implementing-network-segmentation-with-firewall-zones

使用防火墙安全区域、VLAN、ACL 和微分段(Microsegmentation)策略设计并实施网络分段,以限制横向移动(Lateral Movement)并强制执行最小权限网络访问。

9 stars

Best use case

implementing-network-segmentation-with-firewall-zones is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

使用防火墙安全区域、VLAN、ACL 和微分段(Microsegmentation)策略设计并实施网络分段,以限制横向移动(Lateral Movement)并强制执行最小权限网络访问。

Teams using implementing-network-segmentation-with-firewall-zones should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/implementing-network-segmentation-with-firewall-zones/SKILL.md --create-dirs "https://raw.githubusercontent.com/killvxk/cybersecurity-skills-zh/main/skills/implementing-network-segmentation-with-firewall-zones/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/implementing-network-segmentation-with-firewall-zones/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How implementing-network-segmentation-with-firewall-zones Compares

Feature / Agentimplementing-network-segmentation-with-firewall-zonesStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

使用防火墙安全区域、VLAN、ACL 和微分段(Microsegmentation)策略设计并实施网络分段,以限制横向移动(Lateral Movement)并强制执行最小权限网络访问。

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# 使用防火墙区域实施网络分段

## 概述

网络分段(Network Segmentation)将平面网络划分为由防火墙强制边界的隔离安全区域,以遏制漏洞蔓延、限制横向移动(Lateral Movement)并在工作负载之间强制执行最小权限访问。分段是 PCI DSS、HIPAA、NIST 800-53 和零信任(Zero Trust)架构要求的基础安全控制。现代分段将传统基于 VLAN 的方案与工作负载级微分段(Microsegmentation)相结合,实现细粒度的东西向流量控制。本技能涵盖区域架构设计、区间防火墙策略配置、交换机 VLAN 分段实施以及动态环境微分段部署。

## 前置条件

- 包含资产清单的网络拓扑文档
- 支持区域策略的防火墙(Palo Alto、Fortinet、Cisco Firepower)
- 支持 VLAN 的托管交换机(802.1Q trunk)
- 用于基线分析的流量文档或 NetFlow 数据
- 合规要求(PCI DSS 范围、HIPAA ePHI 边界)

## 核心概念

### 区域架构层级

| 区域 | 信任级别 | 示例 | 访问策略 |
|------|---------|------|---------|
| **互联网** | 无 | 公共互联网 | 默认拒绝入站 |
| **DMZ** | 低 | Web 服务器、邮件中继、DNS | 有限入站,限制出站 |
| **访客** | 低 | 访客 WiFi、访客网络 | 仅访问互联网,不可访问内网 |
| **企业内网** | 中 | 员工工作站、打印机 | 受控访问内部资源 |
| **服务器/数据中心** | 高 | 应用服务器、数据库 | 严格 ACL,限制管理员访问 |
| **PCI CDE** | 关键 | 支付系统、持卡人数据 | 符合 PCI DSS 的隔离 |
| **管理网** | 关键 | 网络设备、虚拟机管理程序、IPMI | 高度限制,仅允许跳板机 |
| **OT/SCADA** | 关键 | 工业控制系统 | 物理隔离或严格防火墙 |

### 分段方式

| 方式 | 范围 | 粒度 | 适用场景 |
|------|------|------|---------|
| **VLAN 分段** | 第 2 层 | 子网级别 | 部门隔离、访客隔离 |
| **防火墙区域** | 第 3-7 层 | 区域间 | 区间策略强制执行 |
| **路由器 ACL** | 第 3-4 层 | 子网/端口 | 路由边界快速过滤 |
| **微分段(Microsegmentation)** | 第 3-7 层 | 工作负载级别 | 零信任、容器环境 |
| **SGT/TrustSec** | 第 2-7 层 | 标签化 | 基于身份的分段 |

## 实施步骤

### 步骤 1:映射流量并定义区域

在实施分段之前,先捕获基线流量:

```bash
# 捕获 NetFlow 数据以了解现有流量模式
nfdump -R /var/cache/nfdump/ -s srcip/bytes -n 50

# 识别子网间的东西向流量
nfdump -R /var/cache/nfdump/ -s record/bytes \
  'src net 10.0.0.0/8 and dst net 10.0.0.0/8' -n 100

# 映射应用依赖关系
# 记录哪些服务器需要与哪些其他服务器通信
```

