creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 21:54:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/implementing-network-segmentation-with-firewall-zones/references/api-reference.md
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal 
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

81 lines
2.4 KiB
Markdown
Raw Blame History

# API Reference: Implementing Network Segmentation with Firewall Zones
## Zone Trust Levels
| Zone | Trust Level | Typical VLANs | Default Policy |
|------|-------------|---------------|----------------|
| Internet | 0 (Untrusted) | N/A | Deny all inbound |
| DMZ | 1 (Low) | 10-19 | Permit specific inbound services |
| Guest | 1 (Low) | 50-59 | Internet-only, deny internal |
| Corporate | 3 (Medium) | 100-199 | Permit outbound, restricted inbound |
| Server/DC | 4 (High) | 200-299 | Strict ACL, limited admin |
| PCI CDE | 5 (Critical) | 300-309 | PCI DSS compliant isolation |
| Management | 5 (Critical) | 900-909 | Jump box only |
| OT/SCADA | 5 (Critical) | 400-409 | Air-gapped or strictly firewalled |
## Palo Alto Zone-Based CLI
```bash
# Create security zone
set network zone trust network layer3 ethernet1/2
set network zone untrust network layer3 ethernet1/1
set network zone dmz network layer3 ethernet1/3
# Inter-zone security policy
set rulebase security rules Allow-Corp-to-DMZ from trust to dmz \
application web-browsing action allow log-end yes
# Default deny rule
set rulebase security rules Deny-All from any to any application any action deny log-start yes
```
## Cisco ASA Zone Commands
```bash
# Define nameif and security level
interface GigabitEthernet0/0
nameif outside
security-level 0
interface GigabitEthernet0/1
nameif inside
security-level 100
interface GigabitEthernet0/2
nameif dmz
security-level 50
# ACL for inter-zone traffic
access-list OUTSIDE_IN extended permit tcp any host 192.168.10.5 eq 443
access-group OUTSIDE_IN in interface outside
```
## PCI DSS Segmentation Requirements
| Requirement | Control |
|-------------|---------|
| Req 1.2 | Restrict connections between untrusted and CDE |
| Req 1.3 | Prohibit direct public access to CDE |
| Req 1.4 | Personal firewall on portable devices |
| Req 11.3.4 | Penetration testing validates segmentation |
## VLAN Trunking (802.1Q)
```bash
# Cisco switch VLAN configuration
vlan 100
name Corporate
vlan 200
name Servers
vlan 300
name PCI_CDE
interface GigabitEthernet0/1
switchport mode trunk
switchport trunk allowed vlan 100,200,300
```
### References
- NIST SP 800-41: https://csrc.nist.gov/publications/detail/sp/800-41/rev-1/final
- PCI DSS v4.0 Network Segmentation: https://www.pcisecuritystandards.org/
- CIS Controls v8 Control 12: https://www.cisecurity.org/controls/v8
Reference in New Issue View Git Blame Copy Permalink