Network Segmentation and Operations Triage Lab
Key Takeaways
- Segmentation limits unnecessary communication between systems and can reduce blast radius during incidents.
- Firewall rules should be specific about source, destination, protocol, port, and business purpose.
- Threat identification depends on evidence such as logs, traffic patterns, affected assets, and user reports.
- Security operations triage prioritizes severity, scope, business impact, and containment needs.
- A good analyst separates normal troubleshooting from security indicators before escalating.
Network and operations questions often combine technical clues with business priority. You may see VLANs, firewalls, ports, malware symptoms, alerts, user reports, and incident response choices in one scenario. The best answer usually narrows the scope, protects critical assets, and avoids overreacting to weak evidence.
Lab Scenario
A company has a flat network where workstations, printers, servers, point-of-sale systems, guest Wi-Fi, and security cameras can all communicate freely. A monitoring alert shows one guest device scanning internal addresses on TCP 445. Minutes later, a file server shows unusual failed logons. The help desk also reports that one printer is offline. The operations lead asks what to do first.
The printer outage may be ordinary troubleshooting. The guest device scanning internal file-sharing ports and failed logons against a file server are stronger security indicators. A flat network increases blast radius because a guest device should not be able to reach internal file services at all.
Segmentation Decision Table
| Zone | Should communicate with | Should be restricted from | Example control |
|---|---|---|---|
| Guest Wi-Fi | Internet only | Internal servers, POS, admin interfaces | Firewall deny to internal ranges |
| User workstations | Approved application services | Server management ports | VLANs and access control lists |
| File servers | Domain services, backup, approved clients | Guest and camera networks | Firewall rules and monitoring |
| POS systems | Payment processor and required services | General user browsing and guest networks | Dedicated segment |
| Management network | Admin interfaces | Ordinary user and guest access | Jump host, MFA, logging |
Segmentation is not only a diagram. It must be enforced with switch configuration, firewall rules, routing controls, identity controls, and monitoring. A VLAN without appropriate access rules may separate broadcasts but still allow routed access. A firewall rule that says "any any allow" defeats the purpose.
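As an added example (not part of the lab), the decision table above is encoded below as explicit, purpose-tagged firewall rules and evaluated against the scenario's guest-to-file-server flow, next to the "any any allow" rule that defeats it; the zone address ranges, the rule lists, and the helper names are assumptions.

```python
import ipaddress

# Zone address ranges and the rule lists are constructed assumptions, not the
# lab's network. Rules are (action, src_zone, dst_zone, proto, port, purpose),
# evaluated top-down with first match winning and an implicit final deny.
ZONES = {
    "guest": ipaddress.ip_network("192.168.50.0/24"),
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "file_servers": ipaddress.ip_network("10.20.1.0/24"),
    "pos": ipaddress.ip_network("10.30.0.0/24"),
}
SEGMENTED_RULES = [
    ("deny", "guest", "internal", "any", None, "guests never reach internal ranges"),
    ("allow", "guest", "internet", "tcp", 443, "guest web browsing"),
    ("allow", "workstations", "file_servers", "tcp", 445, "SMB access to file shares"),
    ("allow", "pos", "internet", "tcp", 443, "payment processor API"),
]
FLAT_RULES = [("allow", "any", "any", "any", None, "any any allow")]  # the anti-pattern

def zone_of(ip):
    """Map an address to its zone; anything outside the known ranges is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def _zone_match(rule_zone, zone):
    if rule_zone == "any":
        return True
    if rule_zone == "internal":          # every zone except guest and internet
        return zone not in ("guest", "internet")
    return rule_zone == zone

def evaluate(rules, src_ip, dst_ip, proto, port):
    """Return (action, purpose) for one flow under the given rule list."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for action, r_src, r_dst, r_proto, r_port, purpose in rules:
        if (_zone_match(r_src, src) and _zone_match(r_dst, dst)
                and r_proto in ("any", proto) and r_port in (None, port)):
            return action, purpose
    return "deny", "implicit deny"

# The scenario's risky flow: guest device -> file server on TCP 445 (SMB).
GUEST_SCAN = ("192.168.50.23", "10.20.1.5", "tcp", 445)
```

Under the segmented rules the guest flow hits the first deny; under the flat rule set the same flow is allowed, which is the routed-access gap a VLAN alone does not close.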
Threat Identification Drill
| Evidence | More likely meaning | Better next step |
|---|---|---|
| Guest device scans TCP 445 internally | Reconnaissance or malware behavior | Isolate device and block guest-to-internal access |
| Many failed logons on file server | Credential attack or misconfigured service | Review source, accounts, and lockout impact |
| One printer offline | Possible operational issue | Troubleshoot after higher-risk alerts are contained |
| DNS queries to known malicious domains | Possible compromised endpoint | Identify host and start incident process |
| Public web server receives high traffic from many sources | Possible DDoS or campaign | Compare to baseline and check service impact |
Operations Triage
Triage asks what matters most right now. Consider severity, scope, confidence, criticality, and whether containment is time-sensitive. If an alert involves a critical server and active lateral movement, escalate quickly. If a single endpoint has a low-confidence alert and no business impact, collect more evidence. If a user reports a phishing email and has clicked the link, reset credentials and review sign-ins. If a user reports a suspicious email but did not interact with it, collect the message and tune filtering.
Do not confuse first response with final remediation. Blocking guest-to-internal access may contain the immediate risk, but the final fix includes redesigning segmentation, reviewing firewall rules, scanning affected systems, checking file server logs, and updating procedures. Knowing that TCP 445 is SMB also helps explain why a guest scan is risky: it targets a file-sharing service often involved in lateral movement.
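Added example, not from the lab: the first two rows of the threat identification drill and the triage factors above turned into detection logic run over constructed firewall and authentication log lines, with the findings and the help-desk printer ticket ranked by a simple priority score; the log formats, guest range, criticality values, and score weights are all assumptions.

```python
from collections import defaultdict

# Constructed sample logs (not from the lab). Firewall lines: "ts src dst proto dport".
FIREWALL_LOG = [
    "09:00:01 192.168.50.23 10.20.1.5 tcp 445",
    "09:00:01 192.168.50.23 10.20.1.6 tcp 445",
    "09:00:02 192.168.50.23 10.20.1.7 tcp 445",
    "09:00:02 192.168.50.23 10.20.1.8 tcp 445",
    "09:00:03 10.10.4.7 10.20.1.5 tcp 445",
]
# Constructed file-server authentication lines: "ts host result user src".
AUTH_LOG = [
    "09:03:10 fs01 FAIL svc_backup 192.168.50.23",
    "09:03:11 fs01 FAIL administrator 192.168.50.23",
    "09:03:12 fs01 FAIL jsmith 192.168.50.23",
    "09:05:00 fs01 OK jsmith 10.10.4.7",
]
GUEST_PREFIX = "192.168.50."  # assumed guest Wi-Fi range
CRITICALITY = {"fs01": 5, "internal_net": 3, "printer01": 1}  # assumed 1 (low) to 5 (critical)

def detect_scans(lines, min_targets=3):
    """One source touching many distinct hosts on one port looks like reconnaissance."""
    targets = defaultdict(set)
    for line in lines:
        _, src, dst, _, port = line.split()
        targets[(src, port)].add(dst)
    return [{"type": "scan", "src": s, "port": p, "asset": "internal_net",
             "confidence": 0.8, "scope": len(d)}
            for (s, p), d in targets.items() if len(d) >= min_targets]

def detect_failed_logons(lines, threshold=3):
    """Repeated FAIL results from one source against one host: credential attack or misconfig."""
    fails = defaultdict(int)
    for line in lines:
        _, host, result, _, src = line.split()
        if result == "FAIL":
            fails[(host, src)] += 1
    return [{"type": "failed_logons", "src": s, "asset": h, "confidence": 0.6, "scope": n}
            for (h, s), n in fails.items() if n >= threshold]

def triage(findings):
    """Priority = asset criticality x confidence x scope, x1.5 when the source is a guest device."""
    for f in findings:
        weight = 1.5 if f["src"].startswith(GUEST_PREFIX) else 1.0
        f["priority"] = round(CRITICALITY[f["asset"]] * f["confidence"] * f["scope"] * weight, 2)
    return sorted(findings, key=lambda f: f["priority"], reverse=True)

def run():
    """Rank the scenario's three reports; the printer ticket is a constructed low-risk item."""
    printer = {"type": "printer_offline", "src": "helpdesk", "asset": "printer01", "confidence": 1.0, "scope": 1}
    return triage(detect_scans(FIREWALL_LOG) + detect_failed_logons(AUTH_LOG) + [printer])
```

The guest scan and the failed logons rank well above the printer ticket, which is the ordering the lab argues for; the exact weights are a starting point for tuning, not a standard.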
Multi-Domain Review
This lab touches all domains. Security principles explain confidentiality, integrity, and availability impact. Business continuity asks whether critical services must keep running during containment. Access control asks whether accounts and privileges are abused. Network security asks which paths should exist. Security operations asks how to prioritize alerts, preserve evidence, and escalate.
In a PBQ-style item, expect distractors that are technically real but poorly prioritized. Replacing the offline printer, buying more bandwidth, or emailing all employees may not address the active guest-to-file-server path. Start with the evidence that shows likely harm and choose the control that reduces that harm directly.
A guest Wi-Fi device is scanning internal file servers on TCP 445. What is the best immediate action?
Which firewall rule is most aligned with least privilege?
During triage, which factor most strongly increases priority?