### 步骤 2:在交换机上配置 VLAN

```
! 核心交换机 VLAN 配置
vlan 10
 name Management
vlan 20
 name Corporate-Users
vlan 30
 name Servers
vlan 40
 name PCI-CDE
vlan 50
 name Guest
vlan 60
 name DMZ
vlan 99
 name Native-Unused

! 到防火墙的 Trunk 端口
interface GigabitEthernet1/0/1
 description Trunk-to-Firewall
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40,50,60
 switchport trunk native vlan 99
 switchport nonegotiate

! 企业用户接入端口
interface range GigabitEthernet1/0/2-24
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast

! 服务器接入端口
interface range GigabitEthernet1/0/25-36
 switchport mode access
 switchport access vlan 30

! 防止 VLAN 跳跃攻击
interface range GigabitEthernet1/0/37-48
 switchport mode access
 switchport access vlan 99
 shutdown
```

### 步骤 3:配置防火墙区域策略

**Palo Alto 基于区域的策略:**

```
# 在防火墙子接口上定义区域
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.10 tag 10 ip 10.0.10.1/24
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.20 tag 20 ip 10.0.20.1/24
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.30 tag 30 ip 10.0.30.1/24
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.40 tag 40 ip 10.0.40.1/24

set zone Management network layer3 ethernet1/1.10
set zone Corporate network layer3 ethernet1/1.20
set zone Servers network layer3 ethernet1/1.30
set zone PCI-CDE network layer3 ethernet1/1.40

# 区间策略(默认拒绝,明确允许)

# 企业内网 -> 服务器(仅特定应用)
set rulebase security rules Corp-to-Servers from Corporate to Servers
set rulebase security rules Corp-to-Servers application [ web-browsing ssl dns smtp ]
set rulebase security rules Corp-to-Servers action allow
set rulebase security rules Corp-to-Servers profile-setting group Standard-Profiles

# 企业内网 -> PCI(拒绝)
set rulebase security rules Corp-to-PCI from Corporate to PCI-CDE
set rulebase security rules Corp-to-PCI action deny log-end yes

# 服务器 -> PCI(仅支付处理)
set rulebase security rules Servers-to-PCI from Servers to PCI-CDE
set rulebase security rules Servers-to-PCI source [ 10.0.30.10 ]
set rulebase security rules Servers-to-PCI destination [ 10.0.40.10 ]
set rulebase security rules Servers-to-PCI application [ ssl ]
set rulebase security rules Servers-to-PCI service service-https
set rulebase security rules Servers-to-PCI action allow

# 管理网 -> 所有(通过跳板机进行管理员访问)
set rulebase security rules Mgmt-Admin from Management to [ Servers PCI-CDE ]
set rulebase security rules Mgmt-Admin source [ 10.0.10.50 ]
set rulebase security rules Mgmt-Admin application [ ssh rdp ]
set rulebase security rules Mgmt-Admin source-user [ admin-group ]
set rulebase security rules Mgmt-Admin action allow

# 区域内拒绝(防止区域内横向移动)
set rulebase security rules Deny-Intrazone from Corporate to Corporate
set rulebase security rules Deny-Intrazone action deny log-end yes

# 默认全部拒绝
set rulebase security rules Deny-All from any to any
set rulebase security rules Deny-All action deny log-end yes
```

### 步骤 4:实施区间路由 ACL

在路由器/三层交换机上额外进行第三层过滤:

```
! ACL:企业内网仅能访问特定服务器端口
ip access-list extended CORP-TO-SERVERS
 permit tcp 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255 eq 80
 permit tcp 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255 eq 443
 permit tcp 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255 eq 25
 permit udp 10.0.20.0 0.0.0.255 10.0.30.10 0.0.0.0 eq 53
 deny ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255 log

! ACL:PCI CDE 隔离
ip access-list extended PCI-ISOLATION
 permit tcp host 10.0.30.10 host 10.0.40.10 eq 443
 permit tcp 10.0.10.50 0.0.0.0 10.0.40.0 0.0.0.255 eq 22
 deny ip any 10.0.40.0 0.0.0.255 log

! 将 ACL 应用到 VLAN 接口
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip access-group CORP-TO-SERVERS out

interface Vlan40
 ip address 10.0.40.1 255.255.255.0
 ip access-group PCI-ISOLATION in
```

