Skill

configuring-microsegmentation-for-zero-trust

Configure microsegmentation policies with VMware NSX, Illumio, Calico for zero trust workload isolation, preventing lateral movement in networks.

Kubernetes

Python

security

infrastructure

npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- Understanding of zero trust principles (NIST SP 800-207)

Supporting Assets

LICENSEassets/template.mdreferences/api-reference.mdreferences/standards.mdreferences/workflows.mdscripts/agent.pyscripts/process.py

SKILL.md

Similar Skills

applying-brand-guidelines

41.6k

Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.

3 files

anthropics-claude-cookbooks

creating-financial-models

41.6k

Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.

2 files

anthropics-claude-cookbooks

analyzing-financial-statements

41.6k

Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.

2 files

anthropics-claude-cookbooks

Stats

Stars5748

Forks783

Last CommitApr 6, 2026

Actions

View Source View Plugin View on GitHub View README

Configuring Microsegmentation for Zero Trust

Prerequisites

Understanding of zero trust principles (NIST SP 800-207)
Knowledge of network segmentation concepts
Familiarity with firewall and SDN technologies
Experience with VMware NSX, Illumio, Guardicore, or Cisco ACI

Overview

Microsegmentation divides a network into granular security zones, enforcing least-privilege access between workloads at the application layer rather than relying on traditional VLAN-based segmentation. In a zero trust architecture, microsegmentation eliminates implicit trust between workloads within the same network segment, preventing lateral movement even after an attacker gains initial access.

This skill covers designing microsegmentation policies using workload identity, implementing host-based and network-based enforcement, and validating segmentation effectiveness with tools like Illumio Core and VMware NSX.

When to Use

When deploying or configuring configuring microsegmentation for zero trust capabilities in your environment
When establishing security controls aligned to compliance requirements
When building or improving security architecture for this domain
When conducting security assessments that require this implementation

Prerequisites

Familiarity with zero trust architecture concepts and tools
Access to a test or lab environment for safe execution
Python 3.8+ with required dependencies installed
Appropriate authorization for any testing activities

Architecture

Microsegmentation Models

Network-Based (VMware NSX, Cisco ACI): Distributed firewall rules enforced at the hypervisor or network fabric level
Host-Based (Illumio, Guardicore): Agent-based enforcement at the OS level using iptables/WFP rules
Container-Based (Calico, Cilium): Network policies enforced at the pod/container level in Kubernetes
Application-Based (Zscaler Workload Segmentation): Identity-based segmentation based on software identity rather than IP addresses

Enforcement Points

Traditional Segmentation        Microsegmentation
┌─────────────────┐            ┌──────────────────────┐
│  VLAN 10        │            │  Workload A ←policy→ │
│  ┌───┐ ┌───┐   │            │  Workload B ←policy→ │
│  │ A │ │ B │   │            │  Workload C ←policy→ │
│  └───┘ └───┘   │            │  Workload D ←policy→ │
│  (trust each    │            │  (zero trust between  │
│   other)        │            │   every pair)         │
└─────────────────┘            └──────────────────────┘

Key Concepts

Application Dependency Mapping

Before creating segmentation policies, discover actual communication flows between workloads using traffic telemetry. Tools like Illumio, Guardicore, and AppDynamics provide application dependency maps showing which workloads communicate, over which ports, and how frequently.

Policy Modeling

Draft policies in monitor/visibility mode before enforcement. This allows validation that proposed rules will not break legitimate traffic while identifying unnecessary or risky communication paths.

Label-Based Policy

Modern microsegmentation uses labels (role, application, environment, location) instead of IP-based rules. Label-based policies are portable across environments and survive IP changes during migrations.

Ring-Fencing

Isolate critical applications (PCI cardholder data environment, SWIFT financial systems, healthcare PHI) with strict allow-list policies that deny all traffic not explicitly permitted.

Workflow

Phase 1: Discovery and Mapping

Deploy Visibility Agents
- Install lightweight agents on all workloads (servers, VMs, containers)
- Configure agents to report real-time traffic telemetry to the management console
- Allow 2-4 weeks of traffic collection to build a comprehensive flow map
Build Application Dependency Map
- Review auto-discovered communication flows in the management console
- Identify application tiers: web servers, app servers, databases, middleware
- Map legitimate communication paths and flag unexpected connections
- Document data flows for compliance scope (PCI, HIPAA)
Assign Labels
- Create a labeling taxonomy: Role (web, app, db), Application (ERP, CRM), Environment (prod, dev, staging), Location (dc1, aws-east)
- Apply labels to all workloads via the management console or API
- Validate label accuracy against CMDB and application owner input

Phase 2: Policy Design

Define Segmentation Zones
- Environment isolation: Production cannot communicate with Development
- Tier isolation: Database tier only accepts connections from application tier
- Application ring-fencing: PCI applications isolated from non-PCI workloads
- Administrative access: Jump servers are the only management path
Create Allow-List Policies
- For each application, define explicit allow rules for required communication
- Use label-based rules rather than IP-based where possible
- Include process-level restrictions where supported (e.g., only httpd on port 443)
- Set default-deny for all unlisted communication
Model Policies in Test Mode
- Enable policies in visibility/test mode (do not enforce)
- Monitor for would-be blocked legitimate traffic
- Refine policies based on test results over 1-2 weeks
- Get application owner sign-off before enforcement

Phase 3: Enforcement

Enforce Incrementally
- Start with the most isolated, lowest-risk application
- Switch policy from test mode to enforce mode
- Monitor for application issues in the first 24-48 hours
- Proceed to next application after validation
Validate Segmentation
- Run penetration tests attempting lateral movement between segments
- Verify that blocked traffic generates alerts in the management console
- Test emergency override procedures (break-glass)
- Document enforcement status for each application zone

Phase 4: Operational Maintenance

Ongoing Policy Management
- Integrate with CI/CD: auto-label new workloads from deployment pipelines
- Review policy violations weekly and investigate anomalies
- Update policies when applications change or new services deploy
- Perform quarterly segmentation effectiveness reviews

Validation Checklist

References

NIST SP 800-207: Zero Trust Architecture
CISA Zero Trust Maturity Model v2.0 - Network Pillar
Illumio Core Administration Guide
VMware NSX Distributed Firewall Configuration Guide
Forrester Zero Trust eXtended (ZTX) Framework