Network & Infrastructure Security Intermediate

Firewalls filter traffic by rules (allow/deny by port, IP, protocol). Network segmentation divides networks into zones (DMZ, internal, management) so a breach in one cannot freely reach others. Default-deny inbound is the safe baseline.

A VPN creates an encrypted tunnel over untrusted networks. Pair it with MFA and device posture checks. Modern Zero Trust Network Access verifies identity and context per-request instead of trusting the whole network once connected.

An IDS detects suspicious activity and alerts; an IPS can block it inline. Centralise logs in a SIEM, alert on anomalies, and keep tamper-evident records. Detection without response is incomplete — define an incident response plan.

• Close unused ports and services (reduce attack surface).
• Apply security patches on a defined cadence.
• Use strong, unique admin credentials and key-based SSH.
• Encrypt management traffic; disable legacy protocols (Telnet, SMBv1).
• Run regular vulnerability scans and penetration tests (with authorisation).