# Network Security

## Overview

Network security is implemented through multiple layers, including firewall rules, Kubernetes network policies, and Cloudflare protection.
## Defense in Depth

```mermaid
graph TB
    subgraph L1["Layer 1 - Edge"]
        CF[Cloudflare WAF/DDoS]
    end
    subgraph L2["Layer 2 - Perimeter"]
        PF[pfSense Firewall]
    end
    subgraph L3["Layer 3 - Network"]
        NP[K8s Network Policies]
    end
    subgraph L4["Layer 4 - Application"]
        Auth[Authentication]
        TLS[TLS Encryption]
    end
    Internet --> CF
    CF --> PF
    PF --> NP
    NP --> Auth
```
## Cloudflare Protection

### Features Enabled

| Feature | Status | Description |
|---|---|---|
| DDoS Protection | Active | Automatic mitigation |
| WAF | Active | Web application firewall |
| Bot Management | Active | Bot detection |
| Rate Limiting | Active | Request throttling |
### Tunnel Security

- No exposed inbound ports
- Encrypted tunnel connection
- Access policies per hostname
- Automatic certificate management
## Firewall Rules

### pfSense Configuration

#### Inbound Rules

| Rule | Source | Destination | Action |
|---|---|---|---|
| Block All | ANY | WAN | Block |
#### Outbound Rules

| Rule | Source | Destination | Ports | Action |
|---|---|---|---|---|
| Cloudflare Tunnel | K8s Nodes | Cloudflare | 443 | Allow |
| DNS | K8s Nodes | DNS Servers | 53 | Allow |
| NTP | K8s Nodes | NTP Servers | 123 | Allow |
## Kubernetes Network Policies

### Default Deny

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
```
### Allow Specific Traffic

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-monitoring
  namespace: hub
spec:
  podSelector:
    matchLabels:
      app: hub-api
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: monitoring
      ports:
        - protocol: TCP
          port: 8080
```
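To see how the two manifests above combine at runtime, the following is an added example (not part of the original page or of the cluster's own tooling): a small Python evaluator of NetworkPolicy ingress semantics. The two policies are transcribed from the YAML above; the pod labels, namespace labels and test cases are constructed. It models only the fields the page uses (`podSelector` and `namespaceSelector` with `matchLabels`, `policyTypes`, `ingress` with `from`/`ports`); `ipBlock`, named ports and egress evaluation are left out.

```python
"""Minimal evaluator of Kubernetes NetworkPolicy ingress semantics.

Added example, not part of the original page. POLICIES are transcribed from
the page's YAML; NAMESPACE_LABELS and the pods used in the test cases are
constructed fixtures.
"""

DEFAULT_DENY_ALL = {
    "metadata": {"name": "default-deny-all", "namespace": "production"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}

ALLOW_FROM_MONITORING = {
    "metadata": {"name": "allow-from-monitoring", "namespace": "hub"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "hub-api"}},
        "ingress": [{
            "from": [{"namespaceSelector": {"matchLabels": {"name": "monitoring"}}}],
            "ports": [{"protocol": "TCP", "port": 8080}],
        }],
    },
}

POLICIES = [DEFAULT_DENY_ALL, ALLOW_FROM_MONITORING]

# Constructed namespace labels. The page's policy selects on a "name" label,
# which only matches if the namespace really carries that label.
NAMESPACE_LABELS = {
    "monitoring": {"name": "monitoring"},
    "hub": {"name": "hub"},
    "production": {"name": "production"},
    "default": {"name": "default"},
}


def matches(selector, labels):
    """matchLabels semantics; an empty selector ({}) matches everything."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def policy_types(spec):
    """policyTypes defaults to Ingress, plus Egress when egress rules exist."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def rule_matches_port(rule, port, protocol):
    ports = rule.get("ports")
    if not ports:
        return True  # no ports listed: the rule applies to every port
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)


def peer_matches(peer, src_ns, src_labels, dst_ns):
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    src_ns_labels = NAMESPACE_LABELS.get(src_ns, {})
    if ns_sel is not None and pod_sel is not None:
        return matches(ns_sel, src_ns_labels) and matches(pod_sel, src_labels)
    if ns_sel is not None:
        return matches(ns_sel, src_ns_labels)
    if pod_sel is not None:
        # a bare podSelector is scoped to the policy's own namespace
        return src_ns == dst_ns and matches(pod_sel, src_labels)
    return False


def ingress_allowed(src_ns, src_labels, dst_ns, dst_labels, port, protocol="TCP"):
    """True if a connection from the source pod to dst_labels:port is permitted.

    A pod is isolated for ingress as soon as any policy in its namespace
    selects it with Ingress in policyTypes. A non-isolated pod accepts all
    traffic; an isolated pod accepts only what some ingress rule admits
    (policies are additive, there is no explicit deny rule).
    """
    selecting = [
        p for p in POLICIES
        if p["metadata"]["namespace"] == dst_ns
        and matches(p["spec"].get("podSelector"), dst_labels)
        and "Ingress" in policy_types(p["spec"])
    ]
    if not selecting:
        return True  # not isolated: no policy in this namespace covers the pod
    for p in selecting:
        for rule in p["spec"].get("ingress", []):
            if not rule_matches_port(rule, port, protocol):
                continue
            peers = rule.get("from")
            if not peers:
                return True  # a rule without "from" admits any source
            if any(peer_matches(peer, src_ns, src_labels, dst_ns) for peer in peers):
                return True
    return False


if __name__ == "__main__":
    prom = ("monitoring", {"app": "prometheus"})
    for src, dst, port in [(prom, ("hub", {"app": "hub-api"}), 8080),
                           (prom, ("hub", {"app": "hub-api"}), 9090),
                           (("default", {}), ("hub", {"app": "hub-worker"}), 8080),
                           (prom, ("production", {"app": "web"}), 80)]:
        print(src[0], "->", dst[0], dst[1], port, ingress_allowed(*src, *dst, port))
```

Two results are worth noting. `default-deny-all` is scoped to the `production` namespace, so a pod in `hub` that no policy selects (for example `app: hub-worker`) still accepts traffic from anywhere; every namespace that should be isolated needs its own default-deny policy. And the `namespaceSelector` matches on a `name` label, which only works if the `monitoring` namespace actually carries it; on recent clusters the immutable `kubernetes.io/metadata.name` label is set automatically and avoids depending on hand-applied labels.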
### Namespace Isolation

| From Namespace | To Namespace | Allowed |
|---|---|---|
| monitoring | all | Yes (scrape) |
| hub | databases | Yes |
| argocd | all | Yes (deploy) |
| default | any | No |
## TLS Configuration

### Certificate Management

- Cloudflare manages external TLS
- Internal communication over cluster network

### Minimum TLS Version

| Component | Version |
|---|---|
| Cloudflare Edge | TLS 1.2+ |
| Internal Services | Optional |
## Authentication

### Service-to-Service

| Method | Use Case |
|---|---|
| Kubernetes RBAC | API access |
| Service Accounts | Pod identity |
| Secrets | Credentials |

### External Access

| Service | Auth Method |
|---|---|
| Grafana | Username/Password |
| Kibana | Username/Password |
| ArgoCD | Username/Password |
## Security Monitoring

### Logged Events

| Event Type | Source |
|---|---|
| Firewall blocks | pfSense |
| WAF triggers | Cloudflare |
| Auth failures | Applications |
| Network anomalies | Elastic Agent |

### Dashboards

- Firewall activity
- Failed authentication attempts
- Network traffic patterns
- Threat intelligence matches
## Incident Response

### Detection Sources

- Cloudflare security events
- pfSense firewall logs
- Elastic threat intelligence
- Application error logs

### Response Steps

1. Detect - Alert triggers
2. Analyze - Review logs
3. Contain - Block source
4. Eradicate - Remove threat
5. Recover - Restore service
6. Learn - Update rules
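As an added example of the Detect, Analyze and Contain steps applied to the auth-failure events listed under Logged Events (this is not code from the original page; the log format and every log line are constructed fixtures, and real Grafana, Kibana or ArgoCD logs would need their own parser), the following Python detector counts failed logins per source address in a sliding window, raises an alert with the services and usernames involved, and produces the list of sources a Contain step would hand to the firewall or Cloudflare rule set.

```python
"""Sliding-window detection of failed authentication bursts.

Added example, not part of the original page. SAMPLE_LOGS is a constructed
fixture in the form "<timestamp> <service> <source_ip> <outcome> user=<name>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: one fast burst, one normal user, one slow trickle.
SAMPLE_LOGS = """\
2024-01-15T10:00:01Z grafana 203.0.113.10 auth_failure user=admin
2024-01-15T10:00:04Z grafana 203.0.113.10 auth_failure user=admin
2024-01-15T10:00:09Z grafana 203.0.113.10 auth_failure user=root
2024-01-15T10:00:15Z grafana 203.0.113.10 auth_failure user=admin
2024-01-15T10:00:20Z grafana 203.0.113.10 auth_failure user=guest
2024-01-15T10:00:30Z argocd 198.51.100.7 auth_failure user=alice
2024-01-15T10:01:05Z argocd 198.51.100.7 auth_success user=alice
2024-01-15T10:30:00Z kibana 192.0.2.44 auth_failure user=bob
2024-01-15T10:45:00Z kibana 192.0.2.44 auth_failure user=bob
2024-01-15T11:00:00Z kibana 192.0.2.44 auth_failure user=bob
2024-01-15T11:15:00Z kibana 192.0.2.44 auth_failure user=bob
2024-01-15T11:30:00Z kibana 192.0.2.44 auth_failure user=bob
"""


def parse_line(line):
    """Parse one constructed-format log line into a dict."""
    ts, service, src, outcome, user_field = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "service": service,
        "src": src,
        "outcome": outcome,
        "user": user_field.split("=", 1)[1],
    }


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Detect: alert when one source accumulates `threshold` failures within `window`.

    Returns one alert per burst; the per-source window is cleared after an
    alert so a sustained attack produces repeated, not continuous, alerts.
    """
    recent = defaultdict(deque)  # src -> failures still inside the window
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["outcome"] != "auth_failure":
            continue
        q = recent[ev["src"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()  # expire failures older than the window
        if len(q) >= threshold:
            alerts.append({  # Analyze: enough context to triage from the alert itself
                "src": ev["src"],
                "services": sorted({e["service"] for e in q}),
                "users": sorted({e["user"] for e in q}),
                "count": len(q),
                "first": q[0]["ts"],
                "last": ev["ts"],
            })
            q.clear()
    return alerts


def containment_candidates(alerts):
    """Contain: the distinct source addresses an operator would block."""
    return sorted({a["src"] for a in alerts})


if __name__ == "__main__":
    found = detect_bruteforce(SAMPLE_LOGS)
    for a in found:
        print(f"{a['src']}: {a['count']} failures on {a['services']} "
              f"as {a['users']} between {a['first']} and {a['last']}")
    print("block candidates:", containment_candidates(found))
```

With the defaults, only `203.0.113.10` (five failures in nineteen seconds, cycling through several usernames) is flagged. The slow trickle from `192.0.2.44` never has five failures inside a five-minute window and goes unnoticed, which is the usual blind spot of a short-window threshold; calling `detect_bruteforce(SAMPLE_LOGS, threshold=3, window=timedelta(hours=1))` catches it, at the cost of more noise from legitimate typos. Both views are worth having on the failed-authentication dashboard.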
## Best Practices

- Least privilege - Minimal required access
- Defense in depth - Multiple security layers
- Monitor everything - Log all security events
- Regular updates - Patch vulnerabilities
- Test defenses - Periodic security testing