### 步骤 5:验证分段

```python
#!/usr/bin/env python3
"""网络分段验证工具 - 测试各区域间的连通性。"""

import subprocess
import sys
import json
from datetime import datetime


class SegmentationValidator:
    """测试区域间的网络分段控制。"""

    def __init__(self):
        self.results = []

    def test_connectivity(self, src_desc: str, dst_ip: str, port: int,
                          protocol: str = "tcp", expected: str = "blocked"):
        """测试源到目标之间是否存在连通性。"""
        try:
            if protocol == "tcp":
                cmd = ["nc", "-z", "-w", "3", dst_ip, str(port)]
            elif protocol == "udp":
                cmd = ["nc", "-z", "-u", "-w", "3", dst_ip, str(port)]
            elif protocol == "icmp":
                cmd = ["ping", "-c", "1", "-W", "3", dst_ip]
            else:
                return

            result = subprocess.run(cmd, capture_output=True, timeout=5)
            actual = "open" if result.returncode == 0 else "blocked"

        except subprocess.TimeoutExpired:
            actual = "blocked"
        except FileNotFoundError:
            actual = "error"

        status = "PASS" if actual == expected else "FAIL"

        self.results.append({
            "source": src_desc,
            "destination": f"{dst_ip}:{port}/{protocol}",
            "expected": expected,
            "actual": actual,
            "status": status,
        })

        symbol = "[+]" if status == "PASS" else "[!]"
        print(f"  {symbol} {src_desc} -> {dst_ip}:{port}/{protocol} "
              f"| 预期: {expected} | 实际: {actual} | {status}")

    def run_validation(self):
        """运行分段验证测试。"""
        print(f"\n{'='*70}")
        print("网络分段验证")
        print(f"{'='*70}")
        print(f"日期: {datetime.now().isoformat()}\n")

        # 应被阻断的测试
        print("[*] 测试应被阻断的流量:")
        self.test_connectivity("Corporate", "10.0.40.10", 443, "tcp", "blocked")
        self.test_connectivity("Corporate", "10.0.40.10", 22, "tcp", "blocked")
        self.test_connectivity("Guest", "10.0.30.10", 80, "tcp", "blocked")
        self.test_connectivity("Guest", "10.0.20.1", 0, "icmp", "blocked")

        # 应被允许的测试
        print("\n[*] 测试应被允许的流量:")
        self.test_connectivity("Corporate", "10.0.30.10", 443, "tcp", "open")
        self.test_connectivity("Corporate", "10.0.30.10", 80, "tcp", "open")
        self.test_connectivity("Management", "10.0.30.10", 22, "tcp", "open")

        # 汇总
        passed = sum(1 for r in self.results if r["status"] == "PASS")
        failed = sum(1 for r in self.results if r["status"] == "FAIL")
        print(f"\n{'='*70}")
        print(f"结果:{len(self.results)} 个测试中通过 {passed} 个,失败 {failed} 个")

        if failed > 0:
            print(f"\n[!] 失败的测试:")
            for r in self.results:
                if r["status"] == "FAIL":
                    print(f"  - {r['source']} -> {r['destination']}: "
                          f"预期 {r['expected']},实际 {r['actual']}")

        # 保存报告
        report = {
            "date": datetime.now().isoformat(),
            "total_tests": len(self.results),
            "passed": passed,
            "failed": failed,
            "results": self.results,
        }
        report_path = f"segmentation_test_{datetime.now().strftime('%Y%m%d')}.json"
        with open(report_path, 'w') as f:
            json.dump(report, f, indent=2, ensure_ascii=False)
        print(f"\n报告已保存至:{report_path}")


if __name__ == "__main__":
    validator = SegmentationValidator()
    validator.run_validation()
```

## 最佳实践

- **默认拒绝** - 从拒绝所有区间规则开始,明确允许所需流量
- **文档化流量** - 在实施限制之前,先映射所有合法流量
- **按敏感度分段** - 根据数据分类和合规范围对资产分组
- **区域内控制** - 不仅要控制区域间,还要阻断区域内的横向移动
- **限制管理访问** - 将管理平面限制在带跳板机的专用区域
- **定期验证** - 使用自动化工具每季度测试分段控制
- **监控被拒绝流量** - 记录并审查被拒绝的区间流量以完善策略
- **减少 PCI 范围** - 使用分段最小化 PCI DSS 持卡人数据环境(CDE)范围

