Control what can talk to what. A default-deny firewall, segmentation, and encrypted traffic contain an attacker to one corner instead of the whole network.
Why: a host should accept only the connections it actually needs, so a default-deny firewall (block everything, then allow the specific required ports) minimizes exposure and stops opportunistic scanning. When: apply host firewalls everywhere, not just at the perimeter. Where: default-deny is the network expression of least privilege — the same principle as allowlists in the web-app-security course.
# Default-deny host firewall (ufw), then allow only what's needed:
ufw default deny incoming
ufw default allow outgoing
ufw allow from 10.0.0.0/24 to any port 22 # SSH only from the admin subnet
ufw allow 443/tcp # public HTTPS
ufw enable
# Block first, allow the known-good. Restrict management ports by source.Why: a flat network lets an attacker who lands anywhere reach everything, so segmentation splits it into zones (user, server, database, management) with controlled traffic between them — containing a breach to one segment. When: separate trust zones and restrict inter-zone traffic to what is required. Where: segmentation is what turns a single compromised host into a contained incident instead of a network-wide disaster (as in the DFIR lateral-movement story).
FLAT network: one foothold -> reach EVERYTHING (attacker's dream)
SEGMENTED: zones with controlled traffic between them
[ user VLAN ] --x-- [ server VLAN ] --x-- [ database VLAN ]
(only required ports pass between zones)
[ management ] isolated, reachable only via the jump host
Segmentation contains a breach to one zone. See the Network Engineer course.Why: unencrypted traffic can be sniffed for credentials and data and tampered with, so all sensitive traffic must use TLS/SSH and legacy plaintext protocols must be disabled. When: enforce HTTPS/TLS for services, SSH for admin, and turn off Telnet/FTP/HTTP for anything sensitive. Where: encryption defeats the man-in-the-middle and cleartext-credential findings that appear across the offensive and forensics courses.
DISABLE plaintext protocols, REQUIRE encrypted equivalents:
Telnet -> SSH
FTP -> SFTP / FTPS
HTTP -> HTTPS (TLS), with HSTS
LDAP -> LDAPS
SNMP v1/2 -> SNMPv3 (auth + encryption)
Enforce strong TLS (modern versions + ciphers only). Cleartext creds on
the wire are a gift to anyone who can sniff the traffic.