Castle-and-Moat Security Died With Mobile Devices
Think for yourself. Network security used to be simple: hard shell, soft interior. Firewall keeps bad guys out, everything inside is trusted.
That model is dead. Has been for years. But consultants keep selling it because it's easy to explain to executives who don't understand technology. FNORD—and because admitting the perimeter is fiction means admitting they sold you lies for decades.
Nothing is true. Everything is permitted. Including attackers already inside your "secure" network. Plan for it. Are you paranoid enough? Because they're already in there.
At Hack23, we practice what we preach: zero-trust AWS cloud-native architecture with defense-in-depth. CloudFront+WAF for perimeter (DDoS protection, OWASP rule sets). GuardDuty for threat intelligence. Security Hub for finding aggregation. VPC Flow Logs for traffic analysis. Multi-region deployment (eu-west-1, eu-central-1) for resilience. DNSSEC verification on all domains. TLS 1.2+ enforced everywhere.
Our Network Security Policy is public because network security through obscurity assumes attackers can't run port scans. Transparency demonstrates our cybersecurity consulting expertise through measurable implementation. Our threat model assumes you're reading this. Welcome, adversary. Enjoy the documentation.
Illumination: If your security model assumes attackers are outside, your security model is from 1995. Update it or get pwned. We updated ours—here's the evidence. FNORD—the only thing separating you from breach is whether the attacker has coffee yet.
Why the Network Perimeter Is Fantasy
Question authority that still talks about "inside" and "outside" networks:
1. Mobile Devices Roam
Laptop leaves the office? It's "outside." Comes back? It's "inside" again. With whatever malware it picked up. VPN doesn't make devices trustworthy—it just encrypts their attacks.
Illumination: Every device that crosses the perimeter is a potential Trojan horse. The Greeks taught this lesson 3000 years ago.
2. Cloud Services Are "Outside"
Office 365? AWS? GitHub? All outside your perimeter. Yet essential to business. The perimeter doesn't include what you actually use.
Illumination: Defending a perimeter that doesn't include your data is LARPing security.
3. Insider Threats Exist
Malicious insiders. Compromised accounts. Social engineering. Threat is already inside. Your firewall doesn't stop Susan in accounting from clicking phishing links.
Illumination: The call is coming from inside the house. It always was.
4. Supply Chain Compromises
Trusted vendor gets hacked. Pushes malicious update. Through your firewall. Because you trust signed updates from "inside" the perimeter. SolarWinds, anyone?
Illumination: Trust is how supply chain attacks work. Least privilege is how you limit what a poisoned update can reach, and monitoring is how you notice it.
5. APTs Are Patient
Advanced Persistent Threats don't bang on your firewall. They live inside for months. Quietly. The perimeter didn't save you—you're already compromised and don't know it.
Illumination: Dwell time for intrusions has historically been measured in months, and is still weeks for plenty of victims. If that is you, the perimeter failed long before anyone noticed.
Zero Trust: Verify Everything, Trust Nothing
Zero trust networking isn't paranoia. It's accepting reality and designing accordingly. At Hack23, zero-trust means cloud-native AWS architecture with layered defense:
🌐 Perimeter Layer: CloudFront + WAF
DDoS Protection: AWS Shield Standard, CloudFront distribution caching, automatic mitigation
WAF Rules: OWASP Top 10 protection, rate limiting, geo-blocking where appropriate
TLS Enforcement: TLS 1.2+ mandatory, SSL Labs A+ rating
Evidence: CloudFront metrics show real-time attack mitigation. WAF logs available via CloudWatch.
🛡️ Application Layer: Private Subnets
Lambda Functions: VPC-attached serverless compute in private subnets, no direct internet exposure
API Gateway: Rate limiting, authentication, request validation before reaching backend
VPC Endpoints: Private connectivity to AWS services (S3, KMS, Systems Manager) without NAT
Microsegmentation limits lateral movement: a perimeter breach stays a perimeter breach instead of becoming a full compromise.
💾 Data Layer: Isolated Tier
RDS PostgreSQL: Private subnets only, no public access, encrypted at rest (KMS)
S3 Buckets: VPC endpoints for internal access, public access blocked by default
Secrets Management: AWS Secrets Manager with automatic rotation, least privilege IAM
Defense-in-depth: Even if application tier compromised, data layer requires separate breach.
🔧 Management Plane: Secure Access
Systems Manager Session Manager: Remote shell access without SSH/RDP or inbound ports; session start and end recorded in CloudTrail, session transcripts streamed to CloudWatch Logs or S3
CloudTrail: All API calls logged, log file integrity validation for a tamper-evident audit trail, SIEM integration ready
Multi-Factor Authentication: AWS Identity Center with MFA mandatory for all access
Zero standing privileges—request elevated access when needed, automatically revoked.
Multi-Region Resilience: Primary region eu-west-1 (Ireland), failover to eu-central-1 (Frankfurt). AWS Backup cross-region replication. Route 53 health checks with automatic failover.
- Authenticate every request — Location on network doesn't grant trust. Verify identity, device health, context every time.
- Authorize least privilege — Just because you're authenticated doesn't mean you get access to everything. Minimum required, time-limited when possible.
- Encrypt everything in transit — TLS 1.2+ everywhere. mTLS for service-to-service communication where applicable.
- Microsegment the network — Lateral movement is how breaches spread. Private subnets, security groups, VPC endpoints contain blast radius.
- Monitor all traffic — VPC Flow Logs, GuardDuty threat detection, Security Hub aggregation. Assume breach means detecting it fast.
All hail Eris! Chaos teaches: trust enables betrayal. Verification prevents surprises. Our network security demonstrates this through public evidence.
Firewalls: Necessary But Insufficient
Firewalls aren't useless. They're just not sufficient:
✅ Firewalls Block Port Scans
Deny-by-default is good. Reducing attack surface is good. Basic perimeter defense is necessary.
❌ Firewalls Don't Stop Malware
Malware uses allowed ports (80/443). Encrypted in TLS. Your firewall sees encrypted traffic and says "looks fine to me."
✅ Firewalls Provide Defense in Depth
Layer in a security stack. One control among many. Not the only control.
❌ Firewalls Create False Confidence
"We have a firewall, we're secure!" No. You have one control. You need twenty more.
Think for yourself. Firewalls are tools, not magic force fields. Use them. Don't worship them.
Network Segmentation: Limit the Blast Radius
Assume breach. Design so that when (not if) attackers get in, they can't move laterally:
- VLANs for different functions — Development, staging, production in different network segments (separate VPCs or subnets in the cloud)
- Firewall rules between segments — Default deny. Explicit allow only what's needed.
- Jump boxes for admin access — No direct SSH/RDP to production. Through a logged, monitored, hardened jump host.
- Service mesh for microservices — mTLS between services. Network policy enforcement at pod level.
- Database in separate subnet — Application tier can reach it. Nothing else can. Principle of least privilege at network layer.
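Segmentation rules are only as good as the security-group rules that implement them, and those drift. Here is an added example (not Hack23 tooling) that audits a set of security groups against an assumed tier allow-list: the groups are constructed inline in the shape boto3's `describe_security_groups()` returns, and the tier names, ports and severities are illustrative assumptions.

```python
"""Check security-group rules against the tiering rules above.

Added example, not Hack23 tooling. The groups below are constructed in the
shape of boto3's ec2.describe_security_groups()["SecurityGroups"], and the
tier allow-list (ALLOWED_PEERS) is an assumed design, not a real account.
"""

ANY_CIDR = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}   # SSH/RDP: jump host or SSM only, never from the world

# Constructed sample: web -> app -> db, with two deliberate mistakes.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
        # Mistake 1: SSH open to the internet on the app tier.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
        # Mistake 2: Postgres reachable from the whole 10/8, not just the app tier.
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
    ]},
]

# Intended allow-list: which source group may reach which tier on which port.
# Tiers listed here must accept traffic only from these group/port pairs.
ALLOWED_PEERS = {
    "sg-app": {("sg-web", 8080)},
    "sg-db": {("sg-app", 5432)},
}


def _port_range(perm):
    """Return the inclusive port range a permission covers ("-1" = all)."""
    if perm["IpProtocol"] == "-1":
        return range(0, 65536)
    return range(perm["FromPort"], perm["ToPort"] + 1)


def audit_security_groups(groups, allowed_peers=ALLOWED_PEERS):
    """Return (group_id, severity, message) tuples for rules that break tiering."""
    findings = []
    for group in groups:
        gid = group["GroupId"]
        internal_tier = gid in allowed_peers
        for perm in group["IpPermissions"]:
            ports = _port_range(perm)
            span = f"{ports.start}-{ports.stop - 1}"
            ranges = perm.get("IpRanges", []) + perm.get("Ipv6Ranges", [])
            for r in ranges:
                cidr = r.get("CidrIp") or r.get("CidrIpv6")
                world = cidr in ANY_CIDR
                if world and any(p in ports for p in ADMIN_PORTS):
                    findings.append((gid, "HIGH", f"admin port open to {cidr} ({span})"))
                elif internal_tier:
                    # Internal tiers reference security groups, never CIDRs:
                    # a CIDR source means anything in that range can reach the tier.
                    sev = "HIGH" if world else "MEDIUM"
                    findings.append((gid, sev, f"CIDR source {cidr} on {span}"))
            for pair in perm.get("UserIdGroupPairs", []):
                if not internal_tier:
                    continue
                src = pair["GroupId"]
                # The rule must name an allowed peer group and exactly its allowed port.
                ok = any(src == a and ports == range(port, port + 1)
                         for a, port in allowed_peers[gid])
                if not ok:
                    findings.append((gid, "MEDIUM", f"unexpected peer {src} on {span}"))
    return findings


if __name__ == "__main__":
    for gid, sev, msg in audit_security_groups(SAMPLE_GROUPS):
        print(f"{sev:6} {gid}: {msg}")
```

On the constructed input this reports two findings: the SSH rule on the app tier and the 10/8 rule on the database tier. The design choice worth copying is that internal tiers accept group references only; a CIDR source on a tier with an allow-list is a finding even when the range looks "internal".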
CHAOS ILLUMINATION: Flat networks are how one compromised WordPress blog becomes a full domain admin compromise. Segment or suffer.
Network Monitoring: Seeing the Invisible
Can't defend what you can't see. Network monitoring isn't optional. At Hack23, comprehensive visibility through AWS-native services:
🔍 VPC Flow Logs
Flow records for VPC traffic (headers, not payloads) shipped to CloudWatch: source/destination IPs, ports, protocols, accept/reject decisions. Baseline normal traffic patterns, alert on anomalies. Caveat: flow logs skip some traffic, for example queries to the VPC resolver and instance metadata requests, so pair them with DNS query logging.
Response Time: Anomalous traffic investigation <15 minutes per Incident Response Plan
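"Alert on anomalies" is vague until it is code. Here is an added example (not Hack23's detection content) that parses default-format (version 2) flow log records and flags two assume-breach patterns: an internal host sweeping ports on a neighbour (many distinct destination ports REJECTed from one source to one destination) and bulk egress from an internal address to an external one. The log lines, the internal address space and both thresholds are constructed assumptions.

```python
"""Two assume-breach detections over VPC Flow Log records.

Added example, not Hack23's detection content. Records use the default
(version 2) flow-log field order; the lines in SAMPLE_LOG are constructed,
and the thresholds and internal address space are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"srcport", "dstport", "packets", "bytes"}

# Assumed address space of "inside": RFC 1918 (narrow this to your VPC CIDRs).
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]

# Constructed sample: one host sweeps a neighbour, then ships 620 MB out.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.2.15 10.0.3.20 51002 5432 6 40 6200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.15 10.0.3.20 51003 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.15 10.0.3.20 51004 23 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.15 10.0.3.20 51005 80 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.15 10.0.3.20 51006 445 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.15 10.0.3.20 51007 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.15 10.0.3.20 51008 8080 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.15 203.0.113.50 51009 443 6 480000 620000000 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.3.20 10.0.2.15 5432 51002 6 38 9100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_logs(text):
    """Parse default-format records; skip NODATA/SKIPDATA rows (fields are '-')."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for f in INT_FIELDS:
            rec[f] = int(rec[f])
        records.append(rec)
    return records


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)


def detect(records, scan_ports=5, egress_bytes=500_000_000):
    """Return (kind, src, dst, detail) for port sweeps and bulk egress."""
    rejected = defaultdict(set)   # (src, dst) -> distinct dst ports REJECTed
    egress = defaultdict(int)     # (src, dst) -> bytes accepted inside -> outside
    for r in records:
        key = (r["srcaddr"], r["dstaddr"])
        if r["action"] == "REJECT":
            rejected[key].add(r["dstport"])
        elif is_internal(r["srcaddr"]) and not is_internal(r["dstaddr"]):
            egress[key] += r["bytes"]
    findings = []
    for (src, dst), ports in rejected.items():
        if len(ports) >= scan_ports:
            findings.append(("port_scan", src, dst,
                             f"{len(ports)} distinct ports rejected: {sorted(ports)}"))
    for (src, dst), total in egress.items():
        if total >= egress_bytes:
            findings.append(("bulk_egress", src, dst, f"{total} bytes to external address"))
    return findings


if __name__ == "__main__":
    for kind, src, dst, detail in detect(parse_flow_logs(SAMPLE_LOG)):
        print(f"{kind:12} {src} -> {dst}: {detail}")
```

Two things a practitioner will want to keep from this: the REJECT action is the cheap signal (a compromised host probing a segmented neighbour hits security-group denies first), and aggregation is per source/destination pair over the whole capture window, so a slow sweep still accumulates. Flow logs are sampled per aggregation interval and omit resolver and metadata traffic, so the egress rule is a floor, not a count.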
🛡️ AWS GuardDuty
Threat detection (threat intelligence feeds plus anomaly detection and machine learning) analyzing VPC Flow Logs, CloudTrail events, DNS logs. Identifies compromised instances, reconnaissance, backdoor communication.
Integration: Findings aggregated in Security Hub, critical alerts trigger immediate investigation
🎯 AWS Security Hub
Centralized finding aggregation from GuardDuty, Inspector, IAM Access Analyzer. Automated compliance checks (CIS AWS Foundations Benchmark, PCI DSS).
Dashboard: Single pane of glass for all security findings, prioritized by severity
📊 CloudWatch + CloudTrail
All AWS API calls logged (CloudTrail). All service metrics collected (CloudWatch). Custom alarms for suspicious patterns: unusual API calls, failed auth attempts, config changes.
Retention: 90 days hot storage, 1 year cold archive per Network Security Policy
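The "custom alarms for suspicious patterns" above are, in practice, a handful of rules over CloudTrail records. Here is an added example (not Hack23's alarm definitions) of that triage logic run over constructed events in CloudTrail's JSON shape: root usage, trail tampering, IAM privilege changes, a security-group rule opened to the world, and repeated console login failures. The watchlists, threshold, account ID and user names are illustrative assumptions.

```python
"""Triage rules over CloudTrail events for the alarm patterns listed above.

Added example, not Hack23's alarm definitions. Events are constructed in the
shape of CloudTrail JSON records; rule thresholds and the lists of
"dangerous" event names are assumptions a team would tune for itself.
"""
import json
from collections import Counter

# Assumed watchlists (not exhaustive).
TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
IAM_PRIV = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
            "CreatePolicyVersion", "AddUserToGroup", "CreateAccessKey",
            "UpdateAssumeRolePolicy"}
FAILED_LOGIN_THRESHOLD = 3


def _event(name, source, identity, **extra):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    rec = {"eventVersion": "1.08", "eventTime": "2024-01-01T00:00:00Z",
           "eventSource": source, "eventName": name, "awsRegion": "eu-west-1",
           "sourceIPAddress": "198.51.100.7", "userIdentity": identity}
    rec.update(extra)
    return rec


IAM_USER = {"type": "IAMUser", "userName": "alice",
            "arn": "arn:aws:iam::123456789012:user/alice"}
ROOT = {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}

# Constructed sample stream: three failed logins, a root login, logging
# switched off, an admin policy attached, a DB port opened to 0.0.0.0/0, noise.
SAMPLE_EVENTS = [
    _event("ConsoleLogin", "signin.amazonaws.com", IAM_USER,
           responseElements={"ConsoleLogin": "Failure"}),
    _event("ConsoleLogin", "signin.amazonaws.com", IAM_USER,
           responseElements={"ConsoleLogin": "Failure"}),
    _event("ConsoleLogin", "signin.amazonaws.com", IAM_USER,
           responseElements={"ConsoleLogin": "Failure"}),
    _event("ConsoleLogin", "signin.amazonaws.com", ROOT,
           responseElements={"ConsoleLogin": "Success"}),
    _event("StopLogging", "cloudtrail.amazonaws.com", IAM_USER,
           requestParameters={"name": "main-trail"}),
    _event("AttachUserPolicy", "iam.amazonaws.com", IAM_USER,
           requestParameters={"userName": "bob",
                              "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _event("AuthorizeSecurityGroupIngress", "ec2.amazonaws.com", IAM_USER,
           requestParameters={"groupId": "sg-db", "ipPermissions": {"items": [
               {"ipProtocol": "tcp", "fromPort": 5432, "toPort": 5432,
                "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}),
    _event("DescribeInstances", "ec2.amazonaws.com", IAM_USER),
]


def principal(evt):
    ui = evt.get("userIdentity", {})
    return ui.get("userName") or ui.get("arn") or ui.get("type", "unknown")


def triage(events, failed_login_threshold=FAILED_LOGIN_THRESHOLD):
    """Return (severity, rule, principal, detail) findings for a batch of events."""
    findings = []
    failed_logins = Counter()
    for evt in events:
        name, who = evt["eventName"], principal(evt)
        # Serialising requestParameters lets one substring check cover the
        # nested ipPermissions/ipRanges layout EC2 uses.
        params = json.dumps(evt.get("requestParameters") or {})
        if evt["userIdentity"].get("type") == "Root":
            findings.append(("HIGH", "root_usage", who, name))
        if name in TRAIL_TAMPER:
            findings.append(("HIGH", "trail_tamper", who, name))
        if name in IAM_PRIV:
            findings.append(("MEDIUM", "iam_priv_change", who, name))
        if name == "AuthorizeSecurityGroupIngress" and (
                '"0.0.0.0/0"' in params or '"::/0"' in params):
            findings.append(("HIGH", "sg_open_world", who, name))
        if name == "ConsoleLogin" and \
                (evt.get("responseElements") or {}).get("ConsoleLogin") == "Failure":
            failed_logins[who] += 1
    for who, n in failed_logins.items():
        if n >= failed_login_threshold:
            findings.append(("MEDIUM", "console_login_failures", who, f"{n} failures"))
    return findings


if __name__ == "__main__":
    for sev, rule, who, detail in triage(SAMPLE_EVENTS):
        print(f"{sev:6} {rule:24} {who}: {detail}")
```

The same rules map directly onto CloudWatch metric filters or EventBridge patterns; the point of having them as code is that you can replay a day of CloudTrail through them and see exactly which alarms would have fired.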
- Flow logs — Who's talking to whom, when, how much. VPC Flow Logs capture connection metadata for traffic crossing the VPC.
- Threat detection — GuardDuty continuously analyzes network behavior for indicators of compromise.
- DNS monitoring — Route 53 Resolver logs DNS queries. Exfiltration often uses DNS tunneling—monitor for anomalies.
- SIEM integration — CloudWatch Logs Insights for analysis. Security Hub for aggregation. Ready for external SIEM if needed.
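Since DNS tunnelling is called out above, here is what "monitor for anomalies" looks like over Route 53 Resolver query logs. This is an added example, not Hack23 code: the records are constructed inline in the JSON shape Resolver query logging emits (query_name, query_type, srcaddr, rcode), the tunnel domain is a constructed `.test` name, and every threshold is an illustrative assumption. The detector groups queries by source and registered domain and looks at three tunnel signatures at once: many distinct subdomains, long or high-entropy leftmost labels, and a high share of TXT/NULL/CNAME queries.

```python
"""Flag DNS-tunnelling-style query patterns in Route 53 Resolver query logs.

Added example (not Hack23 code). Log records are constructed inline in the
JSON shape Route 53 Resolver query logging emits; thresholds and the tunnel
domain are illustrative assumptions.
"""
import hashlib
import json
import math
from collections import defaultdict


def _record(src, name, qtype="A", rcode="NOERROR"):
    """Constructed Resolver query-log line (only the fields used here matter)."""
    return json.dumps({"version": "1.100000", "account_id": "123456789012",
                       "region": "eu-west-1", "vpc_id": "vpc-0abc",
                       "query_timestamp": "2024-01-01T00:00:00Z",
                       "query_name": name, "query_type": qtype,
                       "query_class": "IN", "rcode": rcode, "answers": [],
                       "srcaddr": src, "srcport": "53000", "transport": "UDP"})


# Constructed sample: ordinary lookups plus 20 TXT queries whose leftmost
# label carries 40 hex characters each, the shape of a chunked exfil channel.
SAMPLE_LINES = [
    _record("10.0.2.15", "www.hack23.com."),
    _record("10.0.2.15", "api.github.com."),
    _record("10.0.3.20", "sts.eu-west-1.amazonaws.com."),
] + [
    _record("10.0.2.15",
            hashlib.sha256(b"chunk%d" % i).hexdigest()[:40] + ".t.exfil-example.test.",
            qtype="TXT", rcode="NXDOMAIN")
    for i in range(20)
]


def shannon_entropy(label):
    """Bits per character; random hex tends toward 4, English words toward 2-3."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Approximate registered domain as the last two labels.
    Real deployments should use the Public Suffix List (co.uk, com.au ...)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def detect_dns_tunnelling(lines, min_unique=10, min_len=30,
                          min_entropy=3.5, txt_share=0.5):
    """Return one finding per (source, domain) that looks like a tunnel."""
    stats = defaultdict(lambda: {"subs": set(), "lens": [], "ents": [], "txt": 0, "n": 0})
    for line in lines:
        rec = json.loads(line)
        base, sub = split_name(rec["query_name"])
        if not sub:
            continue   # bare apex lookups carry no payload label
        s = stats[(rec["srcaddr"], base)]
        s["n"] += 1
        s["subs"].add(".".join(sub))
        s["lens"].append(len(sub[0]))
        s["ents"].append(shannon_entropy(sub[0]))
        if rec["query_type"] in ("TXT", "NULL", "CNAME"):
            s["txt"] += 1
    findings = []
    for (src, base), s in stats.items():
        if len(s["subs"]) < min_unique:
            continue   # a CDN with a few hostnames is not a tunnel
        mean_len = sum(s["lens"]) / len(s["lens"])
        mean_ent = sum(s["ents"]) / len(s["ents"])
        if mean_len >= min_len or mean_ent >= min_entropy or s["txt"] / s["n"] >= txt_share:
            findings.append({"src": src, "domain": base,
                             "unique_subdomains": len(s["subs"]),
                             "mean_label_len": round(mean_len, 1),
                             "mean_entropy": round(mean_ent, 2)})
    return findings


if __name__ == "__main__":
    for f in detect_dns_tunnelling(SAMPLE_LINES):
        print(f)
```

On the constructed input exactly one (source, domain) pair trips the detector. The unique-subdomain floor is what keeps this quiet in production: entropy alone flags every CDN hash hostname, while a tunnel has to generate a new label per chunk and cannot hide that.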
Question authority: If your network team says "we can't monitor that," ask why. Usually it's "we don't want to" not "we can't." AWS makes comprehensive monitoring default—no excuses.
Real-Time Threat Response:
- 🚨 DDoS Attacks: CloudFront metrics, real-time automatic mitigation
- 🔍 Anomalous Traffic: VPC Flow Logs, <15 min response time
- 🛡️ Threat Intelligence: GuardDuty findings, immediate Security Hub alerts
- 📋 Compliance Checks: Security Hub automated controls, continuous validation
Network Security Is About Containment, Not Prevention
Nothing is true. The perimeter isn't real. "Inside" isn't trusted. Firewalls aren't magic. FNORD—your network is already compromised. The question is: do you know it yet?
Everything is permitted. Including designing networks that assume breach and minimize damage through systematic defense-in-depth. Are you paranoid enough to admit perfect prevention is impossible?
Hack23's zero-trust implementation demonstrates cybersecurity consulting expertise:
- 🌐 CloudFront + WAF: Perimeter protection with DDoS mitigation, OWASP rules—because the perimeter is fiction but edge protection isn't
- 🛡️ GuardDuty + Security Hub: Continuous threat detection, finding aggregation—machines watching machines because humans are terrible at this
- 🔍 VPC Flow Logs: Complete traffic visibility, anomaly detection—trust nothing, log everything, investigate constantly
- 🌍 Multi-Region: eu-west-1 (Ireland), eu-central-1 (Frankfurt) resilience—because single points of failure are for amateurs
- 🔐 TLS 1.2+ Everywhere: No unencrypted traffic, certificate validation enforced—encrypt it all or watch it leak
All hail Eris! All hail Discordia!
Read our full Network Security Policy on GitHub. Zero trust. Segmented. Monitored. With public evidence demonstrating implementation. We're paranoid. You should be too.
FINAL ILLUMINATION: The security-industrial complex sells firewalls and perimeter defense because they're easy to sell. "Buy this box, you're secure!" Reality: Network security is architecture, monitoring, and accepting that perfect prevention is impossible. Design for containment. Plan for detection. Respond with speed. Our AWS cloud-native architecture does exactly this—with measurable proof. FNORD—we're protecting against attackers who've already read this. Are you?
— Hagbard Celine
Captain of the Leif Erikson
"The perimeter is dead. Long live the perimeter-less architecture. Nothing is true. Everything is permitted. Your network agrees with neither."
🍎 23 FNORD 5