mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-18 05:29:40 +03:00
Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills - Update all 648 LICENSE files: copyright now reads 'Mahipal' - Add implementing-security-monitoring-with-datadog (new skill with full anatomy) - All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
This commit is contained in:
+80
@@ -0,0 +1,80 @@
|
||||
# API Reference: Implementing Network Segmentation with Firewall Zones
|
||||
|
||||
## Zone Trust Levels
|
||||
|
||||
| Zone | Trust Level | Typical VLANs | Default Policy |
|
||||
|------|-------------|---------------|----------------|
|
||||
| Internet | 0 (Untrusted) | N/A | Deny all inbound |
|
||||
| DMZ | 1 (Low) | 10-19 | Permit specific inbound services |
|
||||
| Guest | 1 (Low) | 50-59 | Internet-only, deny internal |
|
||||
| Corporate | 3 (Medium) | 100-199 | Permit outbound, restricted inbound |
|
||||
| Server/DC | 4 (High) | 200-299 | Strict ACL, limited admin |
|
||||
| PCI CDE | 5 (Critical) | 300-309 | PCI DSS compliant isolation |
|
||||
| Management | 5 (Critical) | 900-909 | Jump box only |
|
||||
| OT/SCADA | 5 (Critical) | 400-409 | Air-gapped or strictly firewalled |
|
||||
|
||||
## Palo Alto Zone-Based CLI
|
||||
|
||||
```bash
|
||||
# Create security zone
|
||||
set network zone trust network layer3 ethernet1/2
|
||||
set network zone untrust network layer3 ethernet1/1
|
||||
set network zone dmz network layer3 ethernet1/3
|
||||
|
||||
# Inter-zone security policy
|
||||
set rulebase security rules Allow-Corp-to-DMZ from trust to dmz \
|
||||
application web-browsing action allow log-end yes
|
||||
|
||||
# Default deny rule
|
||||
set rulebase security rules Deny-All from any to any application any action deny log-start yes
|
||||
```
|
||||
|
||||
## Cisco ASA Zone Commands
|
||||
|
||||
```bash
|
||||
# Define nameif and security level
|
||||
interface GigabitEthernet0/0
|
||||
nameif outside
|
||||
security-level 0
|
||||
interface GigabitEthernet0/1
|
||||
nameif inside
|
||||
security-level 100
|
||||
interface GigabitEthernet0/2
|
||||
nameif dmz
|
||||
security-level 50
|
||||
|
||||
# ACL for inter-zone traffic
|
||||
access-list OUTSIDE_IN extended permit tcp any host 192.168.10.5 eq 443
|
||||
access-group OUTSIDE_IN in interface outside
|
||||
```
|
||||
|
||||
## PCI DSS Segmentation Requirements
|
||||
|
||||
| Requirement | Control |
|
||||
|-------------|---------|
|
||||
| Req 1.2 | Restrict connections between untrusted and CDE |
|
||||
| Req 1.3 | Prohibit direct public access to CDE |
|
||||
| Req 1.4 | Personal firewall on portable devices |
|
||||
| Req 11.3.4 | Penetration testing validates segmentation |
|
||||
|
||||
## VLAN Trunking (802.1Q)
|
||||
|
||||
```bash
|
||||
# Cisco switch VLAN configuration
|
||||
vlan 100
|
||||
name Corporate
|
||||
vlan 200
|
||||
name Servers
|
||||
vlan 300
|
||||
name PCI_CDE
|
||||
|
||||
interface GigabitEthernet0/1
|
||||
switchport mode trunk
|
||||
switchport trunk allowed vlan 100,200,300
|
||||
```
|
||||
|
||||
### References
|
||||
|
||||
- NIST SP 800-41: https://csrc.nist.gov/publications/detail/sp/800-41/rev-1/final
|
||||
- PCI DSS v4.0 Network Segmentation: https://www.pcisecuritystandards.org/
|
||||
- CIS Controls v8 Control 12: https://www.cisecurity.org/controls/v8
|
||||
Reference in New Issue
Block a user