Security Hardening Checklist
Network security is mostly disciplined defaults applied everywhere, not clever tricks. The breaches that matter rarely exploit a novel flaw — they walk through a default-allow egress rule, a plaintext internal hop, a flat network with no segmentation, or an admin port left open to the internet. This topic turns the security mechanisms from earlier chapters into a single pre-production checklist: minimize exposure, encrypt in transit, segment and authenticate, detect and respond.
Each item names a specific control and the exposure it closes, so you can run it down against a real deployment rather than nod along to principles. The four sections below are ordered the way an attacker is: what can they reach, can they read it, can they move laterally once in, and will you see them. Treat any item you cannot check off as a finding.
Minimize Exposure
Default-deny in both directions is the foundation. Most teams write inbound rules and leave egress wide open — but a compromised host's first move is outbound, to phone home and exfiltrate, and default-allow egress is the open door it walks through (default-deny, Topic 49). Deny outbound by default and allow only the specific destinations each workload needs.
Private-by-default closes the other half. Instances should have no public IP unless they specifically serve the internet, databases and internal services should be reachable only from inside the VPC, and the open-port count should be the minimum each tier requires: never SSH or RDP exposed to 0.0.0.0/0 (or its IPv6 twin, ::/0). Admin access goes through a bastion, a VPN, or an identity-aware proxy, never a port open to the entire address space.
```shell
# find the exposure before an attacker does: any rule open to the world,
# especially on admin ports (22/SSH, 3389/RDP); check ::/0 as well for IPv6 rules
gcloud compute firewall-rules list \
  --filter="sourceRanges:0.0.0.0/0 AND allowed.ports:(22 OR 3389)"

# on a host: confirm egress is default-deny, not default-allow.
# the first line of output names the chain policy: "Chain OUTPUT (policy DROP)"
# is default-deny, "(policy ACCEPT)" is the open outbound door
iptables -L OUTPUT -n --line-numbers | head
```
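The same two checks as an offline audit you can run in CI against a rule export. This is an added example, not code from the page: `SAMPLE_RULES` is a constructed list shaped like the JSON that `gcloud compute firewall-rules list --format=json` emits (name, direction, priority, sourceRanges/destinationRanges, allowed/denied), trimmed to the fields the audit reads, with invented rule names and ranges. It also encodes the GCP detail the iptables check does not cover: the implied egress rule is allow-all at priority 65535, so a project with no explicit deny-all egress rule is default-allow even though no rule says so.

```python
"""Audit a firewall-rule export for the two exposures this section names:
admin ports reachable from the whole internet, and egress that is not
default-deny. Constructed example; SAMPLE_RULES mimics gcloud JSON output."""
from typing import Iterable, Optional

ADMIN_PORTS = {22, 3389}
WORLD = {"0.0.0.0/0", "::/0"}            # IPv4 and IPv6 "anywhere"


def _ports(spec: Optional[Iterable[str]]) -> Optional[set]:
    """Expand gcloud port specs ("22", "3380-3390") into a set of ints.
    A missing ports key means every port of that protocol; return None for it."""
    if spec is None:
        return None
    out = set()
    for item in spec:
        lo, _, hi = item.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def world_open_admin_rules(rules: list) -> list:
    """Names of enabled INGRESS allow rules that expose 22 or 3389 to WORLD."""
    hits = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if not WORLD & set(rule.get("sourceRanges", [])):
            continue
        for allow in rule.get("allowed", []):
            if allow["IPProtocol"] not in ("tcp", "all"):
                continue
            ports = _ports(allow.get("ports"))
            if ports is None or ports & ADMIN_PORTS:
                hits.append(rule["name"])
                break
    return hits


def egress_is_default_deny(rules: list) -> bool:
    """True only if an explicit deny-all EGRESS rule to WORLD exists and no
    allow-all EGRESS rule to WORLD outranks it (lower priority number wins).
    GCP's implied egress rule is allow-all at priority 65535, so with no
    explicit deny the project is default-allow."""
    best_deny = best_allow = None
    for rule in rules:
        if rule.get("direction") != "EGRESS" or rule.get("disabled"):
            continue
        if not WORLD & set(rule.get("destinationRanges", [])):
            continue
        pri = rule.get("priority", 1000)
        if any(d["IPProtocol"] == "all" for d in rule.get("denied", [])):
            best_deny = pri if best_deny is None else min(best_deny, pri)
        if any(a["IPProtocol"] == "all" for a in rule.get("allowed", [])):
            best_allow = pri if best_allow is None else min(best_allow, pri)
    if best_deny is None:
        return False
    return best_allow is None or best_deny < best_allow


def audit(rules: list) -> dict:
    """Findings a reviewer would raise against this rule set."""
    findings = [f"{name}: admin port open to the world" for name in world_open_admin_rules(rules)]
    if not egress_is_default_deny(rules):
        findings.append("egress: no effective deny-all rule; default-allow egress is in force")
    return {"findings": findings, "pass": not findings}


# Constructed rule set (invented names and ranges), in gcloud's JSON shape.
SAMPLE_RULES = [
    {"name": "allow-ssh-world", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-rdp-range", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["::/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3380-3390"]}]},
    {"name": "allow-https-world", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "allow-icmp-world", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "icmp"}]},
    {"name": "allow-ssh-bastion", "direction": "INGRESS", "priority": 900,
     "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "deny-all-egress", "direction": "EGRESS", "priority": 65000,
     "destinationRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}]},
    {"name": "allow-egress-https", "direction": "EGRESS", "priority": 1000,
     "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```

Run it against a real export by feeding `json.load(open("rules.json"))` to `audit`. Note that a rule allowing only tcp/443 to the world is still compatible with default-deny egress: the check is about what applies when no specific rule matches, not about whether any broad allow exists.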
Encrypt Everything in Transit
Plaintext on the wire is readable by anything on the path: a compromised switch, a tap, a misrouted packet. Terminate external traffic with TLS 1.3, which removes the legacy cipher suites and static RSA key exchange that TLS 1.2 still permits and completes the handshake in one round trip instead of two, and redirect every plaintext port to its encrypted equivalent (for HTTP, a redirect to HTTPS; for anything else, close the plaintext listener rather than leave it running beside the encrypted one). There is no "internal traffic is safe" exemption in a zero-trust model: the internal network is just an attacker's next hop after the first host falls.
Service-to-service traffic gets mutual TLS, where both ends present certificates and authenticate each other, so a rogue workload cannot impersonate a legitimate caller. A service mesh (Topic 73) can apply mTLS to every hop without changing application code. The standard to enforce is simple: no plaintext hop anywhere, internal or external, including health checks and metrics scrapes.
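The TLS and mTLS rules above expressed as code, using only Python's standard-library `ssl` module. This is an added example, not code from the page or from any mesh: one server context built the way listeners often ship (TLS 1.2 still negotiable, no client certificate), the hardened server and client contexts for an internal hop, and an audit that reports which of the rules a context breaks. The certificate and CA file names in the comments are placeholders; the contexts are built without key material so the example runs anywhere.

```python
"""TLS policy as code for the 'no plaintext hop, TLS 1.3, mTLS' rule.
Added example; file names in comments are placeholders, not real paths."""
import ssl


def weak_server_context() -> ssl.SSLContext:
    """Untouched defaults: TLS 1.2 still negotiable and no client certificate
    required, so anything that can reach the port can talk to the service."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_server_context() -> ssl.SSLContext:
    """Internal listener: TLS 1.3 only, and a client certificate is mandatory."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.verify_mode = ssl.CERT_REQUIRED   # handshakes without a trusted client cert are rejected
    # In production (placeholder paths):
    #   ctx.load_verify_locations("internal-ca.pem")      # the only issuer we accept peers from
    #   ctx.load_cert_chain("orders.pem", "orders.key")    # this workload's own identity
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Caller side of the same hop: verify the server against the internal CA,
    check its name, speak TLS 1.3 only, and present our own cert for mTLS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    # ctx.load_verify_locations("internal-ca.pem"); ctx.load_cert_chain("web.pem", "web.key")
    return ctx


def audit_context(ctx: ssl.SSLContext, internal_hop: bool = True) -> list:
    """Checklist violations for a context; an empty list means it passes.
    internal_hop=False relaxes only the mTLS requirement (public edge listener)."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        findings.append(f"minimum version is {ctx.minimum_version.name}; require TLSv1_3")
    if internal_hop and ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required; internal hops need mTLS")
    if ctx.protocol == ssl.PROTOCOL_TLS_CLIENT and not ctx.check_hostname:
        findings.append("check_hostname disabled; server identity is not verified")
    return findings


if __name__ == "__main__":
    for name, ctx in [("weak server", weak_server_context()),
                      ("hardened server", hardened_server_context()),
                      ("hardened client", hardened_client_context())]:
        print(name, audit_context(ctx) or "OK")
```

Wire the hardened contexts into `ssl.SSLContext.wrap_socket` on both ends of a loopback connection with certificates from your internal CA and the handshake will fail the moment either side omits its certificate, which is the behaviour you want from every internal hop, health checks and metrics scrapes included.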
Segment and Authenticate
Microsegmentation replaces the flat network with fine-grained boundaries: each tier or workload reaches only the specific peers it must, so a breached web host cannot pivot straight to the database. The flat layer-2 network where every host can reach every other is the anti-pattern this closes; it turns one compromise into free lateral movement across the whole environment (segmentation, Topic 53).
Zero-trust identity goes a layer further than network position: a workload's identity, proven by a certificate or signed token, decides what it may call — not its IP address, which an attacker on the same subnet can spoof or simply share. Authenticate workloads, not subnets, and authorize on identity, so being inside the network grants nothing on its own.
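What "authorize on identity, not IP" looks like at the point where a service decides whether to serve a call. This is an added example, not code from the page: the peer-certificate dicts are constructed in the shape that `ssl.SSLSocket.getpeercert()` returns after an mTLS handshake (only the `URI` entry of `subjectAltName`, carrying a SPIFFE-style ID, is used), and the service names, trust domain and policy table are invented. An IP-based allow rule is evaluated alongside so the failure mode is concrete: a compromised batch host on the same subnet as the web tier has an allowed source address but no allowed identity.

```python
"""Authorize on workload identity, not on source address. Added example;
certificates, SPIFFE IDs, subnets and policy are all constructed."""
import ipaddress
from typing import Optional

TRUST_DOMAIN = "spiffe://prod.example/"

# Constructed policy: callee -> identities allowed to call it.
POLICY = {
    "orders":   {"spiffe://prod.example/svc/web"},
    "payments": {"spiffe://prod.example/svc/orders"},
}
# The anti-pattern, kept only for comparison: callee -> source subnets allowed.
IP_POLICY = {"orders": ["10.1.0.0/24"]}

# Constructed getpeercert() results. web and batch share 10.1.0.0/24.
WEB_CERT = {
    "subject": ((("commonName", "web"),),),
    "issuer": ((("commonName", "prod-internal-ca"),),),
    "subjectAltName": (("URI", "spiffe://prod.example/svc/web"),),
}
BATCH_CERT = {
    "subject": ((("commonName", "batch"),),),
    "issuer": ((("commonName", "prod-internal-ca"),),),
    "subjectAltName": (("DNS", "batch.internal"), ("URI", "spiffe://prod.example/svc/batch")),
}


def identity_from_peercert(cert: Optional[dict]) -> Optional[str]:
    """Return the peer's SPIFFE ID, or None when it is absent or ambiguous.
    getpeercert() returns None when no certificate was presented and {} when
    one was presented but the context did not verify it; both mean no identity."""
    if not cert:
        return None
    uris = [value for kind, value in cert.get("subjectAltName", ()) if kind == "URI"]
    if len(uris) != 1 or not uris[0].startswith(TRUST_DOMAIN):
        return None
    return uris[0]


def authorize(callee: str, peer_cert: Optional[dict]) -> bool:
    """Identity check: allowed only if the verified cert names an allowed caller."""
    ident = identity_from_peercert(peer_cert)
    return ident is not None and ident in POLICY.get(callee, set())


def authorize_by_ip(callee: str, src_ip: str) -> bool:
    """Position check: allowed if the source address sits in an allowed subnet."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(net) for net in IP_POLICY.get(callee, []))


def compare(callee: str, src_ip: str, peer_cert: Optional[dict]) -> dict:
    """Both decisions side by side for one request."""
    return {"by_ip": authorize_by_ip(callee, src_ip), "by_identity": authorize(callee, peer_cert)}


if __name__ == "__main__":
    print("web   -> orders", compare("orders", "10.1.0.10", WEB_CERT))    # both pass
    print("batch -> orders", compare("orders", "10.1.0.55", BATCH_CERT))  # IP passes, identity fails
    print("no cert-> orders", compare("orders", "10.1.0.55", None))       # IP passes, identity fails
```

The identity only means something because the listener's context required and verified the client certificate against the internal CA; `identity_from_peercert` deliberately treats an unverified `{}` the same as no certificate at all, and rejects a certificate carrying more than one URI SAN rather than guessing which one to trust.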
Detect and Respond
A control you cannot observe is a control you cannot trust. Flow logs record who talked to whom, turning "was there lateral movement?" from a guess into a query, and anomaly alerting on unexpected egress destinations or sudden connection-rate spikes surfaces a breach while it is in progress rather than in the post-mortem. A breach with no detection is invisible until the data is already gone.
Operational saturation belongs in the same dashboard. Conntrack and ephemeral-port saturation drop new connections silently and look exactly like a network problem until you graph them (Topic 49), and a sudden connection flood is as often an attack as a traffic spike. Alert on flow-log anomalies, conntrack utilization, and port exhaustion together, because it usually takes all three views side by side to tell an incident from an outage.
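The detection logic from both paragraphs run over sample data: unexpected egress and connection fan-out from flow logs, plus conntrack utilization. This is an added example, not code from the page. The log lines are constructed in the default AWS VPC Flow Log (version 2) field order (`version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status`); the addresses, interface IDs, and the egress baseline of "known-good" external destinations are invented. `read_conntrack` reads the live counters on a Linux host and returns None anywhere else.

```python
"""Flow-log anomaly detection plus conntrack utilization, for the 'detect and
respond' items. Added example; SAMPLE is constructed, not captured traffic."""
import ipaddress
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
# Constructed baseline: the only external destination this VPC is expected to reach.
EGRESS_BASELINE = [ipaddress.ip_network("203.0.113.0/24")]


def parse(line: str):
    """One record as a dict, or None for malformed, NODATA or SKIPDATA lines
    (those carry '-' instead of addresses)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    return rec if rec["log_status"] == "OK" else None


def _in(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def analyze(lines, fanout_threshold: int = 50) -> dict:
    """Flag (1) accepted egress to destinations outside the baseline, (2) egress the
    firewall rejected (the control held, but something tried), and (3) sources that
    touched an unusual number of distinct peers in the window (scan or flood)."""
    unexpected, blocked = [], []
    peers = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, dst = rec["srcaddr"], rec["dstaddr"]
        if not _in(src, INTERNAL):
            continue                     # inbound flow; egress is what this check watches
        peers[src].add((dst, rec["dstport"]))
        if _in(dst, INTERNAL) or _in(dst, EGRESS_BASELINE):
            continue
        hit = (src, dst, int(rec["dstport"]))
        (unexpected if rec["action"] == "ACCEPT" else blocked).append(hit)
    spikes = sorted(src for src, p in peers.items() if len(p) >= fanout_threshold)
    return {"unexpected_egress": unexpected, "blocked_egress": blocked, "fanout_spikes": spikes}


def conntrack_state(count: int, maximum: int, warn: float = 0.8) -> dict:
    """Utilization of the conntrack table. Once it fills, new flows are dropped
    with no error on the client side, which reads as a network fault."""
    util = count / maximum
    return {"utilization": round(util, 3), "alert": util >= warn}


def read_conntrack():
    """Live values on a Linux host with conntrack loaded; None elsewhere."""
    try:
        with open("/proc/sys/net/netfilter/nf_conntrack_count") as f:
            count = int(f.read())
        with open("/proc/sys/net/netfilter/nf_conntrack_max") as f:
            maximum = int(f.read())
    except OSError:
        return None
    return conntrack_state(count, maximum)


SAMPLE = [  # constructed records
    "2 123456789012 eni-0a1b2c3d 10.0.1.12 203.0.113.9 49152 443 6 12 4800 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.12 10.0.3.20 49153 5432 6 40 9000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.8 10.0.1.12 55000 443 6 5 600 1700000000 1700000060 ACCEPT OK",
    # 10.0.1.40 reaches an address nobody approved, on a port no internal service uses
    "2 123456789012 eni-0e5f6a7b 10.0.1.40 198.51.100.77 51000 4444 6 300 65000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0e5f6a7b 10.0.1.40 198.51.100.78 51001 53 17 2 150 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0c9d8e7f - - - - - - - 1700000000 1700000060 - NODATA",
]
# 10.0.2.7 touches 60 internal hosts on 445 in one window: a lateral sweep, not a client.
SAMPLE += [
    f"2 123456789012 eni-0c9d8e7f 10.0.2.7 10.0.3.{h} {40000 + h} 445 6 1 60 1700000000 1700000060 REJECT OK"
    for h in range(1, 61)
]

if __name__ == "__main__":
    print(analyze(SAMPLE))
    print(conntrack_state(60000, 65536), read_conntrack())
```

The rejected flows matter as much as the accepted ones: sixty REJECTs from one host to port 445 is the segmentation working and the breach showing at the same time, which is why the flow-log alert and the segmentation rule belong in the same review.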
Single-control security rests everything on one mechanism — usually a perimeter firewall. It is simple, and it fails completely the instant that one control is bypassed: a single breached host inside the perimeter then has free, unencrypted, unmonitored run of a flat network with nothing left to stop it.
Defense-in-depth layers independent controls — segment, encrypt, authenticate, monitor — so no single failure is total. An attacker who bypasses the perimeter still hits microsegmentation, still cannot read mTLS traffic, still cannot authenticate as another workload, and still trips a flow-log alert. Each layer is imperfect alone; together they ensure one gap is not the whole game.
- Default-allow egress (Topic 49) — only inbound rules were written, so a compromised host has an open outbound channel to exfiltrate data and reach its command-and-control with nothing in the way.
- Treating "internal" traffic as trusted and leaving it plaintext, so the first host an attacker breaches can read every internal hop — a fatal assumption in a zero-trust world where the LAN is just the next hop.
- Relying on security groups or a perimeter firewall as the only control, so one bypass grants total lateral movement across a flat network with no encryption or identity check behind it.
- No flow logs or anomaly detection, so a breach leaves no trace and is discovered only when the data surfaces elsewhere — detection you did not build is detection you do not have.
- SSH or RDP open to 0.0.0.0/0, exposing admin ports to constant internet-wide credential-stuffing instead of gating them behind a bastion, VPN, or identity-aware proxy.
- Set default-deny on both ingress and egress (Topic 49), then allow only the specific ports and destinations each workload needs, so a compromise has no open outbound path.
- Enforce TLS 1.3 externally and mutual TLS service-to-service via a mesh (Topic 73), with no plaintext hop anywhere — internal traffic included.
- Microsegment the network (Topic 53) and authorize on workload identity rather than IP, so a breached host reaches only its declared peers and cannot impersonate another by sharing a subnet.
- Gate all admin access behind a bastion, VPN, or identity-aware proxy, and audit firewall rules for any 0.0.0.0/0 or ::/0 source on ports 22 and 3389.
- Enable flow logs and alert on egress anomalies plus conntrack and port saturation (Topic 49), so both breaches and operational saturation are visible in the same dashboard.
Knowledge Check
A team writes strict inbound firewall rules but leaves egress wide open. What exposure does that leave?
- A compromised host has an open outbound path to phone home and exfiltrate
- External attackers can now initiate brand-new inbound connections directly to the host from the internet
- The host's subnet will overlap with other VPCs and break peering
- All outbound traffic is automatically downgraded to plaintext
In a zero-trust model, why is authorizing service calls by source IP insufficient?
- An attacker on the same subnet can spoof or share an allowed IP, so position is forgeable
- IP-based allow rules are simply too slow to evaluate at the connection rates real service-to-service traffic reaches
- Allowing by IP makes it impossible to also use TLS on the connection
- Matching on IP fills the conntrack table faster than matching on identity
Why is a single perimeter firewall, with no other controls behind it, a weak security posture?
- One bypass grants free lateral movement through an unsegmented, unencrypted interior
- A single perimeter firewall simply cannot process enough packets per second to keep up with production traffic
- A perimeter firewall can only filter a limited range of ports
- It encrypts traffic with outdated ciphers that attackers can break