Posted January 19Jan 19 You are reading Part 17 of the 57-part series: Harden and Secure Linux Servers. [Level 2]This series covers progressive security measures, from fundamental hardening techniques to enterprise-grade defense strategies. Each article delves into a specific security practice, explaining its importance and providing step-by-step guidance for implementation.To explore more security best practices, visit the main guide for a full breakdown of all levels and recommendations.Network segmentation enhances security by isolating critical services and limiting unnecessary communication between different parts of your infrastructure. If an attacker gains access to one system, segmentation prevents them from easily reaching sensitive data or services.By separating workloads and restricting traffic, you reduce attack surfaces, minimize exposure, and improve overall security.1. Use Virtual Private Clouds (VPCs) and Subnets (For Cloud Environments)In AWS, Google Cloud, or Azure, create separate VPCs for different services (e.g., one for web servers, another for databases).Assign private subnets to sensitive resources so they are not publicly accessible.Use security groups and network ACLs to define which systems can communicate.2. Configure Firewalls to Control Traffic Between ServicesFirewalls can enforce segmentation by allowing only specific traffic between different zones.For UFW (Ubuntu/Debian Firewall):sudo ufw allow from 192.168.1.0/24 to any port 3306 # Allow MySQL access only from a trusted subnet sudo ufw allow from 192.168.2.0/24 to any port 22 # Allow SSH access only from a trusted subnet sudo ufw enable For Firewalld (CentOS/RHEL Firewall):sudo firewall-cmd --permanent --zone=internal --add-service=mysql sudo firewall-cmd --permanent --zone=external --remove-service=mysql sudo firewall-cmd --reload (This allows MySQL traffic only in the internal zone, blocking it externally.)3. Use iptables to Restrict Traffic (For On-Premise Linux Servers)You can define strict rules using iptables to allow only necessary connections.Example: Restrict SSH access to trusted IPs onlysudo iptables -A INPUT -p tcp -s 192.168.1.100 --dport 22 -j ACCEPT sudo iptables -A INPUT -p tcp --dport 22 -j DROP (Only the IP 192.168.1.100 can access SSH; all others are blocked.)Example: Allow database access only from the application serversudo iptables -A INPUT -p tcp -s 192.168.1.200 --dport 3306 -j ACCEPT sudo iptables -A INPUT -p tcp --dport 3306 -j DROP (Only 192.168.1.200 can connect to MySQL, blocking all other IPs.)4. Implement VLANs for Physical Network SegmentationIf using physical networking, VLANs (Virtual Local Area Networks) help separate different network segments at the switch level.Assign different VLANs for different teams (e.g., finance, development, IT).Use VLAN tagging to control traffic flow.Ensure VLANs cannot communicate directly unless explicitly allowed by firewall rules.Best Practices for Network Segmentation✅ Apply the principle of least privilege (PoLP) → Only allow necessary network connections.✅ Keep public-facing services isolated from internal services (e.g., separate web servers from databases).✅ Use logging and monitoring to detect unauthorized traffic attempts.✅ Regularly audit firewall rules to remove unnecessary access.✅ Combine segmentation with VPNs for secure internal communication.By implementing network segmentation, you limit the impact of security breaches, protect sensitive resources, and enhance overall security across your infrastructure.
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.