Network Security
Network Segmentation
Divide network into isolated zones. Limit blast radius of a breach.
```
Internet
   │
 [WAF]
   │
DMZ (Demilitarized Zone)
├── Load Balancers
└── API Gateway
   │
[Firewall]
   │
Application Tier (private subnet)
├── App Servers
└── Worker Services
   │
[Firewall]
   │
Data Tier (most restricted)
├── Databases (PostgreSQL, Redis)
├── Message Queues
└── Secrets Store (Vault)
```
Cloud Network (AWS VPC)
```
VPC: 10.0.0.0/16

Public Subnets (Load Balancer, NAT Gateway):
  10.0.1.0/24   (us-east-1a)
  10.0.2.0/24   (us-east-1b)

Private Subnets (Application Tier):
  10.0.10.0/24  (us-east-1a)
  10.0.11.0/24  (us-east-1b)

Data Subnets (no internet route):
  10.0.20.0/24  (us-east-1a)
  10.0.21.0/24  (us-east-1b)
```
Security Groups (Default Deny)
```
Application Server SG:
  Inbound:
    HTTPS (443)        ← Load Balancer SG only
    SSH (22)           ← Bastion Host SG only
  Outbound:
    PostgreSQL (5432)  → DB Security Group only
    Redis (6379)       → Cache Security Group only
    HTTPS (443)        → 0.0.0.0/0 (external API calls)

Database SG:
  Inbound:
    PostgreSQL (5432)  ← App Server SG only
  Outbound: NONE
```
TLS Enforcement
```yaml
# Spring Boot: TLS 1.2+ only, AEAD cipher suites only
server:
  ssl:
    enabled: true
    protocol: TLS
    enabled-protocols: TLSv1.3,TLSv1.2
    ciphers:
      - TLS_AES_256_GCM_SHA384
      - TLS_CHACHA20_POLY1305_SHA256
      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
```

```http
# HSTS header → browsers always use HTTPS for this host (and subdomains) for one year
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
```
Web Application Firewall (WAF)
Sits in front of your app. Filters malicious HTTP traffic before it reaches application code.
What WAF blocks:
- SQL injection and XSS payloads
- Known exploit signatures (CVEs, exploit kits)
- Bot traffic and scrapers
- Geographic IP blocking
- Rate limiting by IP
```
Internet → CloudFront (CDN) → WAF Rules → Load Balancer → App
```
```hcl
# AWS WAF Terraform
resource "aws_wafv2_web_acl" "main" {
  name  = "main-web-acl"
  # CloudFront-scoped ACLs must be created with a us-east-1 provider;
  # use "REGIONAL" when attaching to an ALB or API Gateway instead.
  scope = "CLOUDFRONT"

  # Default deny is the firewall posture; for a WAF the default is allow
  # and the rules below carve out what gets blocked.
  default_action {
    allow {}
  }

  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 1
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "common-rule-set"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "RateLimit"
    priority = 2
    action {
      block {}
    }
    statement {
      rate_based_statement {
        limit              = 2000 # requests per source IP per 5-minute evaluation window
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "main-web-acl"
    sampled_requests_enabled   = true
  }
}
```
WAF vs Firewall:
- Firewall → operates at L3/L4 (IP, port, protocol). Allows/blocks connections.
- WAF → operates at L7 (HTTP). Inspects HTTP content, headers, and body for attacks.
DDoS Mitigation
| Layer | Attack Type | Example |
|---|---|---|
| L3/L4 | Volumetric | UDP flood, ICMP flood |
| L4 | Protocol | SYN flood exhausts TCP table |
| L7 | Slow HTTP | Slowloris holds connections open |
| L7 | HTTP flood | Overwhelms with HTTP requests |
Defense Layers
1. Upstream scrubbing (Cloudflare, AWS Shield) → absorbs volumetric attacks at the edge
2. Rate limiting per IP at CDN/WAF → HTTP flood mitigation
3. Application-level rate limiting (Redis) → per-user, per-endpoint
4. Auto-scaling + CDN offload → absorb traffic spikes
5. Circuit breakers on downstream calls → prevent cascade failure
```yaml
# Slowloris defense → aggressive timeouts (Spring Boot embedded Tomcat)
server:
  tomcat:
    connection-timeout: 5000   # 5s max to receive the request line and headers
    keep-alive-timeout: 60000  # idle keep-alive connections are dropped after 60s
    max-connections: 10000     # hard cap on concurrent connections
    accept-count: 100          # backlog once max-connections is reached
```
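Defense layer 3 above, application-level per-user, per-endpoint rate limiting, as an added example that is not part of the original notes. The request log is kept in an in-memory dict that stands in for a Redis sorted set (an assumption so the example runs offline); the key layout and window logic are what you would port to `ZADD` / `ZREMRANGEBYSCORE` / `ZCARD`.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per (user, endpoint) in any `window` seconds."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock          # injectable so tests can advance time deterministically
        # key -> timestamps of accepted requests, oldest first.
        # Constructed in-memory stand-in for a Redis sorted set keyed the same way.
        self._log = defaultdict(deque)

    @staticmethod
    def key(user_id, endpoint):
        # Per-user AND per-endpoint: one noisy endpoint cannot starve the rest.
        return f"ratelimit:{user_id}:{endpoint}"

    def allow(self, user_id, endpoint):
        now = self.clock()
        log = self._log[self.key(user_id, endpoint)]
        # Evict requests that fell out of the window (Redis: ZREMRANGEBYSCORE key -inf now-window).
        while log and log[0] <= now - self.window:
            log.popleft()
        # Redis: ZCARD key. Blocked requests are NOT recorded, so a blocked
        # burst does not keep extending the client's own penalty.
        if len(log) >= self.limit:
            return False
        log.append(now)             # Redis: ZADD key now now
        return True

    def retry_after(self, user_id, endpoint):
        """Seconds until the oldest counted request leaves the window (0 if not limited)."""
        log = self._log[self.key(user_id, endpoint)]
        if len(log) < self.limit:
            return 0.0
        return max(0.0, log[0] + self.window - self.clock())


def simulate_burst(limiter, user_id, endpoint, n):
    """Send n requests at once; return (allowed, blocked) counts."""
    results = [limiter.allow(user_id, endpoint) for _ in range(n)]
    return results.count(True), results.count(False)
```

`retry_after` is what you would surface in a `Retry-After` header alongside the 429 response.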
DNS Security
DNSSEC → Prevent Cache Poisoning
```
Normal DNS: api.example.com → 1.2.3.4                      (unverified)
DNSSEC:     api.example.com → 1.2.3.4 + digital signature
            → client verifies the signature → tampering detected
```
DNS Rebinding Attack
1. Attacker controls attacker.com → resolves to 1.2.3.4
2. Victim visits attacker.com → JavaScript loaded
3. Attacker changes the DNS TTL to 0 and rebinds attacker.com to 192.168.1.1 (victim's router)
4. The already-loaded JavaScript makes requests to 192.168.1.1, still under the attacker.com origin
   → bypasses the same-origin policy!

Defense: validate the Host header against an allowlist of your own hostnames (after a rebind the browser still sends `Host: attacker.com`); use HTTPS (the certificate will not match the rebound name); bind internal services to specific interfaces rather than 0.0.0.0.
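The first defense listed above, Host header validation, as an added example that is not part of the original notes. The allowlisted hostnames and the `expected_port` parameter are assumptions for the example; the check is what a request filter in front of an internal service would run.

```python
import ipaddress


def _split_host_port(host_header):
    """Split 'host[:port]' (bracketed IPv6 literals included); return (name, port_or_None)."""
    h = host_header.strip().lower()
    if h.startswith("["):                       # "[::1]:8443"
        end = h.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        name, rest = h[1:end], h[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("junk after IPv6 literal")
        port = rest[1:] if rest else None
    elif h.count(":") == 1:                     # "api.example.com:443"
        name, port = h.split(":")
    elif ":" in h:                              # unbracketed IPv6 or malformed
        raise ValueError("malformed host")
    else:
        name, port = h, None
    if port is not None and not port.isdigit():
        raise ValueError("malformed port")
    return name.rstrip("."), (int(port) if port is not None else None)


def host_header_allowed(host_header, allowed_hosts, expected_port=443):
    """True only if Host names one of our own hostnames (DNS-rebinding defense).

    After a rebind the browser still sends Host: attacker.com, so an allowlist of
    our real hostnames rejects the request even though it arrived on our socket.
    Raw IP literals are refused outright: legitimate clients address us by name.
    """
    if not host_header:
        return False
    try:
        name, port = _split_host_port(host_header)
    except ValueError:
        return False
    if port is not None and port != expected_port:
        return False
    try:
        ipaddress.ip_address(name)
        return False                            # IP literal is never a valid Host for us
    except ValueError:
        pass                                    # not an IP literal: compare as a hostname
    return name in {h.lower().rstrip(".") for h in allowed_hosts}
```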
Zero Trust Networking
Traditional VPN Model
```
Employee → VPN → "Inside" network → Access ALL internal services
```
Problem: Once inside, lateral movement is trivial
Zero Trust Network Access (ZTNA)
Every access request:
1. Verified identity (MFA required)
2. Device health check (MDM compliance)
3. Least-privilege access to SPECIFIC app only
4. Continuous verification (not just at login)
5. All traffic encrypted → even internal
mTLS → Mutual TLS
Regular TLS: server proves identity to client. mTLS: both sides prove identity via certificates.
```
Service A ←── present cert ──→ Service B
            verify each other
          ←── encrypted session ──→
```
No API keys needed → the certificate IS the identity
```yaml
# Istio → automatic mTLS for all pods in the mesh
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # the root namespace makes this a mesh-wide policy
spec:
  mtls:
    mode: STRICT            # plaintext rejected; use PERMISSIVE only while migrating
```

```yaml
# Spring Boot mTLS: the server demands and verifies a client certificate
server:
  ssl:
    enabled: true
    client-auth: need       # "want" would make the client cert optional
    trust-store: classpath:truststore.p12          # CA(s) that issued client certs
    trust-store-password: ${TRUST_STORE_PASSWORD}
    key-store: classpath:server-keystore.p12       # this service's own cert + key
    key-store-password: ${KEY_STORE_PASSWORD}
```
SSH Hardening
```
# /etc/ssh/sshd_config
PermitRootLogin no
# Key-based only
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
# Obsolete: SSH-1 was removed in OpenSSH 7.6; modern sshd ignores this line
Protocol 2
# AEAD ciphers only (the cipher names were mangled in the source; these are
# the two standard OpenSSH AEAD ciphers)
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
```
Bastion Host
```
Developer → Internet → Bastion Host (hardened, MFA, all sessions logged)
                            │
                    Internal Servers (not directly accessible)
```
Interview Questions
- What is network segmentation and why is it important?
- What is the difference between a WAF and a firewall?
- How do you defend against a DDoS attack? What layers of defense exist?
- What is the difference between TLS and mTLS?
- What is DNS cache poisoning and how does DNSSEC prevent it?
- What is the Zero Trust security model?
- What is a Slowloris attack and how do you defend against it?
- How do security groups differ from network ACLs in AWS?
- What is a bastion host and when would you use one?
- What is DNS rebinding and what defenses exist?