
Module 2 – Network Segmentation

NAT vs Bridged vs Host-Only



Engineering Isolation Before Exposure

Network design determines:

  • Who can reach your system

  • What traffic is allowed

  • How services communicate

  • How attacks propagate

  • How failures are contained

If your lab network is flat and unsegmented, you are not simulating production.

This module builds intentional network layering using:

  • NAT

  • Bridged Adapter

  • Host-Only Adapter


1. Why Network Segmentation Matters

In production systems:

  • Public-facing services are separated from internal services.

  • Database layers are isolated.

  • Management access is restricted.

  • East-west traffic is controlled.

Your lab must reflect these realities.

If everything shares one network, you are building bad habits.


2. NAT – Outbound Access Layer

What NAT Does

NAT (Network Address Translation) allows your VM to:

  • Access the internet

  • Download packages

  • Pull container images

  • Fetch updates

Without exposing it directly to your local network.

Architecture Model

  Internet
      │
  Host Machine
      │
  VirtualBox NAT Engine
      │
  VM (Private IP)

The VM receives a private internal IP from VirtualBox.

It can reach out.
Nothing external can reach in (without port forwarding).


When To Use NAT

✔ Package installation
✔ Secure default configuration
✔ Outbound-only systems
✔ Controlled lab experiments


Limitations of NAT

  • Other devices on your LAN cannot directly access the VM

  • Multi-node communication is limited without additional adapters

  • Not realistic for simulating public services

NAT is safe, but incomplete.


3. Bridged Adapter – LAN Exposure Layer

What Bridged Mode Does

Bridged networking makes your VM behave like a physical device on your network.

Your router assigns it an IP address.

Architecture Model

  Router
  ├── Host Machine
  ├── VM
  └── Other Devices

Your VM is now directly reachable from your LAN.


When To Use Bridged

✔ Testing web servers
✔ SSH access from another machine
✔ Simulating public-facing services
✔ Realistic service exposure testing


Risks of Bridged Mode

  • Misconfigured firewall exposes services

  • SSH brute-force exposure

  • Accidental database exposure

  • Less isolation

Bridged mode must be paired with proper firewall discipline.


4. Host-Only Adapter – Internal Communication Layer

What Host-Only Does

Host-only networking allows:

  • VM-to-VM communication

  • Host-to-VM communication

  • No internet access

Architecture Model

  Host ↔ VM1 ↔ VM2
  (No external access)

This simulates:

  • Private subnet

  • Internal service communication

  • East-west traffic


When To Use Host-Only

✔ Multi-node clusters
✔ Database + Application separation
✔ Internal-only services
✔ Kubernetes node communication

Host-only networking is critical for serious lab design.


5. Professional Lab Design – Dual Adapter Strategy

Your VM should have:

Adapter 1 → NAT
Adapter 2 → Host-Only

Why?

Because this mirrors production layering:

  • External access layer (NAT)

  • Internal service layer (Host-only)

This prepares you for:

  • VPC public/private subnet design

  • Firewall segmentation

  • Service isolation principles


6. Avoiding Common Beginner Mistakes

❌ Using only NAT for everything
❌ Using only Bridged for everything
❌ Not understanding which interface traffic uses
❌ Forgetting to verify IP addresses


7. Identifying Network Interfaces

After configuring adapters, verify:

  ip a

You should see:

  • One interface with a NAT IP (e.g., 10.x.x.x)

  • One interface with a Host-only IP (e.g., 192.168.56.x)

Test outbound access:

  ping 8.8.8.8

Test internal communication:

  ping <other-node-host-only-ip>

Understand which interface is being used.

Do not assume.


8. Simulating Segmentation in Practice

Example design:

Node 1:

  • NAT + Host-only

Node 2:

  • Host-only only

Node 2 cannot reach the internet directly.
It can only communicate internally.

This simulates:

  • Application server (Node 1)

  • Internal database (Node 2)

This is how real systems are layered.
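To make the verification from section 7 and the Node 1 / Node 2 design above repeatable, here is an added shell script (not part of this module) that classifies a node's interfaces by the address ranges given in section 7 and checks them against the intended role. The interface names enp0s3/enp0s8 and the sample addresses are constructed assumptions; in live mode it runs the same `ip` and `ping` checks on the VM itself.

```shell
#!/bin/sh
# Segmentation check for a VirtualBox lab node (sh, run on the VM itself).
# Classifies interfaces by the ranges this module expects (NAT 10.x.x.x,
# host-only 192.168.56.x) and compares them with the Node 1 / Node 2 roles.
# Map one IPv4 address to its adapter role: nat | hostonly | loopback | other
classify_ip() {
  case "$1" in
    10.*)         echo nat ;;
    192.168.56.*) echo hostonly ;;
    127.*)        echo loopback ;;
    *)            echo other ;;
  esac
}

# Turn `ip -4 -o addr show` lines ("2: enp0s3 inet 10.0.2.15/24 ...") into "ifname role" lines.
summarize_addrs() {
  while read -r idx ifname fam cidr rest; do
    [ -n "$ifname" ] && echo "$ifname $(classify_ip "${cidr%/*}")"
  done
}

# Roles present on the node, sorted and space-separated, loopback excluded.
roles_present() {
  awk '$2 != "loopback" { print $2 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Does the node match its design role?  app = NAT + host-only (Node 1),
# db = host-only only (Node 2).  Returns 0 on match, 1 on mismatch.
check_node() {
  case "$1:$2" in
    app:"hostonly nat") return 0 ;;
    db:hostonly)        return 0 ;;
    *)                  return 1 ;;
  esac
}

# Constructed sample `ip -4 -o addr show` output (names and addresses are assumptions).
SAMPLE_NODE1='1: lo    inet 127.0.0.1/8 scope host lo
2: enp0s3    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic enp0s3
3: enp0s8    inet 192.168.56.101/24 brd 192.168.56.255 scope global enp0s8'
SAMPLE_NODE2='1: lo    inet 127.0.0.1/8 scope host lo
2: enp0s8    inet 192.168.56.102/24 brd 192.168.56.255 scope global enp0s8'

# Live mode on a real node:  sh segcheck.sh --live <app|db> <peer-host-only-ip>
run_live() {
  roles=$(ip -4 -o addr show | summarize_addrs | roles_present)
  check_node "$1" "$roles" && echo "roles: $roles (matches $1)" || echo "roles: $roles (MISMATCH for $1)"
  ping -c 1 -W 2 8.8.8.8 >/dev/null 2>&1 && echo "outbound: OK" || echo "outbound: blocked"
  ping -c 1 -W 2 "$2" >/dev/null 2>&1 && echo "internal: OK" || echo "internal: unreachable"
}
case "${1:-}" in --live) run_live "$2" "$3" ;; esac
```

On Node 2 the expected live result is "outbound: blocked" together with "internal: OK"; anything else means the adapters are not doing what you think they are.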


9. Firewall Integration (Preview of Module 3)

Segmentation is incomplete without firewall rules.

Even in host-only mode:

  • Restrict open ports

  • Control SSH access

  • Define service exposure explicitly

Network adapter choice is only step one.

Firewall discipline completes segmentation.


10. Lab Assignment

  1. Configure dual adapters on your primary node:

    • Adapter 1 → NAT

    • Adapter 2 → Host-only

  2. Create a second VM:

    • Host-only only

  3. Verify:

    • Node 1 can access the internet

    • Node 2 cannot access the internet

    • Node 1 and Node 2 can ping each other internally

  4. Document:

    • Which interface handles which traffic

    • What would happen if you removed NAT

    • What risks exist if you used only Bridged

Deliverable:

Write a short architecture explanation of your segmented design.

If you cannot explain traffic flow, you do not understand your network.


11. Production Reflection

Consider:

  • What happens if an internal database is placed on Bridged?

  • What happens if all nodes share one flat network?

  • How would this map to AWS VPC public/private subnets?

  • How would a firewall misconfiguration break this model?

Segmentation is a mindset.

Not a checkbox.


Module Completion Criteria

You are ready for Module 3 when:

  • You understand traffic flow for each adapter.

  • You can explain when to use NAT vs Bridged vs Host-only.

  • You have at least two communicating nodes.

  • You understand exposure risks.

Next:

→ Module 3 – System Hardening