## 参考资料

- [CISA 零信任微分段指南](https://www.cisa.gov/sites/default/files/2025-07/ZT-Microsegmentation-Guidance-Part-One_508c.pdf)
- [NIST SP 800-125B - 安全虚拟网络配置](https://csrc.nist.gov/publications/detail/sp/800-125b/final)
- [PCI DSS v4.0 - 网络分段](https://www.pcisecuritystandards.org/)

Related Skills

scanning-network-with-nmap-advanced

9
from killvxk/cybersecurity-skills-zh

使用 Nmap 的脚本引擎、时序控制、规避技术和输出解析,对授权目标网络执行高级网络侦察, 发现主机、枚举服务、检测漏洞并识别操作系统。

performing-wireless-network-penetration-test

9
from killvxk/cybersecurity-skills-zh

执行无线网络渗透测试,通过捕获握手包、破解 WPA2/WPA3 密钥、检测流氓接入点以及使用 Aircrack-ng 和相关工具测试无线网络分段,评估 WiFi 安全性。

performing-web-application-firewall-bypass

9
from killvxk/cybersecurity-skills-zh

使用编码技术、HTTP 方法操控、参数污染和载荷混淆绕过 Web 应用防火墙保护,将 SQL 注入、XSS 及其他攻击载荷穿透 WAF 检测规则。

performing-ot-network-security-assessment

9
from killvxk/cybersecurity-skills-zh

本技能涵盖对运营技术(OT)网络(包括SCADA系统、DCS架构和工业控制系统通信路径)进行全面安全评估。内容涉及Purdue参考模型各层、识别IT/OT融合风险、评估区域间防火墙规则,以及映射工业协议流量(Modbus、DNP3、OPC UA、EtherNet/IP),以检测关键基础设施中的错误配置、未授权连接和攻击面。

performing-network-traffic-analysis-with-zeek

9
from killvxk/cybersecurity-skills-zh

部署 Zeek 网络安全监控器,捕获、解析和分析网络流量元数据,用于威胁检测、异常识别和取证调查。

performing-network-traffic-analysis-with-tshark

9
from killvxk/cybersecurity-skills-zh

使用 tshark 和 pyshark 自动化网络流量分析,进行协议统计、可疑流量检测、DNS 异常识别以及从 PCAP 文件中提取威胁指标(IOC)

performing-network-packet-capture-analysis

9
from killvxk/cybersecurity-skills-zh

使用 Wireshark、tshark 和 tcpdump 对网络数据包捕获(PCAP/PCAPNG)进行取证分析,重建网络通信、提取传输文件、识别恶意流量,并建立数据渗出或命令与控制活动的证据。

performing-network-forensics-with-wireshark

9
from killvxk/cybersecurity-skills-zh

使用 Wireshark 和 tshark 捕获并分析网络流量,重建网络事件、提取制品并识别恶意通信。

performing-external-network-penetration-test

9
from killvxk/cybersecurity-skills-zh

依照 PTES 方法论,通过侦察、扫描、漏洞利用和报告等阶段,对面向互联网的基础设施执行全面的外部网络渗透测试,识别可利用漏洞。

implementing-zero-trust-with-hashicorp-boundary

9
from killvxk/cybersecurity-skills-zh

使用 HashiCorp Boundary 实现具备动态凭据代理、会话录制和 Vault 集成的身份感知零信任基础设施访问管理。

implementing-zero-trust-with-beyondcorp

9
from killvxk/cybersecurity-skills-zh

使用身份感知代理(IAP,Identity-Aware Proxy)、上下文感知访问策略、设备信任验证和 Access Context Manager,部署 Google BeyondCorp Enterprise 零信任访问控制,对 GCP 资源和内部应用强制执行基于身份和安全态势的访问。

implementing-zero-trust-network-access

9
from killvxk/cybersecurity-skills-zh

通过配置身份感知代理、微分段、基于条件访问策略的持续验证,以及在 AWS、Azure 和 GCP 环境中以 BeyondCorp 风格的架构替代传统 VPN 访问,在云环境中实施零信任网络访问(ZTNA)。