Network security shrinks attack surface and limits lateral movement if an attacker gets in. Core techniques:

• Segmentation — split networks into zones (public/private subnets, tiers) so a breach in one doesn’t reach everything
• Firewalls / security groups — allow only required ports and sources; default deny
• Private connectivity — keep databases/internal services off the public internet
• TLS everywhere — encrypt traffic in transit
• Zero trust — never trust based on network location; authenticate and authorize every request, even internal ones

The old “hard shell, soft center” perimeter model fails once an attacker is inside — zero trust assumes breach and verifies continuously.

Defense in depth for a web app:
  Public subnet:  load balancer only (443)
  Private subnet: app servers (reachable only from the LB)
  Private subnet: database (reachable only from app, no public route)
  Security groups: default deny; allow LB→app:8080, app→db:5432
  All traffic over TLS; internal calls authenticated (zero trust)

1. Explain network segmentation and how it limits lateral movement.
2. Write security-group rules (in words) for a three-tier web app.
3. Contrast the perimeter model with zero trust.
4. Why should databases never have a public route?

• ↗ NIST — Zero Trust Architecture (SP 800-207)