Designs and implements network segmentation using firewall security zones, VLANs, ACLs, and microsegmentation to restrict lateral movement and enforce least-privilege network access.
Install: `npx claudepluginhub killvxk/cybersecurity-skills-zh`. This skill uses the workspace's default tool permissions.
Network segmentation divides a flat network into isolated security zones whose boundaries are enforced by firewalls, in order to contain breaches, limit lateral movement, and enforce least-privilege access between workloads. Segmentation is a foundational control required by PCI DSS, HIPAA, NIST SP 800-53, and Zero Trust architectures. Modern segmentation combines traditional VLAN-based designs with workload-level microsegmentation for fine-grained control of east-west traffic. This skill covers zone architecture design, inter-zone firewall policy configuration, VLAN segmentation on switches, and microsegmentation deployment for dynamic environments.
Zone reference model (trust level and default access policy per zone):

| Zone | Trust level | Examples | Access policy |
|---|---|---|---|
| Internet | None | Public internet | Deny inbound by default |
| DMZ | Low | Web servers, mail relays, DNS | Limited inbound, restricted outbound |
| Guest | Low | Guest WiFi, visitor network | Internet access only, no access to internal networks |
| Corporate | Medium | Employee workstations, printers | Controlled access to internal resources |
| Servers / Data center | High | Application servers, databases | Strict ACLs, restricted administrative access |
| PCI CDE | Critical | Payment systems, cardholder data | PCI DSS-compliant isolation |
| Management | Critical | Network devices, hypervisors, IPMI | Highly restricted, jump host only |
| OT/SCADA | Critical | Industrial control systems | Air-gapped or strictly firewalled |
Segmentation methods and where each fits:

| Method | Layer | Granularity | Use case |
|---|---|---|---|
| VLAN segmentation | Layer 2 | Subnet | Department isolation, guest isolation |
| Firewall zones | Layers 3-7 | Between zones | Inter-zone policy enforcement |
| Router ACLs | Layers 3-4 | Subnet / port | Fast filtering at routing boundaries |
| Microsegmentation | Layers 3-7 | Workload | Zero Trust, container environments |
| SGT/TrustSec | Layers 2-7 | Tag-based | Identity-based segmentation |
Before implementing segmentation, capture a traffic baseline so that deny rules are written against observed dependencies rather than guesses:

```bash
# Capture NetFlow data to understand existing traffic patterns (top sources by bytes)
nfdump -R /var/cache/nfdump/ -s srcip/bytes -n 50

# Identify east-west traffic between internal subnets (filter goes last)
nfdump -R /var/cache/nfdump/ -s record/bytes -n 100 \
    'src net 10.0.0.0/8 and dst net 10.0.0.0/8'

# Map application dependencies:
# record which servers must talk to which other servers, on which ports and protocols,
# before any deny rule is written
```
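As an added example (not part of the original skill), the dependency-mapping step carried out in code: a Python script that classifies exported flow records by zone and aggregates them into the inter-zone allow-list the firewall policy will need. It assumes a CSV export with nfdump's `sa`, `da`, `dp`, `pr` and `ibyt` columns (as `nfdump -o csv` produces) and the 10.0.x.0/24 zone addressing used on this page; the flow rows are constructed.

```python
#!/usr/bin/env python3
"""Build a zone-to-zone dependency map from exported flow records.

Added example, not part of the original skill. Assumes a CSV export with
nfdump's sa/da/dp/pr/ibyt columns and the zone addressing from the VLAN
plan on this page (10.0.10.0/24 Management ... 10.0.60.0/24 DMZ).
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Zone plan from the VLAN design on this page; anything else is "External".
ZONES = {
    "Management": ipaddress.ip_network("10.0.10.0/24"),
    "Corporate": ipaddress.ip_network("10.0.20.0/24"),
    "Servers": ipaddress.ip_network("10.0.30.0/24"),
    "PCI-CDE": ipaddress.ip_network("10.0.40.0/24"),
    "Guest": ipaddress.ip_network("10.0.50.0/24"),
    "DMZ": ipaddress.ip_network("10.0.60.0/24"),
}

# Constructed sample export (column names follow nfdump's CSV header).
SAMPLE_FLOWS = """\
sa,da,sp,dp,pr,ibyt
10.0.20.15,10.0.30.10,51234,443,TCP,120000
10.0.20.16,10.0.30.10,51235,443,TCP,80000
10.0.20.15,10.0.30.10,51236,53,UDP,4000
10.0.20.15,10.0.20.40,51400,445,TCP,7000
10.0.30.10,10.0.40.10,44000,443,TCP,2500000
10.0.20.22,10.0.40.10,50001,3389,TCP,900
10.0.10.50,10.0.30.12,40000,22,TCP,30000
10.0.50.7,10.0.30.10,60000,80,TCP,1500
10.0.20.15,203.0.113.9,51300,443,TCP,500000
"""


def zone_of(ip):
    """Map an address to its zone name by longest-match over the zone plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "External"


def build_dependency_map(csv_text):
    """Aggregate flows into {(src_zone, dst_zone, proto, dport): bytes}.

    Only inter-zone flows are kept: intra-zone traffic is switched at Layer 2
    and never crosses the firewall, so it is a microsegmentation concern,
    not a zone rule.
    """
    deps = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        src, dst = zone_of(row["sa"]), zone_of(row["da"])
        if src == dst:
            continue
        key = (src, dst, row["pr"].upper(), int(row["dp"]))
        deps[key] += int(row["ibyt"])
    return dict(deps)


def propose_allow_rules(deps, min_bytes=1000):
    """Split observed dependencies into candidate allow rules and low-volume flows to review.

    A flow below `min_bytes` is surfaced for review rather than allowed: a single
    900-byte RDP attempt from Corporate into the CDE is a finding, not a dependency.
    """
    rules, review = [], []
    for (src, dst, proto, dport), nbytes in sorted(deps.items()):
        entry = {"from": src, "to": dst, "proto": proto, "dport": dport, "bytes": nbytes}
        (rules if nbytes >= min_bytes else review).append(entry)
    return rules, review


if __name__ == "__main__":
    rules, review = propose_allow_rules(build_dependency_map(SAMPLE_FLOWS))
    print("Candidate allow rules (observed inter-zone dependencies):")
    for r in rules:
        print(f"  {r['from']:<11} -> {r['to']:<9} {r['proto']}/{r['dport']:<5} {r['bytes']:>9} bytes")
    print("\nLow-volume flows to review before allowing:")
    for r in review:
        print(f"  {r['from']:<11} -> {r['to']:<9} {r['proto']}/{r['dport']:<5} {r['bytes']:>9} bytes")
```

The output is an inventory, not a policy: the Guest-to-Servers row is a genuinely observed dependency that the zone table says must still be denied, and the Corporate-to-CDE RDP attempt is surfaced for review rather than allowed. Compare each candidate against the zone model before turning it into a firewall rule.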
Cisco Catalyst VLAN segmentation:

```
! Core switch VLAN definitions
vlan 10
 name Management
vlan 20
 name Corporate-Users
vlan 30
 name Servers
vlan 40
 name PCI-CDE
vlan 50
 name Guest
vlan 60
 name DMZ
vlan 99
 name Native-Unused

! Trunk port to the firewall: prune the trunk to the VLANs that need routing, use an
! otherwise unused native VLAN, and disable DTP so nothing can negotiate a trunk
interface GigabitEthernet1/0/1
 description Trunk-to-Firewall
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40,50,60
 switchport trunk native vlan 99
 switchport nonegotiate

! Corporate user access ports (static access mode disables DTP; BPDU guard shuts the
! port if a rogue switch is plugged in)
interface range GigabitEthernet1/0/2-24
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable

! Server access ports
interface range GigabitEthernet1/0/25-36
 switchport mode access
 switchport access vlan 30

! Unused ports: park them in the unused VLAN and shut them down so a stray cable cannot
! reach a production VLAN (with the trunk settings above this closes the usual VLAN
! hopping paths: DTP negotiation and double-tagging via the native VLAN)
interface range GigabitEthernet1/0/37-48
 switchport mode access
 switchport access vlan 99
 shutdown
```
Palo Alto zone-based policy:

```
# Define zones on firewall subinterfaces (one 802.1Q tag per VLAN carried on the switch trunk)
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.10 tag 10 ip 10.0.10.1/24
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.20 tag 20 ip 10.0.20.1/24
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.30 tag 30 ip 10.0.30.1/24
set network interface ethernet ethernet1/1 layer3 units ethernet1/1.40 tag 40 ip 10.0.40.1/24
set zone Management network layer3 ethernet1/1.10
set zone Corporate network layer3 ethernet1/1.20
set zone Servers network layer3 ethernet1/1.30
set zone PCI-CDE network layer3 ethernet1/1.40

# Inter-zone policy (default deny, explicit allow). Rules are evaluated top-down; first match wins.
# Corporate -> Servers (specific applications only, on their default ports)
set rulebase security rules Corp-to-Servers from Corporate to Servers
set rulebase security rules Corp-to-Servers source any destination any
set rulebase security rules Corp-to-Servers application [ web-browsing ssl dns smtp ]
set rulebase security rules Corp-to-Servers service application-default
set rulebase security rules Corp-to-Servers action allow
set rulebase security rules Corp-to-Servers profile-setting group Standard-Profiles

# Corporate -> PCI (explicit deny so attempts are logged rather than silently dropped by the default rule)
set rulebase security rules Corp-to-PCI from Corporate to PCI-CDE
set rulebase security rules Corp-to-PCI source any destination any application any service any
set rulebase security rules Corp-to-PCI action deny log-end yes

# Servers -> PCI (payment processing only: one source host to one destination host)
set rulebase security rules Servers-to-PCI from Servers to PCI-CDE
set rulebase security rules Servers-to-PCI source [ 10.0.30.10 ]
set rulebase security rules Servers-to-PCI destination [ 10.0.40.10 ]
set rulebase security rules Servers-to-PCI application [ ssl ]
set rulebase security rules Servers-to-PCI service service-https
set rulebase security rules Servers-to-PCI action allow

# Management -> Servers and PCI (admin access only from the jump host and only for admin users;
# the RDP App-ID is ms-rdp)
set rulebase security rules Mgmt-Admin from Management to [ Servers PCI-CDE ]
set rulebase security rules Mgmt-Admin source [ 10.0.10.50 ] destination any
set rulebase security rules Mgmt-Admin application [ ssh ms-rdp ]
set rulebase security rules Mgmt-Admin service application-default
set rulebase security rules Mgmt-Admin source-user [ admin-group ]
set rulebase security rules Mgmt-Admin action allow

# Intrazone deny (PAN-OS allows intrazone traffic by default; this overrides that for Corporate).
# Caveat: the firewall only sees Corporate-to-Corporate traffic that is routed through it. Hosts on
# the same VLAN talk to each other directly through the switch, so stopping peer-to-peer lateral
# movement inside a zone needs private VLANs or host-based microsegmentation, not this rule alone.
set rulebase security rules Deny-Intrazone from Corporate to Corporate
set rulebase security rules Deny-Intrazone source any destination any application any service any
set rulebase security rules Deny-Intrazone action deny log-end yes

# Default deny everything (last rule; logs what the implicit interzone-default would drop silently)
set rulebase security rules Deny-All from any to any
set rulebase security rules Deny-All source any destination any application any service any
set rulebase security rules Deny-All action deny log-end yes
```
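Added example, not from the original skill and not a PAN-OS API: an offline first-match simulation of the rulebase above, in Python, that checks the intended allow/deny outcomes (including the source-host and User-ID restrictions) and flags rules placed where they can never match, before the policy is committed. The rule names and fields mirror the `set rulebase security rules` commands on this page; the test flows and the `Late-Allow` rule are constructed. The simulator denies anything no rule matches, the interzone-default behaviour; PAN-OS additionally allows intrazone traffic by default, which is the reason the page carries an explicit Deny-Intrazone rule.

```python
#!/usr/bin/env python3
"""First-match simulation of an ordered zone policy with shadowed-rule detection.

Added example: models the rulebase on this page as plain Python objects so the
intended outcomes can be checked offline. Not a PAN-OS API; rule names and
fields mirror the `set rulebase security rules` commands above.
"""
from dataclasses import dataclass, field

ANY = "any"


@dataclass
class Rule:
    name: str
    from_zones: set
    to_zones: set
    action: str  # "allow" or "deny"
    apps: set = field(default_factory=lambda: {ANY})
    src: set = field(default_factory=lambda: {ANY})
    dst: set = field(default_factory=lambda: {ANY})
    users: set = field(default_factory=lambda: {ANY})

    def matches(self, flow):
        """Every field must accept the flow's value (or be 'any')."""
        def ok(allowed, value):
            return ANY in allowed or value in allowed
        return (ok(self.from_zones, flow["from"]) and ok(self.to_zones, flow["to"])
                and ok(self.apps, flow["app"]) and ok(self.src, flow["src"])
                and ok(self.dst, flow["dst"]) and ok(self.users, flow.get("user", "")))


def evaluate(rulebase, flow):
    """Return (action, rule_name) of the first matching rule; unmatched flows are denied."""
    for rule in rulebase:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "interzone-default"


def find_shadowed(rulebase):
    """Report rules that can never match because an earlier rule is a field-wise superset.

    Conservative by design: it catches a rule placed after Deny-All or after a broader
    duplicate, not every partial overlap between rules.
    """
    shadowed = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            pairs = [(earlier.from_zones, later.from_zones), (earlier.to_zones, later.to_zones),
                     (earlier.apps, later.apps), (earlier.src, later.src),
                     (earlier.dst, later.dst), (earlier.users, later.users)]
            if all(ANY in wide or narrow <= wide for wide, narrow in pairs):
                shadowed.append((later.name, earlier.name))
                break
    return shadowed


# The rulebase from this page, in its configured order.
RULEBASE = [
    Rule("Corp-to-Servers", {"Corporate"}, {"Servers"}, "allow",
         apps={"web-browsing", "ssl", "dns", "smtp"}),
    Rule("Corp-to-PCI", {"Corporate"}, {"PCI-CDE"}, "deny"),
    Rule("Servers-to-PCI", {"Servers"}, {"PCI-CDE"}, "allow",
         apps={"ssl"}, src={"10.0.30.10"}, dst={"10.0.40.10"}),
    Rule("Mgmt-Admin", {"Management"}, {"Servers", "PCI-CDE"}, "allow",
         apps={"ssh", "ms-rdp"}, src={"10.0.10.50"}, users={"admin-group"}),
    Rule("Deny-Intrazone", {"Corporate"}, {"Corporate"}, "deny"),
    Rule("Deny-All", {ANY}, {ANY}, "deny"),
]

# Constructed flows and the outcome the policy is meant to produce for each.
EXPECTED = [
    ({"from": "Corporate", "to": "Servers", "app": "ssl", "src": "10.0.20.15", "dst": "10.0.30.10"}, "allow"),
    ({"from": "Corporate", "to": "Servers", "app": "ssh", "src": "10.0.20.15", "dst": "10.0.30.10"}, "deny"),
    ({"from": "Servers", "to": "PCI-CDE", "app": "ssl", "src": "10.0.30.10", "dst": "10.0.40.10"}, "allow"),
    # Same app from a different server: the source-host restriction must bite.
    ({"from": "Servers", "to": "PCI-CDE", "app": "ssl", "src": "10.0.30.11", "dst": "10.0.40.10"}, "deny"),
    ({"from": "Management", "to": "PCI-CDE", "app": "ssh", "src": "10.0.10.50", "dst": "10.0.40.10",
      "user": "admin-group"}, "allow"),
    # Jump host but not an admin user: the User-ID match fails.
    ({"from": "Management", "to": "PCI-CDE", "app": "ssh", "src": "10.0.10.50", "dst": "10.0.40.10",
      "user": "helpdesk"}, "deny"),
    ({"from": "Guest", "to": "Servers", "app": "web-browsing", "src": "10.0.50.7", "dst": "10.0.30.10"}, "deny"),
]


def check_policy(rulebase=RULEBASE, expected=EXPECTED):
    """Return (flow, expected, actual, rule) mismatches; an empty list means the policy behaves as intended."""
    mismatches = []
    for flow, want in expected:
        got, rule = evaluate(rulebase, flow)
        if got != want:
            mismatches.append((flow, want, got, rule))
    return mismatches


if __name__ == "__main__":
    for flow, want, got, rule in check_policy():
        print(f"[!] {flow['from']} -> {flow['to']} {flow['app']}: expected {want}, got {got} via {rule}")
    # A rule appended after Deny-All can never match; the shadow check reports it.
    broken = RULEBASE + [Rule("Late-Allow", {"Corporate"}, {"DMZ"}, "allow", apps={"dns"})]
    for name, by in find_shadowed(broken):
        print(f"[!] rule {name} is shadowed by {by}")
```

Run `check_policy()` again whenever a rule is added or reordered; a non-empty result means a flow that should be blocked is now allowed (or a required dependency has been cut), and `find_shadowed()` catches the common mistake of adding an allow rule below the catch-all deny.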
Additional Layer 3 filtering on a router or Layer 3 switch. This assumes the switch SVIs are the inter-VLAN gateways; if the firewall subinterfaces above are the gateways, the SVIs are not configured with these addresses and the firewall policy does the filtering. These ACLs are stateless, so only the request direction is filtered:

```
! ACL: Corporate may reach only specific server ports; other traffic toward Servers and the
! CDE is denied and logged, and everything else (Internet, DMZ) is passed to the firewall policy
ip access-list extended CORP-TO-SERVERS
 permit tcp 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255 eq 80
 permit tcp 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255 eq 443
 permit tcp 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255 eq 25
 permit udp 10.0.20.0 0.0.0.255 host 10.0.30.10 eq 53
 deny ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255 log
 deny ip 10.0.20.0 0.0.0.255 10.0.40.0 0.0.0.255 log
 permit ip 10.0.20.0 0.0.0.255 any

! ACL: PCI CDE isolation; only the payment application server (443) and the jump host (22) may enter the CDE
ip access-list extended PCI-ISOLATION
 permit tcp host 10.0.30.10 host 10.0.40.10 eq 443
 permit tcp host 10.0.10.50 10.0.40.0 0.0.0.255 eq 22
 deny ip any 10.0.40.0 0.0.0.255 log

! Apply the ACLs to the VLAN interfaces. Direction is relative to the switch: "in" filters packets
! arriving from hosts on that VLAN, "out" filters packets being forwarded toward them. An ACL whose
! sources are the VLAN's own hosts therefore goes "in"; one protecting the VLAN's hosts goes "out".
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip access-group CORP-TO-SERVERS in
interface Vlan40
 ip address 10.0.40.1 255.255.255.0
 ip access-group PCI-ISOLATION out
```
Validate the result from inside each zone. The script can only probe from the host it runs on, so it is run once per zone, from a machine in that zone, with the zone name as the argument:

```python
#!/usr/bin/env python3
"""Network segmentation validator - tests connectivity between zones.

The script can only probe from the host it runs on, so run it from a machine
inside each zone and pass that zone's name as the argument, e.g.
`./validate_segmentation.py Corporate`; only tests sourced from that zone run.
"""
import json
import subprocess
import sys
from datetime import datetime

# (source zone, destination IP, port, protocol, expected outcome)
TESTS = [
    # Traffic that must be blocked
    ("Corporate", "10.0.40.10", 443, "tcp", "blocked"),
    ("Corporate", "10.0.40.10", 22, "tcp", "blocked"),
    ("Guest", "10.0.30.10", 80, "tcp", "blocked"),
    ("Guest", "10.0.20.1", 0, "icmp", "blocked"),
    # Traffic that must be allowed
    ("Corporate", "10.0.30.10", 443, "tcp", "open"),
    ("Corporate", "10.0.30.10", 80, "tcp", "open"),
    ("Management", "10.0.30.10", 22, "tcp", "open"),
]


class SegmentationValidator:
    """Tests network segmentation controls between zones."""

    def __init__(self):
        self.results = []

    def test_connectivity(self, src_desc, dst_ip, port, protocol="tcp", expected="blocked"):
        """Probe a destination and compare the outcome with the expectation.

        TCP uses a zero-I/O connect (nc -z). UDP is best-effort: nc reports "open"
        unless an ICMP port-unreachable comes back, so a firewall that silently
        drops UDP also shows as "open". ICMP sends a single ping.
        """
        try:
            if protocol == "tcp":
                cmd = ["nc", "-z", "-w", "3", dst_ip, str(port)]
            elif protocol == "udp":
                cmd = ["nc", "-z", "-u", "-w", "3", dst_ip, str(port)]
            elif protocol == "icmp":
                cmd = ["ping", "-c", "1", "-W", "3", dst_ip]
            else:
                return
            result = subprocess.run(cmd, capture_output=True, timeout=5)
            actual = "open" if result.returncode == 0 else "blocked"
        except subprocess.TimeoutExpired:
            actual = "blocked"
        except FileNotFoundError:
            actual = "error"  # nc/ping not installed: recorded as a failure, never as a pass

        status = "PASS" if actual == expected else "FAIL"
        self.results.append({
            "source": src_desc,
            "destination": f"{dst_ip}:{port}/{protocol}",
            "expected": expected,
            "actual": actual,
            "status": status,
        })
        symbol = "[+]" if status == "PASS" else "[!]"
        print(f"  {symbol} {src_desc} -> {dst_ip}:{port}/{protocol} "
              f"| expected: {expected} | actual: {actual} | {status}")

    def run_validation(self, zone):
        """Run the tests sourced from `zone`; returns the number of failures."""
        print(f"\n{'=' * 70}")
        print(f"Network segmentation validation (source zone: {zone})")
        print(f"{'=' * 70}")
        print(f"Date: {datetime.now().isoformat()}\n")

        for expected_label, title in (("blocked", "Testing traffic that should be blocked:"),
                                      ("open", "Testing traffic that should be allowed:")):
            print(f"[*] {title}")
            for src, dst, port, proto, expected in TESTS:
                if src == zone and expected == expected_label:
                    self.test_connectivity(src, dst, port, proto, expected)
            print()

        passed = sum(1 for r in self.results if r["status"] == "PASS")
        failed = len(self.results) - passed
        print(f"{'=' * 70}")
        print(f"Results: {passed} of {len(self.results)} tests passed, {failed} failed")
        if failed > 0:
            print("\n[!] Failed tests:")
            for r in self.results:
                if r["status"] == "FAIL":
                    print(f"  - {r['source']} -> {r['destination']}: "
                          f"expected {r['expected']}, actual {r['actual']}")

        report = {
            "date": datetime.now().isoformat(),
            "zone": zone,
            "total_tests": len(self.results),
            "passed": passed,
            "failed": failed,
            "results": self.results,
        }
        report_path = f"segmentation_test_{zone}_{datetime.now().strftime('%Y%m%d')}.json"
        with open(report_path, "w") as f:
            json.dump(report, f, indent=2, ensure_ascii=False)
        print(f"\nReport saved to: {report_path}")
        return failed


if __name__ == "__main__":
    zones = sorted({t[0] for t in TESTS})
    if len(sys.argv) != 2 or sys.argv[1] not in zones:
        print(f"usage: {sys.argv[0]} <{'|'.join(zones)}>")
        sys.exit(2)
    validator = SegmentationValidator()
    # Non-zero exit so a CI job or change-window checklist fails on any segmentation gap
    sys.exit(1 if validator.run_validation(sys.argv[1]) > 0 else 0)
```