
Network & Infrastructure Security 🌐🧱

Building a secure distributed system requires more than just encrypting data and checking passwords. You must also protect the infrastructure: the virtual walls, paths, and gates that connect your services.

🌍
References & Disclaimer

This content is adapted from Mastering System Design from Basics to Cracking Interviews (Udemy). It has been curated and organized for educational purposes on this portfolio. No copyright infringement is intended.


📉 Why Network Security Matters

As systems move to the cloud, the "attack surface" grows. Security is no longer just about keeping people out; it's about controlling movement inside.

  • External Threats: DDoS attacks, unauthorized intrusions, and IP spoofing.
  • Internal Risks: Misconfigured servers or compromised nodes allowing "lateral movement" (attackers moving from a weak service to a critical database).
  • Cloud Exposure: Mismanaged VPCs or open ports can accidentally expose private data to the entire internet.

πŸ›‘οΈ Perimeter Defense: Firewalls & Proxies

1. Firewalls

Firewalls are the first line of defense: they filter incoming and outgoing traffic based on specific rules (IP address, port, protocol).

  • Network-based: Protects entire networks (e.g., AWS NACLs).
  • Host-based: Installed on individual servers (e.g., iptables, ufw).
  • Cloud Firewalls: Managed services (e.g., AWS WAF, Security Groups) that scale automatically.
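The rule matching described above, as an added example (not code from the page or the course it cites): an ordered rule set is evaluated first-match-wins with an implicit default deny, the way NACL-style ACLs behave. The rule set, CIDRs and ports are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One ordered filter rule: source CIDR, protocol, inclusive port range, action."""
    src: str          # CIDR such as "10.0.0.0/8"; "0.0.0.0/0" means any IPv4 source
    proto: str        # "tcp", "udp" or "any"
    ports: tuple      # (low, high) inclusive; (0, 65535) means any port
    action: str       # "allow" or "deny"

    def matches(self, src_ip: str, proto: str, port: int) -> bool:
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        return self.ports[0] <= port <= self.ports[1]

def evaluate(rules, src_ip: str, proto: str, port: int) -> str:
    """First matching rule wins, as in an ordered ACL; unmatched traffic is denied."""
    for rule in rules:
        if rule.matches(src_ip, proto, port):
            return rule.action
    return "deny"  # implicit default-deny: anything not explicitly allowed is dropped

# Constructed rule set for a web tier with a private database (an assumption, not from the page).
# Order matters: the guest-subnet SSH deny must sit above the broader private-network SSH allow.
RULES = [
    Rule("10.50.0.0/16", "tcp", (22, 22), "deny"),      # no SSH from the guest Wi-Fi subnet
    Rule("0.0.0.0/0", "tcp", (443, 443), "allow"),      # HTTPS open to the internet
    Rule("10.0.0.0/8", "tcp", (5432, 5432), "allow"),   # Postgres only from the private network
    Rule("10.0.0.0/8", "tcp", (22, 22), "allow"),       # SSH only from the private network
]

if __name__ == "__main__":
    for src, proto, port in [("198.51.100.7", "tcp", 443), ("198.51.100.7", "tcp", 5432),
                             ("10.1.2.3", "tcp", 5432), ("10.50.3.4", "tcp", 22),
                             ("10.1.2.3", "tcp", 22), ("10.1.2.3", "udp", 443)]:
        print(f"{src:>14} {proto}/{port:<5} -> {evaluate(RULES, src, proto, port)}")
```

Swapping the first two private-network rules would silently re-open SSH from the guest subnet, which is why rule order is worth a test of its own.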

2. Reverse Proxies

A server that sits in front of your backend servers and routes client requests.

  • Security Benefits: Masks the identity and internal IP of your backend servers.
  • Examples: NGINX, HAProxy, AWS Application Load Balancer (ALB).

🚦 Traffic Control: Rate Limiting & Throttling

Protect your APIs and backend systems from abuse, whether intentional (DDoS) or accidental (a "noisy neighbor" service).

  • Rate Limiting: Setting a cap on how many requests a user or IP can make in a given timeframe (e.g., 100 requests per minute).
  • Throttling: Gracefully slowing down requests when the system is under heavy load to prevent total failure.
  • IP Filtering: Using "Allow Lists" or "Block Lists" to control access based on geography or known malicious IPs.

πŸ—οΈ Network Security Perimeter

A typical secure architecture involves multiple layers of defense. The first layer is the perimeter, which includes firewalls and reverse proxies.


πŸ” The Zero Trust Security Model

Traditional security used the "Castle and Moat" approach: once you're inside the network, you're trusted. Zero Trust flips this: "Never trust, always verify."

Core Principles:

  • Verify Every Request: Every service-to-service call must be authenticated and authorized, even when both services sit on the same network.
  • Least Privilege: Users and services only get the exact permissions they need.
  • Assume Breach: Design the system as if an attacker is already inside.
  • mTLS (Mutual TLS): Ensuring that both the client and server verify each other's certificates.

☁️ Securing Specialized Workloads

1. Cloud Environments

Follow the Shared Responsibility Model. The cloud provider (AWS/GCP) secures the "cloud" (physical hardware, global infra), while YOU secure everything "in" the cloud (OS, Data, IAM).

2. Serverless (Lambda/Functions)

  • Focus on strict IAM roles.
  • Set function timeouts and limit API Gateway access to prevent runaway costs or attacks.

3. Containerized Workloads (Docker/K8s)

  • Image Scanning: Automatically check containers for known vulnerabilities before deployment.
  • Runtime Hardening: Use tools like Falco or OPA (Open Policy Agent) to detect suspicious behavior in real-time.

4. Microservices & Service Mesh

  • Use a Service Mesh (like Istio or Linkerd) to manage mTLS, fine-grained access policies, and observability across hundreds of services without writing custom code in every app.

Interview Questions - Network & Infrastructure Security 💡

1. What is the difference between a firewall and a reverse proxy?

Answer:

  • Firewall: A network security device that monitors and controls traffic based on predetermined rules (IPs, ports, protocols). It typically works at the network layer to block unauthorized access.
  • Reverse Proxy: A server that routes client requests to backend servers. It masks backend identities and adds features like load balancing, caching, and SSL termination.
  • Key Distinction: Firewalls focus on traffic filtering at the network level; Reverse Proxies focus on traffic routing and management at the application level.

2. How does rate limiting protect your backend services?

Answer: It prevents overloads and abuse by capping incoming requests. This protects against:

  • DDoS Attacks: Flooding the service with requests.
  • API Abuse: Intentional or accidental spikes in usage.
  • Techniques: Fixed Window (cap per time block), Token Bucket (steady allowance with burst support), and Exponential Backoff (increasing delays during load).
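Two of the techniques named above (Fixed Window and Token Bucket), written out as an added example that is not from the page or the course it cites, and also covering the rate-limiting section earlier on this page. Both limiters are replayed against the same constructed burst through a fake clock, which exposes the classic fixed-window weakness: a burst straddling a window boundary gets twice the cap, while the token bucket throttles it. The limits, rates and arrival times are assumptions.

```python
import time

class FixedWindowLimiter:
    """Caps requests per client inside fixed, clock-aligned windows (e.g. 5 per second)."""
    def __init__(self, limit: int, window_s: float, clock=time.monotonic):
        self.limit, self.window_s, self.clock = limit, window_s, clock
        self.state = {}  # client -> (window_id, count)

    def allow(self, client: str) -> bool:
        window = int(self.clock() // self.window_s)
        seen, count = self.state.get(client, (window, 0))
        if seen != window:          # new window: the old count is forgotten entirely
            count = 0
        if count >= self.limit:
            self.state[client] = (window, count)
            return False
        self.state[client] = (window, count + 1)
        return True

class TokenBucketLimiter:
    """Refills tokens at a steady rate; bursts up to `capacity` pass, then requests are throttled."""
    def __init__(self, rate_per_s: float, capacity: int, clock=time.monotonic):
        self.rate, self.capacity, self.clock = rate_per_s, capacity, clock
        self.state = {}  # client -> (tokens, last_refill_time)

    def allow(self, client: str) -> bool:
        now = self.clock()
        tokens, last = self.state.get(client, (float(self.capacity), now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self.state[client] = (tokens, now)
            return False
        self.state[client] = (tokens - 1.0, now)
        return True

def replay(limiter, arrivals, client="10.0.0.5"):
    """Feed constructed arrival times (seconds) through a limiter using a fake clock; no sleeping."""
    fake = {"now": 0.0}
    limiter.clock = lambda: fake["now"]
    decisions = []
    for ts in arrivals:
        fake["now"] = ts
        decisions.append(limiter.allow(client))
    return decisions
# Constructed traffic: 5 requests just before a 1 s boundary, 5 just after it, one much later.
ARRIVALS = [0.9] * 5 + [1.1] * 5 + [3.0]
if __name__ == "__main__":
    print("fixed window :", replay(FixedWindowLimiter(5, 1.0), ARRIVALS))   # lets all 10 burst through
    print("token bucket :", replay(TokenBucketLimiter(2.0, 5), ARRIVALS))   # throttles after 5
```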

3. Explain the Zero Trust security model and its importance.

Answer: Zero Trust follows the principle of "Never Trust, Always Verify."

  • Core Pillars: Identity & Access Management (IAM), Least Privilege access, and Micro-segmentation (isolating critical resources).
  • Importance: It mitigates lateral movement by attackers and is essential for cloud/hybrid environments where a simple "perimeter" no longer exists.

4. How would you secure a containerized workload in Kubernetes?

Answer:

  • Image Security: Use minimal base images (Alpine) and scan for vulnerabilities (Trivy/Clair).
  • RBAC: Enforce Least Privilege for users and service accounts.
  • Pod Security: Restrict root access and privilege escalation via Pod Security Admission.
  • Network Policies: Explicitly define which pods can talk to each other.
  • Secrets: Use Kubernetes Secrets (and ideally an external vault) for sensitive data.

5. What are some common OWASP Top 10 vulnerabilities and their mitigations?

Answer:

  • Injection (SQLi): Use prepared statements and parameterized queries.
  • Broken Auth: Enforce MFA and secure password storage (Hash + Salt).
  • Sensitive Data Exposure: Encrypt data in transit (TLS) and at rest (AES).
  • Broken Access Control: Implement robust RBAC and check permissions on every request.
  • XSS: Sanitize user inputs and use Content Security Policies (CSP).

6. How does a service mesh help enforce security in microservices?

Answer: It provides a dedicated infrastructure layer for:

  • mTLS: Automatic encryption and mutual authentication for all service-to-service traffic.
  • Policy Enforcement: Centralized control over who can talk to whom.
  • Observability: Detailed logging and monitoring of all internal interactions.
  • Resilience: Rate limiting and circuit breaking.

7. What's the role of IAM in cloud security?

Answer: IAM is the backbone of cloud security, governing how identities (users/systems) access resources.

  • Authentication: Verifying who is making the request (MFA/Passwords).
  • Authorization: Granting specific permissions via granular policies.
  • Least Privilege: Ensuring entities only have the access they absolutely need.
  • Audit Trails: Providing a log of every action taken in the environment.
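The authorization, least-privilege and audit-trail points above, as an added example that is not from the page or the course it cites. It evaluates a constructed policy for one service identity using the common cloud IAM convention that an explicit deny overrides any allow and that anything no statement allows is implicitly denied; the policy, action names and resource names are assumptions.

```python
import fnmatch

# Constructed policy for one service identity (an assumption, not from the page): allow only the
# actions it needs, plus an explicit deny on a sensitive prefix. Evaluation follows the common cloud
# IAM rule of thumb: explicit deny overrides any allow, and no matching allow means deny.
POLICY = [
    {"effect": "allow", "actions": ["s3:GetObject", "s3:ListBucket"], "resources": ["bucket:reports/*"]},
    {"effect": "allow", "actions": ["sqs:SendMessage"], "resources": ["queue:orders"]},
    {"effect": "deny", "actions": ["s3:*"], "resources": ["bucket:reports/secrets/*"]},
]

def _matches(patterns, value):
    # Wildcards in statements behave like "s3:*" or "bucket:reports/*"; matching is case-sensitive.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_authorized(policy, action, resource):
    """Explicit deny beats allow; a request no statement allows is implicitly denied."""
    allowed = False
    for stmt in policy:
        if _matches(stmt["actions"], action) and _matches(stmt["resources"], resource):
            if stmt["effect"] == "deny":
                return False        # explicit deny short-circuits, regardless of statement order
            allowed = True
    return allowed

def audit(policy, principal, requests):
    """Return audit-trail records (principal, action, resource, decision) for a batch of requests."""
    return [(principal, a, r, "ALLOW" if is_authorized(policy, a, r) else "DENY") for a, r in requests]

if __name__ == "__main__":
    for rec in audit(POLICY, "svc-report-worker", [
        ("s3:GetObject", "bucket:reports/2026/q1.csv"),
        ("s3:GetObject", "bucket:reports/secrets/db-password"),
        ("s3:PutObject", "bucket:reports/2026/q1.csv"),
        ("sqs:SendMessage", "queue:billing"),
    ]):
        print(rec)
```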

Next up? Integrating security into the lifecycle: Security in the SDLC

© 2026 Driptanil Datta. All rights reserved.


Disclaimer: The content provided on this blog is for educational and informational purposes only. While I strive for accuracy, all information is provided "as is" without any warranties of completeness, reliability, or accuracy. Any action you take upon the information found on this website is strictly at your own risk.

Copyright & IP: Certain technical content, interview questions, and datasets are curated from external educational sources to provide a centralized learning resource. Respect for original authorship is maintained; no copyright infringement is intended. All trademarks, logos, and brand names are the property of their respective owners.


Built with Love ❀️ | Last updated: Mar 16 2026