Chapter 9

Network Security

How packets get filtered, encrypted, and dispersed — firewalls, VPNs, zero trust, and surviving a DDoS.

6 topics

Everything before this chapter assumed the network would faithfully carry your packets. This chapter assumes someone on the path wants to read them, forge them, or drown them. Network security is the set of controls you add when the wire is hostile: firewalls that decide which packets pass, VPNs that encrypt the ones that must cross untrusted ground, segmentation that limits what a single breach can reach, and DDoS mitigation for when the attack is simply too much traffic to serve.

The six topics build from the packet up. Firewalls and packet filtering are the same idea at two altitudes — theory, then the iptables, nftables, and cloud security-group rules you actually type. IPsec and WireGuard are two answers to the same tunneling problem, one heavyweight and standard, one lean and modern. Zero trust is the architecture you reach for once you accept that the perimeter will be breached. DDoS closes the chapter on the one attack you cannot simply firewall away.

Firewall: drop or pass packets by their 5-tuple (IPs, ports, protocol)
VPN: carry private traffic across an untrusted network unread
Zero trust: authenticate every request, trusting nothing by location
DDoS mitigation: absorb a flood too large for any one origin to serve

Topics in This Chapter