Network Security Hardening
A flat network with permissive security groups is an attacker's dream. We harden your network with proper segmentation, least-privilege firewall rules, intrusion detection, and encrypted communications — defense in depth that limits blast radius when (not if) something gets compromised.
Need this done for your project?
We implement, you ship. Async, documented, done in days.
Firewall & Security Groups
We audit existing security groups and firewall rules — most organizations have rules that were 'temporary' three years ago. Rules get rewritten with least-privilege: explicit allow for required traffic, deny everything else. Security groups reference other groups (not CIDR ranges) so rules stay valid as IPs change. iptables/nftables on individual hosts add a second layer. All rules are managed as code via Terraform.
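The checks described above (no all-ports rules, internet exposure only on explicitly allowed edge ports, internal rules referencing groups rather than CIDRs) can be expressed as an audit over exported rules. The following is an added example written for this page, not Anubiz Engineering's own tooling; the rule shape, the `sg-` prefix convention, the `INTERNET_FACING` allowlist and the sample rules are all assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of ingress rules in a simplified, provider-neutral shape
# (not real rules from any account). "source" is either a CIDR string or the
# id of another security group (assumed here to start with "sg-").
SAMPLE_RULES = [
    {"group": "sg-lb",  "proto": "tcp", "from": 443,  "to": 443,   "source": "0.0.0.0/0"},
    {"group": "sg-app", "proto": "tcp", "from": 8080, "to": 8080,  "source": "sg-lb"},
    {"group": "sg-db",  "proto": "tcp", "from": 5432, "to": 5432,  "source": "10.0.0.0/16"},
    {"group": "sg-db",  "proto": "tcp", "from": 22,   "to": 22,    "source": "0.0.0.0/0"},
    {"group": "sg-app", "proto": "-1",  "from": 0,    "to": 65535, "source": "sg-lb"},
]

# The only groups that may accept traffic from anywhere, and on which ports
# (hypothetical allowlist for this example).
INTERNET_FACING = {"sg-lb": {80, 443}}


@dataclass(frozen=True)
class Finding:
    group: str
    severity: str
    reason: str


def is_sg_reference(source: str) -> bool:
    """True when the rule's source is another security group rather than a CIDR."""
    return source.startswith("sg-")


def is_any_address(source: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. 'the whole internet'."""
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False  # not a CIDR at all (e.g. a security-group id)


def audit_rule(rule: dict) -> list[Finding]:
    """Apply the least-privilege checks to one ingress rule."""
    findings: list[Finding] = []
    group, src = rule["group"], rule["source"]
    lo, hi = rule["from"], rule["to"]

    # 1. All protocols / all ports is never least privilege, whatever the source.
    if rule["proto"] == "-1" or (lo == 0 and hi == 65535):
        findings.append(Finding(group, "high", f"all ports/protocols allowed from {src}"))

    # 2. Exposure to the whole internet is only acceptable on the allowlisted edge ports.
    if is_any_address(src):
        allowed = INTERNET_FACING.get(group, set())
        if not set(range(lo, hi + 1)) <= allowed:
            findings.append(Finding(group, "critical", f"ports {lo}-{hi} open to {src}"))
    # 3. Internal rules should reference a group, not a CIDR that drifts as IPs change.
    elif not is_sg_reference(src):
        findings.append(Finding(group, "medium",
                                f"source {src} is a CIDR; reference a security group instead"))
    return findings


def audit(rules: list[dict]) -> list[Finding]:
    """Run every rule through the checks and collect the findings in rule order."""
    return [f for rule in rules for f in audit_rule(rule)]


if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"[{f.severity:8}] {f.group}: {f.reason}")
```

On the sample rules the script passes the load balancer's 443 rule and the app group's rule that references `sg-lb`, and flags the database group twice (a CIDR source on 5432, and SSH open to the internet) plus the all-ports rule. Running it against rules exported from Terraform state before and after a rewrite is one way to confirm that the "temporary" rules are actually gone.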
Network Segmentation
Production, staging, and development get separate network segments with controlled cross-segment access. Database subnets have no internet access — only application subnets can reach them. Management networks are isolated from production traffic. Kubernetes namespaces get NetworkPolicies that enforce pod-to-pod communication rules. Segmentation limits blast radius — a compromised web server can't reach the database directly.
Intrusion Detection
We deploy network-level IDS (Suricata or Zeek) on key network boundaries. Rules detect port scanning, known exploit signatures, and anomalous traffic patterns. VPC Flow Logs feed into analysis tools for visibility into traffic patterns and unauthorized connection attempts. Alert rules distinguish between noise (port scans from the internet) and signal (lateral movement inside the network).
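The noise-versus-signal distinction above can be demonstrated on flow-log records: an external source rejected on many ports is a scan worth counting but not paging on, while an internal host reaching several other internal hosts on administrative ports is the lateral-movement pattern segmentation is meant to prevent. The following is an added example for this page, not the page's or Anubiz Engineering's own detection rules; the internal address range, the admin-port set, both thresholds and the sample records (written in the AWS VPC Flow Logs default v2 field order with made-up addresses, ENI ids and account id) are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# What counts as "inside" for this example (assumed address plan, not the page's).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Ports where one internal host fanning out to many others is a lateral-movement signal.
ADMIN_PORTS = {22, 445, 3389, 5985}
SCAN_PORT_THRESHOLD = 5      # distinct rejected ports from one external source
LATERAL_HOST_THRESHOLD = 3   # distinct internal hosts reached on admin ports from one source

# Constructed sample records in the AWS VPC Flow Logs default (v2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_LOG = """\
2 111122223333 eni-0a1 198.51.100.7 10.0.1.10 51000 21 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1 198.51.100.7 10.0.1.10 51001 22 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1 198.51.100.7 10.0.1.10 51002 23 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1 198.51.100.7 10.0.1.10 51003 25 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1 198.51.100.7 10.0.1.10 51004 80 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1 198.51.100.7 10.0.1.10 51005 443 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0b2 10.0.2.15 10.0.3.21 40001 22 6 5 320 1700000100 1700000160 ACCEPT OK
2 111122223333 eni-0b2 10.0.2.15 10.0.3.22 40002 22 6 5 320 1700000100 1700000160 ACCEPT OK
2 111122223333 eni-0b2 10.0.2.15 10.0.3.23 40003 22 6 5 320 1700000100 1700000160 ACCEPT OK
2 111122223333 eni-0b2 10.0.2.15 10.0.3.24 40004 445 6 5 320 1700000100 1700000160 ACCEPT OK
2 111122223333 eni-0c3 10.0.1.10 10.0.3.30 40005 5432 6 80 9100 1700000100 1700000160 ACCEPT OK
2 111122223333 eni-0c3 - - - - - - - 1700000100 1700000160 - NODATA
"""


@dataclass(frozen=True)
class Alert:
    kind: str      # "noise" (external scan) or "signal" (internal lateral movement)
    source: str
    detail: str


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow_lines(text: str):
    """Yield (src, dst, dstport, action) for records that actually carry data."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[13] != "OK":   # skip NODATA / SKIPDATA / truncated records
            continue
        yield f[3], f[4], int(f[6]), f[12]


def analyze(text: str) -> list[Alert]:
    rejected_ports = defaultdict(set)   # external src -> dst ports it was rejected on
    admin_targets = defaultdict(set)    # internal src -> internal hosts reached on admin ports
    for src, dst, dport, action in parse_flow_lines(text):
        if not is_internal(src):
            if action == "REJECT":
                rejected_ports[src].add(dport)
        elif is_internal(dst) and action == "ACCEPT" and dport in ADMIN_PORTS:
            admin_targets[src].add(dst)

    alerts: list[Alert] = []
    for src, ports in rejected_ports.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            alerts.append(Alert("noise", src, f"scanned {len(ports)} ports, all rejected"))
    for src, hosts in admin_targets.items():
        if len(hosts) >= LATERAL_HOST_THRESHOLD:
            alerts.append(Alert("signal", src,
                                f"reached {len(hosts)} internal hosts on admin ports: {sorted(hosts)}"))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.kind.upper():6} {a.source}: {a.detail}")
```

On the sample, the external host is reported as noise (six rejected ports), the internal host `10.0.2.15` is reported as signal (SSH and SMB to four different hosts), and the application server's single connection to the database on 5432 produces nothing, which is the behaviour an alert rule on a segmented network should have. Thresholds are the tuning knobs; the structural point is that the same "many distinct targets" measure means different things depending on whether the source is inside or outside the boundary.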
Encrypted Communications
All inter-service communication uses TLS — internal services get certificates from a private CA (cert-manager with a self-signed root, or Vault PKI). Mutual TLS (mTLS) via service mesh ensures both client and server authenticate. Database connections use TLS with certificate verification. SSH keys get rotated and managed centrally. We eliminate plaintext protocols from your production network.
Why Anubiz Engineering
Ready to get started?
Skip the research. Tell us what you need, and we'll scope it, implement it, and hand it back — fully documented and production-ready.