mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-11 21:54:56 +03:00
c21af3347e
- Add scripts/agent.py and references/api-reference.md to all remaining skills - Update all 648 LICENSE files: copyright now reads 'Mahipal' - Add implementing-security-monitoring-with-datadog (new skill with full anatomy) - All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2.4 KiB
# API Reference: Implementing Network Segmentation with Firewall Zones

## Zone Trust Levels
| Zone | Trust Level | Typical VLANs | Default Policy |
|---|---|---|---|
| Internet | 0 (Untrusted) | N/A | Deny all inbound |
| DMZ | 1 (Low) | 10-19 | Permit specific inbound services |
| Guest | 1 (Low) | 50-59 | Internet-only, deny internal |
| Corporate | 3 (Medium) | 100-199 | Permit outbound, restricted inbound |
| Server/DC | 4 (High) | 200-299 | Strict ACL, limited admin |
| PCI CDE | 5 (Critical) | 300-309 | PCI DSS compliant isolation |
| Management | 5 (Critical) | 900-909 | Jump box only |
| OT/SCADA | 5 (Critical) | 400-409 | Air-gapped or strictly firewalled |
## Palo Alto Zone-Based CLI

```text
# Create security zones and bind one Layer 3 interface to each
set network zone trust network layer3 ethernet1/2
set network zone untrust network layer3 ethernet1/1
set network zone dmz network layer3 ethernet1/3

# Inter-zone security policy. PAN-OS set syntax also needs source, destination
# and service on the rule, otherwise the commit fails validation.
set rulebase security rules Allow-Corp-to-DMZ from trust to dmz source any destination any application web-browsing service application-default action allow log-end yes

# Explicit default deny at the bottom of the rulebase, so denied sessions are
# logged (the implicit interzone-default rule drops without logging).
set rulebase security rules Deny-All from any to any source any destination any application any service any action deny log-start yes log-end yes
```
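As an added example that is not part of the skill repository, the following Python audits a proposed rulebase against the zone trust levels and default policies in the table above (Internet-only Guest, jump-box-only Management, no direct public access to the CDE) and checks for the trailing explicit deny used in the Palo Alto snippet. The zone names and trust levels are taken from the table; the jump-box address and the sample rules are constructed.

```python
# Added example (not from the skill repo): audit inter-zone rules against the zone model.
from dataclasses import dataclass

# Trust levels copied from the "Zone Trust Levels" table; unknown zones ("any") count as untrusted.
TRUST = {"Internet": 0, "DMZ": 1, "Guest": 1, "Corporate": 3,
         "Server/DC": 4, "PCI CDE": 5, "Management": 5, "OT/SCADA": 5}
JUMP_BOX = "10.200.0.10"  # constructed placeholder for the admin jump host address

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    source: str       # source address object, or "any"
    application: str  # e.g. "web-browsing", or "any"
    action: str       # "allow" or "deny"

def check_rule(r: Rule) -> list[str]:
    """Return findings for one rule; an empty list means it fits the zone model."""
    findings = []
    if r.action != "allow":
        return findings  # deny rules never widen exposure
    up = TRUST.get(r.dst_zone, 0) > TRUST.get(r.src_zone, 0)
    # Req 1.3: no direct public access to the CDE; the same holds for OT and Management.
    if r.src_zone == "Internet" and r.dst_zone in ("PCI CDE", "OT/SCADA", "Management"):
        findings.append(f"{r.name}: direct Internet access into {r.dst_zone} is prohibited")
    # Guest is Internet-only: any internal destination is a violation.
    if r.src_zone == "Guest" and r.dst_zone != "Internet":
        findings.append(f"{r.name}: Guest may reach the Internet only, not {r.dst_zone}")
    # Management accepts sessions from the jump box only.
    if r.dst_zone == "Management" and r.source != JUMP_BOX:
        findings.append(f"{r.name}: Management must be reached from the jump box only")
    # Flows toward a higher-trust zone must name an application, never "any".
    if up and r.application == "any":
        findings.append(f"{r.name}: 'application any' into higher-trust zone {r.dst_zone}")
    return findings

def audit(rules: list[Rule]) -> list[str]:
    """Check every rule and require an explicit trailing any-to-any deny."""
    out = [f for r in rules for f in check_rule(r)]
    if not rules or rules[-1].action != "deny" or rules[-1].src_zone != "any":
        out.append("rulebase: missing trailing explicit Deny-All (any -> any)")
    return out

# Constructed sample rulebase: the two rules from the Palo Alto snippet plus two that break the model.
SAMPLE = [
    Rule("Allow-Corp-to-DMZ", "Corporate", "DMZ", "any", "web-browsing", "allow"),
    Rule("Bad-Internet-to-CDE", "Internet", "PCI CDE", "any", "ssl", "allow"),
    Rule("Bad-Guest-to-Servers", "Guest", "Server/DC", "any", "any", "allow"),
    Rule("Deny-All", "any", "any", "any", "any", "deny"),
]
```

Running `audit(SAMPLE)` returns three findings: one for the Internet-to-CDE rule and two for the Guest-to-servers rule.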
## Cisco ASA Zone Commands

```text
! Name each interface and assign a security level (0 = least trusted, 100 = most trusted)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
! Without an ACL the ASA only permits traffic from a higher to a lower security level,
! so inbound sessions from outside need an explicit ACL bound to the outside interface.
! Everything the ACL does not permit is dropped by its implicit deny.
access-list OUTSIDE_IN extended permit tcp any host 192.168.10.5 eq 443
access-group OUTSIDE_IN in interface outside
```
## PCI DSS Segmentation Requirements
| Requirement | Control |
|---|---|
| Req 1.2 | Restrict connections between untrusted and CDE |
| Req 1.3 | Prohibit direct public access to CDE |
| Req 1.4 | Personal firewall on portable devices |
| Req 11.3.4 | Penetration testing validates segmentation |
## VLAN Trunking (802.1Q)

```text
! Cisco IOS switch: define the VLANs, then carry only those VLANs on the 802.1Q trunk
vlan 100
 name Corporate
vlan 200
 name Servers
vlan 300
 name PCI_CDE
interface GigabitEthernet0/1
 switchport mode trunk
 ! Restrict the trunk to the listed VLANs; an unrestricted trunk carries every VLAN, PCI_CDE included
 switchport trunk allowed vlan 100,200,300
```
## References
- NIST SP 800-41: https://csrc.nist.gov/publications/detail/sp/800-41/rev-1/final
- PCI DSS v4.0 Network Segmentation: https://www.pcisecuritystandards.org/
- CIS Controls v8 Control 12: https://www.cisecurity.org/controls/v8