← [Section 07](README.md) · [Home](../README.md)

# Networks and segmentation

## Goal

Understand **network segmentation** in the cloud and on-prem: VPCs, subnets, firewall rules, and the basic principles of **defense in depth**, so that lateral movement is limited after a single node is compromised.

## Prerequisites

- [iam-least-privilege.md](iam-least-privilege.md).
- IP, port, DNS, HTTPS, at the level of "the site opens on port 443".

## Time

~30 minutes of reading + drawing a 3-tier diagram

---

## Why segmentation

Without segmentation: an attacker in one pod → scans the entire network → reaches a database with flat access.

**Segmentation** divides the network into zones with **different trust levels** and filters traffic between them.

## Trust zones (typical model)

```
                    Internet
                        │
                   [ DMZ ]
                  /   |   \
           [ Web tier ]  [ API GW ]
                  \   |   /
                 [ App tier ]
                        │
                 [ Data tier ]
                  DB, Redis
```

| Zone | Trust | Exposure |
|------|-------|----------|
| Public / DMZ | Low | Internet-facing LB |
| Application | Medium | Internal only |
| Data | High | No direct internet |

## VPC basics (cloud)

**VPC** (Virtual Private Cloud) is an isolated virtual network.

| Element | Role |
|---------|------|
| **VPC CIDR** | e.g. `10.0.0.0/16` |
| **Public subnet** | Route to Internet Gateway |
| **Private subnet** | No direct inbound from internet |
| **NAT Gateway** | Outbound internet from private (updates) |

**Rule:** databases go in **private** subnets; only the app tier connects to them.

## Firewall layers

| Layer | Example |
|-------|---------|
| Cloud SG / NSG | Allow 443 from `0.0.0.0/0` to LB only |
| NACL | Subnet-level stateless filter |
| K8s NetworkPolicy | Pod-to-pod allow list |
| WAF | HTTP L7 at edge |
| Service mesh mTLS | Encrypt + auth east-west |

Defense in depth means several layers, not a single "mega firewall".

## Least privilege for the network

Default posture evolution:

| Stage | Posture |
|-------|---------|
| Legacy | Allow all internal |
| Better | Deny cross-env (dev≠prod) |
| Target | Default deny + explicit allow |

### Example allow rules

| From | To | Port | Why |
|------|-----|------|-----|
| LB subnet | App pods | 8080 | HTTP internal |
| App subnet | RDS | 5432 | Postgres |
| CI runner | K8s API | 443 | Deploy only |
| **Deny** | Internet | RDS 5432 | No public DB |

## Zero Trust (simplified)

"Zero trust" ≠ "no firewall". The idea:

- Never trust based on «inside corporate network»
- Verify identity + device + context every request
- Micro-segmentation + mTLS

To start with: **SSO + MFA + network policies + no flat VPC**.

## Kubernetes networking

| Object | Purpose |
|--------|---------|
| **NetworkPolicy** | Ingress/egress pod rules |
| **Ingress** | External → Service |
| **Service** | Stable internal endpoint |

Example intent: frontend pod may talk to `api:8080`; api may talk to `postgres:5432`; nothing else.

Without a NetworkPolicy, many clusters are a **flat** pod network.
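The intent above ("frontend → api:8080, api → postgres:5432, nothing else") plus the checklist item "default deny in namespace", written out as NetworkPolicy manifests. This is an added example, not from the original page; the namespace `shop` and the labels `app=frontend`, `app=api`, `app=postgres` are assumed names.

```yaml
# Added example (not from the original page). Namespace "shop" and the
# app=frontend / app=api / app=postgres labels are assumed names.
# 1) Default deny: with this in place, a pod can only receive traffic
#    that some other policy in the namespace explicitly allows.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}            # empty selector = every pod in the namespace
  policyTypes: ["Ingress"]   # no ingress rules listed => all inbound denied
---
# 2) Only frontend pods may reach api pods, and only on TCP/8080.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: shop
spec:
  podSelector:
    matchLabels: {app: api}
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector:
            matchLabels: {app: frontend}
      ports:
        - protocol: TCP
          port: 8080
---
# 3) Only api pods may reach postgres, and only on TCP/5432.
#    Nothing selects frontend -> postgres, so the default deny drops it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-to-postgres
  namespace: shop
spec:
  podSelector:
    matchLabels: {app: postgres}
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector:
            matchLabels: {app: api}
      ports:
        - protocol: TCP
          port: 5432
```

This covers the ingress side only; if you also add a default-deny `Egress` policy (see the egress section), you must add matching egress allow rules for the same two flows and for DNS (kube-dns, port 53), otherwise pods cannot resolve names. Policies are enforced only if the cluster's CNI supports NetworkPolicy; verify with a test pod rather than assuming.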

## Egress control

Outbound traffic is often forgotten:

| Risk | Control |
|------|---------|
| Compromised pod calls C2 | Restrict egress to allowlist |
| Data exfil to random S3 | VPC endpoint + IAM + egress firewall |
| Crypto mining | Alert on unusual egress destinations |

## DNS and internal services

- Private DNS zones for internal names
- Avoid exposing admin panels on public DNS
- Split-horizon: internal vs external resolution

## Common misconfigurations

| Misconfig | Impact |
|-----------|--------|
| RDS `publicly accessible=true` | Internet DB scans |
| `0.0.0.0/0` on SSH 22 | Brute force |
| Flat K8s network | Lateral movement |
| Debug port exposed via Service LoadBalancer | RCE surface |

How to find them: cloud configuration auditors, kube-bench, and a default-deny NetworkPolicy template applied per namespace.

## Segmentation checklist

- [ ] Prod / staging / dev separate accounts or VPCs
- [ ] DB no public IP
- [ ] Admin access via bastion / SSO VPN, not open SSH
- [ ] K8s NetworkPolicy default deny in namespace
- [ ] Egress restricted or monitored
- [ ] Logs flow from VPC flow logs / firewall ([logging](../08-runtime-monitoring/logging-audit-trail.md))

## Diagram exercise

Draw the following for `api.example.com`:

1. Internet → CDN/WAF → Ingress
2. API pods in private subnet
3. PostgreSQL private, SG only from API SG
4. Where would you place Redis?

---

## Self-check

1. How does a public subnet differ from a private one?
2. Why use NetworkPolicy if there is already a cloud security group?
3. What is lateral movement?
4. Why is `0.0.0.0/0` on port 22 a red flag?

## Next

[Container hardening](container-hardening.md)
