Same reason allowlists beat blocklists everywhere in security.

What does network segmentation buy you?

Containment. A flat network means one compromised host reaches everything; segments with controlled crossings limit lateral movement, so a breached web tier still can’t directly touch the database. Blast-radius reduction at the network layer.

Why can’t you just absorb a volumetric DDoS at your origin?

A large botnet’s aggregate bandwidth exceeds any single origin’s. Mitigation means fronting with providers whose Anycast/CDN capacity is orders of magnitude larger, scrubbing traffic upstream before it reaches you.

What problem does zero trust solve that perimeter security doesn’t?

Perimeter trust collapses the moment an attacker is inside — or when “inside” stops existing (cloud, remote work, SaaS). Zero trust removes implicit network trust: every request proves identity and authorization, so a foothold grants no free lateral movement.

Quick Quiz

1. The core firewall principle is…
2. A stateful firewall tracks…
3. A database should typically live in…
4. SYN cookies defend against…
5. Zero trust treats internal requests as…