Network Security
Firewalls, segmentation, DDoS and zero trust — controlling who can reach what, and surviving it when they do.
Firewalls & the Default-Deny Rule
A firewall filters traffic against rules on IP, port and protocol. The one principle that matters: default deny — block everything, then allow only what’s needed. An allowlist fails safe (a forgotten service stays closed); a denylist fails open (a forgotten port stays exposed).
| Type | Operates on | Example |
|---|---|---|
| Stateless (ACL) | Individual packets | Router ACL: drop inbound to :22 except from the office |
| Stateful | Connection state | Allow replies to connections we initiated |
| Application / WAF | L7 content | Block requests matching SQLi/XSS patterns |
0.0.0.0/0 “temporarily”.Segmentation & the DMZ
Flat networks are a gift to attackers: one foothold reaches everything. Segmentation splits the network into zones with controlled crossings, so a breach in one doesn’t become a breach in all — the same blast-radius logic as least privilege, at the network layer.
The DMZ holds internet-facing services (web servers); the database lives in a private zone reachable only from the app tier, never from the internet. If the web server falls, the attacker still faces another firewall before the data.
DDoS & Volumetric Defense
DDoS attacks availability by drowning you in traffic from many sources. Volumetric floods (raw bandwidth), protocol floods (SYN floods exhausting connection tables), and application-layer floods (expensive requests) each need different mitigation.
| Layer | Attack | Mitigation |
|---|---|---|
| Volumetric | UDP/amplification floods | Upstream scrubbing, CDN/Anycast absorption |
| Protocol | SYN flood | SYN cookies, connection rate limits |
| Application | HTTP request floods | Rate limiting, CAPTCHAs, WAF, caching |
Zero Trust — “Never Trust, Always Verify”
The old model trusted anything inside the perimeter — fatal once an attacker gets in (or with remote work, where “inside” barely exists). Zero trust drops the trusted network: every request is authenticated, authorized and encrypted regardless of origin, as if it came from the open internet. Identity becomes the perimeter.
- Authenticate + authorize every request
- Encrypt service-to-service (mTLS)
- Least-privilege, short-lived credentials
- Assume breach — log and verify continuously
- “Inside” is implicitly trusted
- One foothold = lateral movement everywhere
- VPN access ≈ full network access
- Remote work erased the perimeter anyway
Interview Questions
Why default-deny over default-allow?
Allowlists fail safe: anything you forgot stays blocked. Denylists fail open: anything you forgot stays exposed, and you can never enumerate all bad traffic. Same reason allowlists beat blocklists everywhere in security.
What does network segmentation buy you?
Containment. A flat network means one compromised host reaches everything; segments with controlled crossings limit lateral movement, so a breached web tier still can’t directly touch the database. Blast-radius reduction at the network layer.
Why can’t you just absorb a volumetric DDoS at your origin?
A large botnet’s aggregate bandwidth exceeds any single origin’s. Mitigation means fronting with providers whose Anycast/CDN capacity is orders of magnitude larger, scrubbing traffic upstream before it reaches you.
What problem does zero trust solve that perimeter security doesn’t?
Perimeter trust collapses the moment an attacker is inside — or when “inside” stops existing (cloud, remote work, SaaS). Zero trust removes implicit network trust: every request proves identity and authorization, so a foothold grants no free lateral movement.